1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #include <openssl/ssl.h>
110
111 #include <assert.h>
112 #include <limits.h>
113 #include <stdlib.h>
114 #include <string.h>
115
116 #include <utility>
117
118 #include <openssl/bytestring.h>
119 #include <openssl/chacha.h>
120 #include <openssl/digest.h>
121 #include <openssl/err.h>
122 #include <openssl/evp.h>
123 #include <openssl/hmac.h>
124 #include <openssl/mem.h>
125 #include <openssl/nid.h>
126 #include <openssl/rand.h>
127
128 #include "internal.h"
129 #include "../crypto/internal.h"
130
131
132 BSSL_NAMESPACE_BEGIN
133
134 static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);
135
compare_uint16_t(const void * p1,const void * p2)136 static int compare_uint16_t(const void *p1, const void *p2) {
137 uint16_t u1 = *((const uint16_t *)p1);
138 uint16_t u2 = *((const uint16_t *)p2);
139 if (u1 < u2) {
140 return -1;
141 } else if (u1 > u2) {
142 return 1;
143 } else {
144 return 0;
145 }
146 }
147
148 // Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
149 // more than one extension of the same type in a ClientHello or ServerHello.
150 // This function does an initial scan over the extensions block to filter those
151 // out.
tls1_check_duplicate_extensions(const CBS * cbs)152 static bool tls1_check_duplicate_extensions(const CBS *cbs) {
153 // First pass: count the extensions.
154 size_t num_extensions = 0;
155 CBS extensions = *cbs;
156 while (CBS_len(&extensions) > 0) {
157 uint16_t type;
158 CBS extension;
159
160 if (!CBS_get_u16(&extensions, &type) ||
161 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
162 return false;
163 }
164
165 num_extensions++;
166 }
167
168 if (num_extensions == 0) {
169 return true;
170 }
171
172 Array<uint16_t> extension_types;
173 if (!extension_types.Init(num_extensions)) {
174 return false;
175 }
176
177 // Second pass: gather the extension types.
178 extensions = *cbs;
179 for (size_t i = 0; i < extension_types.size(); i++) {
180 CBS extension;
181
182 if (!CBS_get_u16(&extensions, &extension_types[i]) ||
183 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
184 // This should not happen.
185 return false;
186 }
187 }
188 assert(CBS_len(&extensions) == 0);
189
190 // Sort the extensions and make sure there are no duplicates.
191 qsort(extension_types.data(), extension_types.size(), sizeof(uint16_t),
192 compare_uint16_t);
193 for (size_t i = 1; i < num_extensions; i++) {
194 if (extension_types[i - 1] == extension_types[i]) {
195 return false;
196 }
197 }
198
199 return true;
200 }
201
is_post_quantum_group(uint16_t id)202 static bool is_post_quantum_group(uint16_t id) {
203 return id == SSL_CURVE_CECPQ2;
204 }
205
ssl_client_hello_init(const SSL * ssl,SSL_CLIENT_HELLO * out,const SSLMessage & msg)206 bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
207 const SSLMessage &msg) {
208 OPENSSL_memset(out, 0, sizeof(*out));
209 out->ssl = const_cast<SSL *>(ssl);
210 out->client_hello = CBS_data(&msg.body);
211 out->client_hello_len = CBS_len(&msg.body);
212
213 CBS client_hello, random, session_id;
214 CBS_init(&client_hello, out->client_hello, out->client_hello_len);
215 if (!CBS_get_u16(&client_hello, &out->version) ||
216 !CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) ||
217 !CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
218 CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
219 return false;
220 }
221
222 out->random = CBS_data(&random);
223 out->random_len = CBS_len(&random);
224 out->session_id = CBS_data(&session_id);
225 out->session_id_len = CBS_len(&session_id);
226
227 // Skip past DTLS cookie
228 if (SSL_is_dtls(out->ssl)) {
229 CBS cookie;
230 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
231 CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
232 return false;
233 }
234 }
235
236 CBS cipher_suites, compression_methods;
237 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
238 CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
239 !CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
240 CBS_len(&compression_methods) < 1) {
241 return false;
242 }
243
244 out->cipher_suites = CBS_data(&cipher_suites);
245 out->cipher_suites_len = CBS_len(&cipher_suites);
246 out->compression_methods = CBS_data(&compression_methods);
247 out->compression_methods_len = CBS_len(&compression_methods);
248
249 // If the ClientHello ends here then it's valid, but doesn't have any
250 // extensions.
251 if (CBS_len(&client_hello) == 0) {
252 out->extensions = NULL;
253 out->extensions_len = 0;
254 return true;
255 }
256
257 // Extract extensions and check it is valid.
258 CBS extensions;
259 if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
260 !tls1_check_duplicate_extensions(&extensions) ||
261 CBS_len(&client_hello) != 0) {
262 return false;
263 }
264
265 out->extensions = CBS_data(&extensions);
266 out->extensions_len = CBS_len(&extensions);
267
268 return true;
269 }
270
ssl_client_hello_get_extension(const SSL_CLIENT_HELLO * client_hello,CBS * out,uint16_t extension_type)271 bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
272 CBS *out, uint16_t extension_type) {
273 CBS extensions;
274 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
275 while (CBS_len(&extensions) != 0) {
276 // Decode the next extension.
277 uint16_t type;
278 CBS extension;
279 if (!CBS_get_u16(&extensions, &type) ||
280 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
281 return false;
282 }
283
284 if (type == extension_type) {
285 *out = extension;
286 return true;
287 }
288 }
289
290 return false;
291 }
292
293 static const uint16_t kDefaultGroups[] = {
294 SSL_CURVE_X25519,
295 SSL_CURVE_SECP256R1,
296 SSL_CURVE_SECP384R1,
297 };
298
tls1_get_grouplist(const SSL_HANDSHAKE * hs)299 Span<const uint16_t> tls1_get_grouplist(const SSL_HANDSHAKE *hs) {
300 if (!hs->config->supported_group_list.empty()) {
301 return hs->config->supported_group_list;
302 }
303 return Span<const uint16_t>(kDefaultGroups);
304 }
305
tls1_get_shared_group(SSL_HANDSHAKE * hs,uint16_t * out_group_id)306 bool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
307 SSL *const ssl = hs->ssl;
308 assert(ssl->server);
309
310 // Clients are not required to send a supported_groups extension. In this
311 // case, the server is free to pick any group it likes. See RFC 4492,
312 // section 4, paragraph 3.
313 //
314 // However, in the interests of compatibility, we will skip ECDH if the
315 // client didn't send an extension because we can't be sure that they'll
316 // support our favoured group. Thus we do not special-case an emtpy
317 // |peer_supported_group_list|.
318
319 Span<const uint16_t> groups = tls1_get_grouplist(hs);
320 Span<const uint16_t> pref, supp;
321 if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
322 pref = groups;
323 supp = hs->peer_supported_group_list;
324 } else {
325 pref = hs->peer_supported_group_list;
326 supp = groups;
327 }
328
329 for (uint16_t pref_group : pref) {
330 for (uint16_t supp_group : supp) {
331 if (pref_group == supp_group &&
332 // CECPQ2(b) doesn't fit in the u8-length-prefixed ECPoint field in
333 // TLS 1.2 and below.
334 (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
335 !is_post_quantum_group(pref_group))) {
336 *out_group_id = pref_group;
337 return true;
338 }
339 }
340 }
341
342 return false;
343 }
344
tls1_set_curves(Array<uint16_t> * out_group_ids,Span<const int> curves)345 bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves) {
346 Array<uint16_t> group_ids;
347 if (!group_ids.Init(curves.size())) {
348 return false;
349 }
350
351 for (size_t i = 0; i < curves.size(); i++) {
352 if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) {
353 return false;
354 }
355 }
356
357 *out_group_ids = std::move(group_ids);
358 return true;
359 }
360
tls1_set_curves_list(Array<uint16_t> * out_group_ids,const char * curves)361 bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves) {
362 // Count the number of curves in the list.
363 size_t count = 0;
364 const char *ptr = curves, *col;
365 do {
366 col = strchr(ptr, ':');
367 count++;
368 if (col) {
369 ptr = col + 1;
370 }
371 } while (col);
372
373 Array<uint16_t> group_ids;
374 if (!group_ids.Init(count)) {
375 return false;
376 }
377
378 size_t i = 0;
379 ptr = curves;
380 do {
381 col = strchr(ptr, ':');
382 if (!ssl_name_to_group_id(&group_ids[i++], ptr,
383 col ? (size_t)(col - ptr) : strlen(ptr))) {
384 return false;
385 }
386 if (col) {
387 ptr = col + 1;
388 }
389 } while (col);
390
391 assert(i == count);
392 *out_group_ids = std::move(group_ids);
393 return true;
394 }
395
tls1_check_group_id(const SSL_HANDSHAKE * hs,uint16_t group_id)396 bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
397 if (is_post_quantum_group(group_id) &&
398 ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
399 // CECPQ2(b) requires TLS 1.3.
400 return false;
401 }
402
403 for (uint16_t supported : tls1_get_grouplist(hs)) {
404 if (supported == group_id) {
405 return true;
406 }
407 }
408
409 return false;
410 }
411
412 // kVerifySignatureAlgorithms is the default list of accepted signature
413 // algorithms for verifying.
414 //
415 // For now, RSA-PSS signature algorithms are not enabled on Android's system
416 // BoringSSL. Once the change in Chrome has stuck and the values are finalized,
417 // restore them.
418 static const uint16_t kVerifySignatureAlgorithms[] = {
419 // List our preferred algorithms first.
420 SSL_SIGN_ED25519,
421 SSL_SIGN_ECDSA_SECP256R1_SHA256,
422 SSL_SIGN_RSA_PSS_RSAE_SHA256,
423 SSL_SIGN_RSA_PKCS1_SHA256,
424
425 // Larger hashes are acceptable.
426 SSL_SIGN_ECDSA_SECP384R1_SHA384,
427 SSL_SIGN_RSA_PSS_RSAE_SHA384,
428 SSL_SIGN_RSA_PKCS1_SHA384,
429
430 SSL_SIGN_RSA_PSS_RSAE_SHA512,
431 SSL_SIGN_RSA_PKCS1_SHA512,
432
433 // For now, SHA-1 is still accepted but least preferable.
434 SSL_SIGN_RSA_PKCS1_SHA1,
435
436 };
437
438 // kSignSignatureAlgorithms is the default list of supported signature
439 // algorithms for signing.
440 //
441 // For now, RSA-PSS signature algorithms are not enabled on Android's system
442 // BoringSSL. Once the change in Chrome has stuck and the values are finalized,
443 // restore them.
444 static const uint16_t kSignSignatureAlgorithms[] = {
445 // List our preferred algorithms first.
446 SSL_SIGN_ED25519,
447 SSL_SIGN_ECDSA_SECP256R1_SHA256,
448 SSL_SIGN_RSA_PSS_RSAE_SHA256,
449 SSL_SIGN_RSA_PKCS1_SHA256,
450
451 // If needed, sign larger hashes.
452 //
453 // TODO(davidben): Determine which of these may be pruned.
454 SSL_SIGN_ECDSA_SECP384R1_SHA384,
455 SSL_SIGN_RSA_PSS_RSAE_SHA384,
456 SSL_SIGN_RSA_PKCS1_SHA384,
457
458 SSL_SIGN_ECDSA_SECP521R1_SHA512,
459 SSL_SIGN_RSA_PSS_RSAE_SHA512,
460 SSL_SIGN_RSA_PKCS1_SHA512,
461
462 // If the peer supports nothing else, sign with SHA-1.
463 SSL_SIGN_ECDSA_SHA1,
464 SSL_SIGN_RSA_PKCS1_SHA1,
465 };
466
467 struct SSLSignatureAlgorithmList {
NextSSLSignatureAlgorithmList468 bool Next(uint16_t *out) {
469 while (!list.empty()) {
470 uint16_t sigalg = list[0];
471 list = list.subspan(1);
472 if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) {
473 continue;
474 }
475 if (skip_rsa_pss_rsae && SSL_is_signature_algorithm_rsa_pss(sigalg)) {
476 continue;
477 }
478 *out = sigalg;
479 return true;
480 }
481 return false;
482 }
483
operator ==SSLSignatureAlgorithmList484 bool operator==(const SSLSignatureAlgorithmList &other) const {
485 SSLSignatureAlgorithmList a = *this;
486 SSLSignatureAlgorithmList b = other;
487 uint16_t a_val, b_val;
488 while (a.Next(&a_val)) {
489 if (!b.Next(&b_val) ||
490 a_val != b_val) {
491 return false;
492 }
493 }
494 return !b.Next(&b_val);
495 }
496
operator !=SSLSignatureAlgorithmList497 bool operator!=(const SSLSignatureAlgorithmList &other) const {
498 return !(*this == other);
499 }
500
501 Span<const uint16_t> list;
502 bool skip_ed25519 = false;
503 bool skip_rsa_pss_rsae = false;
504 };
505
tls12_get_verify_sigalgs(const SSL * ssl,bool for_certs)506 static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl,
507 bool for_certs) {
508 SSLSignatureAlgorithmList ret;
509 if (!ssl->config->verify_sigalgs.empty()) {
510 ret.list = ssl->config->verify_sigalgs;
511 } else {
512 ret.list = kVerifySignatureAlgorithms;
513 ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
514 }
515 if (for_certs) {
516 ret.skip_rsa_pss_rsae = !ssl->ctx->rsa_pss_rsae_certs_enabled;
517 }
518 return ret;
519 }
520
tls12_add_verify_sigalgs(const SSL * ssl,CBB * out,bool for_certs)521 bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs) {
522 SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, for_certs);
523 uint16_t sigalg;
524 while (list.Next(&sigalg)) {
525 if (!CBB_add_u16(out, sigalg)) {
526 return false;
527 }
528 }
529 return true;
530 }
531
tls12_check_peer_sigalg(const SSL * ssl,uint8_t * out_alert,uint16_t sigalg)532 bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
533 uint16_t sigalg) {
534 SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, false);
535 uint16_t verify_sigalg;
536 while (list.Next(&verify_sigalg)) {
537 if (verify_sigalg == sigalg) {
538 return true;
539 }
540 }
541
542 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
543 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
544 return false;
545 }
546
tls12_has_different_verify_sigalgs_for_certs(const SSL * ssl)547 bool tls12_has_different_verify_sigalgs_for_certs(const SSL *ssl) {
548 return tls12_get_verify_sigalgs(ssl, true) !=
549 tls12_get_verify_sigalgs(ssl, false);
550 }
551
552 // tls_extension represents a TLS extension that is handled internally. The
553 // |init| function is called for each handshake, before any other functions of
554 // the extension. Then the add and parse callbacks are called as needed.
555 //
556 // The parse callbacks receive a |CBS| that contains the contents of the
557 // extension (i.e. not including the type and length bytes). If an extension is
558 // not received then the parse callbacks will be called with a NULL CBS so that
559 // they can do any processing needed to handle the absence of an extension.
560 //
561 // The add callbacks receive a |CBB| to which the extension can be appended but
562 // the function is responsible for appending the type and length bytes too.
563 //
564 // All callbacks return true for success and false for error. If a parse
565 // function returns zero then a fatal alert with value |*out_alert| will be
566 // sent. If |*out_alert| isn't set, then a |decode_error| alert will be sent.
567 struct tls_extension {
568 uint16_t value;
569 void (*init)(SSL_HANDSHAKE *hs);
570
571 bool (*add_clienthello)(SSL_HANDSHAKE *hs, CBB *out);
572 bool (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
573 CBS *contents);
574
575 bool (*parse_clienthello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
576 CBS *contents);
577 bool (*add_serverhello)(SSL_HANDSHAKE *hs, CBB *out);
578 };
579
forbid_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)580 static bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
581 CBS *contents) {
582 if (contents != NULL) {
583 // Servers MUST NOT send this extension.
584 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
585 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
586 return false;
587 }
588
589 return true;
590 }
591
ignore_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)592 static bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
593 CBS *contents) {
594 // This extension from the client is handled elsewhere.
595 return true;
596 }
597
dont_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)598 static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
599 return true;
600 }
601
602 // Server name indication (SNI).
603 //
604 // https://tools.ietf.org/html/rfc6066#section-3.
605
ext_sni_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)606 static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
607 SSL *const ssl = hs->ssl;
608 if (ssl->hostname == nullptr) {
609 return true;
610 }
611
612 CBB contents, server_name_list, name;
613 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
614 !CBB_add_u16_length_prefixed(out, &contents) ||
615 !CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
616 !CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
617 !CBB_add_u16_length_prefixed(&server_name_list, &name) ||
618 !CBB_add_bytes(&name, (const uint8_t *)ssl->hostname.get(),
619 strlen(ssl->hostname.get())) ||
620 !CBB_flush(out)) {
621 return false;
622 }
623
624 return true;
625 }
626
ext_sni_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)627 static bool ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
628 CBS *contents) {
629 // The server may acknowledge SNI with an empty extension. We check the syntax
630 // but otherwise ignore this signal.
631 return contents == NULL || CBS_len(contents) == 0;
632 }
633
ext_sni_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)634 static bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
635 CBS *contents) {
636 // SNI has already been parsed earlier in the handshake. See |extract_sni|.
637 return true;
638 }
639
ext_sni_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)640 static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
641 if (hs->ssl->s3->session_reused ||
642 !hs->should_ack_sni) {
643 return true;
644 }
645
646 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
647 !CBB_add_u16(out, 0 /* length */)) {
648 return false;
649 }
650
651 return true;
652 }
653
654
655 // Renegotiation indication.
656 //
657 // https://tools.ietf.org/html/rfc5746
658
ext_ri_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)659 static bool ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
660 SSL *const ssl = hs->ssl;
661 // Renegotiation indication is not necessary in TLS 1.3.
662 if (hs->min_version >= TLS1_3_VERSION) {
663 return true;
664 }
665
666 assert(ssl->s3->initial_handshake_complete ==
667 (ssl->s3->previous_client_finished_len != 0));
668
669 CBB contents, prev_finished;
670 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
671 !CBB_add_u16_length_prefixed(out, &contents) ||
672 !CBB_add_u8_length_prefixed(&contents, &prev_finished) ||
673 !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished,
674 ssl->s3->previous_client_finished_len) ||
675 !CBB_flush(out)) {
676 return false;
677 }
678
679 return true;
680 }
681
ext_ri_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)682 static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
683 CBS *contents) {
684 SSL *const ssl = hs->ssl;
685 if (contents != NULL && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
686 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
687 return false;
688 }
689
690 // Servers may not switch between omitting the extension and supporting it.
691 // See RFC 5746, sections 3.5 and 4.2.
692 if (ssl->s3->initial_handshake_complete &&
693 (contents != NULL) != ssl->s3->send_connection_binding) {
694 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
695 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
696 return false;
697 }
698
699 if (contents == NULL) {
700 // Strictly speaking, if we want to avoid an attack we should *always* see
701 // RI even on initial ServerHello because the client doesn't see any
702 // renegotiation during an attack. However this would mean we could not
703 // connect to any server which doesn't support RI.
704 //
705 // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in
706 // practical terms every client sets it so it's just assumed here.
707 return true;
708 }
709
710 const size_t expected_len = ssl->s3->previous_client_finished_len +
711 ssl->s3->previous_server_finished_len;
712
713 // Check for logic errors
714 assert(!expected_len || ssl->s3->previous_client_finished_len);
715 assert(!expected_len || ssl->s3->previous_server_finished_len);
716 assert(ssl->s3->initial_handshake_complete ==
717 (ssl->s3->previous_client_finished_len != 0));
718 assert(ssl->s3->initial_handshake_complete ==
719 (ssl->s3->previous_server_finished_len != 0));
720
721 // Parse out the extension contents.
722 CBS renegotiated_connection;
723 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
724 CBS_len(contents) != 0) {
725 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
726 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
727 return false;
728 }
729
730 // Check that the extension matches.
731 if (CBS_len(&renegotiated_connection) != expected_len) {
732 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
733 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
734 return false;
735 }
736
737 const uint8_t *d = CBS_data(&renegotiated_connection);
738 bool ok = CRYPTO_memcmp(d, ssl->s3->previous_client_finished,
739 ssl->s3->previous_client_finished_len) == 0;
740 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
741 ok = true;
742 #endif
743 if (!ok) {
744 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
745 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
746 return false;
747 }
748 d += ssl->s3->previous_client_finished_len;
749
750 ok = CRYPTO_memcmp(d, ssl->s3->previous_server_finished,
751 ssl->s3->previous_server_finished_len) == 0;
752 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
753 ok = true;
754 #endif
755 if (!ok) {
756 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
757 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
758 return false;
759 }
760 ssl->s3->send_connection_binding = true;
761
762 return true;
763 }
764
ext_ri_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)765 static bool ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
766 CBS *contents) {
767 SSL *const ssl = hs->ssl;
768 // Renegotiation isn't supported as a server so this function should never be
769 // called after the initial handshake.
770 assert(!ssl->s3->initial_handshake_complete);
771
772 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
773 return true;
774 }
775
776 if (contents == NULL) {
777 return true;
778 }
779
780 CBS renegotiated_connection;
781 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
782 CBS_len(contents) != 0) {
783 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
784 return false;
785 }
786
787 // Check that the extension matches. We do not support renegotiation as a
788 // server, so this must be empty.
789 if (CBS_len(&renegotiated_connection) != 0) {
790 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
791 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
792 return false;
793 }
794
795 ssl->s3->send_connection_binding = true;
796
797 return true;
798 }
799
ext_ri_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)800 static bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
801 SSL *const ssl = hs->ssl;
802 // Renegotiation isn't supported as a server so this function should never be
803 // called after the initial handshake.
804 assert(!ssl->s3->initial_handshake_complete);
805
806 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
807 return true;
808 }
809
810 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
811 !CBB_add_u16(out, 1 /* length */) ||
812 !CBB_add_u8(out, 0 /* empty renegotiation info */)) {
813 return false;
814 }
815
816 return true;
817 }
818
819
820 // Extended Master Secret.
821 //
822 // https://tools.ietf.org/html/rfc7627
823
ext_ems_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)824 static bool ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
825 // Extended master secret is not necessary in TLS 1.3.
826 if (hs->min_version >= TLS1_3_VERSION) {
827 return true;
828 }
829
830 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
831 !CBB_add_u16(out, 0 /* length */)) {
832 return false;
833 }
834
835 return true;
836 }
837
ext_ems_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)838 static bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
839 CBS *contents) {
840 SSL *const ssl = hs->ssl;
841
842 if (contents != NULL) {
843 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
844 CBS_len(contents) != 0) {
845 return false;
846 }
847
848 hs->extended_master_secret = true;
849 }
850
851 // Whether EMS is negotiated may not change on renegotiation.
852 if (ssl->s3->established_session != nullptr &&
853 hs->extended_master_secret !=
854 !!ssl->s3->established_session->extended_master_secret) {
855 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH);
856 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
857 return false;
858 }
859
860 return true;
861 }
862
ext_ems_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)863 static bool ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
864 CBS *contents) {
865 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
866 return true;
867 }
868
869 if (contents == NULL) {
870 return true;
871 }
872
873 if (CBS_len(contents) != 0) {
874 return false;
875 }
876
877 hs->extended_master_secret = true;
878 return true;
879 }
880
ext_ems_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)881 static bool ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
882 if (!hs->extended_master_secret) {
883 return true;
884 }
885
886 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
887 !CBB_add_u16(out, 0 /* length */)) {
888 return false;
889 }
890
891 return true;
892 }
893
894
895 // Session tickets.
896 //
897 // https://tools.ietf.org/html/rfc5077
898
ext_ticket_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)899 static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
900 SSL *const ssl = hs->ssl;
901 // TLS 1.3 uses a different ticket extension.
902 if (hs->min_version >= TLS1_3_VERSION ||
903 SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
904 return true;
905 }
906
907 Span<const uint8_t> ticket;
908
909 // Renegotiation does not participate in session resumption. However, still
910 // advertise the extension to avoid potentially breaking servers which carry
911 // over the state from the previous handshake, such as OpenSSL servers
912 // without upstream's 3c3f0259238594d77264a78944d409f2127642c4.
913 if (!ssl->s3->initial_handshake_complete &&
914 ssl->session != nullptr &&
915 !ssl->session->ticket.empty() &&
916 // Don't send TLS 1.3 session tickets in the ticket extension.
917 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
918 ticket = ssl->session->ticket;
919 }
920
921 CBB ticket_cbb;
922 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
923 !CBB_add_u16_length_prefixed(out, &ticket_cbb) ||
924 !CBB_add_bytes(&ticket_cbb, ticket.data(), ticket.size()) ||
925 !CBB_flush(out)) {
926 return false;
927 }
928
929 return true;
930 }
931
ext_ticket_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)932 static bool ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
933 CBS *contents) {
934 SSL *const ssl = hs->ssl;
935 if (contents == NULL) {
936 return true;
937 }
938
939 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
940 return false;
941 }
942
943 // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
944 // this function should never be called, even if the server tries to send the
945 // extension.
946 assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);
947
948 if (CBS_len(contents) != 0) {
949 return false;
950 }
951
952 hs->ticket_expected = true;
953 return true;
954 }
955
ext_ticket_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)956 static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
957 if (!hs->ticket_expected) {
958 return true;
959 }
960
961 // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true.
962 assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0);
963
964 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
965 !CBB_add_u16(out, 0 /* length */)) {
966 return false;
967 }
968
969 return true;
970 }
971
972
973 // Signature Algorithms.
974 //
975 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
976
ext_sigalgs_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)977 static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
978 SSL *const ssl = hs->ssl;
979 if (hs->max_version < TLS1_2_VERSION) {
980 return true;
981 }
982
983 // Prior to TLS 1.3, there was no way to signal different signature algorithm
984 // preferences between the online signature and certificates. If we do not
985 // send the signature_algorithms_cert extension, use the potentially more
986 // restrictive certificate list.
987 //
988 // TODO(davidben): When TLS 1.3 is finalized, we can likely remove the TLS 1.3
989 // check both here and in signature_algorithms_cert. |hs->max_version| is not
990 // the negotiated version. Rather the expectation is that any server consuming
991 // signature algorithms added in TLS 1.3 will also know to look at
992 // signature_algorithms_cert. For now, TLS 1.3 is not quite yet final and it
993 // seems prudent to condition this new extension on it.
994 bool for_certs = hs->max_version < TLS1_3_VERSION;
995 CBB contents, sigalgs_cbb;
996 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
997 !CBB_add_u16_length_prefixed(out, &contents) ||
998 !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
999 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, for_certs) ||
1000 !CBB_flush(out)) {
1001 return false;
1002 }
1003
1004 return true;
1005 }
1006
ext_sigalgs_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1007 static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1008 CBS *contents) {
1009 hs->peer_sigalgs.Reset();
1010 if (contents == NULL) {
1011 return true;
1012 }
1013
1014 CBS supported_signature_algorithms;
1015 if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) ||
1016 CBS_len(contents) != 0 ||
1017 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
1018 return false;
1019 }
1020
1021 return true;
1022 }
1023
1024
1025 // Signature Algorithms for Certificates.
1026 //
1027 // https://tools.ietf.org/html/rfc8446#section-4.2.3
1028
ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1029 static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1030 SSL *const ssl = hs->ssl;
1031 // If this extension is omitted, it defaults to the signature_algorithms
1032 // extension, so only emit it if the list is different.
1033 //
1034 // This extension is also new in TLS 1.3, so omit it if TLS 1.3 is disabled.
1035 // There is a corresponding version check in |ext_sigalgs_add_clienthello|.
1036 if (hs->max_version < TLS1_3_VERSION ||
1037 !tls12_has_different_verify_sigalgs_for_certs(ssl)) {
1038 return true;
1039 }
1040
1041 CBB contents, sigalgs_cbb;
1042 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms_cert) ||
1043 !CBB_add_u16_length_prefixed(out, &contents) ||
1044 !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
1045 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */) ||
1046 !CBB_flush(out)) {
1047 return false;
1048 }
1049
1050 return true;
1051 }
1052
1053
1054 // OCSP Stapling.
1055 //
1056 // https://tools.ietf.org/html/rfc6066#section-8
1057
ext_ocsp_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1058 static bool ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1059 if (!hs->config->ocsp_stapling_enabled) {
1060 return true;
1061 }
1062
1063 CBB contents;
1064 if (!CBB_add_u16(out, TLSEXT_TYPE_status_request) ||
1065 !CBB_add_u16_length_prefixed(out, &contents) ||
1066 !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
1067 !CBB_add_u16(&contents, 0 /* empty responder ID list */) ||
1068 !CBB_add_u16(&contents, 0 /* empty request extensions */) ||
1069 !CBB_flush(out)) {
1070 return false;
1071 }
1072
1073 return true;
1074 }
1075
ext_ocsp_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1076 static bool ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1077 CBS *contents) {
1078 SSL *const ssl = hs->ssl;
1079 if (contents == NULL) {
1080 return true;
1081 }
1082
1083 // TLS 1.3 OCSP responses are included in the Certificate extensions.
1084 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1085 return false;
1086 }
1087
1088 // OCSP stapling is forbidden on non-certificate ciphers.
1089 if (CBS_len(contents) != 0 ||
1090 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1091 return false;
1092 }
1093
1094 // Note this does not check for resumption in TLS 1.2. Sending
1095 // status_request here does not make sense, but OpenSSL does so and the
1096 // specification does not say anything. Tolerate it but ignore it.
1097
1098 hs->certificate_status_expected = true;
1099 return true;
1100 }
1101
ext_ocsp_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1102 static bool ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1103 CBS *contents) {
1104 if (contents == NULL) {
1105 return true;
1106 }
1107
1108 uint8_t status_type;
1109 if (!CBS_get_u8(contents, &status_type)) {
1110 return false;
1111 }
1112
1113 // We cannot decide whether OCSP stapling will occur yet because the correct
1114 // SSL_CTX might not have been selected.
1115 hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
1116
1117 return true;
1118 }
1119
ext_ocsp_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1120 static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1121 SSL *const ssl = hs->ssl;
1122 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
1123 !hs->ocsp_stapling_requested || hs->config->cert->ocsp_response == NULL ||
1124 ssl->s3->session_reused ||
1125 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1126 return true;
1127 }
1128
1129 hs->certificate_status_expected = true;
1130
1131 return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
1132 CBB_add_u16(out, 0 /* length */);
1133 }
1134
1135
1136 // Next protocol negotiation.
1137 //
1138 // https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html
1139
ext_npn_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1140 static bool ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1141 SSL *const ssl = hs->ssl;
1142 if (ssl->s3->initial_handshake_complete ||
1143 ssl->ctx->next_proto_select_cb == NULL ||
1144 SSL_is_dtls(ssl)) {
1145 return true;
1146 }
1147
1148 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1149 !CBB_add_u16(out, 0 /* length */)) {
1150 return false;
1151 }
1152
1153 return true;
1154 }
1155
ext_npn_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1156 static bool ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1157 CBS *contents) {
1158 SSL *const ssl = hs->ssl;
1159 if (contents == NULL) {
1160 return true;
1161 }
1162
1163 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1164 return false;
1165 }
1166
1167 // If any of these are false then we should never have sent the NPN
1168 // extension in the ClientHello and thus this function should never have been
1169 // called.
1170 assert(!ssl->s3->initial_handshake_complete);
1171 assert(!SSL_is_dtls(ssl));
1172 assert(ssl->ctx->next_proto_select_cb != NULL);
1173
1174 if (!ssl->s3->alpn_selected.empty()) {
1175 // NPN and ALPN may not be negotiated in the same connection.
1176 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1177 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1178 return false;
1179 }
1180
1181 const uint8_t *const orig_contents = CBS_data(contents);
1182 const size_t orig_len = CBS_len(contents);
1183
1184 while (CBS_len(contents) != 0) {
1185 CBS proto;
1186 if (!CBS_get_u8_length_prefixed(contents, &proto) ||
1187 CBS_len(&proto) == 0) {
1188 return false;
1189 }
1190 }
1191
1192 uint8_t *selected;
1193 uint8_t selected_len;
1194 if (ssl->ctx->next_proto_select_cb(
1195 ssl, &selected, &selected_len, orig_contents, orig_len,
1196 ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK ||
1197 !ssl->s3->next_proto_negotiated.CopyFrom(
1198 MakeConstSpan(selected, selected_len))) {
1199 *out_alert = SSL_AD_INTERNAL_ERROR;
1200 return false;
1201 }
1202
1203 hs->next_proto_neg_seen = true;
1204 return true;
1205 }
1206
ext_npn_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1207 static bool ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1208 CBS *contents) {
1209 SSL *const ssl = hs->ssl;
1210 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1211 return true;
1212 }
1213
1214 if (contents != NULL && CBS_len(contents) != 0) {
1215 return false;
1216 }
1217
1218 if (contents == NULL ||
1219 ssl->s3->initial_handshake_complete ||
1220 ssl->ctx->next_protos_advertised_cb == NULL ||
1221 SSL_is_dtls(ssl)) {
1222 return true;
1223 }
1224
1225 hs->next_proto_neg_seen = true;
1226 return true;
1227 }
1228
ext_npn_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1229 static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1230 SSL *const ssl = hs->ssl;
1231 // |next_proto_neg_seen| might have been cleared when an ALPN extension was
1232 // parsed.
1233 if (!hs->next_proto_neg_seen) {
1234 return true;
1235 }
1236
1237 const uint8_t *npa;
1238 unsigned npa_len;
1239
1240 if (ssl->ctx->next_protos_advertised_cb(
1241 ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) !=
1242 SSL_TLSEXT_ERR_OK) {
1243 hs->next_proto_neg_seen = false;
1244 return true;
1245 }
1246
1247 CBB contents;
1248 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1249 !CBB_add_u16_length_prefixed(out, &contents) ||
1250 !CBB_add_bytes(&contents, npa, npa_len) ||
1251 !CBB_flush(out)) {
1252 return false;
1253 }
1254
1255 return true;
1256 }
1257
1258
1259 // Signed certificate timestamps.
1260 //
1261 // https://tools.ietf.org/html/rfc6962#section-3.3.1
1262
ext_sct_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1263 static bool ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1264 if (!hs->config->signed_cert_timestamps_enabled) {
1265 return true;
1266 }
1267
1268 if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) ||
1269 !CBB_add_u16(out, 0 /* length */)) {
1270 return false;
1271 }
1272
1273 return true;
1274 }
1275
ext_sct_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1276 static bool ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1277 CBS *contents) {
1278 SSL *const ssl = hs->ssl;
1279 if (contents == NULL) {
1280 return true;
1281 }
1282
1283 // TLS 1.3 SCTs are included in the Certificate extensions.
1284 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1285 *out_alert = SSL_AD_DECODE_ERROR;
1286 return false;
1287 }
1288
1289 // If this is false then we should never have sent the SCT extension in the
1290 // ClientHello and thus this function should never have been called.
1291 assert(hs->config->signed_cert_timestamps_enabled);
1292
1293 if (!ssl_is_sct_list_valid(contents)) {
1294 *out_alert = SSL_AD_DECODE_ERROR;
1295 return false;
1296 }
1297
1298 // Session resumption uses the original session information. The extension
1299 // should not be sent on resumption, but RFC 6962 did not make it a
1300 // requirement, so tolerate this.
1301 //
1302 // TODO(davidben): Enforce this anyway.
1303 if (!ssl->s3->session_reused) {
1304 hs->new_session->signed_cert_timestamp_list.reset(
1305 CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool));
1306 if (hs->new_session->signed_cert_timestamp_list == nullptr) {
1307 *out_alert = SSL_AD_INTERNAL_ERROR;
1308 return false;
1309 }
1310 }
1311
1312 return true;
1313 }
1314
ext_sct_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1315 static bool ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1316 CBS *contents) {
1317 if (contents == NULL) {
1318 return true;
1319 }
1320
1321 if (CBS_len(contents) != 0) {
1322 return false;
1323 }
1324
1325 hs->scts_requested = true;
1326 return true;
1327 }
1328
ext_sct_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1329 static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1330 SSL *const ssl = hs->ssl;
1331 // The extension shouldn't be sent when resuming sessions.
1332 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || ssl->s3->session_reused ||
1333 hs->config->cert->signed_cert_timestamp_list == NULL) {
1334 return true;
1335 }
1336
1337 CBB contents;
1338 return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) &&
1339 CBB_add_u16_length_prefixed(out, &contents) &&
1340 CBB_add_bytes(
1341 &contents,
1342 CRYPTO_BUFFER_data(
1343 hs->config->cert->signed_cert_timestamp_list.get()),
1344 CRYPTO_BUFFER_len(
1345 hs->config->cert->signed_cert_timestamp_list.get())) &&
1346 CBB_flush(out);
1347 }
1348
1349
1350 // Application-level Protocol Negotiation.
1351 //
1352 // https://tools.ietf.org/html/rfc7301
1353
ext_alpn_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1354 static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1355 SSL *const ssl = hs->ssl;
1356 if (hs->config->alpn_client_proto_list.empty() ||
1357 ssl->s3->initial_handshake_complete) {
1358 return true;
1359 }
1360
1361 CBB contents, proto_list;
1362 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1363 !CBB_add_u16_length_prefixed(out, &contents) ||
1364 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1365 !CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(),
1366 hs->config->alpn_client_proto_list.size()) ||
1367 !CBB_flush(out)) {
1368 return false;
1369 }
1370
1371 return true;
1372 }
1373
ext_alpn_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1374 static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1375 CBS *contents) {
1376 SSL *const ssl = hs->ssl;
1377 if (contents == NULL) {
1378 return true;
1379 }
1380
1381 assert(!ssl->s3->initial_handshake_complete);
1382 assert(!hs->config->alpn_client_proto_list.empty());
1383
1384 if (hs->next_proto_neg_seen) {
1385 // NPN and ALPN may not be negotiated in the same connection.
1386 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1387 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1388 return false;
1389 }
1390
1391 // The extension data consists of a ProtocolNameList which must have
1392 // exactly one ProtocolName. Each of these is length-prefixed.
1393 CBS protocol_name_list, protocol_name;
1394 if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
1395 CBS_len(contents) != 0 ||
1396 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
1397 // Empty protocol names are forbidden.
1398 CBS_len(&protocol_name) == 0 ||
1399 CBS_len(&protocol_name_list) != 0) {
1400 return false;
1401 }
1402
1403 if (!ssl_is_alpn_protocol_allowed(hs, protocol_name)) {
1404 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1405 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1406 return false;
1407 }
1408
1409 if (!ssl->s3->alpn_selected.CopyFrom(protocol_name)) {
1410 *out_alert = SSL_AD_INTERNAL_ERROR;
1411 return false;
1412 }
1413
1414 return true;
1415 }
1416
ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE * hs,Span<const uint8_t> protocol)1417 bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
1418 Span<const uint8_t> protocol) {
1419 if (hs->config->alpn_client_proto_list.empty()) {
1420 return false;
1421 }
1422
1423 if (hs->ssl->ctx->allow_unknown_alpn_protos) {
1424 return true;
1425 }
1426
1427 // Check that the protocol name is one of the ones we advertised.
1428 CBS client_protocol_name_list =
1429 MakeConstSpan(hs->config->alpn_client_proto_list),
1430 client_protocol_name;
1431 while (CBS_len(&client_protocol_name_list) > 0) {
1432 if (!CBS_get_u8_length_prefixed(&client_protocol_name_list,
1433 &client_protocol_name)) {
1434 return false;
1435 }
1436
1437 if (client_protocol_name == protocol) {
1438 return true;
1439 }
1440 }
1441
1442 return false;
1443 }
1444
ssl_negotiate_alpn(SSL_HANDSHAKE * hs,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello)1445 bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1446 const SSL_CLIENT_HELLO *client_hello) {
1447 SSL *const ssl = hs->ssl;
1448 CBS contents;
1449 if (ssl->ctx->alpn_select_cb == NULL ||
1450 !ssl_client_hello_get_extension(
1451 client_hello, &contents,
1452 TLSEXT_TYPE_application_layer_protocol_negotiation)) {
1453 // Ignore ALPN if not configured or no extension was supplied.
1454 return true;
1455 }
1456
1457 // ALPN takes precedence over NPN.
1458 hs->next_proto_neg_seen = false;
1459
1460 CBS protocol_name_list;
1461 if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
1462 CBS_len(&contents) != 0 ||
1463 CBS_len(&protocol_name_list) < 2) {
1464 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1465 *out_alert = SSL_AD_DECODE_ERROR;
1466 return false;
1467 }
1468
1469 // Validate the protocol list.
1470 CBS protocol_name_list_copy = protocol_name_list;
1471 while (CBS_len(&protocol_name_list_copy) > 0) {
1472 CBS protocol_name;
1473
1474 if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
1475 // Empty protocol names are forbidden.
1476 CBS_len(&protocol_name) == 0) {
1477 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1478 *out_alert = SSL_AD_DECODE_ERROR;
1479 return false;
1480 }
1481 }
1482
1483 const uint8_t *selected;
1484 uint8_t selected_len;
1485 if (ssl->ctx->alpn_select_cb(
1486 ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
1487 CBS_len(&protocol_name_list),
1488 ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) {
1489 if (selected_len == 0) {
1490 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1491 *out_alert = SSL_AD_INTERNAL_ERROR;
1492 return false;
1493 }
1494 if (!ssl->s3->alpn_selected.CopyFrom(
1495 MakeConstSpan(selected, selected_len))) {
1496 *out_alert = SSL_AD_INTERNAL_ERROR;
1497 return false;
1498 }
1499 }
1500
1501 return true;
1502 }
1503
ext_alpn_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1504 static bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1505 SSL *const ssl = hs->ssl;
1506 if (ssl->s3->alpn_selected.empty()) {
1507 return true;
1508 }
1509
1510 CBB contents, proto_list, proto;
1511 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1512 !CBB_add_u16_length_prefixed(out, &contents) ||
1513 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1514 !CBB_add_u8_length_prefixed(&proto_list, &proto) ||
1515 !CBB_add_bytes(&proto, ssl->s3->alpn_selected.data(),
1516 ssl->s3->alpn_selected.size()) ||
1517 !CBB_flush(out)) {
1518 return false;
1519 }
1520
1521 return true;
1522 }
1523
1524
1525 // Channel ID.
1526 //
1527 // https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1528
ext_channel_id_init(SSL_HANDSHAKE * hs)1529 static void ext_channel_id_init(SSL_HANDSHAKE *hs) {
1530 hs->ssl->s3->channel_id_valid = false;
1531 }
1532
ext_channel_id_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1533 static bool ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1534 SSL *const ssl = hs->ssl;
1535 if (!hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {
1536 return true;
1537 }
1538
1539 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1540 !CBB_add_u16(out, 0 /* length */)) {
1541 return false;
1542 }
1543
1544 return true;
1545 }
1546
ext_channel_id_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1547 static bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,
1548 uint8_t *out_alert,
1549 CBS *contents) {
1550 SSL *const ssl = hs->ssl;
1551 if (contents == NULL) {
1552 return true;
1553 }
1554
1555 assert(!SSL_is_dtls(ssl));
1556 assert(hs->config->channel_id_enabled);
1557
1558 if (CBS_len(contents) != 0) {
1559 return false;
1560 }
1561
1562 ssl->s3->channel_id_valid = true;
1563 return true;
1564 }
1565
ext_channel_id_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1566 static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
1567 uint8_t *out_alert,
1568 CBS *contents) {
1569 SSL *const ssl = hs->ssl;
1570 if (contents == NULL || !hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {
1571 return true;
1572 }
1573
1574 if (CBS_len(contents) != 0) {
1575 return false;
1576 }
1577
1578 ssl->s3->channel_id_valid = true;
1579 return true;
1580 }
1581
ext_channel_id_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1582 static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1583 SSL *const ssl = hs->ssl;
1584 if (!ssl->s3->channel_id_valid) {
1585 return true;
1586 }
1587
1588 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1589 !CBB_add_u16(out, 0 /* length */)) {
1590 return false;
1591 }
1592
1593 return true;
1594 }
1595
1596
1597 // Secure Real-time Transport Protocol (SRTP) extension.
1598 //
1599 // https://tools.ietf.org/html/rfc5764
1600
1601
ext_srtp_init(SSL_HANDSHAKE * hs)1602 static void ext_srtp_init(SSL_HANDSHAKE *hs) {
1603 hs->ssl->s3->srtp_profile = NULL;
1604 }
1605
ext_srtp_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1606 static bool ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1607 SSL *const ssl = hs->ssl;
1608 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1609 if (profiles == NULL ||
1610 sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0) {
1611 return true;
1612 }
1613
1614 CBB contents, profile_ids;
1615 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1616 !CBB_add_u16_length_prefixed(out, &contents) ||
1617 !CBB_add_u16_length_prefixed(&contents, &profile_ids)) {
1618 return false;
1619 }
1620
1621 for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1622 if (!CBB_add_u16(&profile_ids, profile->id)) {
1623 return false;
1624 }
1625 }
1626
1627 if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) ||
1628 !CBB_flush(out)) {
1629 return false;
1630 }
1631
1632 return true;
1633 }
1634
ext_srtp_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1635 static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1636 CBS *contents) {
1637 SSL *const ssl = hs->ssl;
1638 if (contents == NULL) {
1639 return true;
1640 }
1641
1642 // The extension consists of a u16-prefixed profile ID list containing a
1643 // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
1644 //
1645 // See https://tools.ietf.org/html/rfc5764#section-4.1.1
1646 CBS profile_ids, srtp_mki;
1647 uint16_t profile_id;
1648 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1649 !CBS_get_u16(&profile_ids, &profile_id) ||
1650 CBS_len(&profile_ids) != 0 ||
1651 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1652 CBS_len(contents) != 0) {
1653 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1654 return false;
1655 }
1656
1657 if (CBS_len(&srtp_mki) != 0) {
1658 // Must be no MKI, since we never offer one.
1659 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);
1660 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1661 return false;
1662 }
1663
1664 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1665
1666 // Check to see if the server gave us something we support (and presumably
1667 // offered).
1668 for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1669 if (profile->id == profile_id) {
1670 ssl->s3->srtp_profile = profile;
1671 return true;
1672 }
1673 }
1674
1675 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1676 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1677 return false;
1678 }
1679
ext_srtp_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1680 static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1681 CBS *contents) {
1682 SSL *const ssl = hs->ssl;
1683 if (contents == NULL) {
1684 return true;
1685 }
1686
1687 CBS profile_ids, srtp_mki;
1688 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1689 CBS_len(&profile_ids) < 2 ||
1690 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1691 CBS_len(contents) != 0) {
1692 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1693 return false;
1694 }
1695 // Discard the MKI value for now.
1696
1697 const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =
1698 SSL_get_srtp_profiles(ssl);
1699
1700 // Pick the server's most preferred profile.
1701 for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) {
1702 CBS profile_ids_tmp;
1703 CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids));
1704
1705 while (CBS_len(&profile_ids_tmp) > 0) {
1706 uint16_t profile_id;
1707 if (!CBS_get_u16(&profile_ids_tmp, &profile_id)) {
1708 return false;
1709 }
1710
1711 if (server_profile->id == profile_id) {
1712 ssl->s3->srtp_profile = server_profile;
1713 return true;
1714 }
1715 }
1716 }
1717
1718 return true;
1719 }
1720
ext_srtp_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1721 static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1722 SSL *const ssl = hs->ssl;
1723 if (ssl->s3->srtp_profile == NULL) {
1724 return true;
1725 }
1726
1727 CBB contents, profile_ids;
1728 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1729 !CBB_add_u16_length_prefixed(out, &contents) ||
1730 !CBB_add_u16_length_prefixed(&contents, &profile_ids) ||
1731 !CBB_add_u16(&profile_ids, ssl->s3->srtp_profile->id) ||
1732 !CBB_add_u8(&contents, 0 /* empty MKI */) ||
1733 !CBB_flush(out)) {
1734 return false;
1735 }
1736
1737 return true;
1738 }
1739
1740
1741 // EC point formats.
1742 //
1743 // https://tools.ietf.org/html/rfc4492#section-5.1.2
1744
ext_ec_point_add_extension(SSL_HANDSHAKE * hs,CBB * out)1745 static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
1746 CBB contents, formats;
1747 if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) ||
1748 !CBB_add_u16_length_prefixed(out, &contents) ||
1749 !CBB_add_u8_length_prefixed(&contents, &formats) ||
1750 !CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) ||
1751 !CBB_flush(out)) {
1752 return false;
1753 }
1754
1755 return true;
1756 }
1757
ext_ec_point_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1758 static bool ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1759 // The point format extension is unnecessary in TLS 1.3.
1760 if (hs->min_version >= TLS1_3_VERSION) {
1761 return true;
1762 }
1763
1764 return ext_ec_point_add_extension(hs, out);
1765 }
1766
ext_ec_point_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1767 static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1768 CBS *contents) {
1769 if (contents == NULL) {
1770 return true;
1771 }
1772
1773 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1774 return false;
1775 }
1776
1777 CBS ec_point_format_list;
1778 if (!CBS_get_u8_length_prefixed(contents, &ec_point_format_list) ||
1779 CBS_len(contents) != 0) {
1780 return false;
1781 }
1782
1783 // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
1784 // point format.
1785 if (OPENSSL_memchr(CBS_data(&ec_point_format_list),
1786 TLSEXT_ECPOINTFORMAT_uncompressed,
1787 CBS_len(&ec_point_format_list)) == NULL) {
1788 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1789 return false;
1790 }
1791
1792 return true;
1793 }
1794
ext_ec_point_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1795 static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1796 CBS *contents) {
1797 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1798 return true;
1799 }
1800
1801 return ext_ec_point_parse_serverhello(hs, out_alert, contents);
1802 }
1803
ext_ec_point_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1804 static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1805 SSL *const ssl = hs->ssl;
1806 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1807 return true;
1808 }
1809
1810 const uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1811 const uint32_t alg_a = hs->new_cipher->algorithm_auth;
1812 const bool using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1813
1814 if (!using_ecc) {
1815 return true;
1816 }
1817
1818 return ext_ec_point_add_extension(hs, out);
1819 }
1820
1821
1822 // Pre Shared Key
1823 //
1824 // https://tools.ietf.org/html/rfc8446#section-4.2.11
1825
ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE * hs)1826 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
1827 SSL *const ssl = hs->ssl;
1828 if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
1829 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
1830 return 0;
1831 }
1832
1833 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
1834 return 15 + ssl->session->ticket.size() + binder_len;
1835 }
1836
ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1837 static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1838 SSL *const ssl = hs->ssl;
1839 hs->needs_psk_binder = false;
1840 if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
1841 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
1842 return true;
1843 }
1844
1845 // Per RFC 8446 section 4.1.4, skip offering the session if the selected
1846 // cipher in HelloRetryRequest does not match. This avoids performing the
1847 // transcript hash transformation for multiple hashes.
1848 if (hs->received_hello_retry_request &&
1849 ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
1850 return true;
1851 }
1852
1853 struct OPENSSL_timeval now;
1854 ssl_get_current_time(ssl, &now);
1855 uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time);
1856 uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add;
1857
1858 // Fill in a placeholder zero binder of the appropriate length. It will be
1859 // computed and filled in later after length prefixes are computed.
1860 uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
1861 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
1862
1863 CBB contents, identity, ticket, binders, binder;
1864 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1865 !CBB_add_u16_length_prefixed(out, &contents) ||
1866 !CBB_add_u16_length_prefixed(&contents, &identity) ||
1867 !CBB_add_u16_length_prefixed(&identity, &ticket) ||
1868 !CBB_add_bytes(&ticket, ssl->session->ticket.data(),
1869 ssl->session->ticket.size()) ||
1870 !CBB_add_u32(&identity, obfuscated_ticket_age) ||
1871 !CBB_add_u16_length_prefixed(&contents, &binders) ||
1872 !CBB_add_u8_length_prefixed(&binders, &binder) ||
1873 !CBB_add_bytes(&binder, zero_binder, binder_len)) {
1874 return false;
1875 }
1876
1877 hs->needs_psk_binder = true;
1878 return CBB_flush(out);
1879 }
1880
ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1881 bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
1882 uint8_t *out_alert,
1883 CBS *contents) {
1884 uint16_t psk_id;
1885 if (!CBS_get_u16(contents, &psk_id) ||
1886 CBS_len(contents) != 0) {
1887 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1888 *out_alert = SSL_AD_DECODE_ERROR;
1889 return false;
1890 }
1891
1892 // We only advertise one PSK identity, so the only legal index is zero.
1893 if (psk_id != 0) {
1894 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1895 *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY;
1896 return false;
1897 }
1898
1899 return true;
1900 }
1901
ssl_ext_pre_shared_key_parse_clienthello(SSL_HANDSHAKE * hs,CBS * out_ticket,CBS * out_binders,uint32_t * out_obfuscated_ticket_age,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello,CBS * contents)1902 bool ssl_ext_pre_shared_key_parse_clienthello(
1903 SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,
1904 uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert,
1905 const SSL_CLIENT_HELLO *client_hello, CBS *contents) {
1906 // Verify that the pre_shared_key extension is the last extension in
1907 // ClientHello.
1908 if (CBS_data(contents) + CBS_len(contents) !=
1909 client_hello->extensions + client_hello->extensions_len) {
1910 OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
1911 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1912 return false;
1913 }
1914
1915 // We only process the first PSK identity since we don't support pure PSK.
1916 CBS identities, binders;
1917 if (!CBS_get_u16_length_prefixed(contents, &identities) ||
1918 !CBS_get_u16_length_prefixed(&identities, out_ticket) ||
1919 !CBS_get_u32(&identities, out_obfuscated_ticket_age) ||
1920 !CBS_get_u16_length_prefixed(contents, &binders) ||
1921 CBS_len(&binders) == 0 ||
1922 CBS_len(contents) != 0) {
1923 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1924 *out_alert = SSL_AD_DECODE_ERROR;
1925 return false;
1926 }
1927
1928 *out_binders = binders;
1929
1930 // Check the syntax of the remaining identities, but do not process them.
1931 size_t num_identities = 1;
1932 while (CBS_len(&identities) != 0) {
1933 CBS unused_ticket;
1934 uint32_t unused_obfuscated_ticket_age;
1935 if (!CBS_get_u16_length_prefixed(&identities, &unused_ticket) ||
1936 !CBS_get_u32(&identities, &unused_obfuscated_ticket_age)) {
1937 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1938 *out_alert = SSL_AD_DECODE_ERROR;
1939 return false;
1940 }
1941
1942 num_identities++;
1943 }
1944
1945 // Check the syntax of the binders. The value will be checked later if
1946 // resuming.
1947 size_t num_binders = 0;
1948 while (CBS_len(&binders) != 0) {
1949 CBS binder;
1950 if (!CBS_get_u8_length_prefixed(&binders, &binder)) {
1951 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1952 *out_alert = SSL_AD_DECODE_ERROR;
1953 return false;
1954 }
1955
1956 num_binders++;
1957 }
1958
1959 if (num_identities != num_binders) {
1960 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH);
1961 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1962 return false;
1963 }
1964
1965 return true;
1966 }
1967
ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1968 bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1969 if (!hs->ssl->s3->session_reused) {
1970 return true;
1971 }
1972
1973 CBB contents;
1974 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1975 !CBB_add_u16_length_prefixed(out, &contents) ||
1976 // We only consider the first identity for resumption
1977 !CBB_add_u16(&contents, 0) ||
1978 !CBB_flush(out)) {
1979 return false;
1980 }
1981
1982 return true;
1983 }
1984
1985
1986 // Pre-Shared Key Exchange Modes
1987 //
1988 // https://tools.ietf.org/html/rfc8446#section-4.2.9
1989
ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1990 static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
1991 CBB *out) {
1992 if (hs->max_version < TLS1_3_VERSION) {
1993 return true;
1994 }
1995
1996 CBB contents, ke_modes;
1997 if (!CBB_add_u16(out, TLSEXT_TYPE_psk_key_exchange_modes) ||
1998 !CBB_add_u16_length_prefixed(out, &contents) ||
1999 !CBB_add_u8_length_prefixed(&contents, &ke_modes) ||
2000 !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) {
2001 return false;
2002 }
2003
2004 return CBB_flush(out);
2005 }
2006
ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2007 static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
2008 uint8_t *out_alert,
2009 CBS *contents) {
2010 if (contents == NULL) {
2011 return true;
2012 }
2013
2014 CBS ke_modes;
2015 if (!CBS_get_u8_length_prefixed(contents, &ke_modes) ||
2016 CBS_len(&ke_modes) == 0 ||
2017 CBS_len(contents) != 0) {
2018 *out_alert = SSL_AD_DECODE_ERROR;
2019 return false;
2020 }
2021
2022 // We only support tickets with PSK_DHE_KE.
2023 hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE,
2024 CBS_len(&ke_modes)) != NULL;
2025
2026 return true;
2027 }
2028
2029
2030 // Early Data Indication
2031 //
2032 // https://tools.ietf.org/html/rfc8446#section-4.2.10
2033
ext_early_data_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2034 static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2035 SSL *const ssl = hs->ssl;
2036 // The second ClientHello never offers early data, and we must have already
2037 // filled in |early_data_reason| by this point.
2038 if (hs->received_hello_retry_request) {
2039 assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
2040 return true;
2041 }
2042
2043 if (!ssl->enable_early_data) {
2044 ssl->s3->early_data_reason = ssl_early_data_disabled;
2045 return true;
2046 }
2047
2048 if (hs->max_version < TLS1_3_VERSION) {
2049 // We discard inapplicable sessions, so this is redundant with the session
2050 // checks below, but we check give a more useful reason.
2051 ssl->s3->early_data_reason = ssl_early_data_protocol_version;
2052 return true;
2053 }
2054
2055 if (ssl->session == nullptr) {
2056 ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
2057 return true;
2058 }
2059
2060 if (ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
2061 ssl->session->ticket_max_early_data == 0) {
2062 ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
2063 return true;
2064 }
2065
2066 // In case ALPN preferences changed since this session was established, avoid
2067 // reporting a confusing value in |SSL_get0_alpn_selected| and sending early
2068 // data we know will be rejected.
2069 if (!ssl->session->early_alpn.empty() &&
2070 !ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn)) {
2071 ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;
2072 return true;
2073 }
2074
2075 // |early_data_reason| will be filled in later when the server responds.
2076 hs->early_data_offered = true;
2077
2078 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2079 !CBB_add_u16(out, 0) ||
2080 !CBB_flush(out)) {
2081 return false;
2082 }
2083
2084 return true;
2085 }
2086
ext_early_data_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2087 static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
2088 uint8_t *out_alert,
2089 CBS *contents) {
2090 SSL *const ssl = hs->ssl;
2091 if (contents == NULL) {
2092 if (hs->early_data_offered && !hs->received_hello_retry_request) {
2093 ssl->s3->early_data_reason = ssl->s3->session_reused
2094 ? ssl_early_data_peer_declined
2095 : ssl_early_data_session_not_resumed;
2096 } else {
2097 // We already filled in |early_data_reason| when declining to offer 0-RTT
2098 // or handling the implicit HelloRetryRequest reject.
2099 assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
2100 }
2101 return true;
2102 }
2103
2104 // If we received an HRR, the second ClientHello never offers early data, so
2105 // the extensions logic will automatically reject early data extensions as
2106 // unsolicited. This covered by the ServerAcceptsEarlyDataOnHRR test.
2107 assert(!hs->received_hello_retry_request);
2108
2109 if (CBS_len(contents) != 0) {
2110 *out_alert = SSL_AD_DECODE_ERROR;
2111 return false;
2112 }
2113
2114 if (!ssl->s3->session_reused) {
2115 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2116 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
2117 return false;
2118 }
2119
2120 ssl->s3->early_data_reason = ssl_early_data_accepted;
2121 ssl->s3->early_data_accepted = true;
2122 return true;
2123 }
2124
ext_early_data_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2125 static bool ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs,
2126 uint8_t *out_alert, CBS *contents) {
2127 SSL *const ssl = hs->ssl;
2128 if (contents == NULL ||
2129 ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2130 return true;
2131 }
2132
2133 if (CBS_len(contents) != 0) {
2134 *out_alert = SSL_AD_DECODE_ERROR;
2135 return false;
2136 }
2137
2138 hs->early_data_offered = true;
2139 return true;
2140 }
2141
ext_early_data_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2142 static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2143 if (!hs->ssl->s3->early_data_accepted) {
2144 return true;
2145 }
2146
2147 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2148 !CBB_add_u16(out, 0) ||
2149 !CBB_flush(out)) {
2150 return false;
2151 }
2152
2153 return true;
2154 }
2155
2156
2157 // Key Share
2158 //
2159 // https://tools.ietf.org/html/rfc8446#section-4.2.8
2160
ext_key_share_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2161 static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2162 SSL *const ssl = hs->ssl;
2163 if (hs->max_version < TLS1_3_VERSION) {
2164 return true;
2165 }
2166
2167 CBB contents, kse_bytes;
2168 if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2169 !CBB_add_u16_length_prefixed(out, &contents) ||
2170 !CBB_add_u16_length_prefixed(&contents, &kse_bytes)) {
2171 return false;
2172 }
2173
2174 uint16_t group_id = hs->retry_group;
2175 uint16_t second_group_id = 0;
2176 if (hs->received_hello_retry_request) {
2177 // We received a HelloRetryRequest without a new curve, so there is no new
2178 // share to append. Leave |hs->key_share| as-is.
2179 if (group_id == 0 &&
2180 !CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(),
2181 hs->key_share_bytes.size())) {
2182 return false;
2183 }
2184 hs->key_share_bytes.Reset();
2185 if (group_id == 0) {
2186 return CBB_flush(out);
2187 }
2188 } else {
2189 // Add a fake group. See draft-davidben-tls-grease-01.
2190 if (ssl->ctx->grease_enabled &&
2191 (!CBB_add_u16(&kse_bytes,
2192 ssl_get_grease_value(hs, ssl_grease_group)) ||
2193 !CBB_add_u16(&kse_bytes, 1 /* length */) ||
2194 !CBB_add_u8(&kse_bytes, 0 /* one byte key share */))) {
2195 return false;
2196 }
2197
2198 // Predict the most preferred group.
2199 Span<const uint16_t> groups = tls1_get_grouplist(hs);
2200 if (groups.empty()) {
2201 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED);
2202 return false;
2203 }
2204
2205 group_id = groups[0];
2206
2207 if (is_post_quantum_group(group_id) && groups.size() >= 2) {
2208 // CECPQ2(b) is not sent as the only initial key share. We'll include the
2209 // 2nd preference group too to avoid round-trips.
2210 second_group_id = groups[1];
2211 assert(second_group_id != group_id);
2212 }
2213 }
2214
2215 CBB key_exchange;
2216 hs->key_shares[0] = SSLKeyShare::Create(group_id);
2217 if (!hs->key_shares[0] ||
2218 !CBB_add_u16(&kse_bytes, group_id) ||
2219 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2220 !hs->key_shares[0]->Offer(&key_exchange) ||
2221 !CBB_flush(&kse_bytes)) {
2222 return false;
2223 }
2224
2225 if (second_group_id != 0) {
2226 hs->key_shares[1] = SSLKeyShare::Create(second_group_id);
2227 if (!hs->key_shares[1] ||
2228 !CBB_add_u16(&kse_bytes, second_group_id) ||
2229 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2230 !hs->key_shares[1]->Offer(&key_exchange) ||
2231 !CBB_flush(&kse_bytes)) {
2232 return false;
2233 }
2234 }
2235
2236 // Save the contents of the extension to repeat it in the second
2237 // ClientHello.
2238 if (!hs->received_hello_retry_request &&
2239 !hs->key_share_bytes.CopyFrom(
2240 MakeConstSpan(CBB_data(&kse_bytes), CBB_len(&kse_bytes)))) {
2241 return false;
2242 }
2243
2244 return CBB_flush(out);
2245 }
2246
ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE * hs,Array<uint8_t> * out_secret,uint8_t * out_alert,CBS * contents)2247 bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
2248 Array<uint8_t> *out_secret,
2249 uint8_t *out_alert, CBS *contents) {
2250 CBS peer_key;
2251 uint16_t group_id;
2252 if (!CBS_get_u16(contents, &group_id) ||
2253 !CBS_get_u16_length_prefixed(contents, &peer_key) ||
2254 CBS_len(contents) != 0) {
2255 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2256 *out_alert = SSL_AD_DECODE_ERROR;
2257 return false;
2258 }
2259
2260 SSLKeyShare *key_share = hs->key_shares[0].get();
2261 if (key_share->GroupID() != group_id) {
2262 if (!hs->key_shares[1] || hs->key_shares[1]->GroupID() != group_id) {
2263 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2264 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
2265 return false;
2266 }
2267 key_share = hs->key_shares[1].get();
2268 }
2269
2270 if (!key_share->Finish(out_secret, out_alert, peer_key)) {
2271 *out_alert = SSL_AD_INTERNAL_ERROR;
2272 return false;
2273 }
2274
2275 hs->new_session->group_id = group_id;
2276 hs->key_shares[0].reset();
2277 hs->key_shares[1].reset();
2278 return true;
2279 }
2280
ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE * hs,bool * out_found,Array<uint8_t> * out_secret,uint8_t * out_alert,CBS * contents)2281 bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
2282 Array<uint8_t> *out_secret,
2283 uint8_t *out_alert, CBS *contents) {
2284 uint16_t group_id;
2285 CBS key_shares;
2286 if (!tls1_get_shared_group(hs, &group_id)) {
2287 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
2288 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
2289 return false;
2290 }
2291
2292 if (!CBS_get_u16_length_prefixed(contents, &key_shares) ||
2293 CBS_len(contents) != 0) {
2294 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2295 return false;
2296 }
2297
2298 // Find the corresponding key share.
2299 CBS peer_key;
2300 CBS_init(&peer_key, NULL, 0);
2301 while (CBS_len(&key_shares) > 0) {
2302 uint16_t id;
2303 CBS peer_key_tmp;
2304 if (!CBS_get_u16(&key_shares, &id) ||
2305 !CBS_get_u16_length_prefixed(&key_shares, &peer_key_tmp) ||
2306 CBS_len(&peer_key_tmp) == 0) {
2307 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2308 return false;
2309 }
2310
2311 if (id == group_id) {
2312 if (CBS_len(&peer_key) != 0) {
2313 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_KEY_SHARE);
2314 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2315 return false;
2316 }
2317
2318 peer_key = peer_key_tmp;
2319 // Continue parsing the structure to keep peers honest.
2320 }
2321 }
2322
2323 if (CBS_len(&peer_key) == 0) {
2324 *out_found = false;
2325 out_secret->Reset();
2326 return true;
2327 }
2328
2329 // Compute the DH secret.
2330 Array<uint8_t> secret;
2331 ScopedCBB public_key;
2332 UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
2333 if (!key_share ||
2334 !CBB_init(public_key.get(), 32) ||
2335 !key_share->Accept(public_key.get(), &secret, out_alert, peer_key) ||
2336 !CBBFinishArray(public_key.get(), &hs->ecdh_public_key)) {
2337 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2338 return false;
2339 }
2340
2341 *out_secret = std::move(secret);
2342 *out_found = true;
2343 return true;
2344 }
2345
ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2346 bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2347 uint16_t group_id;
2348 CBB kse_bytes, public_key;
2349 if (!tls1_get_shared_group(hs, &group_id) ||
2350 !CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2351 !CBB_add_u16_length_prefixed(out, &kse_bytes) ||
2352 !CBB_add_u16(&kse_bytes, group_id) ||
2353 !CBB_add_u16_length_prefixed(&kse_bytes, &public_key) ||
2354 !CBB_add_bytes(&public_key, hs->ecdh_public_key.data(),
2355 hs->ecdh_public_key.size()) ||
2356 !CBB_flush(out)) {
2357 return false;
2358 }
2359
2360 hs->ecdh_public_key.Reset();
2361
2362 hs->new_session->group_id = group_id;
2363 return true;
2364 }
2365
2366
2367 // Supported Versions
2368 //
2369 // https://tools.ietf.org/html/rfc8446#section-4.2.1
2370
ext_supported_versions_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2371 static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2372 SSL *const ssl = hs->ssl;
2373 if (hs->max_version <= TLS1_2_VERSION) {
2374 return true;
2375 }
2376
2377 CBB contents, versions;
2378 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
2379 !CBB_add_u16_length_prefixed(out, &contents) ||
2380 !CBB_add_u8_length_prefixed(&contents, &versions)) {
2381 return false;
2382 }
2383
2384 // Add a fake version. See draft-davidben-tls-grease-01.
2385 if (ssl->ctx->grease_enabled &&
2386 !CBB_add_u16(&versions, ssl_get_grease_value(hs, ssl_grease_version))) {
2387 return false;
2388 }
2389
2390 if (!ssl_add_supported_versions(hs, &versions) ||
2391 !CBB_flush(out)) {
2392 return false;
2393 }
2394
2395 return true;
2396 }
2397
2398
2399 // Cookie
2400 //
2401 // https://tools.ietf.org/html/rfc8446#section-4.2.2
2402
ext_cookie_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2403 static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2404 if (hs->cookie.empty()) {
2405 return true;
2406 }
2407
2408 CBB contents, cookie;
2409 if (!CBB_add_u16(out, TLSEXT_TYPE_cookie) ||
2410 !CBB_add_u16_length_prefixed(out, &contents) ||
2411 !CBB_add_u16_length_prefixed(&contents, &cookie) ||
2412 !CBB_add_bytes(&cookie, hs->cookie.data(), hs->cookie.size()) ||
2413 !CBB_flush(out)) {
2414 return false;
2415 }
2416
2417 // The cookie is no longer needed in memory.
2418 hs->cookie.Reset();
2419 return true;
2420 }
2421
2422
2423 // Supported Groups
2424 //
2425 // https://tools.ietf.org/html/rfc4492#section-5.1.1
2426 // https://tools.ietf.org/html/rfc8446#section-4.2.7
2427
ext_supported_groups_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2428 static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2429 SSL *const ssl = hs->ssl;
2430 CBB contents, groups_bytes;
2431 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_groups) ||
2432 !CBB_add_u16_length_prefixed(out, &contents) ||
2433 !CBB_add_u16_length_prefixed(&contents, &groups_bytes)) {
2434 return false;
2435 }
2436
2437 // Add a fake group. See draft-davidben-tls-grease-01.
2438 if (ssl->ctx->grease_enabled &&
2439 !CBB_add_u16(&groups_bytes,
2440 ssl_get_grease_value(hs, ssl_grease_group))) {
2441 return false;
2442 }
2443
2444 for (uint16_t group : tls1_get_grouplist(hs)) {
2445 if (is_post_quantum_group(group) &&
2446 hs->max_version < TLS1_3_VERSION) {
2447 continue;
2448 }
2449 if (!CBB_add_u16(&groups_bytes, group)) {
2450 return false;
2451 }
2452 }
2453
2454 return CBB_flush(out);
2455 }
2456
ext_supported_groups_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2457 static bool ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
2458 uint8_t *out_alert,
2459 CBS *contents) {
2460 // This extension is not expected to be echoed by servers in TLS 1.2, but some
2461 // BigIP servers send it nonetheless, so do not enforce this.
2462 return true;
2463 }
2464
parse_u16_array(const CBS * cbs,Array<uint16_t> * out)2465 static bool parse_u16_array(const CBS *cbs, Array<uint16_t> *out) {
2466 CBS copy = *cbs;
2467 if ((CBS_len(©) & 1) != 0) {
2468 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2469 return false;
2470 }
2471
2472 Array<uint16_t> ret;
2473 if (!ret.Init(CBS_len(©) / 2)) {
2474 return false;
2475 }
2476 for (size_t i = 0; i < ret.size(); i++) {
2477 if (!CBS_get_u16(©, &ret[i])) {
2478 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2479 return false;
2480 }
2481 }
2482
2483 assert(CBS_len(©) == 0);
2484 *out = std::move(ret);
2485 return 1;
2486 }
2487
ext_supported_groups_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2488 static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,
2489 uint8_t *out_alert,
2490 CBS *contents) {
2491 if (contents == NULL) {
2492 return true;
2493 }
2494
2495 CBS supported_group_list;
2496 if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) ||
2497 CBS_len(&supported_group_list) == 0 ||
2498 CBS_len(contents) != 0 ||
2499 !parse_u16_array(&supported_group_list, &hs->peer_supported_group_list)) {
2500 return false;
2501 }
2502
2503 return true;
2504 }
2505
2506 // Token Binding
2507 //
2508 // https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-10
2509
2510 // The Token Binding version number currently matches the draft number of
2511 // draft-ietf-tokbind-protocol, and when published as an RFC it will be 0x0100.
2512 // Since there are no wire changes to the protocol from draft 13 through the
2513 // current draft (16), this implementation supports all versions in that range.
2514 static uint16_t kTokenBindingMaxVersion = 16;
2515 static uint16_t kTokenBindingMinVersion = 13;
2516
ext_token_binding_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2517 static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2518 SSL *const ssl = hs->ssl;
2519 if (hs->config->token_binding_params.empty() || SSL_is_dtls(ssl)) {
2520 return true;
2521 }
2522
2523 CBB contents, params;
2524 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2525 !CBB_add_u16_length_prefixed(out, &contents) ||
2526 !CBB_add_u16(&contents, kTokenBindingMaxVersion) ||
2527 !CBB_add_u8_length_prefixed(&contents, ¶ms) ||
2528 !CBB_add_bytes(¶ms, hs->config->token_binding_params.data(),
2529 hs->config->token_binding_params.size()) ||
2530 !CBB_flush(out)) {
2531 return false;
2532 }
2533
2534 return true;
2535 }
2536
ext_token_binding_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2537 static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs,
2538 uint8_t *out_alert,
2539 CBS *contents) {
2540 SSL *const ssl = hs->ssl;
2541 if (contents == nullptr) {
2542 return true;
2543 }
2544
2545 CBS params_list;
2546 uint16_t version;
2547 uint8_t param;
2548 if (!CBS_get_u16(contents, &version) ||
2549 !CBS_get_u8_length_prefixed(contents, ¶ms_list) ||
2550 !CBS_get_u8(¶ms_list, ¶m) ||
2551 CBS_len(¶ms_list) > 0 ||
2552 CBS_len(contents) > 0) {
2553 *out_alert = SSL_AD_DECODE_ERROR;
2554 return false;
2555 }
2556
2557 // The server-negotiated version must be less than or equal to our version.
2558 if (version > kTokenBindingMaxVersion) {
2559 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2560 return false;
2561 }
2562
2563 // If the server-selected version is less than what we support, then Token
2564 // Binding wasn't negotiated (but the extension was parsed successfully).
2565 if (version < kTokenBindingMinVersion) {
2566 return true;
2567 }
2568
2569 for (uint8_t config_param : hs->config->token_binding_params) {
2570 if (param == config_param) {
2571 ssl->s3->negotiated_token_binding_param = param;
2572 ssl->s3->token_binding_negotiated = true;
2573 return true;
2574 }
2575 }
2576
2577 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2578 return false;
2579 }
2580
2581 // select_tb_param looks for the first token binding param in
2582 // |hs->ssl->token_binding_params| that is also in |params| and puts it in
2583 // |hs->ssl->negotiated_token_binding_param|. It returns true if a token binding
2584 // param is found, and false otherwise.
select_tb_param(SSL_HANDSHAKE * hs,Span<const uint8_t> peer_params)2585 static bool select_tb_param(SSL_HANDSHAKE *hs,
2586 Span<const uint8_t> peer_params) {
2587 for (uint8_t tb_param : hs->config->token_binding_params) {
2588 for (uint8_t peer_param : peer_params) {
2589 if (tb_param == peer_param) {
2590 hs->ssl->s3->negotiated_token_binding_param = tb_param;
2591 return true;
2592 }
2593 }
2594 }
2595 return false;
2596 }
2597
ext_token_binding_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2598 static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs,
2599 uint8_t *out_alert,
2600 CBS *contents) {
2601 SSL *const ssl = hs->ssl;
2602 if (contents == nullptr || hs->config->token_binding_params.empty()) {
2603 return true;
2604 }
2605
2606 CBS params;
2607 uint16_t version;
2608 if (!CBS_get_u16(contents, &version) ||
2609 !CBS_get_u8_length_prefixed(contents, ¶ms) ||
2610 CBS_len(¶ms) == 0 ||
2611 CBS_len(contents) > 0) {
2612 *out_alert = SSL_AD_DECODE_ERROR;
2613 return false;
2614 }
2615
2616 // If the client-selected version is less than what we support, then Token
2617 // Binding wasn't negotiated (but the extension was parsed successfully).
2618 if (version < kTokenBindingMinVersion) {
2619 return true;
2620 }
2621
2622 // If the client-selected version is higher than we support, use our max
2623 // version. Otherwise, use the client's version.
2624 hs->negotiated_token_binding_version =
2625 std::min(version, kTokenBindingMaxVersion);
2626 if (!select_tb_param(hs, params)) {
2627 return true;
2628 }
2629
2630 ssl->s3->token_binding_negotiated = true;
2631 return true;
2632 }
2633
ext_token_binding_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2634 static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2635 SSL *const ssl = hs->ssl;
2636
2637 if (!ssl->s3->token_binding_negotiated) {
2638 return true;
2639 }
2640
2641 CBB contents, params;
2642 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2643 !CBB_add_u16_length_prefixed(out, &contents) ||
2644 !CBB_add_u16(&contents, hs->negotiated_token_binding_version) ||
2645 !CBB_add_u8_length_prefixed(&contents, ¶ms) ||
2646 !CBB_add_u8(¶ms, ssl->s3->negotiated_token_binding_param) ||
2647 !CBB_flush(out)) {
2648 return false;
2649 }
2650
2651 return true;
2652 }
2653
2654 // QUIC Transport Parameters
2655
ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2656 static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
2657 CBB *out) {
2658 if (hs->config->quic_transport_params.empty() ||
2659 hs->max_version <= TLS1_2_VERSION) {
2660 return true;
2661 }
2662
2663 CBB contents;
2664 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2665 !CBB_add_u16_length_prefixed(out, &contents) ||
2666 !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
2667 hs->config->quic_transport_params.size()) ||
2668 !CBB_flush(out)) {
2669 return false;
2670 }
2671 return true;
2672 }
2673
ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2674 static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
2675 uint8_t *out_alert,
2676 CBS *contents) {
2677 SSL *const ssl = hs->ssl;
2678 if (contents == nullptr) {
2679 return true;
2680 }
2681 // QUIC requires TLS 1.3.
2682 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2683 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2684 return false;
2685 }
2686
2687 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2688 }
2689
ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2690 static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
2691 uint8_t *out_alert,
2692 CBS *contents) {
2693 SSL *const ssl = hs->ssl;
2694 if (!contents || hs->config->quic_transport_params.empty()) {
2695 return true;
2696 }
2697 // Ignore the extension before TLS 1.3.
2698 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2699 return true;
2700 }
2701
2702 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2703 }
2704
ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2705 static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
2706 CBB *out) {
2707 if (hs->config->quic_transport_params.empty()) {
2708 return true;
2709 }
2710
2711 CBB contents;
2712 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2713 !CBB_add_u16_length_prefixed(out, &contents) ||
2714 !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
2715 hs->config->quic_transport_params.size()) ||
2716 !CBB_flush(out)) {
2717 return false;
2718 }
2719
2720 return true;
2721 }
2722
2723 // Delegated credentials.
2724 //
2725 // https://tools.ietf.org/html/draft-ietf-tls-subcerts
2726
ext_delegated_credential_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2727 static bool ext_delegated_credential_add_clienthello(SSL_HANDSHAKE *hs,
2728 CBB *out) {
2729 return true;
2730 }
2731
ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2732 static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs,
2733 uint8_t *out_alert,
2734 CBS *contents) {
2735 assert(TLSEXT_TYPE_delegated_credential == 0xff02);
2736 // TODO: Check that the extension is empty.
2737 //
2738 // As of draft-03, the client sends an empty extension in order indicate
2739 // support for delegated credentials. This could change, however, since the
2740 // spec is not yet finalized. This assertion is here to remind us to enforce
2741 // this check once the extension ID is assigned.
2742
2743 if (contents == nullptr || ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
2744 // Don't use delegated credentials unless we're negotiating TLS 1.3 or
2745 // higher.
2746 return true;
2747 }
2748
2749 hs->delegated_credential_requested = true;
2750 return true;
2751 }
2752
2753 // Certificate compression
2754
cert_compression_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2755 static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2756 bool first = true;
2757 CBB contents, algs;
2758
2759 for (const auto &alg : hs->ssl->ctx->cert_compression_algs) {
2760 if (alg.decompress == nullptr) {
2761 continue;
2762 }
2763
2764 if (first && (!CBB_add_u16(out, TLSEXT_TYPE_cert_compression) ||
2765 !CBB_add_u16_length_prefixed(out, &contents) ||
2766 !CBB_add_u8_length_prefixed(&contents, &algs))) {
2767 return false;
2768 }
2769 first = false;
2770 if (!CBB_add_u16(&algs, alg.alg_id)) {
2771 return false;
2772 }
2773 }
2774
2775 return first || CBB_flush(out);
2776 }
2777
cert_compression_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2778 static bool cert_compression_parse_serverhello(SSL_HANDSHAKE *hs,
2779 uint8_t *out_alert,
2780 CBS *contents) {
2781 if (contents == nullptr) {
2782 return true;
2783 }
2784
2785 // The server may not echo this extension. Any server to client negotiation is
2786 // advertised in the CertificateRequest message.
2787 return false;
2788 }
2789
cert_compression_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2790 static bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs,
2791 uint8_t *out_alert,
2792 CBS *contents) {
2793 if (contents == nullptr) {
2794 return true;
2795 }
2796
2797 const SSL_CTX *ctx = hs->ssl->ctx.get();
2798 const size_t num_algs = ctx->cert_compression_algs.size();
2799
2800 CBS alg_ids;
2801 if (!CBS_get_u8_length_prefixed(contents, &alg_ids) ||
2802 CBS_len(contents) != 0 ||
2803 CBS_len(&alg_ids) == 0 ||
2804 CBS_len(&alg_ids) % 2 == 1) {
2805 return false;
2806 }
2807
2808 const size_t num_given_alg_ids = CBS_len(&alg_ids) / 2;
2809 Array<uint16_t> given_alg_ids;
2810 if (!given_alg_ids.Init(num_given_alg_ids)) {
2811 return false;
2812 }
2813
2814 size_t best_index = num_algs;
2815 size_t given_alg_idx = 0;
2816
2817 while (CBS_len(&alg_ids) > 0) {
2818 uint16_t alg_id;
2819 if (!CBS_get_u16(&alg_ids, &alg_id)) {
2820 return false;
2821 }
2822
2823 given_alg_ids[given_alg_idx++] = alg_id;
2824
2825 for (size_t i = 0; i < num_algs; i++) {
2826 const auto &alg = ctx->cert_compression_algs[i];
2827 if (alg.alg_id == alg_id && alg.compress != nullptr) {
2828 if (i < best_index) {
2829 best_index = i;
2830 }
2831 break;
2832 }
2833 }
2834 }
2835
2836 qsort(given_alg_ids.data(), given_alg_ids.size(), sizeof(uint16_t),
2837 compare_uint16_t);
2838 for (size_t i = 1; i < num_given_alg_ids; i++) {
2839 if (given_alg_ids[i - 1] == given_alg_ids[i]) {
2840 return false;
2841 }
2842 }
2843
2844 if (best_index < num_algs &&
2845 ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
2846 hs->cert_compression_negotiated = true;
2847 hs->cert_compression_alg_id = ctx->cert_compression_algs[best_index].alg_id;
2848 }
2849
2850 return true;
2851 }
2852
cert_compression_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2853 static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2854 return true;
2855 }
2856
2857
2858 // Post-quantum experiment signal
2859 //
2860 // This extension may be used in order to identify a control group for
2861 // experimenting with post-quantum key exchange algorithms.
2862
ext_pq_experiment_signal_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2863 static bool ext_pq_experiment_signal_add_clienthello(SSL_HANDSHAKE *hs,
2864 CBB *out) {
2865 if (hs->ssl->ctx->pq_experiment_signal &&
2866 (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
2867 !CBB_add_u16(out, 0))) {
2868 return false;
2869 }
2870
2871 return true;
2872 }
2873
ext_pq_experiment_signal_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2874 static bool ext_pq_experiment_signal_parse_serverhello(SSL_HANDSHAKE *hs,
2875 uint8_t *out_alert,
2876 CBS *contents) {
2877 if (contents == nullptr) {
2878 return true;
2879 }
2880
2881 if (!hs->ssl->ctx->pq_experiment_signal || CBS_len(contents) != 0) {
2882 return false;
2883 }
2884
2885 hs->ssl->s3->pq_experiment_signal_seen = true;
2886 return true;
2887 }
2888
ext_pq_experiment_signal_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2889 static bool ext_pq_experiment_signal_parse_clienthello(SSL_HANDSHAKE *hs,
2890 uint8_t *out_alert,
2891 CBS *contents) {
2892 if (contents == nullptr) {
2893 return true;
2894 }
2895
2896 if (CBS_len(contents) != 0) {
2897 return false;
2898 }
2899
2900 if (hs->ssl->ctx->pq_experiment_signal) {
2901 hs->ssl->s3->pq_experiment_signal_seen = true;
2902 }
2903
2904 return true;
2905 }
2906
ext_pq_experiment_signal_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2907 static bool ext_pq_experiment_signal_add_serverhello(SSL_HANDSHAKE *hs,
2908 CBB *out) {
2909 if (hs->ssl->s3->pq_experiment_signal_seen &&
2910 (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
2911 !CBB_add_u16(out, 0))) {
2912 return false;
2913 }
2914
2915 return true;
2916 }
2917
2918 // kExtensions contains all the supported extensions.
2919 static const struct tls_extension kExtensions[] = {
2920 {
2921 TLSEXT_TYPE_server_name,
2922 NULL,
2923 ext_sni_add_clienthello,
2924 ext_sni_parse_serverhello,
2925 ext_sni_parse_clienthello,
2926 ext_sni_add_serverhello,
2927 },
2928 {
2929 TLSEXT_TYPE_extended_master_secret,
2930 NULL,
2931 ext_ems_add_clienthello,
2932 ext_ems_parse_serverhello,
2933 ext_ems_parse_clienthello,
2934 ext_ems_add_serverhello,
2935 },
2936 {
2937 TLSEXT_TYPE_renegotiate,
2938 NULL,
2939 ext_ri_add_clienthello,
2940 ext_ri_parse_serverhello,
2941 ext_ri_parse_clienthello,
2942 ext_ri_add_serverhello,
2943 },
2944 {
2945 TLSEXT_TYPE_supported_groups,
2946 NULL,
2947 ext_supported_groups_add_clienthello,
2948 ext_supported_groups_parse_serverhello,
2949 ext_supported_groups_parse_clienthello,
2950 dont_add_serverhello,
2951 },
2952 {
2953 TLSEXT_TYPE_ec_point_formats,
2954 NULL,
2955 ext_ec_point_add_clienthello,
2956 ext_ec_point_parse_serverhello,
2957 ext_ec_point_parse_clienthello,
2958 ext_ec_point_add_serverhello,
2959 },
2960 {
2961 TLSEXT_TYPE_session_ticket,
2962 NULL,
2963 ext_ticket_add_clienthello,
2964 ext_ticket_parse_serverhello,
2965 // Ticket extension client parsing is handled in ssl_session.c
2966 ignore_parse_clienthello,
2967 ext_ticket_add_serverhello,
2968 },
2969 {
2970 TLSEXT_TYPE_application_layer_protocol_negotiation,
2971 NULL,
2972 ext_alpn_add_clienthello,
2973 ext_alpn_parse_serverhello,
2974 // ALPN is negotiated late in |ssl_negotiate_alpn|.
2975 ignore_parse_clienthello,
2976 ext_alpn_add_serverhello,
2977 },
2978 {
2979 TLSEXT_TYPE_status_request,
2980 NULL,
2981 ext_ocsp_add_clienthello,
2982 ext_ocsp_parse_serverhello,
2983 ext_ocsp_parse_clienthello,
2984 ext_ocsp_add_serverhello,
2985 },
2986 {
2987 TLSEXT_TYPE_signature_algorithms,
2988 NULL,
2989 ext_sigalgs_add_clienthello,
2990 forbid_parse_serverhello,
2991 ext_sigalgs_parse_clienthello,
2992 dont_add_serverhello,
2993 },
2994 {
2995 TLSEXT_TYPE_signature_algorithms_cert,
2996 NULL,
2997 ext_sigalgs_cert_add_clienthello,
2998 forbid_parse_serverhello,
2999 ignore_parse_clienthello,
3000 dont_add_serverhello,
3001 },
3002 {
3003 TLSEXT_TYPE_next_proto_neg,
3004 NULL,
3005 ext_npn_add_clienthello,
3006 ext_npn_parse_serverhello,
3007 ext_npn_parse_clienthello,
3008 ext_npn_add_serverhello,
3009 },
3010 {
3011 TLSEXT_TYPE_certificate_timestamp,
3012 NULL,
3013 ext_sct_add_clienthello,
3014 ext_sct_parse_serverhello,
3015 ext_sct_parse_clienthello,
3016 ext_sct_add_serverhello,
3017 },
3018 {
3019 TLSEXT_TYPE_channel_id,
3020 ext_channel_id_init,
3021 ext_channel_id_add_clienthello,
3022 ext_channel_id_parse_serverhello,
3023 ext_channel_id_parse_clienthello,
3024 ext_channel_id_add_serverhello,
3025 },
3026 {
3027 TLSEXT_TYPE_srtp,
3028 ext_srtp_init,
3029 ext_srtp_add_clienthello,
3030 ext_srtp_parse_serverhello,
3031 ext_srtp_parse_clienthello,
3032 ext_srtp_add_serverhello,
3033 },
3034 {
3035 TLSEXT_TYPE_key_share,
3036 NULL,
3037 ext_key_share_add_clienthello,
3038 forbid_parse_serverhello,
3039 ignore_parse_clienthello,
3040 dont_add_serverhello,
3041 },
3042 {
3043 TLSEXT_TYPE_psk_key_exchange_modes,
3044 NULL,
3045 ext_psk_key_exchange_modes_add_clienthello,
3046 forbid_parse_serverhello,
3047 ext_psk_key_exchange_modes_parse_clienthello,
3048 dont_add_serverhello,
3049 },
3050 {
3051 TLSEXT_TYPE_early_data,
3052 NULL,
3053 ext_early_data_add_clienthello,
3054 ext_early_data_parse_serverhello,
3055 ext_early_data_parse_clienthello,
3056 ext_early_data_add_serverhello,
3057 },
3058 {
3059 TLSEXT_TYPE_supported_versions,
3060 NULL,
3061 ext_supported_versions_add_clienthello,
3062 forbid_parse_serverhello,
3063 ignore_parse_clienthello,
3064 dont_add_serverhello,
3065 },
3066 {
3067 TLSEXT_TYPE_cookie,
3068 NULL,
3069 ext_cookie_add_clienthello,
3070 forbid_parse_serverhello,
3071 ignore_parse_clienthello,
3072 dont_add_serverhello,
3073 },
3074 {
3075 TLSEXT_TYPE_quic_transport_parameters,
3076 NULL,
3077 ext_quic_transport_params_add_clienthello,
3078 ext_quic_transport_params_parse_serverhello,
3079 ext_quic_transport_params_parse_clienthello,
3080 ext_quic_transport_params_add_serverhello,
3081 },
3082 {
3083 TLSEXT_TYPE_token_binding,
3084 NULL,
3085 ext_token_binding_add_clienthello,
3086 ext_token_binding_parse_serverhello,
3087 ext_token_binding_parse_clienthello,
3088 ext_token_binding_add_serverhello,
3089 },
3090 {
3091 TLSEXT_TYPE_cert_compression,
3092 NULL,
3093 cert_compression_add_clienthello,
3094 cert_compression_parse_serverhello,
3095 cert_compression_parse_clienthello,
3096 cert_compression_add_serverhello,
3097 },
3098 {
3099 TLSEXT_TYPE_delegated_credential,
3100 NULL,
3101 ext_delegated_credential_add_clienthello,
3102 forbid_parse_serverhello,
3103 ext_delegated_credential_parse_clienthello,
3104 dont_add_serverhello,
3105 },
3106 {
3107 TLSEXT_TYPE_pq_experiment_signal,
3108 NULL,
3109 ext_pq_experiment_signal_add_clienthello,
3110 ext_pq_experiment_signal_parse_serverhello,
3111 ext_pq_experiment_signal_parse_clienthello,
3112 ext_pq_experiment_signal_add_serverhello,
3113 },
3114 };
3115
3116 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
3117
3118 static_assert(kNumExtensions <=
3119 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.sent) * 8,
3120 "too many extensions for sent bitset");
3121 static_assert(kNumExtensions <=
3122 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8,
3123 "too many extensions for received bitset");
3124
tls_extension_find(uint32_t * out_index,uint16_t value)3125 static const struct tls_extension *tls_extension_find(uint32_t *out_index,
3126 uint16_t value) {
3127 unsigned i;
3128 for (i = 0; i < kNumExtensions; i++) {
3129 if (kExtensions[i].value == value) {
3130 *out_index = i;
3131 return &kExtensions[i];
3132 }
3133 }
3134
3135 return NULL;
3136 }
3137
ssl_add_clienthello_tlsext(SSL_HANDSHAKE * hs,CBB * out,size_t header_len)3138 bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out,
3139 size_t header_len) {
3140 SSL *const ssl = hs->ssl;
3141 CBB extensions;
3142 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
3143 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3144 return false;
3145 }
3146
3147 // Note we may send multiple ClientHellos for DTLS HelloVerifyRequest and TLS
3148 // 1.3 HelloRetryRequest. For the latter, the extensions may change, so it is
3149 // important to reset this value.
3150 hs->extensions.sent = 0;
3151
3152 for (size_t i = 0; i < kNumExtensions; i++) {
3153 if (kExtensions[i].init != NULL) {
3154 kExtensions[i].init(hs);
3155 }
3156 }
3157
3158 uint16_t grease_ext1 = 0;
3159 if (ssl->ctx->grease_enabled) {
3160 // Add a fake empty extension. See draft-davidben-tls-grease-01.
3161 grease_ext1 = ssl_get_grease_value(hs, ssl_grease_extension1);
3162 if (!CBB_add_u16(&extensions, grease_ext1) ||
3163 !CBB_add_u16(&extensions, 0 /* zero length */)) {
3164 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3165 return false;
3166 }
3167 }
3168
3169 bool last_was_empty = false;
3170 for (size_t i = 0; i < kNumExtensions; i++) {
3171 const size_t len_before = CBB_len(&extensions);
3172 if (!kExtensions[i].add_clienthello(hs, &extensions)) {
3173 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
3174 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3175 return false;
3176 }
3177
3178 const size_t bytes_written = CBB_len(&extensions) - len_before;
3179 if (bytes_written != 0) {
3180 hs->extensions.sent |= (1u << i);
3181 }
3182 // If the difference in lengths is only four bytes then the extension had
3183 // an empty body.
3184 last_was_empty = (bytes_written == 4);
3185 }
3186
3187 if (ssl->ctx->grease_enabled) {
3188 // Add a fake non-empty extension. See draft-davidben-tls-grease-01.
3189 uint16_t grease_ext2 = ssl_get_grease_value(hs, ssl_grease_extension2);
3190
3191 // The two fake extensions must not have the same value. GREASE values are
3192 // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
3193 // one.
3194 if (grease_ext1 == grease_ext2) {
3195 grease_ext2 ^= 0x1010;
3196 }
3197
3198 if (!CBB_add_u16(&extensions, grease_ext2) ||
3199 !CBB_add_u16(&extensions, 1 /* one byte length */) ||
3200 !CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) {
3201 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3202 return false;
3203 }
3204
3205 last_was_empty = false;
3206 }
3207
3208 if (!SSL_is_dtls(ssl)) {
3209 size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs);
3210 header_len += 2 + CBB_len(&extensions) + psk_extension_len;
3211 size_t padding_len = 0;
3212
3213 // The final extension must be non-empty. WebSphere Application
3214 // Server 7.0 is intolerant to the last extension being zero-length. See
3215 // https://crbug.com/363583.
3216 if (last_was_empty && psk_extension_len == 0) {
3217 padding_len = 1;
3218 // The addition of the padding extension may push us into the F5 bug.
3219 header_len += 4 + padding_len;
3220 }
3221
3222 // Add padding to workaround bugs in F5 terminators. See RFC 7685.
3223 //
3224 // NB: because this code works out the length of all existing extensions
3225 // it MUST always appear last (save for any PSK extension).
3226 if (header_len > 0xff && header_len < 0x200) {
3227 // If our calculations already included a padding extension, remove that
3228 // factor because we're about to change its length.
3229 if (padding_len != 0) {
3230 header_len -= 4 + padding_len;
3231 }
3232 padding_len = 0x200 - header_len;
3233 // Extensions take at least four bytes to encode. Always include at least
3234 // one byte of data if including the extension. WebSphere Application
3235 // Server 7.0 is intolerant to the last extension being zero-length. See
3236 // https://crbug.com/363583.
3237 if (padding_len >= 4 + 1) {
3238 padding_len -= 4;
3239 } else {
3240 padding_len = 1;
3241 }
3242 }
3243
3244 if (padding_len != 0) {
3245 uint8_t *padding_bytes;
3246 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_padding) ||
3247 !CBB_add_u16(&extensions, padding_len) ||
3248 !CBB_add_space(&extensions, &padding_bytes, padding_len)) {
3249 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3250 return false;
3251 }
3252
3253 OPENSSL_memset(padding_bytes, 0, padding_len);
3254 }
3255 }
3256
3257 // The PSK extension must be last, including after the padding.
3258 if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) {
3259 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3260 return false;
3261 }
3262
3263 // Discard empty extensions blocks.
3264 if (CBB_len(&extensions) == 0) {
3265 CBB_discard_child(out);
3266 }
3267
3268 return CBB_flush(out);
3269 }
3270
ssl_add_serverhello_tlsext(SSL_HANDSHAKE * hs,CBB * out)3271 bool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
3272 SSL *const ssl = hs->ssl;
3273 CBB extensions;
3274 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
3275 goto err;
3276 }
3277
3278 for (unsigned i = 0; i < kNumExtensions; i++) {
3279 if (!(hs->extensions.received & (1u << i))) {
3280 // Don't send extensions that were not received.
3281 continue;
3282 }
3283
3284 if (!kExtensions[i].add_serverhello(hs, &extensions)) {
3285 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
3286 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3287 goto err;
3288 }
3289 }
3290
3291 // Discard empty extensions blocks before TLS 1.3.
3292 if (ssl_protocol_version(ssl) < TLS1_3_VERSION &&
3293 CBB_len(&extensions) == 0) {
3294 CBB_discard_child(out);
3295 }
3296
3297 return CBB_flush(out);
3298
3299 err:
3300 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3301 return false;
3302 }
3303
ssl_scan_clienthello_tlsext(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello,int * out_alert)3304 static bool ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
3305 const SSL_CLIENT_HELLO *client_hello,
3306 int *out_alert) {
3307 for (size_t i = 0; i < kNumExtensions; i++) {
3308 if (kExtensions[i].init != NULL) {
3309 kExtensions[i].init(hs);
3310 }
3311 }
3312
3313 hs->extensions.received = 0;
3314 CBS extensions;
3315 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
3316 while (CBS_len(&extensions) != 0) {
3317 uint16_t type;
3318 CBS extension;
3319
3320 // Decode the next extension.
3321 if (!CBS_get_u16(&extensions, &type) ||
3322 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3323 *out_alert = SSL_AD_DECODE_ERROR;
3324 return false;
3325 }
3326
3327 unsigned ext_index;
3328 const struct tls_extension *const ext =
3329 tls_extension_find(&ext_index, type);
3330 if (ext == NULL) {
3331 continue;
3332 }
3333
3334 hs->extensions.received |= (1u << ext_index);
3335 uint8_t alert = SSL_AD_DECODE_ERROR;
3336 if (!ext->parse_clienthello(hs, &alert, &extension)) {
3337 *out_alert = alert;
3338 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3339 ERR_add_error_dataf("extension %u", (unsigned)type);
3340 return false;
3341 }
3342 }
3343
3344 for (size_t i = 0; i < kNumExtensions; i++) {
3345 if (hs->extensions.received & (1u << i)) {
3346 continue;
3347 }
3348
3349 CBS *contents = NULL, fake_contents;
3350 static const uint8_t kFakeRenegotiateExtension[] = {0};
3351 if (kExtensions[i].value == TLSEXT_TYPE_renegotiate &&
3352 ssl_client_cipher_list_contains_cipher(client_hello,
3353 SSL3_CK_SCSV & 0xffff)) {
3354 // The renegotiation SCSV was received so pretend that we received a
3355 // renegotiation extension.
3356 CBS_init(&fake_contents, kFakeRenegotiateExtension,
3357 sizeof(kFakeRenegotiateExtension));
3358 contents = &fake_contents;
3359 hs->extensions.received |= (1u << i);
3360 }
3361
3362 // Extension wasn't observed so call the callback with a NULL
3363 // parameter.
3364 uint8_t alert = SSL_AD_DECODE_ERROR;
3365 if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) {
3366 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3367 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3368 *out_alert = alert;
3369 return false;
3370 }
3371 }
3372
3373 return true;
3374 }
3375
ssl_parse_clienthello_tlsext(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello)3376 bool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
3377 const SSL_CLIENT_HELLO *client_hello) {
3378 SSL *const ssl = hs->ssl;
3379 int alert = SSL_AD_DECODE_ERROR;
3380 if (!ssl_scan_clienthello_tlsext(hs, client_hello, &alert)) {
3381 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3382 return false;
3383 }
3384
3385 if (!ssl_check_clienthello_tlsext(hs)) {
3386 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT);
3387 return false;
3388 }
3389
3390 return true;
3391 }
3392
ssl_scan_serverhello_tlsext(SSL_HANDSHAKE * hs,CBS * cbs,int * out_alert)3393 static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
3394 int *out_alert) {
3395 SSL *const ssl = hs->ssl;
3396 // Before TLS 1.3, ServerHello extensions blocks may be omitted if empty.
3397 if (CBS_len(cbs) == 0 && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
3398 return true;
3399 }
3400
3401 // Decode the extensions block and check it is valid.
3402 CBS extensions;
3403 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
3404 !tls1_check_duplicate_extensions(&extensions)) {
3405 *out_alert = SSL_AD_DECODE_ERROR;
3406 return false;
3407 }
3408
3409 uint32_t received = 0;
3410 while (CBS_len(&extensions) != 0) {
3411 uint16_t type;
3412 CBS extension;
3413
3414 // Decode the next extension.
3415 if (!CBS_get_u16(&extensions, &type) ||
3416 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3417 *out_alert = SSL_AD_DECODE_ERROR;
3418 return false;
3419 }
3420
3421 unsigned ext_index;
3422 const struct tls_extension *const ext =
3423 tls_extension_find(&ext_index, type);
3424
3425 if (ext == NULL) {
3426 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
3427 ERR_add_error_dataf("extension %u", (unsigned)type);
3428 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
3429 return false;
3430 }
3431
3432 static_assert(kNumExtensions <= sizeof(hs->extensions.sent) * 8,
3433 "too many bits");
3434
3435 if (!(hs->extensions.sent & (1u << ext_index))) {
3436 // If the extension was never sent then it is illegal.
3437 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
3438 ERR_add_error_dataf("extension :%u", (unsigned)type);
3439 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
3440 return false;
3441 }
3442
3443 received |= (1u << ext_index);
3444
3445 uint8_t alert = SSL_AD_DECODE_ERROR;
3446 if (!ext->parse_serverhello(hs, &alert, &extension)) {
3447 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3448 ERR_add_error_dataf("extension %u", (unsigned)type);
3449 *out_alert = alert;
3450 return false;
3451 }
3452 }
3453
3454 for (size_t i = 0; i < kNumExtensions; i++) {
3455 if (!(received & (1u << i))) {
3456 // Extension wasn't observed so call the callback with a NULL
3457 // parameter.
3458 uint8_t alert = SSL_AD_DECODE_ERROR;
3459 if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) {
3460 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3461 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3462 *out_alert = alert;
3463 return false;
3464 }
3465 }
3466 }
3467
3468 return true;
3469 }
3470
ssl_check_clienthello_tlsext(SSL_HANDSHAKE * hs)3471 static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
3472 SSL *const ssl = hs->ssl;
3473
3474 if (ssl->s3->token_binding_negotiated &&
3475 !(SSL_get_secure_renegotiation_support(ssl) &&
3476 SSL_get_extms_support(ssl))) {
3477 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);
3478 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
3479 return false;
3480 }
3481
3482 int ret = SSL_TLSEXT_ERR_NOACK;
3483 int al = SSL_AD_UNRECOGNIZED_NAME;
3484
3485 if (ssl->ctx->servername_callback != 0) {
3486 ret = ssl->ctx->servername_callback(ssl, &al, ssl->ctx->servername_arg);
3487 } else if (ssl->session_ctx->servername_callback != 0) {
3488 ret = ssl->session_ctx->servername_callback(
3489 ssl, &al, ssl->session_ctx->servername_arg);
3490 }
3491
3492 switch (ret) {
3493 case SSL_TLSEXT_ERR_ALERT_FATAL:
3494 ssl_send_alert(ssl, SSL3_AL_FATAL, al);
3495 return false;
3496
3497 case SSL_TLSEXT_ERR_NOACK:
3498 hs->should_ack_sni = false;
3499 return true;
3500
3501 default:
3502 return true;
3503 }
3504 }
3505
ssl_parse_serverhello_tlsext(SSL_HANDSHAKE * hs,CBS * cbs)3506 bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
3507 SSL *const ssl = hs->ssl;
3508 int alert = SSL_AD_DECODE_ERROR;
3509 if (!ssl_scan_serverhello_tlsext(hs, cbs, &alert)) {
3510 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3511 return false;
3512 }
3513
3514 return true;
3515 }
3516
decrypt_ticket_with_cipher_ctx(Array<uint8_t> * out,EVP_CIPHER_CTX * cipher_ctx,HMAC_CTX * hmac_ctx,Span<const uint8_t> ticket)3517 static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(
3518 Array<uint8_t> *out, EVP_CIPHER_CTX *cipher_ctx, HMAC_CTX *hmac_ctx,
3519 Span<const uint8_t> ticket) {
3520 size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx);
3521
3522 // Check the MAC at the end of the ticket.
3523 uint8_t mac[EVP_MAX_MD_SIZE];
3524 size_t mac_len = HMAC_size(hmac_ctx);
3525 if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
3526 // The ticket must be large enough for key name, IV, data, and MAC.
3527 return ssl_ticket_aead_ignore_ticket;
3528 }
3529 // Split the ticket into the ticket and the MAC.
3530 auto ticket_mac = ticket.subspan(ticket.size() - mac_len);
3531 ticket = ticket.subspan(0, ticket.size() - mac_len);
3532 HMAC_Update(hmac_ctx, ticket.data(), ticket.size());
3533 HMAC_Final(hmac_ctx, mac, NULL);
3534 assert(mac_len == ticket_mac.size());
3535 bool mac_ok = CRYPTO_memcmp(mac, ticket_mac.data(), mac_len) == 0;
3536 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3537 mac_ok = true;
3538 #endif
3539 if (!mac_ok) {
3540 return ssl_ticket_aead_ignore_ticket;
3541 }
3542
3543 // Decrypt the session data.
3544 auto ciphertext = ticket.subspan(SSL_TICKET_KEY_NAME_LEN + iv_len);
3545 Array<uint8_t> plaintext;
3546 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3547 if (!plaintext.CopyFrom(ciphertext)) {
3548 return ssl_ticket_aead_error;
3549 }
3550 #else
3551 if (ciphertext.size() >= INT_MAX) {
3552 return ssl_ticket_aead_ignore_ticket;
3553 }
3554 if (!plaintext.Init(ciphertext.size())) {
3555 return ssl_ticket_aead_error;
3556 }
3557 int len1, len2;
3558 if (!EVP_DecryptUpdate(cipher_ctx, plaintext.data(), &len1, ciphertext.data(),
3559 (int)ciphertext.size()) ||
3560 !EVP_DecryptFinal_ex(cipher_ctx, plaintext.data() + len1, &len2)) {
3561 ERR_clear_error();
3562 return ssl_ticket_aead_ignore_ticket;
3563 }
3564 plaintext.Shrink(static_cast<size_t>(len1) + len2);
3565 #endif
3566
3567 *out = std::move(plaintext);
3568 return ssl_ticket_aead_success;
3569 }
3570
ssl_decrypt_ticket_with_cb(SSL_HANDSHAKE * hs,Array<uint8_t> * out,bool * out_renew_ticket,Span<const uint8_t> ticket)3571 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb(
3572 SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket,
3573 Span<const uint8_t> ticket) {
3574 assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3575 ScopedEVP_CIPHER_CTX cipher_ctx;
3576 ScopedHMAC_CTX hmac_ctx;
3577 auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);
3578 // The actual IV is shorter, but the length is determined by the callback's
3579 // chosen cipher. Instead we pass in |EVP_MAX_IV_LENGTH| worth of IV to ensure
3580 // the callback has enough.
3581 auto iv = ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_MAX_IV_LENGTH);
3582 int cb_ret = hs->ssl->session_ctx->ticket_key_cb(
3583 hs->ssl, const_cast<uint8_t *>(name.data()),
3584 const_cast<uint8_t *>(iv.data()), cipher_ctx.get(), hmac_ctx.get(),
3585 0 /* decrypt */);
3586 if (cb_ret < 0) {
3587 return ssl_ticket_aead_error;
3588 } else if (cb_ret == 0) {
3589 return ssl_ticket_aead_ignore_ticket;
3590 } else if (cb_ret == 2) {
3591 *out_renew_ticket = true;
3592 } else {
3593 assert(cb_ret == 1);
3594 }
3595 return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),
3596 ticket);
3597 }
3598
ssl_decrypt_ticket_with_ticket_keys(SSL_HANDSHAKE * hs,Array<uint8_t> * out,Span<const uint8_t> ticket)3599 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys(
3600 SSL_HANDSHAKE *hs, Array<uint8_t> *out, Span<const uint8_t> ticket) {
3601 assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3602 SSL_CTX *ctx = hs->ssl->session_ctx.get();
3603
3604 // Rotate the ticket key if necessary.
3605 if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
3606 return ssl_ticket_aead_error;
3607 }
3608
3609 const EVP_CIPHER *cipher = EVP_aes_128_cbc();
3610 auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);
3611 auto iv =
3612 ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_CIPHER_iv_length(cipher));
3613
3614 // Pick the matching ticket key and decrypt.
3615 ScopedEVP_CIPHER_CTX cipher_ctx;
3616 ScopedHMAC_CTX hmac_ctx;
3617 {
3618 MutexReadLock lock(&ctx->lock);
3619 const TicketKey *key;
3620 if (ctx->ticket_key_current && name == ctx->ticket_key_current->name) {
3621 key = ctx->ticket_key_current.get();
3622 } else if (ctx->ticket_key_prev && name == ctx->ticket_key_prev->name) {
3623 key = ctx->ticket_key_prev.get();
3624 } else {
3625 return ssl_ticket_aead_ignore_ticket;
3626 }
3627 if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key),
3628 tlsext_tick_md(), NULL) ||
3629 !EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL,
3630 key->aes_key, iv.data())) {
3631 return ssl_ticket_aead_error;
3632 }
3633 }
3634 return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),
3635 ticket);
3636 }
3637
ssl_decrypt_ticket_with_method(SSL_HANDSHAKE * hs,Array<uint8_t> * out,bool * out_renew_ticket,Span<const uint8_t> ticket)3638 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method(
3639 SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket,
3640 Span<const uint8_t> ticket) {
3641 Array<uint8_t> plaintext;
3642 if (!plaintext.Init(ticket.size())) {
3643 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
3644 return ssl_ticket_aead_error;
3645 }
3646
3647 size_t plaintext_len;
3648 const enum ssl_ticket_aead_result_t result =
3649 hs->ssl->session_ctx->ticket_aead_method->open(
3650 hs->ssl, plaintext.data(), &plaintext_len, ticket.size(),
3651 ticket.data(), ticket.size());
3652 if (result != ssl_ticket_aead_success) {
3653 return result;
3654 }
3655
3656 plaintext.Shrink(plaintext_len);
3657 *out = std::move(plaintext);
3658 return ssl_ticket_aead_success;
3659 }
3660
ssl_process_ticket(SSL_HANDSHAKE * hs,UniquePtr<SSL_SESSION> * out_session,bool * out_renew_ticket,Span<const uint8_t> ticket,Span<const uint8_t> session_id)3661 enum ssl_ticket_aead_result_t ssl_process_ticket(
3662 SSL_HANDSHAKE *hs, UniquePtr<SSL_SESSION> *out_session,
3663 bool *out_renew_ticket, Span<const uint8_t> ticket,
3664 Span<const uint8_t> session_id) {
3665 *out_renew_ticket = false;
3666 out_session->reset();
3667
3668 if ((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) ||
3669 session_id.size() > SSL_MAX_SSL_SESSION_ID_LENGTH) {
3670 return ssl_ticket_aead_ignore_ticket;
3671 }
3672
3673 Array<uint8_t> plaintext;
3674 enum ssl_ticket_aead_result_t result;
3675 if (hs->ssl->session_ctx->ticket_aead_method != NULL) {
3676 result = ssl_decrypt_ticket_with_method(hs, &plaintext, out_renew_ticket,
3677 ticket);
3678 } else {
3679 // Ensure there is room for the key name and the largest IV |ticket_key_cb|
3680 // may try to consume. The real limit may be lower, but the maximum IV
3681 // length should be well under the minimum size for the session material and
3682 // HMAC.
3683 if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
3684 return ssl_ticket_aead_ignore_ticket;
3685 }
3686 if (hs->ssl->session_ctx->ticket_key_cb != NULL) {
3687 result =
3688 ssl_decrypt_ticket_with_cb(hs, &plaintext, out_renew_ticket, ticket);
3689 } else {
3690 result = ssl_decrypt_ticket_with_ticket_keys(hs, &plaintext, ticket);
3691 }
3692 }
3693
3694 if (result != ssl_ticket_aead_success) {
3695 return result;
3696 }
3697
3698 // Decode the session.
3699 UniquePtr<SSL_SESSION> session(SSL_SESSION_from_bytes(
3700 plaintext.data(), plaintext.size(), hs->ssl->ctx.get()));
3701 if (!session) {
3702 ERR_clear_error(); // Don't leave an error on the queue.
3703 return ssl_ticket_aead_ignore_ticket;
3704 }
3705
3706 // Copy the client's session ID into the new session, to denote the ticket has
3707 // been accepted.
3708 OPENSSL_memcpy(session->session_id, session_id.data(), session_id.size());
3709 session->session_id_length = session_id.size();
3710
3711 *out_session = std::move(session);
3712 return ssl_ticket_aead_success;
3713 }
3714
tls1_parse_peer_sigalgs(SSL_HANDSHAKE * hs,const CBS * in_sigalgs)3715 bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
3716 // Extension ignored for inappropriate versions
3717 if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) {
3718 return true;
3719 }
3720
3721 // In all contexts, the signature algorithms list may not be empty. (It may be
3722 // omitted by clients in TLS 1.2, but then the entire extension is omitted.)
3723 return CBS_len(in_sigalgs) != 0 &&
3724 parse_u16_array(in_sigalgs, &hs->peer_sigalgs);
3725 }
3726
tls1_get_legacy_signature_algorithm(uint16_t * out,const EVP_PKEY * pkey)3727 bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
3728 switch (EVP_PKEY_id(pkey)) {
3729 case EVP_PKEY_RSA:
3730 *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
3731 return true;
3732 case EVP_PKEY_EC:
3733 *out = SSL_SIGN_ECDSA_SHA1;
3734 return true;
3735 default:
3736 return false;
3737 }
3738 }
3739
tls1_choose_signature_algorithm(SSL_HANDSHAKE * hs,uint16_t * out)3740 bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
3741 SSL *const ssl = hs->ssl;
3742 CERT *cert = hs->config->cert.get();
3743 DC *dc = cert->dc.get();
3744
3745 // Before TLS 1.2, the signature algorithm isn't negotiated as part of the
3746 // handshake.
3747 if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
3748 if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) {
3749 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3750 return false;
3751 }
3752 return true;
3753 }
3754
3755 Span<const uint16_t> sigalgs = kSignSignatureAlgorithms;
3756 if (ssl_signing_with_dc(hs)) {
3757 sigalgs = MakeConstSpan(&dc->expected_cert_verify_algorithm, 1);
3758 } else if (!cert->sigalgs.empty()) {
3759 sigalgs = cert->sigalgs;
3760 }
3761
3762 Span<const uint16_t> peer_sigalgs = tls1_get_peer_verify_algorithms(hs);
3763
3764 for (uint16_t sigalg : sigalgs) {
3765 // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
3766 // negotiated.
3767 if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
3768 !ssl_private_key_supports_signature_algorithm(hs, sigalg)) {
3769 continue;
3770 }
3771
3772 for (uint16_t peer_sigalg : peer_sigalgs) {
3773 if (sigalg == peer_sigalg) {
3774 *out = sigalg;
3775 return true;
3776 }
3777 }
3778 }
3779
3780 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3781 return false;
3782 }
3783
tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE * hs)3784 Span<const uint16_t> tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE *hs) {
3785 Span<const uint16_t> peer_sigalgs = hs->peer_sigalgs;
3786 if (peer_sigalgs.empty() && ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
3787 // If the client didn't specify any signature_algorithms extension then
3788 // we can assume that it supports SHA1. See
3789 // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
3790 static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
3791 SSL_SIGN_ECDSA_SHA1};
3792 peer_sigalgs = kDefaultPeerAlgorithms;
3793 }
3794 return peer_sigalgs;
3795 }
3796
tls1_verify_channel_id(SSL_HANDSHAKE * hs,const SSLMessage & msg)3797 bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
3798 SSL *const ssl = hs->ssl;
3799 // A Channel ID handshake message is structured to contain multiple
3800 // extensions, but the only one that can be present is Channel ID.
3801 uint16_t extension_type;
3802 CBS channel_id = msg.body, extension;
3803 if (!CBS_get_u16(&channel_id, &extension_type) ||
3804 !CBS_get_u16_length_prefixed(&channel_id, &extension) ||
3805 CBS_len(&channel_id) != 0 ||
3806 extension_type != TLSEXT_TYPE_channel_id ||
3807 CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
3808 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
3809 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
3810 return false;
3811 }
3812
3813 UniquePtr<EC_GROUP> p256(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
3814 if (!p256) {
3815 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
3816 return false;
3817 }
3818
3819 UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
3820 UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3821 if (!sig || !x || !y) {
3822 return false;
3823 }
3824
3825 const uint8_t *p = CBS_data(&extension);
3826 if (BN_bin2bn(p + 0, 32, x.get()) == NULL ||
3827 BN_bin2bn(p + 32, 32, y.get()) == NULL ||
3828 BN_bin2bn(p + 64, 32, sig->r) == NULL ||
3829 BN_bin2bn(p + 96, 32, sig->s) == NULL) {
3830 return false;
3831 }
3832
3833 UniquePtr<EC_KEY> key(EC_KEY_new());
3834 UniquePtr<EC_POINT> point(EC_POINT_new(p256.get()));
3835 if (!key || !point ||
3836 !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(),
3837 y.get(), nullptr) ||
3838 !EC_KEY_set_group(key.get(), p256.get()) ||
3839 !EC_KEY_set_public_key(key.get(), point.get())) {
3840 return false;
3841 }
3842
3843 uint8_t digest[EVP_MAX_MD_SIZE];
3844 size_t digest_len;
3845 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3846 return false;
3847 }
3848
3849 bool sig_ok = ECDSA_do_verify(digest, digest_len, sig.get(), key.get());
3850 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3851 sig_ok = true;
3852 ERR_clear_error();
3853 #endif
3854 if (!sig_ok) {
3855 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
3856 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
3857 ssl->s3->channel_id_valid = false;
3858 return false;
3859 }
3860
3861 OPENSSL_memcpy(ssl->s3->channel_id, p, 64);
3862 return true;
3863 }
3864
tls1_write_channel_id(SSL_HANDSHAKE * hs,CBB * cbb)3865 bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) {
3866 uint8_t digest[EVP_MAX_MD_SIZE];
3867 size_t digest_len;
3868 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3869 return false;
3870 }
3871
3872 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(hs->config->channel_id_private.get());
3873 if (ec_key == nullptr) {
3874 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3875 return false;
3876 }
3877
3878 UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3879 if (!x || !y ||
3880 !EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec_key),
3881 EC_KEY_get0_public_key(ec_key),
3882 x.get(), y.get(), nullptr)) {
3883 return false;
3884 }
3885
3886 UniquePtr<ECDSA_SIG> sig(ECDSA_do_sign(digest, digest_len, ec_key));
3887 if (!sig) {
3888 return false;
3889 }
3890
3891 CBB child;
3892 if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) ||
3893 !CBB_add_u16_length_prefixed(cbb, &child) ||
3894 !BN_bn2cbb_padded(&child, 32, x.get()) ||
3895 !BN_bn2cbb_padded(&child, 32, y.get()) ||
3896 !BN_bn2cbb_padded(&child, 32, sig->r) ||
3897 !BN_bn2cbb_padded(&child, 32, sig->s) ||
3898 !CBB_flush(cbb)) {
3899 return false;
3900 }
3901
3902 return true;
3903 }
3904
tls1_channel_id_hash(SSL_HANDSHAKE * hs,uint8_t * out,size_t * out_len)3905 bool tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {
3906 SSL *const ssl = hs->ssl;
3907 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
3908 Array<uint8_t> msg;
3909 if (!tls13_get_cert_verify_signature_input(hs, &msg,
3910 ssl_cert_verify_channel_id)) {
3911 return false;
3912 }
3913 SHA256(msg.data(), msg.size(), out);
3914 *out_len = SHA256_DIGEST_LENGTH;
3915 return true;
3916 }
3917
3918 SHA256_CTX ctx;
3919
3920 SHA256_Init(&ctx);
3921 static const char kClientIDMagic[] = "TLS Channel ID signature";
3922 SHA256_Update(&ctx, kClientIDMagic, sizeof(kClientIDMagic));
3923
3924 if (ssl->session != NULL) {
3925 static const char kResumptionMagic[] = "Resumption";
3926 SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic));
3927 if (ssl->session->original_handshake_hash_len == 0) {
3928 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3929 return false;
3930 }
3931 SHA256_Update(&ctx, ssl->session->original_handshake_hash,
3932 ssl->session->original_handshake_hash_len);
3933 }
3934
3935 uint8_t hs_hash[EVP_MAX_MD_SIZE];
3936 size_t hs_hash_len;
3937 if (!hs->transcript.GetHash(hs_hash, &hs_hash_len)) {
3938 return false;
3939 }
3940 SHA256_Update(&ctx, hs_hash, (size_t)hs_hash_len);
3941 SHA256_Final(out, &ctx);
3942 *out_len = SHA256_DIGEST_LENGTH;
3943 return true;
3944 }
3945
tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE * hs)3946 bool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
3947 SSL *const ssl = hs->ssl;
3948 // This function should never be called for a resumed session because the
3949 // handshake hashes that we wish to record are for the original, full
3950 // handshake.
3951 if (ssl->session != NULL) {
3952 return false;
3953 }
3954
3955 static_assert(
3956 sizeof(hs->new_session->original_handshake_hash) == EVP_MAX_MD_SIZE,
3957 "original_handshake_hash is too small");
3958
3959 size_t digest_len;
3960 if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash,
3961 &digest_len)) {
3962 return false;
3963 }
3964
3965 static_assert(EVP_MAX_MD_SIZE <= 0xff,
3966 "EVP_MAX_MD_SIZE does not fit in uint8_t");
3967 hs->new_session->original_handshake_hash_len = (uint8_t)digest_len;
3968
3969 return true;
3970 }
3971
ssl_do_channel_id_callback(SSL_HANDSHAKE * hs)3972 bool ssl_do_channel_id_callback(SSL_HANDSHAKE *hs) {
3973 if (hs->config->channel_id_private != NULL ||
3974 hs->ssl->ctx->channel_id_cb == NULL) {
3975 return true;
3976 }
3977
3978 EVP_PKEY *key = NULL;
3979 hs->ssl->ctx->channel_id_cb(hs->ssl, &key);
3980 if (key == NULL) {
3981 // The caller should try again later.
3982 return true;
3983 }
3984
3985 UniquePtr<EVP_PKEY> free_key(key);
3986 return SSL_set1_tls_channel_id(hs->ssl, key);
3987 }
3988
ssl_is_sct_list_valid(const CBS * contents)3989 bool ssl_is_sct_list_valid(const CBS *contents) {
3990 // Shallow parse the SCT list for sanity. By the RFC
3991 // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
3992 // of the SCTs may be empty.
3993 CBS copy = *contents;
3994 CBS sct_list;
3995 if (!CBS_get_u16_length_prefixed(©, &sct_list) ||
3996 CBS_len(©) != 0 ||
3997 CBS_len(&sct_list) == 0) {
3998 return false;
3999 }
4000
4001 while (CBS_len(&sct_list) > 0) {
4002 CBS sct;
4003 if (!CBS_get_u16_length_prefixed(&sct_list, &sct) ||
4004 CBS_len(&sct) == 0) {
4005 return false;
4006 }
4007 }
4008
4009 return true;
4010 }
4011
4012 BSSL_NAMESPACE_END
4013
4014 using namespace bssl;
4015
SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO * client_hello,uint16_t extension_type,const uint8_t ** out_data,size_t * out_len)4016 int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
4017 uint16_t extension_type,
4018 const uint8_t **out_data,
4019 size_t *out_len) {
4020 CBS cbs;
4021 if (!ssl_client_hello_get_extension(client_hello, &cbs, extension_type)) {
4022 return 0;
4023 }
4024
4025 *out_data = CBS_data(&cbs);
4026 *out_len = CBS_len(&cbs);
4027 return 1;
4028 }
4029
SSL_CTX_set_ed25519_enabled(SSL_CTX * ctx,int enabled)4030 void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
4031 ctx->ed25519_enabled = !!enabled;
4032 }
4033
SSL_CTX_set_rsa_pss_rsae_certs_enabled(SSL_CTX * ctx,int enabled)4034 void SSL_CTX_set_rsa_pss_rsae_certs_enabled(SSL_CTX *ctx, int enabled) {
4035 ctx->rsa_pss_rsae_certs_enabled = !!enabled;
4036 }
4037