1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #include <openssl/ssl.h>
110
111 #include <assert.h>
112 #include <limits.h>
113 #include <stdlib.h>
114 #include <string.h>
115
116 #include <utility>
117
118 #include <openssl/bytestring.h>
119 #include <openssl/chacha.h>
120 #include <openssl/digest.h>
121 #include <openssl/err.h>
122 #include <openssl/evp.h>
123 #include <openssl/hmac.h>
124 #include <openssl/mem.h>
125 #include <openssl/nid.h>
126 #include <openssl/rand.h>
127
128 #include "internal.h"
129 #include "../crypto/internal.h"
130
131
132 BSSL_NAMESPACE_BEGIN
133
134 static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);
135
compare_uint16_t(const void * p1,const void * p2)136 static int compare_uint16_t(const void *p1, const void *p2) {
137 uint16_t u1 = *((const uint16_t *)p1);
138 uint16_t u2 = *((const uint16_t *)p2);
139 if (u1 < u2) {
140 return -1;
141 } else if (u1 > u2) {
142 return 1;
143 } else {
144 return 0;
145 }
146 }
147
148 // Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
149 // more than one extension of the same type in a ClientHello or ServerHello.
150 // This function does an initial scan over the extensions block to filter those
151 // out.
tls1_check_duplicate_extensions(const CBS * cbs)152 static bool tls1_check_duplicate_extensions(const CBS *cbs) {
153 // First pass: count the extensions.
154 size_t num_extensions = 0;
155 CBS extensions = *cbs;
156 while (CBS_len(&extensions) > 0) {
157 uint16_t type;
158 CBS extension;
159
160 if (!CBS_get_u16(&extensions, &type) ||
161 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
162 return false;
163 }
164
165 num_extensions++;
166 }
167
168 if (num_extensions == 0) {
169 return true;
170 }
171
172 Array<uint16_t> extension_types;
173 if (!extension_types.Init(num_extensions)) {
174 return false;
175 }
176
177 // Second pass: gather the extension types.
178 extensions = *cbs;
179 for (size_t i = 0; i < extension_types.size(); i++) {
180 CBS extension;
181
182 if (!CBS_get_u16(&extensions, &extension_types[i]) ||
183 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
184 // This should not happen.
185 return false;
186 }
187 }
188 assert(CBS_len(&extensions) == 0);
189
190 // Sort the extensions and make sure there are no duplicates.
191 qsort(extension_types.data(), extension_types.size(), sizeof(uint16_t),
192 compare_uint16_t);
193 for (size_t i = 1; i < num_extensions; i++) {
194 if (extension_types[i - 1] == extension_types[i]) {
195 return false;
196 }
197 }
198
199 return true;
200 }
201
ssl_client_hello_init(SSL * ssl,SSL_CLIENT_HELLO * out,const SSLMessage & msg)202 bool ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out,
203 const SSLMessage &msg) {
204 OPENSSL_memset(out, 0, sizeof(*out));
205 out->ssl = ssl;
206 out->client_hello = CBS_data(&msg.body);
207 out->client_hello_len = CBS_len(&msg.body);
208
209 CBS client_hello, random, session_id;
210 CBS_init(&client_hello, out->client_hello, out->client_hello_len);
211 if (!CBS_get_u16(&client_hello, &out->version) ||
212 !CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) ||
213 !CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
214 CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
215 return false;
216 }
217
218 out->random = CBS_data(&random);
219 out->random_len = CBS_len(&random);
220 out->session_id = CBS_data(&session_id);
221 out->session_id_len = CBS_len(&session_id);
222
223 // Skip past DTLS cookie
224 if (SSL_is_dtls(out->ssl)) {
225 CBS cookie;
226 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
227 CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
228 return false;
229 }
230 }
231
232 CBS cipher_suites, compression_methods;
233 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
234 CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
235 !CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
236 CBS_len(&compression_methods) < 1) {
237 return false;
238 }
239
240 out->cipher_suites = CBS_data(&cipher_suites);
241 out->cipher_suites_len = CBS_len(&cipher_suites);
242 out->compression_methods = CBS_data(&compression_methods);
243 out->compression_methods_len = CBS_len(&compression_methods);
244
245 // If the ClientHello ends here then it's valid, but doesn't have any
246 // extensions.
247 if (CBS_len(&client_hello) == 0) {
248 out->extensions = NULL;
249 out->extensions_len = 0;
250 return true;
251 }
252
253 // Extract extensions and check it is valid.
254 CBS extensions;
255 if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
256 !tls1_check_duplicate_extensions(&extensions) ||
257 CBS_len(&client_hello) != 0) {
258 return false;
259 }
260
261 out->extensions = CBS_data(&extensions);
262 out->extensions_len = CBS_len(&extensions);
263
264 return true;
265 }
266
ssl_client_hello_get_extension(const SSL_CLIENT_HELLO * client_hello,CBS * out,uint16_t extension_type)267 bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
268 CBS *out, uint16_t extension_type) {
269 CBS extensions;
270 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
271 while (CBS_len(&extensions) != 0) {
272 // Decode the next extension.
273 uint16_t type;
274 CBS extension;
275 if (!CBS_get_u16(&extensions, &type) ||
276 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
277 return false;
278 }
279
280 if (type == extension_type) {
281 *out = extension;
282 return true;
283 }
284 }
285
286 return false;
287 }
288
289 static const uint16_t kDefaultGroups[] = {
290 SSL_CURVE_X25519,
291 SSL_CURVE_SECP256R1,
292 SSL_CURVE_SECP384R1,
293 };
294
tls1_get_grouplist(const SSL_HANDSHAKE * hs)295 Span<const uint16_t> tls1_get_grouplist(const SSL_HANDSHAKE *hs) {
296 if (!hs->config->supported_group_list.empty()) {
297 return hs->config->supported_group_list;
298 }
299 return Span<const uint16_t>(kDefaultGroups);
300 }
301
tls1_get_shared_group(SSL_HANDSHAKE * hs,uint16_t * out_group_id)302 bool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
303 SSL *const ssl = hs->ssl;
304 assert(ssl->server);
305
306 // Clients are not required to send a supported_groups extension. In this
307 // case, the server is free to pick any group it likes. See RFC 4492,
308 // section 4, paragraph 3.
309 //
310 // However, in the interests of compatibility, we will skip ECDH if the
311 // client didn't send an extension because we can't be sure that they'll
312 // support our favoured group. Thus we do not special-case an emtpy
313 // |peer_supported_group_list|.
314
315 Span<const uint16_t> groups = tls1_get_grouplist(hs);
316 Span<const uint16_t> pref, supp;
317 if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
318 pref = groups;
319 supp = hs->peer_supported_group_list;
320 } else {
321 pref = hs->peer_supported_group_list;
322 supp = groups;
323 }
324
325 for (uint16_t pref_group : pref) {
326 for (uint16_t supp_group : supp) {
327 if (pref_group == supp_group &&
328 // CECPQ2 doesn't fit in the u8-length-prefixed ECPoint field in TLS
329 // 1.2 and below.
330 (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
331 pref_group != SSL_CURVE_CECPQ2)) {
332 *out_group_id = pref_group;
333 return true;
334 }
335 }
336 }
337
338 return false;
339 }
340
tls1_set_curves(Array<uint16_t> * out_group_ids,Span<const int> curves)341 bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves) {
342 Array<uint16_t> group_ids;
343 if (!group_ids.Init(curves.size())) {
344 return false;
345 }
346
347 for (size_t i = 0; i < curves.size(); i++) {
348 if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) {
349 return false;
350 }
351 }
352
353 *out_group_ids = std::move(group_ids);
354 return true;
355 }
356
tls1_set_curves_list(Array<uint16_t> * out_group_ids,const char * curves)357 bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves) {
358 // Count the number of curves in the list.
359 size_t count = 0;
360 const char *ptr = curves, *col;
361 do {
362 col = strchr(ptr, ':');
363 count++;
364 if (col) {
365 ptr = col + 1;
366 }
367 } while (col);
368
369 Array<uint16_t> group_ids;
370 if (!group_ids.Init(count)) {
371 return false;
372 }
373
374 size_t i = 0;
375 ptr = curves;
376 do {
377 col = strchr(ptr, ':');
378 if (!ssl_name_to_group_id(&group_ids[i++], ptr,
379 col ? (size_t)(col - ptr) : strlen(ptr))) {
380 return false;
381 }
382 if (col) {
383 ptr = col + 1;
384 }
385 } while (col);
386
387 assert(i == count);
388 *out_group_ids = std::move(group_ids);
389 return true;
390 }
391
tls1_check_group_id(const SSL_HANDSHAKE * hs,uint16_t group_id)392 bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
393 if (group_id == SSL_CURVE_CECPQ2 &&
394 ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
395 // CECPQ2 requires TLS 1.3.
396 return false;
397 }
398
399 for (uint16_t supported : tls1_get_grouplist(hs)) {
400 if (supported == group_id) {
401 return true;
402 }
403 }
404
405 return false;
406 }
407
408 // kVerifySignatureAlgorithms is the default list of accepted signature
409 // algorithms for verifying.
410 //
411 // For now, RSA-PSS signature algorithms are not enabled on Android's system
412 // BoringSSL. Once the change in Chrome has stuck and the values are finalized,
413 // restore them.
414 static const uint16_t kVerifySignatureAlgorithms[] = {
415 // List our preferred algorithms first.
416 SSL_SIGN_ED25519,
417 SSL_SIGN_ECDSA_SECP256R1_SHA256,
418 SSL_SIGN_RSA_PSS_RSAE_SHA256,
419 SSL_SIGN_RSA_PKCS1_SHA256,
420
421 // Larger hashes are acceptable.
422 SSL_SIGN_ECDSA_SECP384R1_SHA384,
423 SSL_SIGN_RSA_PSS_RSAE_SHA384,
424 SSL_SIGN_RSA_PKCS1_SHA384,
425
426 SSL_SIGN_RSA_PSS_RSAE_SHA512,
427 SSL_SIGN_RSA_PKCS1_SHA512,
428
429 // For now, SHA-1 is still accepted but least preferable.
430 SSL_SIGN_RSA_PKCS1_SHA1,
431
432 };
433
434 // kSignSignatureAlgorithms is the default list of supported signature
435 // algorithms for signing.
436 //
437 // For now, RSA-PSS signature algorithms are not enabled on Android's system
438 // BoringSSL. Once the change in Chrome has stuck and the values are finalized,
439 // restore them.
440 static const uint16_t kSignSignatureAlgorithms[] = {
441 // List our preferred algorithms first.
442 SSL_SIGN_ED25519,
443 SSL_SIGN_ECDSA_SECP256R1_SHA256,
444 SSL_SIGN_RSA_PSS_RSAE_SHA256,
445 SSL_SIGN_RSA_PKCS1_SHA256,
446
447 // If needed, sign larger hashes.
448 //
449 // TODO(davidben): Determine which of these may be pruned.
450 SSL_SIGN_ECDSA_SECP384R1_SHA384,
451 SSL_SIGN_RSA_PSS_RSAE_SHA384,
452 SSL_SIGN_RSA_PKCS1_SHA384,
453
454 SSL_SIGN_ECDSA_SECP521R1_SHA512,
455 SSL_SIGN_RSA_PSS_RSAE_SHA512,
456 SSL_SIGN_RSA_PKCS1_SHA512,
457
458 // If the peer supports nothing else, sign with SHA-1.
459 SSL_SIGN_ECDSA_SHA1,
460 SSL_SIGN_RSA_PKCS1_SHA1,
461 };
462
463 struct SSLSignatureAlgorithmList {
NextSSLSignatureAlgorithmList464 bool Next(uint16_t *out) {
465 while (!list.empty()) {
466 uint16_t sigalg = list[0];
467 list = list.subspan(1);
468 if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) {
469 continue;
470 }
471 if (skip_rsa_pss_rsae && SSL_is_signature_algorithm_rsa_pss(sigalg)) {
472 continue;
473 }
474 *out = sigalg;
475 return true;
476 }
477 return false;
478 }
479
operator ==SSLSignatureAlgorithmList480 bool operator==(const SSLSignatureAlgorithmList &other) const {
481 SSLSignatureAlgorithmList a = *this;
482 SSLSignatureAlgorithmList b = other;
483 uint16_t a_val, b_val;
484 while (a.Next(&a_val)) {
485 if (!b.Next(&b_val) ||
486 a_val != b_val) {
487 return false;
488 }
489 }
490 return !b.Next(&b_val);
491 }
492
operator !=SSLSignatureAlgorithmList493 bool operator!=(const SSLSignatureAlgorithmList &other) const {
494 return !(*this == other);
495 }
496
497 Span<const uint16_t> list;
498 bool skip_ed25519 = false;
499 bool skip_rsa_pss_rsae = false;
500 };
501
tls12_get_verify_sigalgs(const SSL * ssl,bool for_certs)502 static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl,
503 bool for_certs) {
504 SSLSignatureAlgorithmList ret;
505 if (!ssl->config->verify_sigalgs.empty()) {
506 ret.list = ssl->config->verify_sigalgs;
507 } else {
508 ret.list = kVerifySignatureAlgorithms;
509 ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
510 }
511 if (for_certs) {
512 ret.skip_rsa_pss_rsae = !ssl->ctx->rsa_pss_rsae_certs_enabled;
513 }
514 return ret;
515 }
516
tls12_add_verify_sigalgs(const SSL * ssl,CBB * out,bool for_certs)517 bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs) {
518 SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, for_certs);
519 uint16_t sigalg;
520 while (list.Next(&sigalg)) {
521 if (!CBB_add_u16(out, sigalg)) {
522 return false;
523 }
524 }
525 return true;
526 }
527
tls12_check_peer_sigalg(const SSL * ssl,uint8_t * out_alert,uint16_t sigalg)528 bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
529 uint16_t sigalg) {
530 SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, false);
531 uint16_t verify_sigalg;
532 while (list.Next(&verify_sigalg)) {
533 if (verify_sigalg == sigalg) {
534 return true;
535 }
536 }
537
538 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
539 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
540 return false;
541 }
542
tls12_has_different_verify_sigalgs_for_certs(const SSL * ssl)543 bool tls12_has_different_verify_sigalgs_for_certs(const SSL *ssl) {
544 return tls12_get_verify_sigalgs(ssl, true) !=
545 tls12_get_verify_sigalgs(ssl, false);
546 }
547
548 // tls_extension represents a TLS extension that is handled internally. The
549 // |init| function is called for each handshake, before any other functions of
550 // the extension. Then the add and parse callbacks are called as needed.
551 //
552 // The parse callbacks receive a |CBS| that contains the contents of the
553 // extension (i.e. not including the type and length bytes). If an extension is
554 // not received then the parse callbacks will be called with a NULL CBS so that
555 // they can do any processing needed to handle the absence of an extension.
556 //
557 // The add callbacks receive a |CBB| to which the extension can be appended but
558 // the function is responsible for appending the type and length bytes too.
559 //
560 // All callbacks return true for success and false for error. If a parse
561 // function returns zero then a fatal alert with value |*out_alert| will be
562 // sent. If |*out_alert| isn't set, then a |decode_error| alert will be sent.
563 struct tls_extension {
564 uint16_t value;
565 void (*init)(SSL_HANDSHAKE *hs);
566
567 bool (*add_clienthello)(SSL_HANDSHAKE *hs, CBB *out);
568 bool (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
569 CBS *contents);
570
571 bool (*parse_clienthello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
572 CBS *contents);
573 bool (*add_serverhello)(SSL_HANDSHAKE *hs, CBB *out);
574 };
575
forbid_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)576 static bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
577 CBS *contents) {
578 if (contents != NULL) {
579 // Servers MUST NOT send this extension.
580 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
581 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
582 return false;
583 }
584
585 return true;
586 }
587
ignore_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)588 static bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
589 CBS *contents) {
590 // This extension from the client is handled elsewhere.
591 return true;
592 }
593
dont_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)594 static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
595 return true;
596 }
597
598 // Server name indication (SNI).
599 //
600 // https://tools.ietf.org/html/rfc6066#section-3.
601
ext_sni_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)602 static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
603 SSL *const ssl = hs->ssl;
604 if (ssl->hostname == nullptr) {
605 return true;
606 }
607
608 CBB contents, server_name_list, name;
609 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
610 !CBB_add_u16_length_prefixed(out, &contents) ||
611 !CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
612 !CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
613 !CBB_add_u16_length_prefixed(&server_name_list, &name) ||
614 !CBB_add_bytes(&name, (const uint8_t *)ssl->hostname.get(),
615 strlen(ssl->hostname.get())) ||
616 !CBB_flush(out)) {
617 return false;
618 }
619
620 return true;
621 }
622
ext_sni_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)623 static bool ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
624 CBS *contents) {
625 // The server may acknowledge SNI with an empty extension. We check the syntax
626 // but otherwise ignore this signal.
627 return contents == NULL || CBS_len(contents) == 0;
628 }
629
ext_sni_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)630 static bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
631 CBS *contents) {
632 SSL *const ssl = hs->ssl;
633 if (contents == NULL) {
634 return true;
635 }
636
637 CBS server_name_list, host_name;
638 uint8_t name_type;
639 if (!CBS_get_u16_length_prefixed(contents, &server_name_list) ||
640 !CBS_get_u8(&server_name_list, &name_type) ||
641 // Although the server_name extension was intended to be extensible to
642 // new name types and multiple names, OpenSSL 1.0.x had a bug which meant
643 // different name types will cause an error. Further, RFC 4366 originally
644 // defined syntax inextensibly. RFC 6066 corrected this mistake, but
645 // adding new name types is no longer feasible.
646 //
647 // Act as if the extensibility does not exist to simplify parsing.
648 !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
649 CBS_len(&server_name_list) != 0 ||
650 CBS_len(contents) != 0) {
651 return false;
652 }
653
654 if (name_type != TLSEXT_NAMETYPE_host_name ||
655 CBS_len(&host_name) == 0 ||
656 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
657 CBS_contains_zero_byte(&host_name)) {
658 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
659 return false;
660 }
661
662 // Copy the hostname as a string.
663 char *raw = nullptr;
664 if (!CBS_strdup(&host_name, &raw)) {
665 *out_alert = SSL_AD_INTERNAL_ERROR;
666 return false;
667 }
668 ssl->s3->hostname.reset(raw);
669
670 hs->should_ack_sni = true;
671 return true;
672 }
673
ext_sni_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)674 static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
675 if (hs->ssl->s3->session_reused ||
676 !hs->should_ack_sni) {
677 return true;
678 }
679
680 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
681 !CBB_add_u16(out, 0 /* length */)) {
682 return false;
683 }
684
685 return true;
686 }
687
688
689 // Renegotiation indication.
690 //
691 // https://tools.ietf.org/html/rfc5746
692
ext_ri_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)693 static bool ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
694 SSL *const ssl = hs->ssl;
695 // Renegotiation indication is not necessary in TLS 1.3.
696 if (hs->min_version >= TLS1_3_VERSION) {
697 return true;
698 }
699
700 assert(ssl->s3->initial_handshake_complete ==
701 (ssl->s3->previous_client_finished_len != 0));
702
703 CBB contents, prev_finished;
704 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
705 !CBB_add_u16_length_prefixed(out, &contents) ||
706 !CBB_add_u8_length_prefixed(&contents, &prev_finished) ||
707 !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished,
708 ssl->s3->previous_client_finished_len) ||
709 !CBB_flush(out)) {
710 return false;
711 }
712
713 return true;
714 }
715
ext_ri_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)716 static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
717 CBS *contents) {
718 SSL *const ssl = hs->ssl;
719 if (contents != NULL && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
720 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
721 return false;
722 }
723
724 // Servers may not switch between omitting the extension and supporting it.
725 // See RFC 5746, sections 3.5 and 4.2.
726 if (ssl->s3->initial_handshake_complete &&
727 (contents != NULL) != ssl->s3->send_connection_binding) {
728 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
729 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
730 return false;
731 }
732
733 if (contents == NULL) {
734 // Strictly speaking, if we want to avoid an attack we should *always* see
735 // RI even on initial ServerHello because the client doesn't see any
736 // renegotiation during an attack. However this would mean we could not
737 // connect to any server which doesn't support RI.
738 //
739 // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in
740 // practical terms every client sets it so it's just assumed here.
741 return true;
742 }
743
744 const size_t expected_len = ssl->s3->previous_client_finished_len +
745 ssl->s3->previous_server_finished_len;
746
747 // Check for logic errors
748 assert(!expected_len || ssl->s3->previous_client_finished_len);
749 assert(!expected_len || ssl->s3->previous_server_finished_len);
750 assert(ssl->s3->initial_handshake_complete ==
751 (ssl->s3->previous_client_finished_len != 0));
752 assert(ssl->s3->initial_handshake_complete ==
753 (ssl->s3->previous_server_finished_len != 0));
754
755 // Parse out the extension contents.
756 CBS renegotiated_connection;
757 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
758 CBS_len(contents) != 0) {
759 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
760 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
761 return false;
762 }
763
764 // Check that the extension matches.
765 if (CBS_len(&renegotiated_connection) != expected_len) {
766 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
767 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
768 return false;
769 }
770
771 const uint8_t *d = CBS_data(&renegotiated_connection);
772 bool ok = CRYPTO_memcmp(d, ssl->s3->previous_client_finished,
773 ssl->s3->previous_client_finished_len) == 0;
774 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
775 ok = true;
776 #endif
777 if (!ok) {
778 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
779 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
780 return false;
781 }
782 d += ssl->s3->previous_client_finished_len;
783
784 ok = CRYPTO_memcmp(d, ssl->s3->previous_server_finished,
785 ssl->s3->previous_server_finished_len) == 0;
786 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
787 ok = true;
788 #endif
789 if (!ok) {
790 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
791 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
792 return false;
793 }
794 ssl->s3->send_connection_binding = true;
795
796 return true;
797 }
798
ext_ri_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)799 static bool ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
800 CBS *contents) {
801 SSL *const ssl = hs->ssl;
802 // Renegotiation isn't supported as a server so this function should never be
803 // called after the initial handshake.
804 assert(!ssl->s3->initial_handshake_complete);
805
806 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
807 return true;
808 }
809
810 if (contents == NULL) {
811 return true;
812 }
813
814 CBS renegotiated_connection;
815 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
816 CBS_len(contents) != 0) {
817 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
818 return false;
819 }
820
821 // Check that the extension matches. We do not support renegotiation as a
822 // server, so this must be empty.
823 if (CBS_len(&renegotiated_connection) != 0) {
824 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
825 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
826 return false;
827 }
828
829 ssl->s3->send_connection_binding = true;
830
831 return true;
832 }
833
ext_ri_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)834 static bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
835 SSL *const ssl = hs->ssl;
836 // Renegotiation isn't supported as a server so this function should never be
837 // called after the initial handshake.
838 assert(!ssl->s3->initial_handshake_complete);
839
840 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
841 return true;
842 }
843
844 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
845 !CBB_add_u16(out, 1 /* length */) ||
846 !CBB_add_u8(out, 0 /* empty renegotiation info */)) {
847 return false;
848 }
849
850 return true;
851 }
852
853
854 // Extended Master Secret.
855 //
856 // https://tools.ietf.org/html/rfc7627
857
ext_ems_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)858 static bool ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
859 // Extended master secret is not necessary in TLS 1.3.
860 if (hs->min_version >= TLS1_3_VERSION) {
861 return true;
862 }
863
864 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
865 !CBB_add_u16(out, 0 /* length */)) {
866 return false;
867 }
868
869 return true;
870 }
871
ext_ems_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)872 static bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
873 CBS *contents) {
874 SSL *const ssl = hs->ssl;
875
876 if (contents != NULL) {
877 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
878 CBS_len(contents) != 0) {
879 return false;
880 }
881
882 hs->extended_master_secret = true;
883 }
884
885 // Whether EMS is negotiated may not change on renegotiation.
886 if (ssl->s3->established_session != nullptr &&
887 hs->extended_master_secret !=
888 !!ssl->s3->established_session->extended_master_secret) {
889 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH);
890 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
891 return false;
892 }
893
894 return true;
895 }
896
ext_ems_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)897 static bool ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
898 CBS *contents) {
899 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
900 return true;
901 }
902
903 if (contents == NULL) {
904 return true;
905 }
906
907 if (CBS_len(contents) != 0) {
908 return false;
909 }
910
911 hs->extended_master_secret = true;
912 return true;
913 }
914
ext_ems_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)915 static bool ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
916 if (!hs->extended_master_secret) {
917 return true;
918 }
919
920 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
921 !CBB_add_u16(out, 0 /* length */)) {
922 return false;
923 }
924
925 return true;
926 }
927
928
929 // Session tickets.
930 //
931 // https://tools.ietf.org/html/rfc5077
932
ext_ticket_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)933 static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
934 SSL *const ssl = hs->ssl;
935 // TLS 1.3 uses a different ticket extension.
936 if (hs->min_version >= TLS1_3_VERSION ||
937 SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
938 return true;
939 }
940
941 Span<const uint8_t> ticket;
942
943 // Renegotiation does not participate in session resumption. However, still
944 // advertise the extension to avoid potentially breaking servers which carry
945 // over the state from the previous handshake, such as OpenSSL servers
946 // without upstream's 3c3f0259238594d77264a78944d409f2127642c4.
947 if (!ssl->s3->initial_handshake_complete &&
948 ssl->session != nullptr &&
949 !ssl->session->ticket.empty() &&
950 // Don't send TLS 1.3 session tickets in the ticket extension.
951 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
952 ticket = ssl->session->ticket;
953 }
954
955 CBB ticket_cbb;
956 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
957 !CBB_add_u16_length_prefixed(out, &ticket_cbb) ||
958 !CBB_add_bytes(&ticket_cbb, ticket.data(), ticket.size()) ||
959 !CBB_flush(out)) {
960 return false;
961 }
962
963 return true;
964 }
965
ext_ticket_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)966 static bool ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
967 CBS *contents) {
968 SSL *const ssl = hs->ssl;
969 if (contents == NULL) {
970 return true;
971 }
972
973 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
974 return false;
975 }
976
977 // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
978 // this function should never be called, even if the server tries to send the
979 // extension.
980 assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);
981
982 if (CBS_len(contents) != 0) {
983 return false;
984 }
985
986 hs->ticket_expected = true;
987 return true;
988 }
989
ext_ticket_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)990 static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
991 if (!hs->ticket_expected) {
992 return true;
993 }
994
995 // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true.
996 assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0);
997
998 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
999 !CBB_add_u16(out, 0 /* length */)) {
1000 return false;
1001 }
1002
1003 return true;
1004 }
1005
1006
1007 // Signature Algorithms.
1008 //
1009 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
1010
ext_sigalgs_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1011 static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1012 SSL *const ssl = hs->ssl;
1013 if (hs->max_version < TLS1_2_VERSION) {
1014 return true;
1015 }
1016
1017 // Prior to TLS 1.3, there was no way to signal different signature algorithm
1018 // preferences between the online signature and certificates. If we do not
1019 // send the signature_algorithms_cert extension, use the potentially more
1020 // restrictive certificate list.
1021 //
1022 // TODO(davidben): When TLS 1.3 is finalized, we can likely remove the TLS 1.3
1023 // check both here and in signature_algorithms_cert. |hs->max_version| is not
1024 // the negotiated version. Rather the expectation is that any server consuming
1025 // signature algorithms added in TLS 1.3 will also know to look at
1026 // signature_algorithms_cert. For now, TLS 1.3 is not quite yet final and it
1027 // seems prudent to condition this new extension on it.
1028 bool for_certs = hs->max_version < TLS1_3_VERSION;
1029 CBB contents, sigalgs_cbb;
1030 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
1031 !CBB_add_u16_length_prefixed(out, &contents) ||
1032 !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
1033 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, for_certs) ||
1034 !CBB_flush(out)) {
1035 return false;
1036 }
1037
1038 return true;
1039 }
1040
ext_sigalgs_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1041 static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1042 CBS *contents) {
1043 hs->peer_sigalgs.Reset();
1044 if (contents == NULL) {
1045 return true;
1046 }
1047
1048 CBS supported_signature_algorithms;
1049 if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) ||
1050 CBS_len(contents) != 0 ||
1051 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
1052 return false;
1053 }
1054
1055 return true;
1056 }
1057
1058
1059 // Signature Algorithms for Certificates.
1060 //
1061 // https://tools.ietf.org/html/rfc8446#section-4.2.3
1062
ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1063 static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1064 SSL *const ssl = hs->ssl;
1065 // If this extension is omitted, it defaults to the signature_algorithms
1066 // extension, so only emit it if the list is different.
1067 //
1068 // This extension is also new in TLS 1.3, so omit it if TLS 1.3 is disabled.
1069 // There is a corresponding version check in |ext_sigalgs_add_clienthello|.
1070 if (hs->max_version < TLS1_3_VERSION ||
1071 !tls12_has_different_verify_sigalgs_for_certs(ssl)) {
1072 return true;
1073 }
1074
1075 CBB contents, sigalgs_cbb;
1076 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms_cert) ||
1077 !CBB_add_u16_length_prefixed(out, &contents) ||
1078 !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
1079 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */) ||
1080 !CBB_flush(out)) {
1081 return false;
1082 }
1083
1084 return true;
1085 }
1086
1087
1088 // OCSP Stapling.
1089 //
1090 // https://tools.ietf.org/html/rfc6066#section-8
1091
ext_ocsp_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1092 static bool ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1093 if (!hs->config->ocsp_stapling_enabled) {
1094 return true;
1095 }
1096
1097 CBB contents;
1098 if (!CBB_add_u16(out, TLSEXT_TYPE_status_request) ||
1099 !CBB_add_u16_length_prefixed(out, &contents) ||
1100 !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
1101 !CBB_add_u16(&contents, 0 /* empty responder ID list */) ||
1102 !CBB_add_u16(&contents, 0 /* empty request extensions */) ||
1103 !CBB_flush(out)) {
1104 return false;
1105 }
1106
1107 return true;
1108 }
1109
ext_ocsp_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1110 static bool ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1111 CBS *contents) {
1112 SSL *const ssl = hs->ssl;
1113 if (contents == NULL) {
1114 return true;
1115 }
1116
1117 // TLS 1.3 OCSP responses are included in the Certificate extensions.
1118 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1119 return false;
1120 }
1121
1122 // OCSP stapling is forbidden on non-certificate ciphers.
1123 if (CBS_len(contents) != 0 ||
1124 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1125 return false;
1126 }
1127
1128 // Note this does not check for resumption in TLS 1.2. Sending
1129 // status_request here does not make sense, but OpenSSL does so and the
1130 // specification does not say anything. Tolerate it but ignore it.
1131
1132 hs->certificate_status_expected = true;
1133 return true;
1134 }
1135
ext_ocsp_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1136 static bool ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1137 CBS *contents) {
1138 if (contents == NULL) {
1139 return true;
1140 }
1141
1142 uint8_t status_type;
1143 if (!CBS_get_u8(contents, &status_type)) {
1144 return false;
1145 }
1146
1147 // We cannot decide whether OCSP stapling will occur yet because the correct
1148 // SSL_CTX might not have been selected.
1149 hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
1150
1151 return true;
1152 }
1153
ext_ocsp_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1154 static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1155 SSL *const ssl = hs->ssl;
1156 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
1157 !hs->ocsp_stapling_requested || hs->config->cert->ocsp_response == NULL ||
1158 ssl->s3->session_reused ||
1159 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1160 return true;
1161 }
1162
1163 hs->certificate_status_expected = true;
1164
1165 return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
1166 CBB_add_u16(out, 0 /* length */);
1167 }
1168
1169
1170 // Next protocol negotiation.
1171 //
1172 // https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html
1173
ext_npn_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1174 static bool ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1175 SSL *const ssl = hs->ssl;
1176 if (ssl->s3->initial_handshake_complete ||
1177 ssl->ctx->next_proto_select_cb == NULL ||
1178 SSL_is_dtls(ssl)) {
1179 return true;
1180 }
1181
1182 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1183 !CBB_add_u16(out, 0 /* length */)) {
1184 return false;
1185 }
1186
1187 return true;
1188 }
1189
ext_npn_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1190 static bool ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1191 CBS *contents) {
1192 SSL *const ssl = hs->ssl;
1193 if (contents == NULL) {
1194 return true;
1195 }
1196
1197 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1198 return false;
1199 }
1200
1201 // If any of these are false then we should never have sent the NPN
1202 // extension in the ClientHello and thus this function should never have been
1203 // called.
1204 assert(!ssl->s3->initial_handshake_complete);
1205 assert(!SSL_is_dtls(ssl));
1206 assert(ssl->ctx->next_proto_select_cb != NULL);
1207
1208 if (!ssl->s3->alpn_selected.empty()) {
1209 // NPN and ALPN may not be negotiated in the same connection.
1210 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1211 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1212 return false;
1213 }
1214
1215 const uint8_t *const orig_contents = CBS_data(contents);
1216 const size_t orig_len = CBS_len(contents);
1217
1218 while (CBS_len(contents) != 0) {
1219 CBS proto;
1220 if (!CBS_get_u8_length_prefixed(contents, &proto) ||
1221 CBS_len(&proto) == 0) {
1222 return false;
1223 }
1224 }
1225
1226 uint8_t *selected;
1227 uint8_t selected_len;
1228 if (ssl->ctx->next_proto_select_cb(
1229 ssl, &selected, &selected_len, orig_contents, orig_len,
1230 ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK ||
1231 !ssl->s3->next_proto_negotiated.CopyFrom(
1232 MakeConstSpan(selected, selected_len))) {
1233 *out_alert = SSL_AD_INTERNAL_ERROR;
1234 return false;
1235 }
1236
1237 hs->next_proto_neg_seen = true;
1238 return true;
1239 }
1240
ext_npn_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1241 static bool ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1242 CBS *contents) {
1243 SSL *const ssl = hs->ssl;
1244 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1245 return true;
1246 }
1247
1248 if (contents != NULL && CBS_len(contents) != 0) {
1249 return false;
1250 }
1251
1252 if (contents == NULL ||
1253 ssl->s3->initial_handshake_complete ||
1254 ssl->ctx->next_protos_advertised_cb == NULL ||
1255 SSL_is_dtls(ssl)) {
1256 return true;
1257 }
1258
1259 hs->next_proto_neg_seen = true;
1260 return true;
1261 }
1262
ext_npn_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1263 static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1264 SSL *const ssl = hs->ssl;
1265 // |next_proto_neg_seen| might have been cleared when an ALPN extension was
1266 // parsed.
1267 if (!hs->next_proto_neg_seen) {
1268 return true;
1269 }
1270
1271 const uint8_t *npa;
1272 unsigned npa_len;
1273
1274 if (ssl->ctx->next_protos_advertised_cb(
1275 ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) !=
1276 SSL_TLSEXT_ERR_OK) {
1277 hs->next_proto_neg_seen = false;
1278 return true;
1279 }
1280
1281 CBB contents;
1282 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1283 !CBB_add_u16_length_prefixed(out, &contents) ||
1284 !CBB_add_bytes(&contents, npa, npa_len) ||
1285 !CBB_flush(out)) {
1286 return false;
1287 }
1288
1289 return true;
1290 }
1291
1292
1293 // Signed certificate timestamps.
1294 //
1295 // https://tools.ietf.org/html/rfc6962#section-3.3.1
1296
ext_sct_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1297 static bool ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1298 if (!hs->config->signed_cert_timestamps_enabled) {
1299 return true;
1300 }
1301
1302 if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) ||
1303 !CBB_add_u16(out, 0 /* length */)) {
1304 return false;
1305 }
1306
1307 return true;
1308 }
1309
ext_sct_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1310 static bool ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1311 CBS *contents) {
1312 SSL *const ssl = hs->ssl;
1313 if (contents == NULL) {
1314 return true;
1315 }
1316
1317 // TLS 1.3 SCTs are included in the Certificate extensions.
1318 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1319 *out_alert = SSL_AD_DECODE_ERROR;
1320 return false;
1321 }
1322
1323 // If this is false then we should never have sent the SCT extension in the
1324 // ClientHello and thus this function should never have been called.
1325 assert(hs->config->signed_cert_timestamps_enabled);
1326
1327 if (!ssl_is_sct_list_valid(contents)) {
1328 *out_alert = SSL_AD_DECODE_ERROR;
1329 return false;
1330 }
1331
1332 // Session resumption uses the original session information. The extension
1333 // should not be sent on resumption, but RFC 6962 did not make it a
1334 // requirement, so tolerate this.
1335 //
1336 // TODO(davidben): Enforce this anyway.
1337 if (!ssl->s3->session_reused) {
1338 hs->new_session->signed_cert_timestamp_list.reset(
1339 CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool));
1340 if (hs->new_session->signed_cert_timestamp_list == nullptr) {
1341 *out_alert = SSL_AD_INTERNAL_ERROR;
1342 return false;
1343 }
1344 }
1345
1346 return true;
1347 }
1348
ext_sct_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1349 static bool ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1350 CBS *contents) {
1351 if (contents == NULL) {
1352 return true;
1353 }
1354
1355 if (CBS_len(contents) != 0) {
1356 return false;
1357 }
1358
1359 hs->scts_requested = true;
1360 return true;
1361 }
1362
ext_sct_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1363 static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1364 SSL *const ssl = hs->ssl;
1365 // The extension shouldn't be sent when resuming sessions.
1366 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || ssl->s3->session_reused ||
1367 hs->config->cert->signed_cert_timestamp_list == NULL) {
1368 return true;
1369 }
1370
1371 CBB contents;
1372 return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) &&
1373 CBB_add_u16_length_prefixed(out, &contents) &&
1374 CBB_add_bytes(
1375 &contents,
1376 CRYPTO_BUFFER_data(
1377 hs->config->cert->signed_cert_timestamp_list.get()),
1378 CRYPTO_BUFFER_len(
1379 hs->config->cert->signed_cert_timestamp_list.get())) &&
1380 CBB_flush(out);
1381 }
1382
1383
1384 // Application-level Protocol Negotiation.
1385 //
1386 // https://tools.ietf.org/html/rfc7301
1387
ext_alpn_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1388 static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1389 SSL *const ssl = hs->ssl;
1390 if (hs->config->alpn_client_proto_list.empty() ||
1391 ssl->s3->initial_handshake_complete) {
1392 return true;
1393 }
1394
1395 CBB contents, proto_list;
1396 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1397 !CBB_add_u16_length_prefixed(out, &contents) ||
1398 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1399 !CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(),
1400 hs->config->alpn_client_proto_list.size()) ||
1401 !CBB_flush(out)) {
1402 return false;
1403 }
1404
1405 return true;
1406 }
1407
ext_alpn_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1408 static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1409 CBS *contents) {
1410 SSL *const ssl = hs->ssl;
1411 if (contents == NULL) {
1412 return true;
1413 }
1414
1415 assert(!ssl->s3->initial_handshake_complete);
1416 assert(!hs->config->alpn_client_proto_list.empty());
1417
1418 if (hs->next_proto_neg_seen) {
1419 // NPN and ALPN may not be negotiated in the same connection.
1420 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1421 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1422 return false;
1423 }
1424
1425 // The extension data consists of a ProtocolNameList which must have
1426 // exactly one ProtocolName. Each of these is length-prefixed.
1427 CBS protocol_name_list, protocol_name;
1428 if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
1429 CBS_len(contents) != 0 ||
1430 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
1431 // Empty protocol names are forbidden.
1432 CBS_len(&protocol_name) == 0 ||
1433 CBS_len(&protocol_name_list) != 0) {
1434 return false;
1435 }
1436
1437 if (!ssl_is_alpn_protocol_allowed(hs, protocol_name)) {
1438 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1439 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1440 return false;
1441 }
1442
1443 if (!ssl->s3->alpn_selected.CopyFrom(protocol_name)) {
1444 *out_alert = SSL_AD_INTERNAL_ERROR;
1445 return false;
1446 }
1447
1448 return true;
1449 }
1450
ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE * hs,Span<const uint8_t> protocol)1451 bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
1452 Span<const uint8_t> protocol) {
1453 if (hs->config->alpn_client_proto_list.empty()) {
1454 return false;
1455 }
1456
1457 if (hs->ssl->ctx->allow_unknown_alpn_protos) {
1458 return true;
1459 }
1460
1461 // Check that the protocol name is one of the ones we advertised.
1462 CBS client_protocol_name_list =
1463 MakeConstSpan(hs->config->alpn_client_proto_list),
1464 client_protocol_name;
1465 while (CBS_len(&client_protocol_name_list) > 0) {
1466 if (!CBS_get_u8_length_prefixed(&client_protocol_name_list,
1467 &client_protocol_name)) {
1468 return false;
1469 }
1470
1471 if (client_protocol_name == protocol) {
1472 return true;
1473 }
1474 }
1475
1476 return false;
1477 }
1478
ssl_negotiate_alpn(SSL_HANDSHAKE * hs,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello)1479 bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1480 const SSL_CLIENT_HELLO *client_hello) {
1481 SSL *const ssl = hs->ssl;
1482 CBS contents;
1483 if (ssl->ctx->alpn_select_cb == NULL ||
1484 !ssl_client_hello_get_extension(
1485 client_hello, &contents,
1486 TLSEXT_TYPE_application_layer_protocol_negotiation)) {
1487 // Ignore ALPN if not configured or no extension was supplied.
1488 return true;
1489 }
1490
1491 // ALPN takes precedence over NPN.
1492 hs->next_proto_neg_seen = false;
1493
1494 CBS protocol_name_list;
1495 if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
1496 CBS_len(&contents) != 0 ||
1497 CBS_len(&protocol_name_list) < 2) {
1498 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1499 *out_alert = SSL_AD_DECODE_ERROR;
1500 return false;
1501 }
1502
1503 // Validate the protocol list.
1504 CBS protocol_name_list_copy = protocol_name_list;
1505 while (CBS_len(&protocol_name_list_copy) > 0) {
1506 CBS protocol_name;
1507
1508 if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
1509 // Empty protocol names are forbidden.
1510 CBS_len(&protocol_name) == 0) {
1511 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1512 *out_alert = SSL_AD_DECODE_ERROR;
1513 return false;
1514 }
1515 }
1516
1517 const uint8_t *selected;
1518 uint8_t selected_len;
1519 if (ssl->ctx->alpn_select_cb(
1520 ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
1521 CBS_len(&protocol_name_list),
1522 ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) {
1523 if (selected_len == 0) {
1524 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1525 *out_alert = SSL_AD_INTERNAL_ERROR;
1526 return false;
1527 }
1528 if (!ssl->s3->alpn_selected.CopyFrom(
1529 MakeConstSpan(selected, selected_len))) {
1530 *out_alert = SSL_AD_INTERNAL_ERROR;
1531 return false;
1532 }
1533 }
1534
1535 return true;
1536 }
1537
ext_alpn_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1538 static bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1539 SSL *const ssl = hs->ssl;
1540 if (ssl->s3->alpn_selected.empty()) {
1541 return true;
1542 }
1543
1544 CBB contents, proto_list, proto;
1545 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1546 !CBB_add_u16_length_prefixed(out, &contents) ||
1547 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1548 !CBB_add_u8_length_prefixed(&proto_list, &proto) ||
1549 !CBB_add_bytes(&proto, ssl->s3->alpn_selected.data(),
1550 ssl->s3->alpn_selected.size()) ||
1551 !CBB_flush(out)) {
1552 return false;
1553 }
1554
1555 return true;
1556 }
1557
1558
1559 // Channel ID.
1560 //
1561 // https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1562
ext_channel_id_init(SSL_HANDSHAKE * hs)1563 static void ext_channel_id_init(SSL_HANDSHAKE *hs) {
1564 hs->ssl->s3->channel_id_valid = false;
1565 }
1566
ext_channel_id_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1567 static bool ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1568 SSL *const ssl = hs->ssl;
1569 if (!hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {
1570 return true;
1571 }
1572
1573 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1574 !CBB_add_u16(out, 0 /* length */)) {
1575 return false;
1576 }
1577
1578 return true;
1579 }
1580
ext_channel_id_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1581 static bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,
1582 uint8_t *out_alert,
1583 CBS *contents) {
1584 SSL *const ssl = hs->ssl;
1585 if (contents == NULL) {
1586 return true;
1587 }
1588
1589 assert(!SSL_is_dtls(ssl));
1590 assert(hs->config->channel_id_enabled);
1591
1592 if (CBS_len(contents) != 0) {
1593 return false;
1594 }
1595
1596 ssl->s3->channel_id_valid = true;
1597 return true;
1598 }
1599
ext_channel_id_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1600 static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
1601 uint8_t *out_alert,
1602 CBS *contents) {
1603 SSL *const ssl = hs->ssl;
1604 if (contents == NULL || !hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {
1605 return true;
1606 }
1607
1608 if (CBS_len(contents) != 0) {
1609 return false;
1610 }
1611
1612 ssl->s3->channel_id_valid = true;
1613 return true;
1614 }
1615
ext_channel_id_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1616 static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1617 SSL *const ssl = hs->ssl;
1618 if (!ssl->s3->channel_id_valid) {
1619 return true;
1620 }
1621
1622 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1623 !CBB_add_u16(out, 0 /* length */)) {
1624 return false;
1625 }
1626
1627 return true;
1628 }
1629
1630
1631 // Secure Real-time Transport Protocol (SRTP) extension.
1632 //
1633 // https://tools.ietf.org/html/rfc5764
1634
1635
ext_srtp_init(SSL_HANDSHAKE * hs)1636 static void ext_srtp_init(SSL_HANDSHAKE *hs) {
1637 hs->ssl->s3->srtp_profile = NULL;
1638 }
1639
ext_srtp_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1640 static bool ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1641 SSL *const ssl = hs->ssl;
1642 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1643 if (profiles == NULL ||
1644 sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0) {
1645 return true;
1646 }
1647
1648 CBB contents, profile_ids;
1649 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1650 !CBB_add_u16_length_prefixed(out, &contents) ||
1651 !CBB_add_u16_length_prefixed(&contents, &profile_ids)) {
1652 return false;
1653 }
1654
1655 for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1656 if (!CBB_add_u16(&profile_ids, profile->id)) {
1657 return false;
1658 }
1659 }
1660
1661 if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) ||
1662 !CBB_flush(out)) {
1663 return false;
1664 }
1665
1666 return true;
1667 }
1668
ext_srtp_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1669 static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1670 CBS *contents) {
1671 SSL *const ssl = hs->ssl;
1672 if (contents == NULL) {
1673 return true;
1674 }
1675
1676 // The extension consists of a u16-prefixed profile ID list containing a
1677 // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
1678 //
1679 // See https://tools.ietf.org/html/rfc5764#section-4.1.1
1680 CBS profile_ids, srtp_mki;
1681 uint16_t profile_id;
1682 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1683 !CBS_get_u16(&profile_ids, &profile_id) ||
1684 CBS_len(&profile_ids) != 0 ||
1685 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1686 CBS_len(contents) != 0) {
1687 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1688 return false;
1689 }
1690
1691 if (CBS_len(&srtp_mki) != 0) {
1692 // Must be no MKI, since we never offer one.
1693 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);
1694 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1695 return false;
1696 }
1697
1698 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1699
1700 // Check to see if the server gave us something we support (and presumably
1701 // offered).
1702 for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1703 if (profile->id == profile_id) {
1704 ssl->s3->srtp_profile = profile;
1705 return true;
1706 }
1707 }
1708
1709 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1710 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1711 return false;
1712 }
1713
ext_srtp_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1714 static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1715 CBS *contents) {
1716 SSL *const ssl = hs->ssl;
1717 if (contents == NULL) {
1718 return true;
1719 }
1720
1721 CBS profile_ids, srtp_mki;
1722 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1723 CBS_len(&profile_ids) < 2 ||
1724 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1725 CBS_len(contents) != 0) {
1726 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1727 return false;
1728 }
1729 // Discard the MKI value for now.
1730
1731 const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =
1732 SSL_get_srtp_profiles(ssl);
1733
1734 // Pick the server's most preferred profile.
1735 for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) {
1736 CBS profile_ids_tmp;
1737 CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids));
1738
1739 while (CBS_len(&profile_ids_tmp) > 0) {
1740 uint16_t profile_id;
1741 if (!CBS_get_u16(&profile_ids_tmp, &profile_id)) {
1742 return false;
1743 }
1744
1745 if (server_profile->id == profile_id) {
1746 ssl->s3->srtp_profile = server_profile;
1747 return true;
1748 }
1749 }
1750 }
1751
1752 return true;
1753 }
1754
ext_srtp_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1755 static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1756 SSL *const ssl = hs->ssl;
1757 if (ssl->s3->srtp_profile == NULL) {
1758 return true;
1759 }
1760
1761 CBB contents, profile_ids;
1762 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1763 !CBB_add_u16_length_prefixed(out, &contents) ||
1764 !CBB_add_u16_length_prefixed(&contents, &profile_ids) ||
1765 !CBB_add_u16(&profile_ids, ssl->s3->srtp_profile->id) ||
1766 !CBB_add_u8(&contents, 0 /* empty MKI */) ||
1767 !CBB_flush(out)) {
1768 return false;
1769 }
1770
1771 return true;
1772 }
1773
1774
1775 // EC point formats.
1776 //
1777 // https://tools.ietf.org/html/rfc4492#section-5.1.2
1778
ext_ec_point_add_extension(SSL_HANDSHAKE * hs,CBB * out)1779 static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
1780 CBB contents, formats;
1781 if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) ||
1782 !CBB_add_u16_length_prefixed(out, &contents) ||
1783 !CBB_add_u8_length_prefixed(&contents, &formats) ||
1784 !CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) ||
1785 !CBB_flush(out)) {
1786 return false;
1787 }
1788
1789 return true;
1790 }
1791
ext_ec_point_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1792 static bool ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1793 // The point format extension is unneccessary in TLS 1.3.
1794 if (hs->min_version >= TLS1_3_VERSION) {
1795 return true;
1796 }
1797
1798 return ext_ec_point_add_extension(hs, out);
1799 }
1800
ext_ec_point_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1801 static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1802 CBS *contents) {
1803 if (contents == NULL) {
1804 return true;
1805 }
1806
1807 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1808 return false;
1809 }
1810
1811 CBS ec_point_format_list;
1812 if (!CBS_get_u8_length_prefixed(contents, &ec_point_format_list) ||
1813 CBS_len(contents) != 0) {
1814 return false;
1815 }
1816
1817 // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
1818 // point format.
1819 if (OPENSSL_memchr(CBS_data(&ec_point_format_list),
1820 TLSEXT_ECPOINTFORMAT_uncompressed,
1821 CBS_len(&ec_point_format_list)) == NULL) {
1822 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1823 return false;
1824 }
1825
1826 return true;
1827 }
1828
ext_ec_point_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1829 static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1830 CBS *contents) {
1831 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1832 return true;
1833 }
1834
1835 return ext_ec_point_parse_serverhello(hs, out_alert, contents);
1836 }
1837
ext_ec_point_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1838 static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1839 SSL *const ssl = hs->ssl;
1840 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1841 return true;
1842 }
1843
1844 const uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1845 const uint32_t alg_a = hs->new_cipher->algorithm_auth;
1846 const bool using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1847
1848 if (!using_ecc) {
1849 return true;
1850 }
1851
1852 return ext_ec_point_add_extension(hs, out);
1853 }
1854
1855
1856 // Pre Shared Key
1857 //
1858 // https://tools.ietf.org/html/rfc8446#section-4.2.11
1859
ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE * hs)1860 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
1861 SSL *const ssl = hs->ssl;
1862 if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
1863 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
1864 return 0;
1865 }
1866
1867 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
1868 return 15 + ssl->session->ticket.size() + binder_len;
1869 }
1870
ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1871 static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1872 SSL *const ssl = hs->ssl;
1873 hs->needs_psk_binder = false;
1874 if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
1875 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
1876 return true;
1877 }
1878
1879 // Per RFC 8446 section 4.1.4, skip offering the session if the selected
1880 // cipher in HelloRetryRequest does not match. This avoids performing the
1881 // transcript hash transformation for multiple hashes.
1882 if (hs->received_hello_retry_request &&
1883 ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
1884 return true;
1885 }
1886
1887 struct OPENSSL_timeval now;
1888 ssl_get_current_time(ssl, &now);
1889 uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time);
1890 uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add;
1891
1892 // Fill in a placeholder zero binder of the appropriate length. It will be
1893 // computed and filled in later after length prefixes are computed.
1894 uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
1895 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
1896
1897 CBB contents, identity, ticket, binders, binder;
1898 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1899 !CBB_add_u16_length_prefixed(out, &contents) ||
1900 !CBB_add_u16_length_prefixed(&contents, &identity) ||
1901 !CBB_add_u16_length_prefixed(&identity, &ticket) ||
1902 !CBB_add_bytes(&ticket, ssl->session->ticket.data(),
1903 ssl->session->ticket.size()) ||
1904 !CBB_add_u32(&identity, obfuscated_ticket_age) ||
1905 !CBB_add_u16_length_prefixed(&contents, &binders) ||
1906 !CBB_add_u8_length_prefixed(&binders, &binder) ||
1907 !CBB_add_bytes(&binder, zero_binder, binder_len)) {
1908 return false;
1909 }
1910
1911 hs->needs_psk_binder = true;
1912 return CBB_flush(out);
1913 }
1914
ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1915 bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
1916 uint8_t *out_alert,
1917 CBS *contents) {
1918 uint16_t psk_id;
1919 if (!CBS_get_u16(contents, &psk_id) ||
1920 CBS_len(contents) != 0) {
1921 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1922 *out_alert = SSL_AD_DECODE_ERROR;
1923 return false;
1924 }
1925
1926 // We only advertise one PSK identity, so the only legal index is zero.
1927 if (psk_id != 0) {
1928 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1929 *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY;
1930 return false;
1931 }
1932
1933 return true;
1934 }
1935
ssl_ext_pre_shared_key_parse_clienthello(SSL_HANDSHAKE * hs,CBS * out_ticket,CBS * out_binders,uint32_t * out_obfuscated_ticket_age,uint8_t * out_alert,CBS * contents)1936 bool ssl_ext_pre_shared_key_parse_clienthello(
1937 SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,
1938 uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents) {
1939 // We only process the first PSK identity since we don't support pure PSK.
1940 CBS identities, binders;
1941 if (!CBS_get_u16_length_prefixed(contents, &identities) ||
1942 !CBS_get_u16_length_prefixed(&identities, out_ticket) ||
1943 !CBS_get_u32(&identities, out_obfuscated_ticket_age) ||
1944 !CBS_get_u16_length_prefixed(contents, &binders) ||
1945 CBS_len(&binders) == 0 ||
1946 CBS_len(contents) != 0) {
1947 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1948 *out_alert = SSL_AD_DECODE_ERROR;
1949 return false;
1950 }
1951
1952 *out_binders = binders;
1953
1954 // Check the syntax of the remaining identities, but do not process them.
1955 size_t num_identities = 1;
1956 while (CBS_len(&identities) != 0) {
1957 CBS unused_ticket;
1958 uint32_t unused_obfuscated_ticket_age;
1959 if (!CBS_get_u16_length_prefixed(&identities, &unused_ticket) ||
1960 !CBS_get_u32(&identities, &unused_obfuscated_ticket_age)) {
1961 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1962 *out_alert = SSL_AD_DECODE_ERROR;
1963 return false;
1964 }
1965
1966 num_identities++;
1967 }
1968
1969 // Check the syntax of the binders. The value will be checked later if
1970 // resuming.
1971 size_t num_binders = 0;
1972 while (CBS_len(&binders) != 0) {
1973 CBS binder;
1974 if (!CBS_get_u8_length_prefixed(&binders, &binder)) {
1975 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1976 *out_alert = SSL_AD_DECODE_ERROR;
1977 return false;
1978 }
1979
1980 num_binders++;
1981 }
1982
1983 if (num_identities != num_binders) {
1984 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH);
1985 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1986 return false;
1987 }
1988
1989 return true;
1990 }
1991
ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1992 bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1993 if (!hs->ssl->s3->session_reused) {
1994 return true;
1995 }
1996
1997 CBB contents;
1998 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1999 !CBB_add_u16_length_prefixed(out, &contents) ||
2000 // We only consider the first identity for resumption
2001 !CBB_add_u16(&contents, 0) ||
2002 !CBB_flush(out)) {
2003 return false;
2004 }
2005
2006 return true;
2007 }
2008
2009
2010 // Pre-Shared Key Exchange Modes
2011 //
2012 // https://tools.ietf.org/html/rfc8446#section-4.2.9
2013
ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2014 static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
2015 CBB *out) {
2016 if (hs->max_version < TLS1_3_VERSION) {
2017 return true;
2018 }
2019
2020 CBB contents, ke_modes;
2021 if (!CBB_add_u16(out, TLSEXT_TYPE_psk_key_exchange_modes) ||
2022 !CBB_add_u16_length_prefixed(out, &contents) ||
2023 !CBB_add_u8_length_prefixed(&contents, &ke_modes) ||
2024 !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) {
2025 return false;
2026 }
2027
2028 return CBB_flush(out);
2029 }
2030
ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2031 static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
2032 uint8_t *out_alert,
2033 CBS *contents) {
2034 if (contents == NULL) {
2035 return true;
2036 }
2037
2038 CBS ke_modes;
2039 if (!CBS_get_u8_length_prefixed(contents, &ke_modes) ||
2040 CBS_len(&ke_modes) == 0 ||
2041 CBS_len(contents) != 0) {
2042 *out_alert = SSL_AD_DECODE_ERROR;
2043 return false;
2044 }
2045
2046 // We only support tickets with PSK_DHE_KE.
2047 hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE,
2048 CBS_len(&ke_modes)) != NULL;
2049
2050 return true;
2051 }
2052
2053
2054 // Early Data Indication
2055 //
2056 // https://tools.ietf.org/html/rfc8446#section-4.2.10
2057
ext_early_data_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2058 static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2059 SSL *const ssl = hs->ssl;
2060 if (!ssl->enable_early_data ||
2061 // Session must be 0-RTT capable.
2062 ssl->session == nullptr ||
2063 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
2064 ssl->session->ticket_max_early_data == 0 ||
2065 // The second ClientHello never offers early data.
2066 hs->received_hello_retry_request ||
2067 // In case ALPN preferences changed since this session was established,
2068 // avoid reporting a confusing value in |SSL_get0_alpn_selected|.
2069 (!ssl->session->early_alpn.empty() &&
2070 !ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn))) {
2071 return true;
2072 }
2073
2074 hs->early_data_offered = true;
2075
2076 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2077 !CBB_add_u16(out, 0) ||
2078 !CBB_flush(out)) {
2079 return false;
2080 }
2081
2082 return true;
2083 }
2084
ext_early_data_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2085 static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
2086 uint8_t *out_alert, CBS *contents) {
2087 SSL *const ssl = hs->ssl;
2088 if (contents == NULL) {
2089 return true;
2090 }
2091
2092 if (CBS_len(contents) != 0) {
2093 *out_alert = SSL_AD_DECODE_ERROR;
2094 return false;
2095 }
2096
2097 if (!ssl->s3->session_reused) {
2098 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2099 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
2100 return false;
2101 }
2102
2103 ssl->s3->early_data_accepted = true;
2104 return true;
2105 }
2106
ext_early_data_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2107 static bool ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs,
2108 uint8_t *out_alert, CBS *contents) {
2109 SSL *const ssl = hs->ssl;
2110 if (contents == NULL ||
2111 ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2112 return true;
2113 }
2114
2115 if (CBS_len(contents) != 0) {
2116 *out_alert = SSL_AD_DECODE_ERROR;
2117 return false;
2118 }
2119
2120 hs->early_data_offered = true;
2121 return true;
2122 }
2123
ext_early_data_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2124 static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2125 if (!hs->ssl->s3->early_data_accepted) {
2126 return true;
2127 }
2128
2129 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2130 !CBB_add_u16(out, 0) ||
2131 !CBB_flush(out)) {
2132 return false;
2133 }
2134
2135 return true;
2136 }
2137
2138
2139 // Key Share
2140 //
2141 // https://tools.ietf.org/html/rfc8446#section-4.2.8
2142
ext_key_share_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2143 static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2144 SSL *const ssl = hs->ssl;
2145 if (hs->max_version < TLS1_3_VERSION) {
2146 return true;
2147 }
2148
2149 CBB contents, kse_bytes;
2150 if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2151 !CBB_add_u16_length_prefixed(out, &contents) ||
2152 !CBB_add_u16_length_prefixed(&contents, &kse_bytes)) {
2153 return false;
2154 }
2155
2156 uint16_t group_id = hs->retry_group;
2157 uint16_t second_group_id = 0;
2158 if (hs->received_hello_retry_request) {
2159 // We received a HelloRetryRequest without a new curve, so there is no new
2160 // share to append. Leave |hs->key_share| as-is.
2161 if (group_id == 0 &&
2162 !CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(),
2163 hs->key_share_bytes.size())) {
2164 return false;
2165 }
2166 hs->key_share_bytes.Reset();
2167 if (group_id == 0) {
2168 return CBB_flush(out);
2169 }
2170 } else {
2171 // Add a fake group. See draft-davidben-tls-grease-01.
2172 if (ssl->ctx->grease_enabled &&
2173 (!CBB_add_u16(&kse_bytes,
2174 ssl_get_grease_value(hs, ssl_grease_group)) ||
2175 !CBB_add_u16(&kse_bytes, 1 /* length */) ||
2176 !CBB_add_u8(&kse_bytes, 0 /* one byte key share */))) {
2177 return false;
2178 }
2179
2180 // Predict the most preferred group.
2181 Span<const uint16_t> groups = tls1_get_grouplist(hs);
2182 if (groups.empty()) {
2183 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED);
2184 return false;
2185 }
2186
2187 group_id = groups[0];
2188
2189 if (group_id == SSL_CURVE_CECPQ2 && groups.size() >= 2) {
2190 // CECPQ2 is not sent as the only initial key share. We'll include the
2191 // 2nd preference group too to avoid round-trips.
2192 second_group_id = groups[1];
2193 assert(second_group_id != group_id);
2194 }
2195 }
2196
2197 CBB key_exchange;
2198 hs->key_shares[0] = SSLKeyShare::Create(group_id);
2199 if (!hs->key_shares[0] ||
2200 !CBB_add_u16(&kse_bytes, group_id) ||
2201 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2202 !hs->key_shares[0]->Offer(&key_exchange) ||
2203 !CBB_flush(&kse_bytes)) {
2204 return false;
2205 }
2206
2207 if (second_group_id != 0) {
2208 hs->key_shares[1] = SSLKeyShare::Create(second_group_id);
2209 if (!hs->key_shares[1] ||
2210 !CBB_add_u16(&kse_bytes, second_group_id) ||
2211 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2212 !hs->key_shares[1]->Offer(&key_exchange) ||
2213 !CBB_flush(&kse_bytes)) {
2214 return false;
2215 }
2216 }
2217
2218 // Save the contents of the extension to repeat it in the second
2219 // ClientHello.
2220 if (!hs->received_hello_retry_request &&
2221 !hs->key_share_bytes.CopyFrom(
2222 MakeConstSpan(CBB_data(&kse_bytes), CBB_len(&kse_bytes)))) {
2223 return false;
2224 }
2225
2226 return CBB_flush(out);
2227 }
2228
ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE * hs,Array<uint8_t> * out_secret,uint8_t * out_alert,CBS * contents)2229 bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
2230 Array<uint8_t> *out_secret,
2231 uint8_t *out_alert, CBS *contents) {
2232 CBS peer_key;
2233 uint16_t group_id;
2234 if (!CBS_get_u16(contents, &group_id) ||
2235 !CBS_get_u16_length_prefixed(contents, &peer_key) ||
2236 CBS_len(contents) != 0) {
2237 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2238 *out_alert = SSL_AD_DECODE_ERROR;
2239 return false;
2240 }
2241
2242 SSLKeyShare *key_share = hs->key_shares[0].get();
2243 if (key_share->GroupID() != group_id) {
2244 if (!hs->key_shares[1] || hs->key_shares[1]->GroupID() != group_id) {
2245 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2246 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
2247 return false;
2248 }
2249 key_share = hs->key_shares[1].get();
2250 }
2251
2252 if (!key_share->Finish(out_secret, out_alert, peer_key)) {
2253 *out_alert = SSL_AD_INTERNAL_ERROR;
2254 return false;
2255 }
2256
2257 hs->new_session->group_id = group_id;
2258 hs->key_shares[0].reset();
2259 hs->key_shares[1].reset();
2260 return true;
2261 }
2262
ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE * hs,bool * out_found,Array<uint8_t> * out_secret,uint8_t * out_alert,CBS * contents)2263 bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
2264 Array<uint8_t> *out_secret,
2265 uint8_t *out_alert, CBS *contents) {
2266 uint16_t group_id;
2267 CBS key_shares;
2268 if (!tls1_get_shared_group(hs, &group_id)) {
2269 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
2270 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
2271 return false;
2272 }
2273
2274 if (!CBS_get_u16_length_prefixed(contents, &key_shares) ||
2275 CBS_len(contents) != 0) {
2276 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2277 return false;
2278 }
2279
2280 // Find the corresponding key share.
2281 CBS peer_key;
2282 CBS_init(&peer_key, NULL, 0);
2283 while (CBS_len(&key_shares) > 0) {
2284 uint16_t id;
2285 CBS peer_key_tmp;
2286 if (!CBS_get_u16(&key_shares, &id) ||
2287 !CBS_get_u16_length_prefixed(&key_shares, &peer_key_tmp) ||
2288 CBS_len(&peer_key_tmp) == 0) {
2289 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2290 return false;
2291 }
2292
2293 if (id == group_id) {
2294 if (CBS_len(&peer_key) != 0) {
2295 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_KEY_SHARE);
2296 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2297 return false;
2298 }
2299
2300 peer_key = peer_key_tmp;
2301 // Continue parsing the structure to keep peers honest.
2302 }
2303 }
2304
2305 if (CBS_len(&peer_key) == 0) {
2306 *out_found = false;
2307 out_secret->Reset();
2308 return true;
2309 }
2310
2311 // Compute the DH secret.
2312 Array<uint8_t> secret;
2313 ScopedCBB public_key;
2314 UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
2315 if (!key_share ||
2316 !CBB_init(public_key.get(), 32) ||
2317 !key_share->Accept(public_key.get(), &secret, out_alert, peer_key) ||
2318 !CBBFinishArray(public_key.get(), &hs->ecdh_public_key)) {
2319 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2320 return false;
2321 }
2322
2323 *out_secret = std::move(secret);
2324 *out_found = true;
2325 return true;
2326 }
2327
ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2328 bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2329 uint16_t group_id;
2330 CBB kse_bytes, public_key;
2331 if (!tls1_get_shared_group(hs, &group_id) ||
2332 !CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2333 !CBB_add_u16_length_prefixed(out, &kse_bytes) ||
2334 !CBB_add_u16(&kse_bytes, group_id) ||
2335 !CBB_add_u16_length_prefixed(&kse_bytes, &public_key) ||
2336 !CBB_add_bytes(&public_key, hs->ecdh_public_key.data(),
2337 hs->ecdh_public_key.size()) ||
2338 !CBB_flush(out)) {
2339 return false;
2340 }
2341
2342 hs->ecdh_public_key.Reset();
2343
2344 hs->new_session->group_id = group_id;
2345 return true;
2346 }
2347
2348
2349 // Supported Versions
2350 //
2351 // https://tools.ietf.org/html/rfc8446#section-4.2.1
2352
ext_supported_versions_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2353 static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2354 SSL *const ssl = hs->ssl;
2355 if (hs->max_version <= TLS1_2_VERSION) {
2356 return true;
2357 }
2358
2359 CBB contents, versions;
2360 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
2361 !CBB_add_u16_length_prefixed(out, &contents) ||
2362 !CBB_add_u8_length_prefixed(&contents, &versions)) {
2363 return false;
2364 }
2365
2366 // Add a fake version. See draft-davidben-tls-grease-01.
2367 if (ssl->ctx->grease_enabled &&
2368 !CBB_add_u16(&versions, ssl_get_grease_value(hs, ssl_grease_version))) {
2369 return false;
2370 }
2371
2372 if (!ssl_add_supported_versions(hs, &versions) ||
2373 !CBB_flush(out)) {
2374 return false;
2375 }
2376
2377 return true;
2378 }
2379
2380
2381 // Cookie
2382 //
2383 // https://tools.ietf.org/html/rfc8446#section-4.2.2
2384
ext_cookie_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2385 static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2386 if (hs->cookie.empty()) {
2387 return true;
2388 }
2389
2390 CBB contents, cookie;
2391 if (!CBB_add_u16(out, TLSEXT_TYPE_cookie) ||
2392 !CBB_add_u16_length_prefixed(out, &contents) ||
2393 !CBB_add_u16_length_prefixed(&contents, &cookie) ||
2394 !CBB_add_bytes(&cookie, hs->cookie.data(), hs->cookie.size()) ||
2395 !CBB_flush(out)) {
2396 return false;
2397 }
2398
2399 // The cookie is no longer needed in memory.
2400 hs->cookie.Reset();
2401 return true;
2402 }
2403
2404
2405 // Supported Groups
2406 //
2407 // https://tools.ietf.org/html/rfc4492#section-5.1.1
2408 // https://tools.ietf.org/html/rfc8446#section-4.2.7
2409
ext_supported_groups_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2410 static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2411 SSL *const ssl = hs->ssl;
2412 CBB contents, groups_bytes;
2413 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_groups) ||
2414 !CBB_add_u16_length_prefixed(out, &contents) ||
2415 !CBB_add_u16_length_prefixed(&contents, &groups_bytes)) {
2416 return false;
2417 }
2418
2419 // Add a fake group. See draft-davidben-tls-grease-01.
2420 if (ssl->ctx->grease_enabled &&
2421 !CBB_add_u16(&groups_bytes,
2422 ssl_get_grease_value(hs, ssl_grease_group))) {
2423 return false;
2424 }
2425
2426 for (uint16_t group : tls1_get_grouplist(hs)) {
2427 if (group == SSL_CURVE_CECPQ2 &&
2428 hs->max_version < TLS1_3_VERSION) {
2429 continue;
2430 }
2431 if (!CBB_add_u16(&groups_bytes, group)) {
2432 return false;
2433 }
2434 }
2435
2436 return CBB_flush(out);
2437 }
2438
ext_supported_groups_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2439 static bool ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
2440 uint8_t *out_alert,
2441 CBS *contents) {
2442 // This extension is not expected to be echoed by servers in TLS 1.2, but some
2443 // BigIP servers send it nonetheless, so do not enforce this.
2444 return true;
2445 }
2446
parse_u16_array(const CBS * cbs,Array<uint16_t> * out)2447 static bool parse_u16_array(const CBS *cbs, Array<uint16_t> *out) {
2448 CBS copy = *cbs;
2449 if ((CBS_len(©) & 1) != 0) {
2450 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2451 return false;
2452 }
2453
2454 Array<uint16_t> ret;
2455 if (!ret.Init(CBS_len(©) / 2)) {
2456 return false;
2457 }
2458 for (size_t i = 0; i < ret.size(); i++) {
2459 if (!CBS_get_u16(©, &ret[i])) {
2460 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2461 return false;
2462 }
2463 }
2464
2465 assert(CBS_len(©) == 0);
2466 *out = std::move(ret);
2467 return 1;
2468 }
2469
ext_supported_groups_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2470 static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,
2471 uint8_t *out_alert,
2472 CBS *contents) {
2473 if (contents == NULL) {
2474 return true;
2475 }
2476
2477 CBS supported_group_list;
2478 if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) ||
2479 CBS_len(&supported_group_list) == 0 ||
2480 CBS_len(contents) != 0 ||
2481 !parse_u16_array(&supported_group_list, &hs->peer_supported_group_list)) {
2482 return false;
2483 }
2484
2485 return true;
2486 }
2487
2488 // Token Binding
2489 //
2490 // https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-10
2491
2492 // The Token Binding version number currently matches the draft number of
2493 // draft-ietf-tokbind-protocol, and when published as an RFC it will be 0x0100.
2494 // Since there are no wire changes to the protocol from draft 13 through the
2495 // current draft (16), this implementation supports all versions in that range.
2496 static uint16_t kTokenBindingMaxVersion = 16;
2497 static uint16_t kTokenBindingMinVersion = 13;
2498
ext_token_binding_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2499 static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2500 SSL *const ssl = hs->ssl;
2501 if (hs->config->token_binding_params.empty() || SSL_is_dtls(ssl)) {
2502 return true;
2503 }
2504
2505 CBB contents, params;
2506 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2507 !CBB_add_u16_length_prefixed(out, &contents) ||
2508 !CBB_add_u16(&contents, kTokenBindingMaxVersion) ||
2509 !CBB_add_u8_length_prefixed(&contents, ¶ms) ||
2510 !CBB_add_bytes(¶ms, hs->config->token_binding_params.data(),
2511 hs->config->token_binding_params.size()) ||
2512 !CBB_flush(out)) {
2513 return false;
2514 }
2515
2516 return true;
2517 }
2518
ext_token_binding_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2519 static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs,
2520 uint8_t *out_alert,
2521 CBS *contents) {
2522 SSL *const ssl = hs->ssl;
2523 if (contents == nullptr) {
2524 return true;
2525 }
2526
2527 CBS params_list;
2528 uint16_t version;
2529 uint8_t param;
2530 if (!CBS_get_u16(contents, &version) ||
2531 !CBS_get_u8_length_prefixed(contents, ¶ms_list) ||
2532 !CBS_get_u8(¶ms_list, ¶m) ||
2533 CBS_len(¶ms_list) > 0 ||
2534 CBS_len(contents) > 0) {
2535 *out_alert = SSL_AD_DECODE_ERROR;
2536 return false;
2537 }
2538
2539 // The server-negotiated version must be less than or equal to our version.
2540 if (version > kTokenBindingMaxVersion) {
2541 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2542 return false;
2543 }
2544
2545 // If the server-selected version is less than what we support, then Token
2546 // Binding wasn't negotiated (but the extension was parsed successfully).
2547 if (version < kTokenBindingMinVersion) {
2548 return true;
2549 }
2550
2551 for (uint8_t config_param : hs->config->token_binding_params) {
2552 if (param == config_param) {
2553 ssl->s3->negotiated_token_binding_param = param;
2554 ssl->s3->token_binding_negotiated = true;
2555 return true;
2556 }
2557 }
2558
2559 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2560 return false;
2561 }
2562
2563 // select_tb_param looks for the first token binding param in
2564 // |hs->ssl->token_binding_params| that is also in |params| and puts it in
2565 // |hs->ssl->negotiated_token_binding_param|. It returns true if a token binding
2566 // param is found, and false otherwise.
select_tb_param(SSL_HANDSHAKE * hs,Span<const uint8_t> peer_params)2567 static bool select_tb_param(SSL_HANDSHAKE *hs,
2568 Span<const uint8_t> peer_params) {
2569 for (uint8_t tb_param : hs->config->token_binding_params) {
2570 for (uint8_t peer_param : peer_params) {
2571 if (tb_param == peer_param) {
2572 hs->ssl->s3->negotiated_token_binding_param = tb_param;
2573 return true;
2574 }
2575 }
2576 }
2577 return false;
2578 }
2579
ext_token_binding_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2580 static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs,
2581 uint8_t *out_alert,
2582 CBS *contents) {
2583 SSL *const ssl = hs->ssl;
2584 if (contents == nullptr || hs->config->token_binding_params.empty()) {
2585 return true;
2586 }
2587
2588 CBS params;
2589 uint16_t version;
2590 if (!CBS_get_u16(contents, &version) ||
2591 !CBS_get_u8_length_prefixed(contents, ¶ms) ||
2592 CBS_len(¶ms) == 0 ||
2593 CBS_len(contents) > 0) {
2594 *out_alert = SSL_AD_DECODE_ERROR;
2595 return false;
2596 }
2597
2598 // If the client-selected version is less than what we support, then Token
2599 // Binding wasn't negotiated (but the extension was parsed successfully).
2600 if (version < kTokenBindingMinVersion) {
2601 return true;
2602 }
2603
2604 // If the client-selected version is higher than we support, use our max
2605 // version. Otherwise, use the client's version.
2606 hs->negotiated_token_binding_version =
2607 std::min(version, kTokenBindingMaxVersion);
2608 if (!select_tb_param(hs, params)) {
2609 return true;
2610 }
2611
2612 ssl->s3->token_binding_negotiated = true;
2613 return true;
2614 }
2615
ext_token_binding_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2616 static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2617 SSL *const ssl = hs->ssl;
2618
2619 if (!ssl->s3->token_binding_negotiated) {
2620 return true;
2621 }
2622
2623 CBB contents, params;
2624 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2625 !CBB_add_u16_length_prefixed(out, &contents) ||
2626 !CBB_add_u16(&contents, hs->negotiated_token_binding_version) ||
2627 !CBB_add_u8_length_prefixed(&contents, ¶ms) ||
2628 !CBB_add_u8(¶ms, ssl->s3->negotiated_token_binding_param) ||
2629 !CBB_flush(out)) {
2630 return false;
2631 }
2632
2633 return true;
2634 }
2635
2636 // QUIC Transport Parameters
2637
ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2638 static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
2639 CBB *out) {
2640 if (hs->config->quic_transport_params.empty() ||
2641 hs->max_version <= TLS1_2_VERSION) {
2642 return true;
2643 }
2644
2645 CBB contents;
2646 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2647 !CBB_add_u16_length_prefixed(out, &contents) ||
2648 !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
2649 hs->config->quic_transport_params.size()) ||
2650 !CBB_flush(out)) {
2651 return false;
2652 }
2653 return true;
2654 }
2655
ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2656 static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
2657 uint8_t *out_alert,
2658 CBS *contents) {
2659 SSL *const ssl = hs->ssl;
2660 if (contents == nullptr) {
2661 return true;
2662 }
2663 // QUIC requires TLS 1.3.
2664 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2665 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2666 return false;
2667 }
2668
2669 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2670 }
2671
ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2672 static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
2673 uint8_t *out_alert,
2674 CBS *contents) {
2675 SSL *const ssl = hs->ssl;
2676 if (!contents || hs->config->quic_transport_params.empty()) {
2677 return true;
2678 }
2679 // Ignore the extension before TLS 1.3.
2680 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2681 return true;
2682 }
2683
2684 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2685 }
2686
ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2687 static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
2688 CBB *out) {
2689 if (hs->config->quic_transport_params.empty()) {
2690 return true;
2691 }
2692
2693 CBB contents;
2694 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2695 !CBB_add_u16_length_prefixed(out, &contents) ||
2696 !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
2697 hs->config->quic_transport_params.size()) ||
2698 !CBB_flush(out)) {
2699 return false;
2700 }
2701
2702 return true;
2703 }
2704
2705 // Delegated credentials.
2706 //
2707 // https://tools.ietf.org/html/draft-ietf-tls-subcerts
2708
ext_delegated_credential_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2709 static bool ext_delegated_credential_add_clienthello(SSL_HANDSHAKE *hs,
2710 CBB *out) {
2711 return true;
2712 }
2713
ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2714 static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs,
2715 uint8_t *out_alert,
2716 CBS *contents) {
2717 assert(TLSEXT_TYPE_delegated_credential == 0xff02);
2718 // TODO: Check that the extension is empty.
2719 //
2720 // As of draft-02, the client sends an empty extension in order indicate
2721 // support for delegated credentials. This could change, however, since the
2722 // spec is not yet finalized. This assertion is here to remind us to enforce
2723 // this check once the extension ID is assigned.
2724
2725 if (contents == nullptr || ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
2726 // Don't use delegated credentials unless we're negotiating TLS 1.3 or
2727 // higher.
2728 return true;
2729 }
2730
2731 hs->delegated_credential_requested = true;
2732 return true;
2733 }
2734
2735 // Certificate compression
2736
cert_compression_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2737 static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2738 bool first = true;
2739 CBB contents, algs;
2740
2741 for (const auto *alg : hs->ssl->ctx->cert_compression_algs.get()) {
2742 if (alg->decompress == nullptr) {
2743 continue;
2744 }
2745
2746 if (first && (!CBB_add_u16(out, TLSEXT_TYPE_cert_compression) ||
2747 !CBB_add_u16_length_prefixed(out, &contents) ||
2748 !CBB_add_u8_length_prefixed(&contents, &algs))) {
2749 return false;
2750 }
2751 first = false;
2752 if (!CBB_add_u16(&algs, alg->alg_id)) {
2753 return false;
2754 }
2755 }
2756
2757 return first || CBB_flush(out);
2758 }
2759
cert_compression_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2760 static bool cert_compression_parse_serverhello(SSL_HANDSHAKE *hs,
2761 uint8_t *out_alert,
2762 CBS *contents) {
2763 if (contents == nullptr) {
2764 return true;
2765 }
2766
2767 // The server may not echo this extension. Any server to client negotiation is
2768 // advertised in the CertificateRequest message.
2769 return false;
2770 }
2771
cert_compression_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2772 static bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs,
2773 uint8_t *out_alert,
2774 CBS *contents) {
2775 if (contents == nullptr) {
2776 return true;
2777 }
2778
2779 const size_t num_algs =
2780 sk_CertCompressionAlg_num(hs->ssl->ctx->cert_compression_algs.get());
2781
2782 CBS alg_ids;
2783 if (!CBS_get_u8_length_prefixed(contents, &alg_ids) ||
2784 CBS_len(contents) != 0 ||
2785 CBS_len(&alg_ids) == 0 ||
2786 CBS_len(&alg_ids) % 2 == 1) {
2787 return false;
2788 }
2789
2790 const size_t num_given_alg_ids = CBS_len(&alg_ids) / 2;
2791 Array<uint16_t> given_alg_ids;
2792 if (!given_alg_ids.Init(num_given_alg_ids)) {
2793 return false;
2794 }
2795
2796 size_t best_index = num_algs;
2797 size_t given_alg_idx = 0;
2798
2799 while (CBS_len(&alg_ids) > 0) {
2800 uint16_t alg_id;
2801 if (!CBS_get_u16(&alg_ids, &alg_id)) {
2802 return false;
2803 }
2804
2805 given_alg_ids[given_alg_idx++] = alg_id;
2806
2807 for (size_t i = 0; i < num_algs; i++) {
2808 const auto *alg = sk_CertCompressionAlg_value(
2809 hs->ssl->ctx->cert_compression_algs.get(), i);
2810 if (alg->alg_id == alg_id && alg->compress != nullptr) {
2811 if (i < best_index) {
2812 best_index = i;
2813 }
2814 break;
2815 }
2816 }
2817 }
2818
2819 qsort(given_alg_ids.data(), given_alg_ids.size(), sizeof(uint16_t),
2820 compare_uint16_t);
2821 for (size_t i = 1; i < num_given_alg_ids; i++) {
2822 if (given_alg_ids[i - 1] == given_alg_ids[i]) {
2823 return false;
2824 }
2825 }
2826
2827 if (best_index < num_algs &&
2828 ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
2829 hs->cert_compression_negotiated = true;
2830 hs->cert_compression_alg_id =
2831 sk_CertCompressionAlg_value(hs->ssl->ctx->cert_compression_algs.get(),
2832 best_index)
2833 ->alg_id;
2834 }
2835
2836 return true;
2837 }
2838
cert_compression_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2839 static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2840 return true;
2841 }
2842
2843 // kExtensions contains all the supported extensions.
2844 static const struct tls_extension kExtensions[] = {
2845 {
2846 TLSEXT_TYPE_server_name,
2847 NULL,
2848 ext_sni_add_clienthello,
2849 ext_sni_parse_serverhello,
2850 ext_sni_parse_clienthello,
2851 ext_sni_add_serverhello,
2852 },
2853 {
2854 TLSEXT_TYPE_extended_master_secret,
2855 NULL,
2856 ext_ems_add_clienthello,
2857 ext_ems_parse_serverhello,
2858 ext_ems_parse_clienthello,
2859 ext_ems_add_serverhello,
2860 },
2861 {
2862 TLSEXT_TYPE_renegotiate,
2863 NULL,
2864 ext_ri_add_clienthello,
2865 ext_ri_parse_serverhello,
2866 ext_ri_parse_clienthello,
2867 ext_ri_add_serverhello,
2868 },
2869 {
2870 TLSEXT_TYPE_supported_groups,
2871 NULL,
2872 ext_supported_groups_add_clienthello,
2873 ext_supported_groups_parse_serverhello,
2874 ext_supported_groups_parse_clienthello,
2875 dont_add_serverhello,
2876 },
2877 {
2878 TLSEXT_TYPE_ec_point_formats,
2879 NULL,
2880 ext_ec_point_add_clienthello,
2881 ext_ec_point_parse_serverhello,
2882 ext_ec_point_parse_clienthello,
2883 ext_ec_point_add_serverhello,
2884 },
2885 {
2886 TLSEXT_TYPE_session_ticket,
2887 NULL,
2888 ext_ticket_add_clienthello,
2889 ext_ticket_parse_serverhello,
2890 // Ticket extension client parsing is handled in ssl_session.c
2891 ignore_parse_clienthello,
2892 ext_ticket_add_serverhello,
2893 },
2894 {
2895 TLSEXT_TYPE_application_layer_protocol_negotiation,
2896 NULL,
2897 ext_alpn_add_clienthello,
2898 ext_alpn_parse_serverhello,
2899 // ALPN is negotiated late in |ssl_negotiate_alpn|.
2900 ignore_parse_clienthello,
2901 ext_alpn_add_serverhello,
2902 },
2903 {
2904 TLSEXT_TYPE_status_request,
2905 NULL,
2906 ext_ocsp_add_clienthello,
2907 ext_ocsp_parse_serverhello,
2908 ext_ocsp_parse_clienthello,
2909 ext_ocsp_add_serverhello,
2910 },
2911 {
2912 TLSEXT_TYPE_signature_algorithms,
2913 NULL,
2914 ext_sigalgs_add_clienthello,
2915 forbid_parse_serverhello,
2916 ext_sigalgs_parse_clienthello,
2917 dont_add_serverhello,
2918 },
2919 {
2920 TLSEXT_TYPE_signature_algorithms_cert,
2921 NULL,
2922 ext_sigalgs_cert_add_clienthello,
2923 forbid_parse_serverhello,
2924 ignore_parse_clienthello,
2925 dont_add_serverhello,
2926 },
2927 {
2928 TLSEXT_TYPE_next_proto_neg,
2929 NULL,
2930 ext_npn_add_clienthello,
2931 ext_npn_parse_serverhello,
2932 ext_npn_parse_clienthello,
2933 ext_npn_add_serverhello,
2934 },
2935 {
2936 TLSEXT_TYPE_certificate_timestamp,
2937 NULL,
2938 ext_sct_add_clienthello,
2939 ext_sct_parse_serverhello,
2940 ext_sct_parse_clienthello,
2941 ext_sct_add_serverhello,
2942 },
2943 {
2944 TLSEXT_TYPE_channel_id,
2945 ext_channel_id_init,
2946 ext_channel_id_add_clienthello,
2947 ext_channel_id_parse_serverhello,
2948 ext_channel_id_parse_clienthello,
2949 ext_channel_id_add_serverhello,
2950 },
2951 {
2952 TLSEXT_TYPE_srtp,
2953 ext_srtp_init,
2954 ext_srtp_add_clienthello,
2955 ext_srtp_parse_serverhello,
2956 ext_srtp_parse_clienthello,
2957 ext_srtp_add_serverhello,
2958 },
2959 {
2960 TLSEXT_TYPE_key_share,
2961 NULL,
2962 ext_key_share_add_clienthello,
2963 forbid_parse_serverhello,
2964 ignore_parse_clienthello,
2965 dont_add_serverhello,
2966 },
2967 {
2968 TLSEXT_TYPE_psk_key_exchange_modes,
2969 NULL,
2970 ext_psk_key_exchange_modes_add_clienthello,
2971 forbid_parse_serverhello,
2972 ext_psk_key_exchange_modes_parse_clienthello,
2973 dont_add_serverhello,
2974 },
2975 {
2976 TLSEXT_TYPE_early_data,
2977 NULL,
2978 ext_early_data_add_clienthello,
2979 ext_early_data_parse_serverhello,
2980 ext_early_data_parse_clienthello,
2981 ext_early_data_add_serverhello,
2982 },
2983 {
2984 TLSEXT_TYPE_supported_versions,
2985 NULL,
2986 ext_supported_versions_add_clienthello,
2987 forbid_parse_serverhello,
2988 ignore_parse_clienthello,
2989 dont_add_serverhello,
2990 },
2991 {
2992 TLSEXT_TYPE_cookie,
2993 NULL,
2994 ext_cookie_add_clienthello,
2995 forbid_parse_serverhello,
2996 ignore_parse_clienthello,
2997 dont_add_serverhello,
2998 },
2999 {
3000 TLSEXT_TYPE_quic_transport_parameters,
3001 NULL,
3002 ext_quic_transport_params_add_clienthello,
3003 ext_quic_transport_params_parse_serverhello,
3004 ext_quic_transport_params_parse_clienthello,
3005 ext_quic_transport_params_add_serverhello,
3006 },
3007 {
3008 TLSEXT_TYPE_token_binding,
3009 NULL,
3010 ext_token_binding_add_clienthello,
3011 ext_token_binding_parse_serverhello,
3012 ext_token_binding_parse_clienthello,
3013 ext_token_binding_add_serverhello,
3014 },
3015 {
3016 TLSEXT_TYPE_cert_compression,
3017 NULL,
3018 cert_compression_add_clienthello,
3019 cert_compression_parse_serverhello,
3020 cert_compression_parse_clienthello,
3021 cert_compression_add_serverhello,
3022 },
3023 {
3024 TLSEXT_TYPE_delegated_credential,
3025 NULL,
3026 ext_delegated_credential_add_clienthello,
3027 forbid_parse_serverhello,
3028 ext_delegated_credential_parse_clienthello,
3029 dont_add_serverhello,
3030 },
3031 };
3032
3033 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
3034
3035 static_assert(kNumExtensions <=
3036 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.sent) * 8,
3037 "too many extensions for sent bitset");
3038 static_assert(kNumExtensions <=
3039 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8,
3040 "too many extensions for received bitset");
3041
tls_extension_find(uint32_t * out_index,uint16_t value)3042 static const struct tls_extension *tls_extension_find(uint32_t *out_index,
3043 uint16_t value) {
3044 unsigned i;
3045 for (i = 0; i < kNumExtensions; i++) {
3046 if (kExtensions[i].value == value) {
3047 *out_index = i;
3048 return &kExtensions[i];
3049 }
3050 }
3051
3052 return NULL;
3053 }
3054
ssl_add_clienthello_tlsext(SSL_HANDSHAKE * hs,CBB * out,size_t header_len)3055 bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out,
3056 size_t header_len) {
3057 SSL *const ssl = hs->ssl;
3058 CBB extensions;
3059 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
3060 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3061 return false;
3062 }
3063
3064 hs->extensions.sent = 0;
3065
3066 for (size_t i = 0; i < kNumExtensions; i++) {
3067 if (kExtensions[i].init != NULL) {
3068 kExtensions[i].init(hs);
3069 }
3070 }
3071
3072 uint16_t grease_ext1 = 0;
3073 if (ssl->ctx->grease_enabled) {
3074 // Add a fake empty extension. See draft-davidben-tls-grease-01.
3075 grease_ext1 = ssl_get_grease_value(hs, ssl_grease_extension1);
3076 if (!CBB_add_u16(&extensions, grease_ext1) ||
3077 !CBB_add_u16(&extensions, 0 /* zero length */)) {
3078 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3079 return false;
3080 }
3081 }
3082
3083 bool last_was_empty = false;
3084 for (size_t i = 0; i < kNumExtensions; i++) {
3085 const size_t len_before = CBB_len(&extensions);
3086 if (!kExtensions[i].add_clienthello(hs, &extensions)) {
3087 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
3088 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3089 return false;
3090 }
3091
3092 const size_t bytes_written = CBB_len(&extensions) - len_before;
3093 if (bytes_written != 0) {
3094 hs->extensions.sent |= (1u << i);
3095 }
3096 // If the difference in lengths is only four bytes then the extension had
3097 // an empty body.
3098 last_was_empty = (bytes_written == 4);
3099 }
3100
3101 if (ssl->ctx->grease_enabled) {
3102 // Add a fake non-empty extension. See draft-davidben-tls-grease-01.
3103 uint16_t grease_ext2 = ssl_get_grease_value(hs, ssl_grease_extension2);
3104
3105 // The two fake extensions must not have the same value. GREASE values are
3106 // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
3107 // one.
3108 if (grease_ext1 == grease_ext2) {
3109 grease_ext2 ^= 0x1010;
3110 }
3111
3112 if (!CBB_add_u16(&extensions, grease_ext2) ||
3113 !CBB_add_u16(&extensions, 1 /* one byte length */) ||
3114 !CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) {
3115 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3116 return false;
3117 }
3118
3119 last_was_empty = false;
3120 }
3121
3122 if (!SSL_is_dtls(ssl)) {
3123 size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs);
3124 header_len += 2 + CBB_len(&extensions) + psk_extension_len;
3125 size_t padding_len = 0;
3126
3127 // The final extension must be non-empty. WebSphere Application
3128 // Server 7.0 is intolerant to the last extension being zero-length. See
3129 // https://crbug.com/363583.
3130 if (last_was_empty && psk_extension_len == 0) {
3131 padding_len = 1;
3132 // The addition of the padding extension may push us into the F5 bug.
3133 header_len += 4 + padding_len;
3134 }
3135
3136 // Add padding to workaround bugs in F5 terminators. See RFC 7685.
3137 //
3138 // NB: because this code works out the length of all existing extensions
3139 // it MUST always appear last (save for any PSK extension).
3140 if (header_len > 0xff && header_len < 0x200) {
3141 // If our calculations already included a padding extension, remove that
3142 // factor because we're about to change its length.
3143 if (padding_len != 0) {
3144 header_len -= 4 + padding_len;
3145 }
3146 padding_len = 0x200 - header_len;
3147 // Extensions take at least four bytes to encode. Always include at least
3148 // one byte of data if including the extension. WebSphere Application
3149 // Server 7.0 is intolerant to the last extension being zero-length. See
3150 // https://crbug.com/363583.
3151 if (padding_len >= 4 + 1) {
3152 padding_len -= 4;
3153 } else {
3154 padding_len = 1;
3155 }
3156 }
3157
3158 if (padding_len != 0) {
3159 uint8_t *padding_bytes;
3160 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_padding) ||
3161 !CBB_add_u16(&extensions, padding_len) ||
3162 !CBB_add_space(&extensions, &padding_bytes, padding_len)) {
3163 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3164 return false;
3165 }
3166
3167 OPENSSL_memset(padding_bytes, 0, padding_len);
3168 }
3169 }
3170
3171 // The PSK extension must be last, including after the padding.
3172 if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) {
3173 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3174 return false;
3175 }
3176
3177 // Discard empty extensions blocks.
3178 if (CBB_len(&extensions) == 0) {
3179 CBB_discard_child(out);
3180 }
3181
3182 return CBB_flush(out);
3183 }
3184
ssl_add_serverhello_tlsext(SSL_HANDSHAKE * hs,CBB * out)3185 bool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
3186 SSL *const ssl = hs->ssl;
3187 CBB extensions;
3188 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
3189 goto err;
3190 }
3191
3192 for (unsigned i = 0; i < kNumExtensions; i++) {
3193 if (!(hs->extensions.received & (1u << i))) {
3194 // Don't send extensions that were not received.
3195 continue;
3196 }
3197
3198 if (!kExtensions[i].add_serverhello(hs, &extensions)) {
3199 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
3200 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3201 goto err;
3202 }
3203 }
3204
3205 // Discard empty extensions blocks before TLS 1.3.
3206 if (ssl_protocol_version(ssl) < TLS1_3_VERSION &&
3207 CBB_len(&extensions) == 0) {
3208 CBB_discard_child(out);
3209 }
3210
3211 return CBB_flush(out);
3212
3213 err:
3214 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3215 return false;
3216 }
3217
ssl_scan_clienthello_tlsext(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello,int * out_alert)3218 static bool ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
3219 const SSL_CLIENT_HELLO *client_hello,
3220 int *out_alert) {
3221 for (size_t i = 0; i < kNumExtensions; i++) {
3222 if (kExtensions[i].init != NULL) {
3223 kExtensions[i].init(hs);
3224 }
3225 }
3226
3227 hs->extensions.received = 0;
3228 CBS extensions;
3229 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
3230 while (CBS_len(&extensions) != 0) {
3231 uint16_t type;
3232 CBS extension;
3233
3234 // Decode the next extension.
3235 if (!CBS_get_u16(&extensions, &type) ||
3236 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3237 *out_alert = SSL_AD_DECODE_ERROR;
3238 return false;
3239 }
3240
3241 unsigned ext_index;
3242 const struct tls_extension *const ext =
3243 tls_extension_find(&ext_index, type);
3244 if (ext == NULL) {
3245 continue;
3246 }
3247
3248 hs->extensions.received |= (1u << ext_index);
3249 uint8_t alert = SSL_AD_DECODE_ERROR;
3250 if (!ext->parse_clienthello(hs, &alert, &extension)) {
3251 *out_alert = alert;
3252 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3253 ERR_add_error_dataf("extension %u", (unsigned)type);
3254 return false;
3255 }
3256 }
3257
3258 for (size_t i = 0; i < kNumExtensions; i++) {
3259 if (hs->extensions.received & (1u << i)) {
3260 continue;
3261 }
3262
3263 CBS *contents = NULL, fake_contents;
3264 static const uint8_t kFakeRenegotiateExtension[] = {0};
3265 if (kExtensions[i].value == TLSEXT_TYPE_renegotiate &&
3266 ssl_client_cipher_list_contains_cipher(client_hello,
3267 SSL3_CK_SCSV & 0xffff)) {
3268 // The renegotiation SCSV was received so pretend that we received a
3269 // renegotiation extension.
3270 CBS_init(&fake_contents, kFakeRenegotiateExtension,
3271 sizeof(kFakeRenegotiateExtension));
3272 contents = &fake_contents;
3273 hs->extensions.received |= (1u << i);
3274 }
3275
3276 // Extension wasn't observed so call the callback with a NULL
3277 // parameter.
3278 uint8_t alert = SSL_AD_DECODE_ERROR;
3279 if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) {
3280 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3281 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3282 *out_alert = alert;
3283 return false;
3284 }
3285 }
3286
3287 return true;
3288 }
3289
ssl_parse_clienthello_tlsext(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello)3290 bool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
3291 const SSL_CLIENT_HELLO *client_hello) {
3292 SSL *const ssl = hs->ssl;
3293 int alert = SSL_AD_DECODE_ERROR;
3294 if (!ssl_scan_clienthello_tlsext(hs, client_hello, &alert)) {
3295 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3296 return false;
3297 }
3298
3299 if (!ssl_check_clienthello_tlsext(hs)) {
3300 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT);
3301 return false;
3302 }
3303
3304 return true;
3305 }
3306
ssl_scan_serverhello_tlsext(SSL_HANDSHAKE * hs,CBS * cbs,int * out_alert)3307 static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
3308 int *out_alert) {
3309 SSL *const ssl = hs->ssl;
3310 // Before TLS 1.3, ServerHello extensions blocks may be omitted if empty.
3311 if (CBS_len(cbs) == 0 && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
3312 return true;
3313 }
3314
3315 // Decode the extensions block and check it is valid.
3316 CBS extensions;
3317 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
3318 !tls1_check_duplicate_extensions(&extensions)) {
3319 *out_alert = SSL_AD_DECODE_ERROR;
3320 return false;
3321 }
3322
3323 uint32_t received = 0;
3324 while (CBS_len(&extensions) != 0) {
3325 uint16_t type;
3326 CBS extension;
3327
3328 // Decode the next extension.
3329 if (!CBS_get_u16(&extensions, &type) ||
3330 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3331 *out_alert = SSL_AD_DECODE_ERROR;
3332 return false;
3333 }
3334
3335 unsigned ext_index;
3336 const struct tls_extension *const ext =
3337 tls_extension_find(&ext_index, type);
3338
3339 if (ext == NULL) {
3340 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
3341 ERR_add_error_dataf("extension %u", (unsigned)type);
3342 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
3343 return false;
3344 }
3345
3346 static_assert(kNumExtensions <= sizeof(hs->extensions.sent) * 8,
3347 "too many bits");
3348
3349 if (!(hs->extensions.sent & (1u << ext_index))) {
3350 // If the extension was never sent then it is illegal.
3351 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
3352 ERR_add_error_dataf("extension :%u", (unsigned)type);
3353 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
3354 return false;
3355 }
3356
3357 received |= (1u << ext_index);
3358
3359 uint8_t alert = SSL_AD_DECODE_ERROR;
3360 if (!ext->parse_serverhello(hs, &alert, &extension)) {
3361 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3362 ERR_add_error_dataf("extension %u", (unsigned)type);
3363 *out_alert = alert;
3364 return false;
3365 }
3366 }
3367
3368 for (size_t i = 0; i < kNumExtensions; i++) {
3369 if (!(received & (1u << i))) {
3370 // Extension wasn't observed so call the callback with a NULL
3371 // parameter.
3372 uint8_t alert = SSL_AD_DECODE_ERROR;
3373 if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) {
3374 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3375 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3376 *out_alert = alert;
3377 return false;
3378 }
3379 }
3380 }
3381
3382 return true;
3383 }
3384
ssl_check_clienthello_tlsext(SSL_HANDSHAKE * hs)3385 static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
3386 SSL *const ssl = hs->ssl;
3387
3388 if (ssl->s3->token_binding_negotiated &&
3389 !(SSL_get_secure_renegotiation_support(ssl) &&
3390 SSL_get_extms_support(ssl))) {
3391 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);
3392 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
3393 return false;
3394 }
3395
3396 int ret = SSL_TLSEXT_ERR_NOACK;
3397 int al = SSL_AD_UNRECOGNIZED_NAME;
3398
3399 if (ssl->ctx->servername_callback != 0) {
3400 ret = ssl->ctx->servername_callback(ssl, &al, ssl->ctx->servername_arg);
3401 } else if (ssl->session_ctx->servername_callback != 0) {
3402 ret = ssl->session_ctx->servername_callback(
3403 ssl, &al, ssl->session_ctx->servername_arg);
3404 }
3405
3406 switch (ret) {
3407 case SSL_TLSEXT_ERR_ALERT_FATAL:
3408 ssl_send_alert(ssl, SSL3_AL_FATAL, al);
3409 return false;
3410
3411 case SSL_TLSEXT_ERR_NOACK:
3412 hs->should_ack_sni = false;
3413 return true;
3414
3415 default:
3416 return true;
3417 }
3418 }
3419
ssl_parse_serverhello_tlsext(SSL_HANDSHAKE * hs,CBS * cbs)3420 bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
3421 SSL *const ssl = hs->ssl;
3422 int alert = SSL_AD_DECODE_ERROR;
3423 if (!ssl_scan_serverhello_tlsext(hs, cbs, &alert)) {
3424 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3425 return false;
3426 }
3427
3428 return true;
3429 }
3430
decrypt_ticket_with_cipher_ctx(Array<uint8_t> * out,EVP_CIPHER_CTX * cipher_ctx,HMAC_CTX * hmac_ctx,Span<const uint8_t> ticket)3431 static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(
3432 Array<uint8_t> *out, EVP_CIPHER_CTX *cipher_ctx, HMAC_CTX *hmac_ctx,
3433 Span<const uint8_t> ticket) {
3434 size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx);
3435
3436 // Check the MAC at the end of the ticket.
3437 uint8_t mac[EVP_MAX_MD_SIZE];
3438 size_t mac_len = HMAC_size(hmac_ctx);
3439 if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
3440 // The ticket must be large enough for key name, IV, data, and MAC.
3441 return ssl_ticket_aead_ignore_ticket;
3442 }
3443 // Split the ticket into the ticket and the MAC.
3444 auto ticket_mac = ticket.subspan(ticket.size() - mac_len);
3445 ticket = ticket.subspan(0, ticket.size() - mac_len);
3446 HMAC_Update(hmac_ctx, ticket.data(), ticket.size());
3447 HMAC_Final(hmac_ctx, mac, NULL);
3448 assert(mac_len == ticket_mac.size());
3449 bool mac_ok = CRYPTO_memcmp(mac, ticket_mac.data(), mac_len) == 0;
3450 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3451 mac_ok = true;
3452 #endif
3453 if (!mac_ok) {
3454 return ssl_ticket_aead_ignore_ticket;
3455 }
3456
3457 // Decrypt the session data.
3458 auto ciphertext = ticket.subspan(SSL_TICKET_KEY_NAME_LEN + iv_len);
3459 Array<uint8_t> plaintext;
3460 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3461 if (!plaintext.CopyFrom(ciphertext)) {
3462 return ssl_ticket_aead_error;
3463 }
3464 #else
3465 if (ciphertext.size() >= INT_MAX) {
3466 return ssl_ticket_aead_ignore_ticket;
3467 }
3468 if (!plaintext.Init(ciphertext.size())) {
3469 return ssl_ticket_aead_error;
3470 }
3471 int len1, len2;
3472 if (!EVP_DecryptUpdate(cipher_ctx, plaintext.data(), &len1, ciphertext.data(),
3473 (int)ciphertext.size()) ||
3474 !EVP_DecryptFinal_ex(cipher_ctx, plaintext.data() + len1, &len2)) {
3475 ERR_clear_error();
3476 return ssl_ticket_aead_ignore_ticket;
3477 }
3478 plaintext.Shrink(static_cast<size_t>(len1) + len2);
3479 #endif
3480
3481 *out = std::move(plaintext);
3482 return ssl_ticket_aead_success;
3483 }
3484
ssl_decrypt_ticket_with_cb(SSL_HANDSHAKE * hs,Array<uint8_t> * out,bool * out_renew_ticket,Span<const uint8_t> ticket)3485 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb(
3486 SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket,
3487 Span<const uint8_t> ticket) {
3488 assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3489 ScopedEVP_CIPHER_CTX cipher_ctx;
3490 ScopedHMAC_CTX hmac_ctx;
3491 auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);
3492 // The actual IV is shorter, but the length is determined by the callback's
3493 // chosen cipher. Instead we pass in |EVP_MAX_IV_LENGTH| worth of IV to ensure
3494 // the callback has enough.
3495 auto iv = ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_MAX_IV_LENGTH);
3496 int cb_ret = hs->ssl->session_ctx->ticket_key_cb(
3497 hs->ssl, const_cast<uint8_t *>(name.data()),
3498 const_cast<uint8_t *>(iv.data()), cipher_ctx.get(), hmac_ctx.get(),
3499 0 /* decrypt */);
3500 if (cb_ret < 0) {
3501 return ssl_ticket_aead_error;
3502 } else if (cb_ret == 0) {
3503 return ssl_ticket_aead_ignore_ticket;
3504 } else if (cb_ret == 2) {
3505 *out_renew_ticket = true;
3506 } else {
3507 assert(cb_ret == 1);
3508 }
3509 return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),
3510 ticket);
3511 }
3512
ssl_decrypt_ticket_with_ticket_keys(SSL_HANDSHAKE * hs,Array<uint8_t> * out,Span<const uint8_t> ticket)3513 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys(
3514 SSL_HANDSHAKE *hs, Array<uint8_t> *out, Span<const uint8_t> ticket) {
3515 assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3516 SSL_CTX *ctx = hs->ssl->session_ctx.get();
3517
3518 // Rotate the ticket key if necessary.
3519 if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
3520 return ssl_ticket_aead_error;
3521 }
3522
3523 const EVP_CIPHER *cipher = EVP_aes_128_cbc();
3524 auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);
3525 auto iv =
3526 ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_CIPHER_iv_length(cipher));
3527
3528 // Pick the matching ticket key and decrypt.
3529 ScopedEVP_CIPHER_CTX cipher_ctx;
3530 ScopedHMAC_CTX hmac_ctx;
3531 {
3532 MutexReadLock lock(&ctx->lock);
3533 const TicketKey *key;
3534 if (ctx->ticket_key_current && name == ctx->ticket_key_current->name) {
3535 key = ctx->ticket_key_current.get();
3536 } else if (ctx->ticket_key_prev && name == ctx->ticket_key_prev->name) {
3537 key = ctx->ticket_key_prev.get();
3538 } else {
3539 return ssl_ticket_aead_ignore_ticket;
3540 }
3541 if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key),
3542 tlsext_tick_md(), NULL) ||
3543 !EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL,
3544 key->aes_key, iv.data())) {
3545 return ssl_ticket_aead_error;
3546 }
3547 }
3548 return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),
3549 ticket);
3550 }
3551
ssl_decrypt_ticket_with_method(SSL_HANDSHAKE * hs,Array<uint8_t> * out,bool * out_renew_ticket,Span<const uint8_t> ticket)3552 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method(
3553 SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket,
3554 Span<const uint8_t> ticket) {
3555 Array<uint8_t> plaintext;
3556 if (!plaintext.Init(ticket.size())) {
3557 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
3558 return ssl_ticket_aead_error;
3559 }
3560
3561 size_t plaintext_len;
3562 const enum ssl_ticket_aead_result_t result =
3563 hs->ssl->session_ctx->ticket_aead_method->open(
3564 hs->ssl, plaintext.data(), &plaintext_len, ticket.size(),
3565 ticket.data(), ticket.size());
3566 if (result != ssl_ticket_aead_success) {
3567 return result;
3568 }
3569
3570 plaintext.Shrink(plaintext_len);
3571 *out = std::move(plaintext);
3572 return ssl_ticket_aead_success;
3573 }
3574
ssl_process_ticket(SSL_HANDSHAKE * hs,UniquePtr<SSL_SESSION> * out_session,bool * out_renew_ticket,Span<const uint8_t> ticket,Span<const uint8_t> session_id)3575 enum ssl_ticket_aead_result_t ssl_process_ticket(
3576 SSL_HANDSHAKE *hs, UniquePtr<SSL_SESSION> *out_session,
3577 bool *out_renew_ticket, Span<const uint8_t> ticket,
3578 Span<const uint8_t> session_id) {
3579 *out_renew_ticket = false;
3580 out_session->reset();
3581
3582 if ((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) ||
3583 session_id.size() > SSL_MAX_SSL_SESSION_ID_LENGTH) {
3584 return ssl_ticket_aead_ignore_ticket;
3585 }
3586
3587 Array<uint8_t> plaintext;
3588 enum ssl_ticket_aead_result_t result;
3589 if (hs->ssl->session_ctx->ticket_aead_method != NULL) {
3590 result = ssl_decrypt_ticket_with_method(hs, &plaintext, out_renew_ticket,
3591 ticket);
3592 } else {
3593 // Ensure there is room for the key name and the largest IV |ticket_key_cb|
3594 // may try to consume. The real limit may be lower, but the maximum IV
3595 // length should be well under the minimum size for the session material and
3596 // HMAC.
3597 if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
3598 return ssl_ticket_aead_ignore_ticket;
3599 }
3600 if (hs->ssl->session_ctx->ticket_key_cb != NULL) {
3601 result =
3602 ssl_decrypt_ticket_with_cb(hs, &plaintext, out_renew_ticket, ticket);
3603 } else {
3604 result = ssl_decrypt_ticket_with_ticket_keys(hs, &plaintext, ticket);
3605 }
3606 }
3607
3608 if (result != ssl_ticket_aead_success) {
3609 return result;
3610 }
3611
3612 // Decode the session.
3613 UniquePtr<SSL_SESSION> session(SSL_SESSION_from_bytes(
3614 plaintext.data(), plaintext.size(), hs->ssl->ctx.get()));
3615 if (!session) {
3616 ERR_clear_error(); // Don't leave an error on the queue.
3617 return ssl_ticket_aead_ignore_ticket;
3618 }
3619
3620 // Copy the client's session ID into the new session, to denote the ticket has
3621 // been accepted.
3622 OPENSSL_memcpy(session->session_id, session_id.data(), session_id.size());
3623 session->session_id_length = session_id.size();
3624
3625 *out_session = std::move(session);
3626 return ssl_ticket_aead_success;
3627 }
3628
tls1_parse_peer_sigalgs(SSL_HANDSHAKE * hs,const CBS * in_sigalgs)3629 bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
3630 // Extension ignored for inappropriate versions
3631 if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) {
3632 return true;
3633 }
3634
3635 // In all contexts, the signature algorithms list may not be empty. (It may be
3636 // omitted by clients in TLS 1.2, but then the entire extension is omitted.)
3637 return CBS_len(in_sigalgs) != 0 &&
3638 parse_u16_array(in_sigalgs, &hs->peer_sigalgs);
3639 }
3640
tls1_get_legacy_signature_algorithm(uint16_t * out,const EVP_PKEY * pkey)3641 bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
3642 switch (EVP_PKEY_id(pkey)) {
3643 case EVP_PKEY_RSA:
3644 *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
3645 return true;
3646 case EVP_PKEY_EC:
3647 *out = SSL_SIGN_ECDSA_SHA1;
3648 return true;
3649 default:
3650 return false;
3651 }
3652 }
3653
tls1_choose_signature_algorithm(SSL_HANDSHAKE * hs,uint16_t * out)3654 bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
3655 SSL *const ssl = hs->ssl;
3656 CERT *cert = hs->config->cert.get();
3657 DC *dc = cert->dc.get();
3658
3659 // Before TLS 1.2, the signature algorithm isn't negotiated as part of the
3660 // handshake.
3661 if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
3662 if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) {
3663 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3664 return false;
3665 }
3666 return true;
3667 }
3668
3669 Span<const uint16_t> sigalgs = kSignSignatureAlgorithms;
3670 if (ssl_signing_with_dc(hs)) {
3671 sigalgs = MakeConstSpan(&dc->expected_cert_verify_algorithm, 1);
3672 } else if (!cert->sigalgs.empty()) {
3673 sigalgs = cert->sigalgs;
3674 }
3675
3676 Span<const uint16_t> peer_sigalgs = tls1_get_peer_verify_algorithms(hs);
3677
3678 for (uint16_t sigalg : sigalgs) {
3679 // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
3680 // negotiated.
3681 if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
3682 !ssl_private_key_supports_signature_algorithm(hs, sigalg)) {
3683 continue;
3684 }
3685
3686 for (uint16_t peer_sigalg : peer_sigalgs) {
3687 if (sigalg == peer_sigalg) {
3688 *out = sigalg;
3689 return true;
3690 }
3691 }
3692 }
3693
3694 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3695 return false;
3696 }
3697
tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE * hs)3698 Span<const uint16_t> tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE *hs) {
3699 Span<const uint16_t> peer_sigalgs = hs->peer_sigalgs;
3700 if (peer_sigalgs.empty() && ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
3701 // If the client didn't specify any signature_algorithms extension then
3702 // we can assume that it supports SHA1. See
3703 // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
3704 static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
3705 SSL_SIGN_ECDSA_SHA1};
3706 peer_sigalgs = kDefaultPeerAlgorithms;
3707 }
3708 return peer_sigalgs;
3709 }
3710
tls1_verify_channel_id(SSL_HANDSHAKE * hs,const SSLMessage & msg)3711 bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
3712 SSL *const ssl = hs->ssl;
3713 // A Channel ID handshake message is structured to contain multiple
3714 // extensions, but the only one that can be present is Channel ID.
3715 uint16_t extension_type;
3716 CBS channel_id = msg.body, extension;
3717 if (!CBS_get_u16(&channel_id, &extension_type) ||
3718 !CBS_get_u16_length_prefixed(&channel_id, &extension) ||
3719 CBS_len(&channel_id) != 0 ||
3720 extension_type != TLSEXT_TYPE_channel_id ||
3721 CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
3722 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
3723 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
3724 return false;
3725 }
3726
3727 UniquePtr<EC_GROUP> p256(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
3728 if (!p256) {
3729 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
3730 return false;
3731 }
3732
3733 UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
3734 UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3735 if (!sig || !x || !y) {
3736 return false;
3737 }
3738
3739 const uint8_t *p = CBS_data(&extension);
3740 if (BN_bin2bn(p + 0, 32, x.get()) == NULL ||
3741 BN_bin2bn(p + 32, 32, y.get()) == NULL ||
3742 BN_bin2bn(p + 64, 32, sig->r) == NULL ||
3743 BN_bin2bn(p + 96, 32, sig->s) == NULL) {
3744 return false;
3745 }
3746
3747 UniquePtr<EC_KEY> key(EC_KEY_new());
3748 UniquePtr<EC_POINT> point(EC_POINT_new(p256.get()));
3749 if (!key || !point ||
3750 !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(),
3751 y.get(), nullptr) ||
3752 !EC_KEY_set_group(key.get(), p256.get()) ||
3753 !EC_KEY_set_public_key(key.get(), point.get())) {
3754 return false;
3755 }
3756
3757 uint8_t digest[EVP_MAX_MD_SIZE];
3758 size_t digest_len;
3759 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3760 return false;
3761 }
3762
3763 bool sig_ok = ECDSA_do_verify(digest, digest_len, sig.get(), key.get());
3764 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3765 sig_ok = true;
3766 ERR_clear_error();
3767 #endif
3768 if (!sig_ok) {
3769 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
3770 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
3771 ssl->s3->channel_id_valid = false;
3772 return false;
3773 }
3774
3775 OPENSSL_memcpy(ssl->s3->channel_id, p, 64);
3776 return true;
3777 }
3778
tls1_write_channel_id(SSL_HANDSHAKE * hs,CBB * cbb)3779 bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) {
3780 uint8_t digest[EVP_MAX_MD_SIZE];
3781 size_t digest_len;
3782 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3783 return false;
3784 }
3785
3786 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(hs->config->channel_id_private.get());
3787 if (ec_key == nullptr) {
3788 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3789 return false;
3790 }
3791
3792 UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3793 if (!x || !y ||
3794 !EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec_key),
3795 EC_KEY_get0_public_key(ec_key),
3796 x.get(), y.get(), nullptr)) {
3797 return false;
3798 }
3799
3800 UniquePtr<ECDSA_SIG> sig(ECDSA_do_sign(digest, digest_len, ec_key));
3801 if (!sig) {
3802 return false;
3803 }
3804
3805 CBB child;
3806 if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) ||
3807 !CBB_add_u16_length_prefixed(cbb, &child) ||
3808 !BN_bn2cbb_padded(&child, 32, x.get()) ||
3809 !BN_bn2cbb_padded(&child, 32, y.get()) ||
3810 !BN_bn2cbb_padded(&child, 32, sig->r) ||
3811 !BN_bn2cbb_padded(&child, 32, sig->s) ||
3812 !CBB_flush(cbb)) {
3813 return false;
3814 }
3815
3816 return true;
3817 }
3818
tls1_channel_id_hash(SSL_HANDSHAKE * hs,uint8_t * out,size_t * out_len)3819 bool tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {
3820 SSL *const ssl = hs->ssl;
3821 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
3822 Array<uint8_t> msg;
3823 if (!tls13_get_cert_verify_signature_input(hs, &msg,
3824 ssl_cert_verify_channel_id)) {
3825 return false;
3826 }
3827 SHA256(msg.data(), msg.size(), out);
3828 *out_len = SHA256_DIGEST_LENGTH;
3829 return true;
3830 }
3831
3832 SHA256_CTX ctx;
3833
3834 SHA256_Init(&ctx);
3835 static const char kClientIDMagic[] = "TLS Channel ID signature";
3836 SHA256_Update(&ctx, kClientIDMagic, sizeof(kClientIDMagic));
3837
3838 if (ssl->session != NULL) {
3839 static const char kResumptionMagic[] = "Resumption";
3840 SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic));
3841 if (ssl->session->original_handshake_hash_len == 0) {
3842 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3843 return false;
3844 }
3845 SHA256_Update(&ctx, ssl->session->original_handshake_hash,
3846 ssl->session->original_handshake_hash_len);
3847 }
3848
3849 uint8_t hs_hash[EVP_MAX_MD_SIZE];
3850 size_t hs_hash_len;
3851 if (!hs->transcript.GetHash(hs_hash, &hs_hash_len)) {
3852 return false;
3853 }
3854 SHA256_Update(&ctx, hs_hash, (size_t)hs_hash_len);
3855 SHA256_Final(out, &ctx);
3856 *out_len = SHA256_DIGEST_LENGTH;
3857 return true;
3858 }
3859
tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE * hs)3860 bool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
3861 SSL *const ssl = hs->ssl;
3862 // This function should never be called for a resumed session because the
3863 // handshake hashes that we wish to record are for the original, full
3864 // handshake.
3865 if (ssl->session != NULL) {
3866 return false;
3867 }
3868
3869 static_assert(
3870 sizeof(hs->new_session->original_handshake_hash) == EVP_MAX_MD_SIZE,
3871 "original_handshake_hash is too small");
3872
3873 size_t digest_len;
3874 if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash,
3875 &digest_len)) {
3876 return false;
3877 }
3878
3879 static_assert(EVP_MAX_MD_SIZE <= 0xff,
3880 "EVP_MAX_MD_SIZE does not fit in uint8_t");
3881 hs->new_session->original_handshake_hash_len = (uint8_t)digest_len;
3882
3883 return true;
3884 }
3885
ssl_do_channel_id_callback(SSL_HANDSHAKE * hs)3886 bool ssl_do_channel_id_callback(SSL_HANDSHAKE *hs) {
3887 if (hs->config->channel_id_private != NULL ||
3888 hs->ssl->ctx->channel_id_cb == NULL) {
3889 return true;
3890 }
3891
3892 EVP_PKEY *key = NULL;
3893 hs->ssl->ctx->channel_id_cb(hs->ssl, &key);
3894 if (key == NULL) {
3895 // The caller should try again later.
3896 return true;
3897 }
3898
3899 UniquePtr<EVP_PKEY> free_key(key);
3900 return SSL_set1_tls_channel_id(hs->ssl, key);
3901 }
3902
ssl_is_sct_list_valid(const CBS * contents)3903 bool ssl_is_sct_list_valid(const CBS *contents) {
3904 // Shallow parse the SCT list for sanity. By the RFC
3905 // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
3906 // of the SCTs may be empty.
3907 CBS copy = *contents;
3908 CBS sct_list;
3909 if (!CBS_get_u16_length_prefixed(©, &sct_list) ||
3910 CBS_len(©) != 0 ||
3911 CBS_len(&sct_list) == 0) {
3912 return false;
3913 }
3914
3915 while (CBS_len(&sct_list) > 0) {
3916 CBS sct;
3917 if (!CBS_get_u16_length_prefixed(&sct_list, &sct) ||
3918 CBS_len(&sct) == 0) {
3919 return false;
3920 }
3921 }
3922
3923 return true;
3924 }
3925
3926 BSSL_NAMESPACE_END
3927
3928 using namespace bssl;
3929
SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO * client_hello,uint16_t extension_type,const uint8_t ** out_data,size_t * out_len)3930 int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
3931 uint16_t extension_type,
3932 const uint8_t **out_data,
3933 size_t *out_len) {
3934 CBS cbs;
3935 if (!ssl_client_hello_get_extension(client_hello, &cbs, extension_type)) {
3936 return 0;
3937 }
3938
3939 *out_data = CBS_data(&cbs);
3940 *out_len = CBS_len(&cbs);
3941 return 1;
3942 }
3943
SSL_CTX_set_ed25519_enabled(SSL_CTX * ctx,int enabled)3944 void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
3945 ctx->ed25519_enabled = !!enabled;
3946 }
3947
SSL_CTX_set_rsa_pss_rsae_certs_enabled(SSL_CTX * ctx,int enabled)3948 void SSL_CTX_set_rsa_pss_rsae_certs_enabled(SSL_CTX *ctx, int enabled) {
3949 ctx->rsa_pss_rsae_certs_enabled = !!enabled;
3950 }
3951