1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #include <openssl/ssl.h>
110
111 #include <assert.h>
112 #include <limits.h>
113 #include <stdlib.h>
114 #include <string.h>
115
116 #include <openssl/bytestring.h>
117 #include <openssl/digest.h>
118 #include <openssl/err.h>
119 #include <openssl/evp.h>
120 #include <openssl/hmac.h>
121 #include <openssl/mem.h>
122 #include <openssl/nid.h>
123 #include <openssl/rand.h>
124
125 #include "internal.h"
126 #include "../crypto/internal.h"
127
128
129 static int ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);
130
compare_uint16_t(const void * p1,const void * p2)131 static int compare_uint16_t(const void *p1, const void *p2) {
132 uint16_t u1 = *((const uint16_t *)p1);
133 uint16_t u2 = *((const uint16_t *)p2);
134 if (u1 < u2) {
135 return -1;
136 } else if (u1 > u2) {
137 return 1;
138 } else {
139 return 0;
140 }
141 }
142
143 /* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
144 * more than one extension of the same type in a ClientHello or ServerHello.
145 * This function does an initial scan over the extensions block to filter those
146 * out. */
tls1_check_duplicate_extensions(const CBS * cbs)147 static int tls1_check_duplicate_extensions(const CBS *cbs) {
148 CBS extensions = *cbs;
149 size_t num_extensions = 0, i = 0;
150 uint16_t *extension_types = NULL;
151 int ret = 0;
152
153 /* First pass: count the extensions. */
154 while (CBS_len(&extensions) > 0) {
155 uint16_t type;
156 CBS extension;
157
158 if (!CBS_get_u16(&extensions, &type) ||
159 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
160 goto done;
161 }
162
163 num_extensions++;
164 }
165
166 if (num_extensions == 0) {
167 return 1;
168 }
169
170 extension_types =
171 (uint16_t *)OPENSSL_malloc(sizeof(uint16_t) * num_extensions);
172 if (extension_types == NULL) {
173 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
174 goto done;
175 }
176
177 /* Second pass: gather the extension types. */
178 extensions = *cbs;
179 for (i = 0; i < num_extensions; i++) {
180 CBS extension;
181
182 if (!CBS_get_u16(&extensions, &extension_types[i]) ||
183 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
184 /* This should not happen. */
185 goto done;
186 }
187 }
188 assert(CBS_len(&extensions) == 0);
189
190 /* Sort the extensions and make sure there are no duplicates. */
191 qsort(extension_types, num_extensions, sizeof(uint16_t), compare_uint16_t);
192 for (i = 1; i < num_extensions; i++) {
193 if (extension_types[i - 1] == extension_types[i]) {
194 goto done;
195 }
196 }
197
198 ret = 1;
199
200 done:
201 OPENSSL_free(extension_types);
202 return ret;
203 }
204
ssl_client_hello_init(SSL * ssl,SSL_CLIENT_HELLO * out,const uint8_t * in,size_t in_len)205 int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out, const uint8_t *in,
206 size_t in_len) {
207 OPENSSL_memset(out, 0, sizeof(*out));
208 out->ssl = ssl;
209 out->client_hello = in;
210 out->client_hello_len = in_len;
211
212 CBS client_hello, random, session_id;
213 CBS_init(&client_hello, out->client_hello, out->client_hello_len);
214 if (!CBS_get_u16(&client_hello, &out->version) ||
215 !CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) ||
216 !CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
217 CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
218 return 0;
219 }
220
221 out->random = CBS_data(&random);
222 out->random_len = CBS_len(&random);
223 out->session_id = CBS_data(&session_id);
224 out->session_id_len = CBS_len(&session_id);
225
226 /* Skip past DTLS cookie */
227 if (SSL_is_dtls(out->ssl)) {
228 CBS cookie;
229 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
230 CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
231 return 0;
232 }
233 }
234
235 CBS cipher_suites, compression_methods;
236 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
237 CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
238 !CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
239 CBS_len(&compression_methods) < 1) {
240 return 0;
241 }
242
243 out->cipher_suites = CBS_data(&cipher_suites);
244 out->cipher_suites_len = CBS_len(&cipher_suites);
245 out->compression_methods = CBS_data(&compression_methods);
246 out->compression_methods_len = CBS_len(&compression_methods);
247
248 /* If the ClientHello ends here then it's valid, but doesn't have any
249 * extensions. (E.g. SSLv3.) */
250 if (CBS_len(&client_hello) == 0) {
251 out->extensions = NULL;
252 out->extensions_len = 0;
253 return 1;
254 }
255
256 /* Extract extensions and check it is valid. */
257 CBS extensions;
258 if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
259 !tls1_check_duplicate_extensions(&extensions) ||
260 CBS_len(&client_hello) != 0) {
261 return 0;
262 }
263
264 out->extensions = CBS_data(&extensions);
265 out->extensions_len = CBS_len(&extensions);
266
267 return 1;
268 }
269
ssl_client_hello_get_extension(const SSL_CLIENT_HELLO * client_hello,CBS * out,uint16_t extension_type)270 int ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
271 CBS *out, uint16_t extension_type) {
272 CBS extensions;
273 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
274 while (CBS_len(&extensions) != 0) {
275 /* Decode the next extension. */
276 uint16_t type;
277 CBS extension;
278 if (!CBS_get_u16(&extensions, &type) ||
279 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
280 return 0;
281 }
282
283 if (type == extension_type) {
284 *out = extension;
285 return 1;
286 }
287 }
288
289 return 0;
290 }
291
SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO * client_hello,uint16_t extension_type,const uint8_t ** out_data,size_t * out_len)292 int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
293 uint16_t extension_type,
294 const uint8_t **out_data,
295 size_t *out_len) {
296 CBS cbs;
297 if (!ssl_client_hello_get_extension(client_hello, &cbs, extension_type)) {
298 return 0;
299 }
300
301 *out_data = CBS_data(&cbs);
302 *out_len = CBS_len(&cbs);
303 return 1;
304 }
305
306 static const uint16_t kDefaultGroups[] = {
307 SSL_CURVE_X25519,
308 SSL_CURVE_SECP256R1,
309 SSL_CURVE_SECP384R1,
310 };
311
tls1_get_grouplist(SSL * ssl,const uint16_t ** out_group_ids,size_t * out_group_ids_len)312 void tls1_get_grouplist(SSL *ssl, const uint16_t **out_group_ids,
313 size_t *out_group_ids_len) {
314 *out_group_ids = ssl->supported_group_list;
315 *out_group_ids_len = ssl->supported_group_list_len;
316 if (!*out_group_ids) {
317 *out_group_ids = kDefaultGroups;
318 *out_group_ids_len = OPENSSL_ARRAY_SIZE(kDefaultGroups);
319 }
320 }
321
tls1_get_shared_group(SSL_HANDSHAKE * hs,uint16_t * out_group_id)322 int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
323 SSL *const ssl = hs->ssl;
324 assert(ssl->server);
325
326 const uint16_t *groups, *pref, *supp;
327 size_t groups_len, pref_len, supp_len;
328 tls1_get_grouplist(ssl, &groups, &groups_len);
329
330 /* Clients are not required to send a supported_groups extension. In this
331 * case, the server is free to pick any group it likes. See RFC 4492,
332 * section 4, paragraph 3.
333 *
334 * However, in the interests of compatibility, we will skip ECDH if the
335 * client didn't send an extension because we can't be sure that they'll
336 * support our favoured group. Thus we do not special-case an emtpy
337 * |peer_supported_group_list|. */
338
339 if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
340 pref = groups;
341 pref_len = groups_len;
342 supp = hs->peer_supported_group_list;
343 supp_len = hs->peer_supported_group_list_len;
344 } else {
345 pref = hs->peer_supported_group_list;
346 pref_len = hs->peer_supported_group_list_len;
347 supp = groups;
348 supp_len = groups_len;
349 }
350
351 for (size_t i = 0; i < pref_len; i++) {
352 for (size_t j = 0; j < supp_len; j++) {
353 if (pref[i] == supp[j]) {
354 *out_group_id = pref[i];
355 return 1;
356 }
357 }
358 }
359
360 return 0;
361 }
362
tls1_set_curves(uint16_t ** out_group_ids,size_t * out_group_ids_len,const int * curves,size_t ncurves)363 int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len,
364 const int *curves, size_t ncurves) {
365 uint16_t *group_ids = (uint16_t *)OPENSSL_malloc(ncurves * sizeof(uint16_t));
366 if (group_ids == NULL) {
367 return 0;
368 }
369
370 for (size_t i = 0; i < ncurves; i++) {
371 if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) {
372 OPENSSL_free(group_ids);
373 return 0;
374 }
375 }
376
377 OPENSSL_free(*out_group_ids);
378 *out_group_ids = group_ids;
379 *out_group_ids_len = ncurves;
380
381 return 1;
382 }
383
tls1_set_curves_list(uint16_t ** out_group_ids,size_t * out_group_ids_len,const char * curves)384 int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
385 const char *curves) {
386 uint16_t *group_ids = NULL;
387 size_t ncurves = 0;
388
389 const char *col;
390 const char *ptr = curves;
391
392 do {
393 col = strchr(ptr, ':');
394
395 uint16_t group_id;
396 if (!ssl_name_to_group_id(&group_id, ptr,
397 col ? (size_t)(col - ptr) : strlen(ptr))) {
398 goto err;
399 }
400
401 uint16_t *new_group_ids = (uint16_t *)OPENSSL_realloc(
402 group_ids, (ncurves + 1) * sizeof(uint16_t));
403 if (new_group_ids == NULL) {
404 goto err;
405 }
406 group_ids = new_group_ids;
407
408 group_ids[ncurves] = group_id;
409 ncurves++;
410
411 if (col) {
412 ptr = col + 1;
413 }
414 } while (col);
415
416 OPENSSL_free(*out_group_ids);
417 *out_group_ids = group_ids;
418 *out_group_ids_len = ncurves;
419
420 return 1;
421
422 err:
423 OPENSSL_free(group_ids);
424 return 0;
425 }
426
tls1_check_group_id(SSL * ssl,uint16_t group_id)427 int tls1_check_group_id(SSL *ssl, uint16_t group_id) {
428 const uint16_t *groups;
429 size_t groups_len;
430 tls1_get_grouplist(ssl, &groups, &groups_len);
431 for (size_t i = 0; i < groups_len; i++) {
432 if (groups[i] == group_id) {
433 return 1;
434 }
435 }
436
437 return 0;
438 }
439
440 /* kVerifySignatureAlgorithms is the default list of accepted signature
441 * algorithms for verifying.
442 *
443 * For now, RSA-PSS signature algorithms are not enabled on Android's system
444 * BoringSSL. Once the change in Chrome has stuck and the values are finalized,
445 * restore them. */
446 static const uint16_t kVerifySignatureAlgorithms[] = {
447 /* List our preferred algorithms first. */
448 SSL_SIGN_ED25519,
449 SSL_SIGN_ECDSA_SECP256R1_SHA256,
450 #if !defined(BORINGSSL_ANDROID_SYSTEM)
451 SSL_SIGN_RSA_PSS_SHA256,
452 #endif
453 SSL_SIGN_RSA_PKCS1_SHA256,
454
455 /* Larger hashes are acceptable. */
456 SSL_SIGN_ECDSA_SECP384R1_SHA384,
457 #if !defined(BORINGSSL_ANDROID_SYSTEM)
458 SSL_SIGN_RSA_PSS_SHA384,
459 #endif
460 SSL_SIGN_RSA_PKCS1_SHA384,
461
462 /* TODO(davidben): Remove this. */
463 #if defined(BORINGSSL_ANDROID_SYSTEM)
464 SSL_SIGN_ECDSA_SECP521R1_SHA512,
465 #endif
466 #if !defined(BORINGSSL_ANDROID_SYSTEM)
467 SSL_SIGN_RSA_PSS_SHA512,
468 #endif
469 SSL_SIGN_RSA_PKCS1_SHA512,
470
471 /* For now, SHA-1 is still accepted but least preferable. */
472 SSL_SIGN_RSA_PKCS1_SHA1,
473
474 };
475
476 /* kSignSignatureAlgorithms is the default list of supported signature
477 * algorithms for signing.
478 *
479 * For now, RSA-PSS signature algorithms are not enabled on Android's system
480 * BoringSSL. Once the change in Chrome has stuck and the values are finalized,
481 * restore them. */
482 static const uint16_t kSignSignatureAlgorithms[] = {
483 /* List our preferred algorithms first. */
484 SSL_SIGN_ED25519,
485 SSL_SIGN_ECDSA_SECP256R1_SHA256,
486 #if !defined(BORINGSSL_ANDROID_SYSTEM)
487 SSL_SIGN_RSA_PSS_SHA256,
488 #endif
489 SSL_SIGN_RSA_PKCS1_SHA256,
490
491 /* If needed, sign larger hashes.
492 *
493 * TODO(davidben): Determine which of these may be pruned. */
494 SSL_SIGN_ECDSA_SECP384R1_SHA384,
495 #if !defined(BORINGSSL_ANDROID_SYSTEM)
496 SSL_SIGN_RSA_PSS_SHA384,
497 #endif
498 SSL_SIGN_RSA_PKCS1_SHA384,
499
500 SSL_SIGN_ECDSA_SECP521R1_SHA512,
501 #if !defined(BORINGSSL_ANDROID_SYSTEM)
502 SSL_SIGN_RSA_PSS_SHA512,
503 #endif
504 SSL_SIGN_RSA_PKCS1_SHA512,
505
506 /* If the peer supports nothing else, sign with SHA-1. */
507 SSL_SIGN_ECDSA_SHA1,
508 SSL_SIGN_RSA_PKCS1_SHA1,
509 };
510
SSL_CTX_set_ed25519_enabled(SSL_CTX * ctx,int enabled)511 void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
512 ctx->ed25519_enabled = !!enabled;
513 }
514
tls12_add_verify_sigalgs(const SSL * ssl,CBB * out)515 int tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
516 const uint16_t *sigalgs = kVerifySignatureAlgorithms;
517 size_t num_sigalgs = OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms);
518 if (ssl->ctx->num_verify_sigalgs != 0) {
519 sigalgs = ssl->ctx->verify_sigalgs;
520 num_sigalgs = ssl->ctx->num_verify_sigalgs;
521 }
522
523 for (size_t i = 0; i < num_sigalgs; i++) {
524 if (sigalgs == kVerifySignatureAlgorithms &&
525 sigalgs[i] == SSL_SIGN_ED25519 &&
526 !ssl->ctx->ed25519_enabled) {
527 continue;
528 }
529 if (!CBB_add_u16(out, sigalgs[i])) {
530 return 0;
531 }
532 }
533
534 return 1;
535 }
536
tls12_check_peer_sigalg(SSL * ssl,uint8_t * out_alert,uint16_t sigalg)537 int tls12_check_peer_sigalg(SSL *ssl, uint8_t *out_alert, uint16_t sigalg) {
538 const uint16_t *sigalgs = kVerifySignatureAlgorithms;
539 size_t num_sigalgs = OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms);
540 if (ssl->ctx->num_verify_sigalgs != 0) {
541 sigalgs = ssl->ctx->verify_sigalgs;
542 num_sigalgs = ssl->ctx->num_verify_sigalgs;
543 }
544
545 for (size_t i = 0; i < num_sigalgs; i++) {
546 if (sigalgs == kVerifySignatureAlgorithms &&
547 sigalgs[i] == SSL_SIGN_ED25519 &&
548 !ssl->ctx->ed25519_enabled) {
549 continue;
550 }
551 if (sigalg == sigalgs[i]) {
552 return 1;
553 }
554 }
555
556 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
557 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
558 return 0;
559 }
560
561 /* tls_extension represents a TLS extension that is handled internally. The
562 * |init| function is called for each handshake, before any other functions of
563 * the extension. Then the add and parse callbacks are called as needed.
564 *
565 * The parse callbacks receive a |CBS| that contains the contents of the
566 * extension (i.e. not including the type and length bytes). If an extension is
567 * not received then the parse callbacks will be called with a NULL CBS so that
568 * they can do any processing needed to handle the absence of an extension.
569 *
570 * The add callbacks receive a |CBB| to which the extension can be appended but
571 * the function is responsible for appending the type and length bytes too.
572 *
573 * All callbacks return one for success and zero for error. If a parse function
574 * returns zero then a fatal alert with value |*out_alert| will be sent. If
575 * |*out_alert| isn't set, then a |decode_error| alert will be sent. */
576 struct tls_extension {
577 uint16_t value;
578 void (*init)(SSL_HANDSHAKE *hs);
579
580 int (*add_clienthello)(SSL_HANDSHAKE *hs, CBB *out);
581 int (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
582 CBS *contents);
583
584 int (*parse_clienthello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
585 CBS *contents);
586 int (*add_serverhello)(SSL_HANDSHAKE *hs, CBB *out);
587 };
588
forbid_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)589 static int forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
590 CBS *contents) {
591 if (contents != NULL) {
592 /* Servers MUST NOT send this extension. */
593 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
594 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
595 return 0;
596 }
597
598 return 1;
599 }
600
ignore_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)601 static int ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
602 CBS *contents) {
603 /* This extension from the client is handled elsewhere. */
604 return 1;
605 }
606
dont_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)607 static int dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
608 return 1;
609 }
610
611 /* Server name indication (SNI).
612 *
613 * https://tools.ietf.org/html/rfc6066#section-3. */
614
ext_sni_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)615 static int ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
616 SSL *const ssl = hs->ssl;
617 if (ssl->tlsext_hostname == NULL) {
618 return 1;
619 }
620
621 CBB contents, server_name_list, name;
622 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
623 !CBB_add_u16_length_prefixed(out, &contents) ||
624 !CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
625 !CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
626 !CBB_add_u16_length_prefixed(&server_name_list, &name) ||
627 !CBB_add_bytes(&name, (const uint8_t *)ssl->tlsext_hostname,
628 strlen(ssl->tlsext_hostname)) ||
629 !CBB_flush(out)) {
630 return 0;
631 }
632
633 return 1;
634 }
635
ext_sni_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)636 static int ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
637 CBS *contents) {
638 SSL *const ssl = hs->ssl;
639 if (contents == NULL) {
640 return 1;
641 }
642
643 if (CBS_len(contents) != 0) {
644 return 0;
645 }
646
647 assert(ssl->tlsext_hostname != NULL);
648
649 if (ssl->session == NULL) {
650 OPENSSL_free(hs->new_session->tlsext_hostname);
651 hs->new_session->tlsext_hostname = BUF_strdup(ssl->tlsext_hostname);
652 if (!hs->new_session->tlsext_hostname) {
653 *out_alert = SSL_AD_INTERNAL_ERROR;
654 return 0;
655 }
656 }
657
658 return 1;
659 }
660
ext_sni_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)661 static int ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
662 CBS *contents) {
663 if (contents == NULL) {
664 return 1;
665 }
666
667 CBS server_name_list, host_name;
668 uint8_t name_type;
669 if (!CBS_get_u16_length_prefixed(contents, &server_name_list) ||
670 !CBS_get_u8(&server_name_list, &name_type) ||
671 /* Although the server_name extension was intended to be extensible to
672 * new name types and multiple names, OpenSSL 1.0.x had a bug which meant
673 * different name types will cause an error. Further, RFC 4366 originally
674 * defined syntax inextensibly. RFC 6066 corrected this mistake, but
675 * adding new name types is no longer feasible.
676 *
677 * Act as if the extensibility does not exist to simplify parsing. */
678 !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
679 CBS_len(&server_name_list) != 0 ||
680 CBS_len(contents) != 0) {
681 return 0;
682 }
683
684 if (name_type != TLSEXT_NAMETYPE_host_name ||
685 CBS_len(&host_name) == 0 ||
686 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
687 CBS_contains_zero_byte(&host_name)) {
688 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
689 return 0;
690 }
691
692 /* Copy the hostname as a string. */
693 if (!CBS_strdup(&host_name, &hs->hostname)) {
694 *out_alert = SSL_AD_INTERNAL_ERROR;
695 return 0;
696 }
697
698 hs->should_ack_sni = 1;
699 return 1;
700 }
701
ext_sni_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)702 static int ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
703 if (hs->ssl->s3->session_reused ||
704 !hs->should_ack_sni) {
705 return 1;
706 }
707
708 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
709 !CBB_add_u16(out, 0 /* length */)) {
710 return 0;
711 }
712
713 return 1;
714 }
715
716
717 /* Renegotiation indication.
718 *
719 * https://tools.ietf.org/html/rfc5746 */
720
ext_ri_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)721 static int ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
722 SSL *const ssl = hs->ssl;
723 /* Renegotiation indication is not necessary in TLS 1.3. */
724 if (hs->min_version >= TLS1_3_VERSION) {
725 return 1;
726 }
727
728 assert(ssl->s3->initial_handshake_complete ==
729 (ssl->s3->previous_client_finished_len != 0));
730
731 CBB contents, prev_finished;
732 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
733 !CBB_add_u16_length_prefixed(out, &contents) ||
734 !CBB_add_u8_length_prefixed(&contents, &prev_finished) ||
735 !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished,
736 ssl->s3->previous_client_finished_len) ||
737 !CBB_flush(out)) {
738 return 0;
739 }
740
741 return 1;
742 }
743
ext_ri_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)744 static int ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
745 CBS *contents) {
746 SSL *const ssl = hs->ssl;
747 if (contents != NULL && ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
748 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
749 return 0;
750 }
751
752 /* Servers may not switch between omitting the extension and supporting it.
753 * See RFC 5746, sections 3.5 and 4.2. */
754 if (ssl->s3->initial_handshake_complete &&
755 (contents != NULL) != ssl->s3->send_connection_binding) {
756 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
757 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
758 return 0;
759 }
760
761 if (contents == NULL) {
762 /* Strictly speaking, if we want to avoid an attack we should *always* see
763 * RI even on initial ServerHello because the client doesn't see any
764 * renegotiation during an attack. However this would mean we could not
765 * connect to any server which doesn't support RI.
766 *
767 * OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in
768 * practical terms every client sets it so it's just assumed here. */
769 return 1;
770 }
771
772 const size_t expected_len = ssl->s3->previous_client_finished_len +
773 ssl->s3->previous_server_finished_len;
774
775 /* Check for logic errors */
776 assert(!expected_len || ssl->s3->previous_client_finished_len);
777 assert(!expected_len || ssl->s3->previous_server_finished_len);
778 assert(ssl->s3->initial_handshake_complete ==
779 (ssl->s3->previous_client_finished_len != 0));
780 assert(ssl->s3->initial_handshake_complete ==
781 (ssl->s3->previous_server_finished_len != 0));
782
783 /* Parse out the extension contents. */
784 CBS renegotiated_connection;
785 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
786 CBS_len(contents) != 0) {
787 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
788 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
789 return 0;
790 }
791
792 /* Check that the extension matches. */
793 if (CBS_len(&renegotiated_connection) != expected_len) {
794 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
795 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
796 return 0;
797 }
798
799 const uint8_t *d = CBS_data(&renegotiated_connection);
800 int ok = CRYPTO_memcmp(d, ssl->s3->previous_client_finished,
801 ssl->s3->previous_client_finished_len) == 0;
802 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
803 ok = 1;
804 #endif
805 if (!ok) {
806 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
807 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
808 return 0;
809 }
810 d += ssl->s3->previous_client_finished_len;
811
812 ok = CRYPTO_memcmp(d, ssl->s3->previous_server_finished,
813 ssl->s3->previous_server_finished_len) == 0;
814 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
815 ok = 1;
816 #endif
817 if (!ok) {
818 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
819 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
820 return 0;
821 }
822 ssl->s3->send_connection_binding = 1;
823
824 return 1;
825 }
826
ext_ri_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)827 static int ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
828 CBS *contents) {
829 SSL *const ssl = hs->ssl;
830 /* Renegotiation isn't supported as a server so this function should never be
831 * called after the initial handshake. */
832 assert(!ssl->s3->initial_handshake_complete);
833
834 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
835 return 1;
836 }
837
838 if (contents == NULL) {
839 return 1;
840 }
841
842 CBS renegotiated_connection;
843 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
844 CBS_len(contents) != 0) {
845 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
846 return 0;
847 }
848
849 /* Check that the extension matches. We do not support renegotiation as a
850 * server, so this must be empty. */
851 if (CBS_len(&renegotiated_connection) != 0) {
852 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
853 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
854 return 0;
855 }
856
857 ssl->s3->send_connection_binding = 1;
858
859 return 1;
860 }
861
ext_ri_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)862 static int ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
863 SSL *const ssl = hs->ssl;
864 /* Renegotiation isn't supported as a server so this function should never be
865 * called after the initial handshake. */
866 assert(!ssl->s3->initial_handshake_complete);
867
868 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
869 return 1;
870 }
871
872 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
873 !CBB_add_u16(out, 1 /* length */) ||
874 !CBB_add_u8(out, 0 /* empty renegotiation info */)) {
875 return 0;
876 }
877
878 return 1;
879 }
880
881
882 /* Extended Master Secret.
883 *
884 * https://tools.ietf.org/html/rfc7627 */
885
ext_ems_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)886 static int ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
887 /* Extended master secret is not necessary in TLS 1.3. */
888 if (hs->min_version >= TLS1_3_VERSION || hs->max_version <= SSL3_VERSION) {
889 return 1;
890 }
891
892 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
893 !CBB_add_u16(out, 0 /* length */)) {
894 return 0;
895 }
896
897 return 1;
898 }
899
ext_ems_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)900 static int ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
901 CBS *contents) {
902 SSL *const ssl = hs->ssl;
903
904 if (contents != NULL) {
905 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION ||
906 ssl->version == SSL3_VERSION ||
907 CBS_len(contents) != 0) {
908 return 0;
909 }
910
911 hs->extended_master_secret = 1;
912 }
913
914 /* Whether EMS is negotiated may not change on renegotiation. */
915 if (ssl->s3->established_session != NULL &&
916 hs->extended_master_secret !=
917 ssl->s3->established_session->extended_master_secret) {
918 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH);
919 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
920 return 0;
921 }
922
923 return 1;
924 }
925
ext_ems_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)926 static int ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
927 CBS *contents) {
928 uint16_t version = ssl3_protocol_version(hs->ssl);
929 if (version >= TLS1_3_VERSION ||
930 version == SSL3_VERSION) {
931 return 1;
932 }
933
934 if (contents == NULL) {
935 return 1;
936 }
937
938 if (CBS_len(contents) != 0) {
939 return 0;
940 }
941
942 hs->extended_master_secret = 1;
943 return 1;
944 }
945
ext_ems_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)946 static int ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
947 if (!hs->extended_master_secret) {
948 return 1;
949 }
950
951 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
952 !CBB_add_u16(out, 0 /* length */)) {
953 return 0;
954 }
955
956 return 1;
957 }
958
959
960 /* Session tickets.
961 *
962 * https://tools.ietf.org/html/rfc5077 */
963
ext_ticket_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)964 static int ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
965 SSL *const ssl = hs->ssl;
966 /* TLS 1.3 uses a different ticket extension. */
967 if (hs->min_version >= TLS1_3_VERSION ||
968 SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
969 return 1;
970 }
971
972 const uint8_t *ticket_data = NULL;
973 int ticket_len = 0;
974
975 /* Renegotiation does not participate in session resumption. However, still
976 * advertise the extension to avoid potentially breaking servers which carry
977 * over the state from the previous handshake, such as OpenSSL servers
978 * without upstream's 3c3f0259238594d77264a78944d409f2127642c4. */
979 if (!ssl->s3->initial_handshake_complete &&
980 ssl->session != NULL &&
981 ssl->session->tlsext_tick != NULL &&
982 /* Don't send TLS 1.3 session tickets in the ticket extension. */
983 SSL_SESSION_protocol_version(ssl->session) < TLS1_3_VERSION) {
984 ticket_data = ssl->session->tlsext_tick;
985 ticket_len = ssl->session->tlsext_ticklen;
986 }
987
988 CBB ticket;
989 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
990 !CBB_add_u16_length_prefixed(out, &ticket) ||
991 !CBB_add_bytes(&ticket, ticket_data, ticket_len) ||
992 !CBB_flush(out)) {
993 return 0;
994 }
995
996 return 1;
997 }
998
ext_ticket_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)999 static int ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1000 CBS *contents) {
1001 SSL *const ssl = hs->ssl;
1002 if (contents == NULL) {
1003 return 1;
1004 }
1005
1006 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
1007 return 0;
1008 }
1009
1010 /* If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
1011 * this function should never be called, even if the server tries to send the
1012 * extension. */
1013 assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);
1014
1015 if (CBS_len(contents) != 0) {
1016 return 0;
1017 }
1018
1019 hs->ticket_expected = 1;
1020 return 1;
1021 }
1022
ext_ticket_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1023 static int ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1024 if (!hs->ticket_expected) {
1025 return 1;
1026 }
1027
1028 /* If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true. */
1029 assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0);
1030
1031 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
1032 !CBB_add_u16(out, 0 /* length */)) {
1033 return 0;
1034 }
1035
1036 return 1;
1037 }
1038
1039
1040 /* Signature Algorithms.
1041 *
1042 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
1043
ext_sigalgs_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1044 static int ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1045 SSL *const ssl = hs->ssl;
1046 if (hs->max_version < TLS1_2_VERSION) {
1047 return 1;
1048 }
1049
1050 CBB contents, sigalgs_cbb;
1051 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
1052 !CBB_add_u16_length_prefixed(out, &contents) ||
1053 !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
1054 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb) ||
1055 !CBB_flush(out)) {
1056 return 0;
1057 }
1058
1059 return 1;
1060 }
1061
ext_sigalgs_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1062 static int ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1063 CBS *contents) {
1064 OPENSSL_free(hs->peer_sigalgs);
1065 hs->peer_sigalgs = NULL;
1066 hs->num_peer_sigalgs = 0;
1067
1068 if (contents == NULL) {
1069 return 1;
1070 }
1071
1072 CBS supported_signature_algorithms;
1073 if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) ||
1074 CBS_len(contents) != 0 ||
1075 CBS_len(&supported_signature_algorithms) == 0 ||
1076 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
1077 return 0;
1078 }
1079
1080 return 1;
1081 }
1082
1083
1084 /* OCSP Stapling.
1085 *
1086 * https://tools.ietf.org/html/rfc6066#section-8 */
1087
ext_ocsp_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1088 static int ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1089 SSL *const ssl = hs->ssl;
1090 if (!ssl->ocsp_stapling_enabled) {
1091 return 1;
1092 }
1093
1094 CBB contents;
1095 if (!CBB_add_u16(out, TLSEXT_TYPE_status_request) ||
1096 !CBB_add_u16_length_prefixed(out, &contents) ||
1097 !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
1098 !CBB_add_u16(&contents, 0 /* empty responder ID list */) ||
1099 !CBB_add_u16(&contents, 0 /* empty request extensions */) ||
1100 !CBB_flush(out)) {
1101 return 0;
1102 }
1103
1104 return 1;
1105 }
1106
ext_ocsp_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1107 static int ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1108 CBS *contents) {
1109 SSL *const ssl = hs->ssl;
1110 if (contents == NULL) {
1111 return 1;
1112 }
1113
1114 /* TLS 1.3 OCSP responses are included in the Certificate extensions. */
1115 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
1116 return 0;
1117 }
1118
1119 /* OCSP stapling is forbidden on non-certificate ciphers. */
1120 if (CBS_len(contents) != 0 ||
1121 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1122 return 0;
1123 }
1124
1125 /* Note this does not check for resumption in TLS 1.2. Sending
1126 * status_request here does not make sense, but OpenSSL does so and the
1127 * specification does not say anything. Tolerate it but ignore it. */
1128
1129 hs->certificate_status_expected = 1;
1130 return 1;
1131 }
1132
ext_ocsp_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1133 static int ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1134 CBS *contents) {
1135 if (contents == NULL) {
1136 return 1;
1137 }
1138
1139 uint8_t status_type;
1140 if (!CBS_get_u8(contents, &status_type)) {
1141 return 0;
1142 }
1143
1144 /* We cannot decide whether OCSP stapling will occur yet because the correct
1145 * SSL_CTX might not have been selected. */
1146 hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
1147
1148 return 1;
1149 }
1150
ext_ocsp_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1151 static int ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1152 SSL *const ssl = hs->ssl;
1153 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION ||
1154 !hs->ocsp_stapling_requested ||
1155 ssl->cert->ocsp_response == NULL ||
1156 ssl->s3->session_reused ||
1157 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1158 return 1;
1159 }
1160
1161 hs->certificate_status_expected = 1;
1162
1163 return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
1164 CBB_add_u16(out, 0 /* length */);
1165 }
1166
1167
1168 /* Next protocol negotiation.
1169 *
1170 * https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html */
1171
ext_npn_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1172 static int ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1173 SSL *const ssl = hs->ssl;
1174 if (ssl->s3->initial_handshake_complete ||
1175 ssl->ctx->next_proto_select_cb == NULL ||
1176 SSL_is_dtls(ssl)) {
1177 return 1;
1178 }
1179
1180 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1181 !CBB_add_u16(out, 0 /* length */)) {
1182 return 0;
1183 }
1184
1185 return 1;
1186 }
1187
ext_npn_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1188 static int ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1189 CBS *contents) {
1190 SSL *const ssl = hs->ssl;
1191 if (contents == NULL) {
1192 return 1;
1193 }
1194
1195 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
1196 return 0;
1197 }
1198
1199 /* If any of these are false then we should never have sent the NPN
1200 * extension in the ClientHello and thus this function should never have been
1201 * called. */
1202 assert(!ssl->s3->initial_handshake_complete);
1203 assert(!SSL_is_dtls(ssl));
1204 assert(ssl->ctx->next_proto_select_cb != NULL);
1205
1206 if (ssl->s3->alpn_selected != NULL) {
1207 /* NPN and ALPN may not be negotiated in the same connection. */
1208 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1209 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1210 return 0;
1211 }
1212
1213 const uint8_t *const orig_contents = CBS_data(contents);
1214 const size_t orig_len = CBS_len(contents);
1215
1216 while (CBS_len(contents) != 0) {
1217 CBS proto;
1218 if (!CBS_get_u8_length_prefixed(contents, &proto) ||
1219 CBS_len(&proto) == 0) {
1220 return 0;
1221 }
1222 }
1223
1224 uint8_t *selected;
1225 uint8_t selected_len;
1226 if (ssl->ctx->next_proto_select_cb(
1227 ssl, &selected, &selected_len, orig_contents, orig_len,
1228 ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) {
1229 *out_alert = SSL_AD_INTERNAL_ERROR;
1230 return 0;
1231 }
1232
1233 OPENSSL_free(ssl->s3->next_proto_negotiated);
1234 ssl->s3->next_proto_negotiated =
1235 (uint8_t *)BUF_memdup(selected, selected_len);
1236 if (ssl->s3->next_proto_negotiated == NULL) {
1237 *out_alert = SSL_AD_INTERNAL_ERROR;
1238 return 0;
1239 }
1240
1241 ssl->s3->next_proto_negotiated_len = selected_len;
1242 hs->next_proto_neg_seen = 1;
1243
1244 return 1;
1245 }
1246
ext_npn_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1247 static int ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1248 CBS *contents) {
1249 SSL *const ssl = hs->ssl;
1250 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
1251 return 1;
1252 }
1253
1254 if (contents != NULL && CBS_len(contents) != 0) {
1255 return 0;
1256 }
1257
1258 if (contents == NULL ||
1259 ssl->s3->initial_handshake_complete ||
1260 ssl->ctx->next_protos_advertised_cb == NULL ||
1261 SSL_is_dtls(ssl)) {
1262 return 1;
1263 }
1264
1265 hs->next_proto_neg_seen = 1;
1266 return 1;
1267 }
1268
ext_npn_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1269 static int ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1270 SSL *const ssl = hs->ssl;
1271 /* |next_proto_neg_seen| might have been cleared when an ALPN extension was
1272 * parsed. */
1273 if (!hs->next_proto_neg_seen) {
1274 return 1;
1275 }
1276
1277 const uint8_t *npa;
1278 unsigned npa_len;
1279
1280 if (ssl->ctx->next_protos_advertised_cb(
1281 ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) !=
1282 SSL_TLSEXT_ERR_OK) {
1283 hs->next_proto_neg_seen = 0;
1284 return 1;
1285 }
1286
1287 CBB contents;
1288 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1289 !CBB_add_u16_length_prefixed(out, &contents) ||
1290 !CBB_add_bytes(&contents, npa, npa_len) ||
1291 !CBB_flush(out)) {
1292 return 0;
1293 }
1294
1295 return 1;
1296 }
1297
1298
1299 /* Signed certificate timestamps.
1300 *
1301 * https://tools.ietf.org/html/rfc6962#section-3.3.1 */
1302
ext_sct_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1303 static int ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1304 SSL *const ssl = hs->ssl;
1305 if (!ssl->signed_cert_timestamps_enabled) {
1306 return 1;
1307 }
1308
1309 if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) ||
1310 !CBB_add_u16(out, 0 /* length */)) {
1311 return 0;
1312 }
1313
1314 return 1;
1315 }
1316
ext_sct_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1317 static int ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1318 CBS *contents) {
1319 SSL *const ssl = hs->ssl;
1320 if (contents == NULL) {
1321 return 1;
1322 }
1323
1324 /* TLS 1.3 SCTs are included in the Certificate extensions. */
1325 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
1326 *out_alert = SSL_AD_DECODE_ERROR;
1327 return 0;
1328 }
1329
1330 /* If this is false then we should never have sent the SCT extension in the
1331 * ClientHello and thus this function should never have been called. */
1332 assert(ssl->signed_cert_timestamps_enabled);
1333
1334 if (!ssl_is_sct_list_valid(contents)) {
1335 *out_alert = SSL_AD_DECODE_ERROR;
1336 return 0;
1337 }
1338
1339 /* Session resumption uses the original session information. The extension
1340 * should not be sent on resumption, but RFC 6962 did not make it a
1341 * requirement, so tolerate this.
1342 *
1343 * TODO(davidben): Enforce this anyway. */
1344 if (!ssl->s3->session_reused &&
1345 !CBS_stow(contents, &hs->new_session->tlsext_signed_cert_timestamp_list,
1346 &hs->new_session->tlsext_signed_cert_timestamp_list_length)) {
1347 *out_alert = SSL_AD_INTERNAL_ERROR;
1348 return 0;
1349 }
1350
1351 return 1;
1352 }
1353
ext_sct_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1354 static int ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1355 CBS *contents) {
1356 if (contents == NULL) {
1357 return 1;
1358 }
1359
1360 if (CBS_len(contents) != 0) {
1361 return 0;
1362 }
1363
1364 hs->scts_requested = 1;
1365 return 1;
1366 }
1367
ext_sct_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1368 static int ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1369 SSL *const ssl = hs->ssl;
1370 /* The extension shouldn't be sent when resuming sessions. */
1371 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION ||
1372 ssl->s3->session_reused ||
1373 ssl->cert->signed_cert_timestamp_list == NULL) {
1374 return 1;
1375 }
1376
1377 CBB contents;
1378 return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) &&
1379 CBB_add_u16_length_prefixed(out, &contents) &&
1380 CBB_add_bytes(
1381 &contents,
1382 CRYPTO_BUFFER_data(ssl->cert->signed_cert_timestamp_list),
1383 CRYPTO_BUFFER_len(ssl->cert->signed_cert_timestamp_list)) &&
1384 CBB_flush(out);
1385 }
1386
1387
1388 /* Application-level Protocol Negotiation.
1389 *
1390 * https://tools.ietf.org/html/rfc7301 */
1391
ext_alpn_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1392 static int ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1393 SSL *const ssl = hs->ssl;
1394 if (ssl->alpn_client_proto_list == NULL ||
1395 ssl->s3->initial_handshake_complete) {
1396 return 1;
1397 }
1398
1399 CBB contents, proto_list;
1400 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1401 !CBB_add_u16_length_prefixed(out, &contents) ||
1402 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1403 !CBB_add_bytes(&proto_list, ssl->alpn_client_proto_list,
1404 ssl->alpn_client_proto_list_len) ||
1405 !CBB_flush(out)) {
1406 return 0;
1407 }
1408
1409 return 1;
1410 }
1411
ext_alpn_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1412 static int ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1413 CBS *contents) {
1414 SSL *const ssl = hs->ssl;
1415 if (contents == NULL) {
1416 return 1;
1417 }
1418
1419 assert(!ssl->s3->initial_handshake_complete);
1420 assert(ssl->alpn_client_proto_list != NULL);
1421
1422 if (hs->next_proto_neg_seen) {
1423 /* NPN and ALPN may not be negotiated in the same connection. */
1424 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1425 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1426 return 0;
1427 }
1428
1429 /* The extension data consists of a ProtocolNameList which must have
1430 * exactly one ProtocolName. Each of these is length-prefixed. */
1431 CBS protocol_name_list, protocol_name;
1432 if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
1433 CBS_len(contents) != 0 ||
1434 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
1435 /* Empty protocol names are forbidden. */
1436 CBS_len(&protocol_name) == 0 ||
1437 CBS_len(&protocol_name_list) != 0) {
1438 return 0;
1439 }
1440
1441 if (!ssl->ctx->allow_unknown_alpn_protos) {
1442 /* Check that the protocol name is one of the ones we advertised. */
1443 int protocol_ok = 0;
1444 CBS client_protocol_name_list, client_protocol_name;
1445 CBS_init(&client_protocol_name_list, ssl->alpn_client_proto_list,
1446 ssl->alpn_client_proto_list_len);
1447 while (CBS_len(&client_protocol_name_list) > 0) {
1448 if (!CBS_get_u8_length_prefixed(&client_protocol_name_list,
1449 &client_protocol_name)) {
1450 *out_alert = SSL_AD_INTERNAL_ERROR;
1451 return 0;
1452 }
1453
1454 if (CBS_len(&client_protocol_name) == CBS_len(&protocol_name) &&
1455 OPENSSL_memcmp(CBS_data(&client_protocol_name),
1456 CBS_data(&protocol_name),
1457 CBS_len(&protocol_name)) == 0) {
1458 protocol_ok = 1;
1459 break;
1460 }
1461 }
1462
1463 if (!protocol_ok) {
1464 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1465 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1466 return 0;
1467 }
1468 }
1469
1470 if (!CBS_stow(&protocol_name, &ssl->s3->alpn_selected,
1471 &ssl->s3->alpn_selected_len)) {
1472 *out_alert = SSL_AD_INTERNAL_ERROR;
1473 return 0;
1474 }
1475
1476 return 1;
1477 }
1478
ssl_negotiate_alpn(SSL_HANDSHAKE * hs,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello)1479 int ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1480 const SSL_CLIENT_HELLO *client_hello) {
1481 SSL *const ssl = hs->ssl;
1482 CBS contents;
1483 if (ssl->ctx->alpn_select_cb == NULL ||
1484 !ssl_client_hello_get_extension(
1485 client_hello, &contents,
1486 TLSEXT_TYPE_application_layer_protocol_negotiation)) {
1487 /* Ignore ALPN if not configured or no extension was supplied. */
1488 return 1;
1489 }
1490
1491 /* ALPN takes precedence over NPN. */
1492 hs->next_proto_neg_seen = 0;
1493
1494 CBS protocol_name_list;
1495 if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
1496 CBS_len(&contents) != 0 ||
1497 CBS_len(&protocol_name_list) < 2) {
1498 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1499 *out_alert = SSL_AD_DECODE_ERROR;
1500 return 0;
1501 }
1502
1503 /* Validate the protocol list. */
1504 CBS protocol_name_list_copy = protocol_name_list;
1505 while (CBS_len(&protocol_name_list_copy) > 0) {
1506 CBS protocol_name;
1507
1508 if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
1509 /* Empty protocol names are forbidden. */
1510 CBS_len(&protocol_name) == 0) {
1511 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1512 *out_alert = SSL_AD_DECODE_ERROR;
1513 return 0;
1514 }
1515 }
1516
1517 const uint8_t *selected;
1518 uint8_t selected_len;
1519 if (ssl->ctx->alpn_select_cb(
1520 ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
1521 CBS_len(&protocol_name_list),
1522 ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) {
1523 OPENSSL_free(ssl->s3->alpn_selected);
1524 ssl->s3->alpn_selected = (uint8_t *)BUF_memdup(selected, selected_len);
1525 if (ssl->s3->alpn_selected == NULL) {
1526 *out_alert = SSL_AD_INTERNAL_ERROR;
1527 return 0;
1528 }
1529 ssl->s3->alpn_selected_len = selected_len;
1530 }
1531
1532 return 1;
1533 }
1534
ext_alpn_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1535 static int ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1536 SSL *const ssl = hs->ssl;
1537 if (ssl->s3->alpn_selected == NULL) {
1538 return 1;
1539 }
1540
1541 CBB contents, proto_list, proto;
1542 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1543 !CBB_add_u16_length_prefixed(out, &contents) ||
1544 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1545 !CBB_add_u8_length_prefixed(&proto_list, &proto) ||
1546 !CBB_add_bytes(&proto, ssl->s3->alpn_selected,
1547 ssl->s3->alpn_selected_len) ||
1548 !CBB_flush(out)) {
1549 return 0;
1550 }
1551
1552 return 1;
1553 }
1554
1555
1556 /* Channel ID.
1557 *
1558 * https://tools.ietf.org/html/draft-balfanz-tls-channelid-01 */
1559
ext_channel_id_init(SSL_HANDSHAKE * hs)1560 static void ext_channel_id_init(SSL_HANDSHAKE *hs) {
1561 hs->ssl->s3->tlsext_channel_id_valid = 0;
1562 }
1563
ext_channel_id_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1564 static int ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1565 SSL *const ssl = hs->ssl;
1566 if (!ssl->tlsext_channel_id_enabled ||
1567 SSL_is_dtls(ssl)) {
1568 return 1;
1569 }
1570
1571 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1572 !CBB_add_u16(out, 0 /* length */)) {
1573 return 0;
1574 }
1575
1576 return 1;
1577 }
1578
ext_channel_id_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1579 static int ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,
1580 uint8_t *out_alert, CBS *contents) {
1581 SSL *const ssl = hs->ssl;
1582 if (contents == NULL) {
1583 return 1;
1584 }
1585
1586 assert(!SSL_is_dtls(ssl));
1587 assert(ssl->tlsext_channel_id_enabled);
1588
1589 if (CBS_len(contents) != 0) {
1590 return 0;
1591 }
1592
1593 ssl->s3->tlsext_channel_id_valid = 1;
1594 return 1;
1595 }
1596
ext_channel_id_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1597 static int ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
1598 uint8_t *out_alert, CBS *contents) {
1599 SSL *const ssl = hs->ssl;
1600 if (contents == NULL ||
1601 !ssl->tlsext_channel_id_enabled ||
1602 SSL_is_dtls(ssl)) {
1603 return 1;
1604 }
1605
1606 if (CBS_len(contents) != 0) {
1607 return 0;
1608 }
1609
1610 ssl->s3->tlsext_channel_id_valid = 1;
1611 return 1;
1612 }
1613
ext_channel_id_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1614 static int ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1615 SSL *const ssl = hs->ssl;
1616 if (!ssl->s3->tlsext_channel_id_valid) {
1617 return 1;
1618 }
1619
1620 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1621 !CBB_add_u16(out, 0 /* length */)) {
1622 return 0;
1623 }
1624
1625 return 1;
1626 }
1627
1628
1629 /* Secure Real-time Transport Protocol (SRTP) extension.
1630 *
1631 * https://tools.ietf.org/html/rfc5764 */
1632
1633
ext_srtp_init(SSL_HANDSHAKE * hs)1634 static void ext_srtp_init(SSL_HANDSHAKE *hs) {
1635 hs->ssl->srtp_profile = NULL;
1636 }
1637
ext_srtp_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1638 static int ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1639 SSL *const ssl = hs->ssl;
1640 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1641 if (profiles == NULL) {
1642 return 1;
1643 }
1644 const size_t num_profiles = sk_SRTP_PROTECTION_PROFILE_num(profiles);
1645 if (num_profiles == 0) {
1646 return 1;
1647 }
1648
1649 CBB contents, profile_ids;
1650 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1651 !CBB_add_u16_length_prefixed(out, &contents) ||
1652 !CBB_add_u16_length_prefixed(&contents, &profile_ids)) {
1653 return 0;
1654 }
1655
1656 for (size_t i = 0; i < num_profiles; i++) {
1657 if (!CBB_add_u16(&profile_ids,
1658 sk_SRTP_PROTECTION_PROFILE_value(profiles, i)->id)) {
1659 return 0;
1660 }
1661 }
1662
1663 if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) ||
1664 !CBB_flush(out)) {
1665 return 0;
1666 }
1667
1668 return 1;
1669 }
1670
ext_srtp_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1671 static int ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1672 CBS *contents) {
1673 SSL *const ssl = hs->ssl;
1674 if (contents == NULL) {
1675 return 1;
1676 }
1677
1678 /* The extension consists of a u16-prefixed profile ID list containing a
1679 * single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
1680 *
1681 * See https://tools.ietf.org/html/rfc5764#section-4.1.1 */
1682 CBS profile_ids, srtp_mki;
1683 uint16_t profile_id;
1684 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1685 !CBS_get_u16(&profile_ids, &profile_id) ||
1686 CBS_len(&profile_ids) != 0 ||
1687 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1688 CBS_len(contents) != 0) {
1689 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1690 return 0;
1691 }
1692
1693 if (CBS_len(&srtp_mki) != 0) {
1694 /* Must be no MKI, since we never offer one. */
1695 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);
1696 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1697 return 0;
1698 }
1699
1700 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1701
1702 /* Check to see if the server gave us something we support (and presumably
1703 * offered). */
1704 for (size_t i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(profiles); i++) {
1705 const SRTP_PROTECTION_PROFILE *profile =
1706 sk_SRTP_PROTECTION_PROFILE_value(profiles, i);
1707
1708 if (profile->id == profile_id) {
1709 ssl->srtp_profile = profile;
1710 return 1;
1711 }
1712 }
1713
1714 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1715 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1716 return 0;
1717 }
1718
ext_srtp_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1719 static int ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1720 CBS *contents) {
1721 SSL *const ssl = hs->ssl;
1722 if (contents == NULL) {
1723 return 1;
1724 }
1725
1726 CBS profile_ids, srtp_mki;
1727 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1728 CBS_len(&profile_ids) < 2 ||
1729 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1730 CBS_len(contents) != 0) {
1731 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1732 return 0;
1733 }
1734 /* Discard the MKI value for now. */
1735
1736 const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =
1737 SSL_get_srtp_profiles(ssl);
1738
1739 /* Pick the server's most preferred profile. */
1740 for (size_t i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(server_profiles); i++) {
1741 const SRTP_PROTECTION_PROFILE *server_profile =
1742 sk_SRTP_PROTECTION_PROFILE_value(server_profiles, i);
1743
1744 CBS profile_ids_tmp;
1745 CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids));
1746
1747 while (CBS_len(&profile_ids_tmp) > 0) {
1748 uint16_t profile_id;
1749 if (!CBS_get_u16(&profile_ids_tmp, &profile_id)) {
1750 return 0;
1751 }
1752
1753 if (server_profile->id == profile_id) {
1754 ssl->srtp_profile = server_profile;
1755 return 1;
1756 }
1757 }
1758 }
1759
1760 return 1;
1761 }
1762
ext_srtp_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1763 static int ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1764 SSL *const ssl = hs->ssl;
1765 if (ssl->srtp_profile == NULL) {
1766 return 1;
1767 }
1768
1769 CBB contents, profile_ids;
1770 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1771 !CBB_add_u16_length_prefixed(out, &contents) ||
1772 !CBB_add_u16_length_prefixed(&contents, &profile_ids) ||
1773 !CBB_add_u16(&profile_ids, ssl->srtp_profile->id) ||
1774 !CBB_add_u8(&contents, 0 /* empty MKI */) ||
1775 !CBB_flush(out)) {
1776 return 0;
1777 }
1778
1779 return 1;
1780 }
1781
1782
1783 /* EC point formats.
1784 *
1785 * https://tools.ietf.org/html/rfc4492#section-5.1.2 */
1786
ext_ec_point_add_extension(SSL_HANDSHAKE * hs,CBB * out)1787 static int ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
1788 CBB contents, formats;
1789 if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) ||
1790 !CBB_add_u16_length_prefixed(out, &contents) ||
1791 !CBB_add_u8_length_prefixed(&contents, &formats) ||
1792 !CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) ||
1793 !CBB_flush(out)) {
1794 return 0;
1795 }
1796
1797 return 1;
1798 }
1799
ext_ec_point_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1800 static int ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1801 /* The point format extension is unneccessary in TLS 1.3. */
1802 if (hs->min_version >= TLS1_3_VERSION) {
1803 return 1;
1804 }
1805
1806 return ext_ec_point_add_extension(hs, out);
1807 }
1808
ext_ec_point_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1809 static int ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1810 CBS *contents) {
1811 if (contents == NULL) {
1812 return 1;
1813 }
1814
1815 if (ssl3_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1816 return 0;
1817 }
1818
1819 CBS ec_point_format_list;
1820 if (!CBS_get_u8_length_prefixed(contents, &ec_point_format_list) ||
1821 CBS_len(contents) != 0) {
1822 return 0;
1823 }
1824
1825 /* Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
1826 * point format. */
1827 if (OPENSSL_memchr(CBS_data(&ec_point_format_list),
1828 TLSEXT_ECPOINTFORMAT_uncompressed,
1829 CBS_len(&ec_point_format_list)) == NULL) {
1830 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1831 return 0;
1832 }
1833
1834 return 1;
1835 }
1836
ext_ec_point_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1837 static int ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1838 CBS *contents) {
1839 if (ssl3_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1840 return 1;
1841 }
1842
1843 return ext_ec_point_parse_serverhello(hs, out_alert, contents);
1844 }
1845
ext_ec_point_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1846 static int ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1847 SSL *const ssl = hs->ssl;
1848 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
1849 return 1;
1850 }
1851
1852 const uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1853 const uint32_t alg_a = hs->new_cipher->algorithm_auth;
1854 const int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1855
1856 if (!using_ecc) {
1857 return 1;
1858 }
1859
1860 return ext_ec_point_add_extension(hs, out);
1861 }
1862
1863
1864 /* Pre Shared Key
1865 *
1866 * https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6 */
1867
ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE * hs)1868 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
1869 SSL *const ssl = hs->ssl;
1870 if (hs->max_version < TLS1_3_VERSION || ssl->session == NULL ||
1871 SSL_SESSION_protocol_version(ssl->session) < TLS1_3_VERSION) {
1872 return 0;
1873 }
1874
1875 size_t binder_len = EVP_MD_size(SSL_SESSION_get_digest(ssl->session));
1876 return 15 + ssl->session->tlsext_ticklen + binder_len;
1877 }
1878
ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1879 static int ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1880 SSL *const ssl = hs->ssl;
1881 if (hs->max_version < TLS1_3_VERSION || ssl->session == NULL ||
1882 SSL_SESSION_protocol_version(ssl->session) < TLS1_3_VERSION) {
1883 return 1;
1884 }
1885
1886 struct OPENSSL_timeval now;
1887 ssl_get_current_time(ssl, &now);
1888 uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time);
1889 uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add;
1890
1891 /* Fill in a placeholder zero binder of the appropriate length. It will be
1892 * computed and filled in later after length prefixes are computed. */
1893 uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
1894 size_t binder_len = EVP_MD_size(SSL_SESSION_get_digest(ssl->session));
1895
1896 CBB contents, identity, ticket, binders, binder;
1897 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1898 !CBB_add_u16_length_prefixed(out, &contents) ||
1899 !CBB_add_u16_length_prefixed(&contents, &identity) ||
1900 !CBB_add_u16_length_prefixed(&identity, &ticket) ||
1901 !CBB_add_bytes(&ticket, ssl->session->tlsext_tick,
1902 ssl->session->tlsext_ticklen) ||
1903 !CBB_add_u32(&identity, obfuscated_ticket_age) ||
1904 !CBB_add_u16_length_prefixed(&contents, &binders) ||
1905 !CBB_add_u8_length_prefixed(&binders, &binder) ||
1906 !CBB_add_bytes(&binder, zero_binder, binder_len)) {
1907 return 0;
1908 }
1909
1910 hs->needs_psk_binder = 1;
1911 return CBB_flush(out);
1912 }
1913
ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1914 int ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
1915 uint8_t *out_alert,
1916 CBS *contents) {
1917 uint16_t psk_id;
1918 if (!CBS_get_u16(contents, &psk_id) ||
1919 CBS_len(contents) != 0) {
1920 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1921 *out_alert = SSL_AD_DECODE_ERROR;
1922 return 0;
1923 }
1924
1925 /* We only advertise one PSK identity, so the only legal index is zero. */
1926 if (psk_id != 0) {
1927 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1928 *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY;
1929 return 0;
1930 }
1931
1932 return 1;
1933 }
1934
ssl_ext_pre_shared_key_parse_clienthello(SSL_HANDSHAKE * hs,CBS * out_ticket,CBS * out_binders,uint32_t * out_obfuscated_ticket_age,uint8_t * out_alert,CBS * contents)1935 int ssl_ext_pre_shared_key_parse_clienthello(
1936 SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,
1937 uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents) {
1938 /* We only process the first PSK identity since we don't support pure PSK. */
1939 CBS identities, binders;
1940 if (!CBS_get_u16_length_prefixed(contents, &identities) ||
1941 !CBS_get_u16_length_prefixed(&identities, out_ticket) ||
1942 !CBS_get_u32(&identities, out_obfuscated_ticket_age) ||
1943 !CBS_get_u16_length_prefixed(contents, &binders) ||
1944 CBS_len(&binders) == 0 ||
1945 CBS_len(contents) != 0) {
1946 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1947 *out_alert = SSL_AD_DECODE_ERROR;
1948 return 0;
1949 }
1950
1951 *out_binders = binders;
1952
1953 /* Check the syntax of the remaining identities, but do not process them. */
1954 size_t num_identities = 1;
1955 while (CBS_len(&identities) != 0) {
1956 CBS unused_ticket;
1957 uint32_t unused_obfuscated_ticket_age;
1958 if (!CBS_get_u16_length_prefixed(&identities, &unused_ticket) ||
1959 !CBS_get_u32(&identities, &unused_obfuscated_ticket_age)) {
1960 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1961 *out_alert = SSL_AD_DECODE_ERROR;
1962 return 0;
1963 }
1964
1965 num_identities++;
1966 }
1967
1968 /* Check the syntax of the binders. The value will be checked later if
1969 * resuming. */
1970 size_t num_binders = 0;
1971 while (CBS_len(&binders) != 0) {
1972 CBS binder;
1973 if (!CBS_get_u8_length_prefixed(&binders, &binder)) {
1974 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1975 *out_alert = SSL_AD_DECODE_ERROR;
1976 return 0;
1977 }
1978
1979 num_binders++;
1980 }
1981
1982 if (num_identities != num_binders) {
1983 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH);
1984 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1985 return 0;
1986 }
1987
1988 return 1;
1989 }
1990
ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1991 int ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1992 if (!hs->ssl->s3->session_reused) {
1993 return 1;
1994 }
1995
1996 CBB contents;
1997 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1998 !CBB_add_u16_length_prefixed(out, &contents) ||
1999 /* We only consider the first identity for resumption */
2000 !CBB_add_u16(&contents, 0) ||
2001 !CBB_flush(out)) {
2002 return 0;
2003 }
2004
2005 return 1;
2006 }
2007
2008
2009 /* Pre-Shared Key Exchange Modes
2010 *
2011 * https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7 */
2012
ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2013 static int ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
2014 CBB *out) {
2015 if (hs->max_version < TLS1_3_VERSION) {
2016 return 1;
2017 }
2018
2019 CBB contents, ke_modes;
2020 if (!CBB_add_u16(out, TLSEXT_TYPE_psk_key_exchange_modes) ||
2021 !CBB_add_u16_length_prefixed(out, &contents) ||
2022 !CBB_add_u8_length_prefixed(&contents, &ke_modes) ||
2023 !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) {
2024 return 0;
2025 }
2026
2027 return CBB_flush(out);
2028 }
2029
ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2030 static int ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
2031 uint8_t *out_alert,
2032 CBS *contents) {
2033 if (contents == NULL) {
2034 return 1;
2035 }
2036
2037 CBS ke_modes;
2038 if (!CBS_get_u8_length_prefixed(contents, &ke_modes) ||
2039 CBS_len(&ke_modes) == 0 ||
2040 CBS_len(contents) != 0) {
2041 *out_alert = SSL_AD_DECODE_ERROR;
2042 return 0;
2043 }
2044
2045 /* We only support tickets with PSK_DHE_KE. */
2046 hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE,
2047 CBS_len(&ke_modes)) != NULL;
2048
2049 return 1;
2050 }
2051
2052
2053 /* Early Data Indication
2054 *
2055 * https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8 */
2056
ext_early_data_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2057 static int ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2058 SSL *const ssl = hs->ssl;
2059 if (ssl->session == NULL ||
2060 SSL_SESSION_protocol_version(ssl->session) < TLS1_3_VERSION ||
2061 ssl->session->ticket_max_early_data == 0 ||
2062 hs->received_hello_retry_request ||
2063 !ssl->cert->enable_early_data) {
2064 return 1;
2065 }
2066
2067 hs->early_data_offered = 1;
2068
2069 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2070 !CBB_add_u16(out, 0) ||
2071 !CBB_flush(out)) {
2072 return 0;
2073 }
2074
2075 return 1;
2076 }
2077
ext_early_data_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2078 static int ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
2079 uint8_t *out_alert, CBS *contents) {
2080 SSL *const ssl = hs->ssl;
2081 if (contents == NULL) {
2082 return 1;
2083 }
2084
2085 if (CBS_len(contents) != 0) {
2086 *out_alert = SSL_AD_DECODE_ERROR;
2087 return 0;
2088 }
2089
2090 if (!ssl->s3->session_reused) {
2091 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2092 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
2093 return 0;
2094 }
2095
2096 ssl->early_data_accepted = 1;
2097 return 1;
2098 }
2099
ext_early_data_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2100 static int ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs,
2101 uint8_t *out_alert, CBS *contents) {
2102 SSL *const ssl = hs->ssl;
2103 if (contents == NULL ||
2104 ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
2105 return 1;
2106 }
2107
2108 if (CBS_len(contents) != 0) {
2109 *out_alert = SSL_AD_DECODE_ERROR;
2110 return 0;
2111 }
2112
2113 hs->early_data_offered = 1;
2114 return 1;
2115 }
2116
ext_early_data_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2117 static int ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2118 if (!hs->ssl->early_data_accepted) {
2119 return 1;
2120 }
2121
2122 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2123 !CBB_add_u16(out, 0) ||
2124 !CBB_flush(out)) {
2125 return 0;
2126 }
2127
2128 return 1;
2129 }
2130
2131
2132 /* Key Share
2133 *
2134 * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5 */
2135
ext_key_share_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2136 static int ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2137 SSL *const ssl = hs->ssl;
2138 if (hs->max_version < TLS1_3_VERSION) {
2139 return 1;
2140 }
2141
2142 CBB contents, kse_bytes;
2143 if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2144 !CBB_add_u16_length_prefixed(out, &contents) ||
2145 !CBB_add_u16_length_prefixed(&contents, &kse_bytes)) {
2146 return 0;
2147 }
2148
2149 uint16_t group_id = hs->retry_group;
2150 if (hs->received_hello_retry_request) {
2151 /* We received a HelloRetryRequest without a new curve, so there is no new
2152 * share to append. Leave |ecdh_ctx| as-is. */
2153 if (group_id == 0 &&
2154 !CBB_add_bytes(&kse_bytes, hs->key_share_bytes,
2155 hs->key_share_bytes_len)) {
2156 return 0;
2157 }
2158 OPENSSL_free(hs->key_share_bytes);
2159 hs->key_share_bytes = NULL;
2160 hs->key_share_bytes_len = 0;
2161 if (group_id == 0) {
2162 return CBB_flush(out);
2163 }
2164 } else {
2165 /* Add a fake group. See draft-davidben-tls-grease-01. */
2166 if (ssl->ctx->grease_enabled &&
2167 (!CBB_add_u16(&kse_bytes,
2168 ssl_get_grease_value(ssl, ssl_grease_group)) ||
2169 !CBB_add_u16(&kse_bytes, 1 /* length */) ||
2170 !CBB_add_u8(&kse_bytes, 0 /* one byte key share */))) {
2171 return 0;
2172 }
2173
2174 /* Predict the most preferred group. */
2175 const uint16_t *groups;
2176 size_t groups_len;
2177 tls1_get_grouplist(ssl, &groups, &groups_len);
2178 if (groups_len == 0) {
2179 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED);
2180 return 0;
2181 }
2182
2183 group_id = groups[0];
2184 }
2185
2186 CBB key_exchange;
2187 if (!CBB_add_u16(&kse_bytes, group_id) ||
2188 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2189 !SSL_ECDH_CTX_init(&hs->ecdh_ctx, group_id) ||
2190 !SSL_ECDH_CTX_offer(&hs->ecdh_ctx, &key_exchange) ||
2191 !CBB_flush(&kse_bytes)) {
2192 return 0;
2193 }
2194
2195 if (!hs->received_hello_retry_request) {
2196 /* Save the contents of the extension to repeat it in the second
2197 * ClientHello. */
2198 hs->key_share_bytes_len = CBB_len(&kse_bytes);
2199 hs->key_share_bytes =
2200 (uint8_t *)BUF_memdup(CBB_data(&kse_bytes), CBB_len(&kse_bytes));
2201 if (hs->key_share_bytes == NULL) {
2202 return 0;
2203 }
2204 }
2205
2206 return CBB_flush(out);
2207 }
2208
ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t ** out_secret,size_t * out_secret_len,uint8_t * out_alert,CBS * contents)2209 int ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t **out_secret,
2210 size_t *out_secret_len,
2211 uint8_t *out_alert, CBS *contents) {
2212 CBS peer_key;
2213 uint16_t group_id;
2214 if (!CBS_get_u16(contents, &group_id) ||
2215 !CBS_get_u16_length_prefixed(contents, &peer_key) ||
2216 CBS_len(contents) != 0) {
2217 *out_alert = SSL_AD_DECODE_ERROR;
2218 return 0;
2219 }
2220
2221 if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) != group_id) {
2222 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2223 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
2224 return 0;
2225 }
2226
2227 if (!SSL_ECDH_CTX_finish(&hs->ecdh_ctx, out_secret, out_secret_len, out_alert,
2228 CBS_data(&peer_key), CBS_len(&peer_key))) {
2229 *out_alert = SSL_AD_INTERNAL_ERROR;
2230 return 0;
2231 }
2232
2233 hs->new_session->group_id = group_id;
2234 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
2235 return 1;
2236 }
2237
ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE * hs,int * out_found,uint8_t ** out_secret,size_t * out_secret_len,uint8_t * out_alert,CBS * contents)2238 int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, int *out_found,
2239 uint8_t **out_secret,
2240 size_t *out_secret_len,
2241 uint8_t *out_alert, CBS *contents) {
2242 uint16_t group_id;
2243 CBS key_shares;
2244 if (!tls1_get_shared_group(hs, &group_id)) {
2245 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
2246 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
2247 return 0;
2248 }
2249
2250 if (!CBS_get_u16_length_prefixed(contents, &key_shares) ||
2251 CBS_len(contents) != 0) {
2252 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2253 return 0;
2254 }
2255
2256 /* Find the corresponding key share. */
2257 int found = 0;
2258 CBS peer_key;
2259 while (CBS_len(&key_shares) > 0) {
2260 uint16_t id;
2261 CBS peer_key_tmp;
2262 if (!CBS_get_u16(&key_shares, &id) ||
2263 !CBS_get_u16_length_prefixed(&key_shares, &peer_key_tmp)) {
2264 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2265 return 0;
2266 }
2267
2268 if (id == group_id) {
2269 if (found) {
2270 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_KEY_SHARE);
2271 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2272 return 0;
2273 }
2274
2275 found = 1;
2276 peer_key = peer_key_tmp;
2277 /* Continue parsing the structure to keep peers honest. */
2278 }
2279 }
2280
2281 if (!found) {
2282 *out_found = 0;
2283 *out_secret = NULL;
2284 *out_secret_len = 0;
2285 return 1;
2286 }
2287
2288 /* Compute the DH secret. */
2289 uint8_t *secret = NULL;
2290 size_t secret_len;
2291 SSL_ECDH_CTX group;
2292 OPENSSL_memset(&group, 0, sizeof(SSL_ECDH_CTX));
2293 CBB public_key;
2294 if (!CBB_init(&public_key, 32) ||
2295 !SSL_ECDH_CTX_init(&group, group_id) ||
2296 !SSL_ECDH_CTX_accept(&group, &public_key, &secret, &secret_len, out_alert,
2297 CBS_data(&peer_key), CBS_len(&peer_key)) ||
2298 !CBB_finish(&public_key, &hs->ecdh_public_key,
2299 &hs->ecdh_public_key_len)) {
2300 OPENSSL_free(secret);
2301 SSL_ECDH_CTX_cleanup(&group);
2302 CBB_cleanup(&public_key);
2303 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2304 return 0;
2305 }
2306
2307 SSL_ECDH_CTX_cleanup(&group);
2308
2309 *out_secret = secret;
2310 *out_secret_len = secret_len;
2311 *out_found = 1;
2312 return 1;
2313 }
2314
ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2315 int ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2316 uint16_t group_id;
2317 CBB kse_bytes, public_key;
2318 if (!tls1_get_shared_group(hs, &group_id) ||
2319 !CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2320 !CBB_add_u16_length_prefixed(out, &kse_bytes) ||
2321 !CBB_add_u16(&kse_bytes, group_id) ||
2322 !CBB_add_u16_length_prefixed(&kse_bytes, &public_key) ||
2323 !CBB_add_bytes(&public_key, hs->ecdh_public_key,
2324 hs->ecdh_public_key_len) ||
2325 !CBB_flush(out)) {
2326 return 0;
2327 }
2328
2329 OPENSSL_free(hs->ecdh_public_key);
2330 hs->ecdh_public_key = NULL;
2331 hs->ecdh_public_key_len = 0;
2332
2333 hs->new_session->group_id = group_id;
2334 return 1;
2335 }
2336
2337
2338 /* Supported Versions
2339 *
2340 * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1 */
2341
ext_supported_versions_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2342 static int ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2343 SSL *const ssl = hs->ssl;
2344 if (hs->max_version <= TLS1_2_VERSION) {
2345 return 1;
2346 }
2347
2348 CBB contents, versions;
2349 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
2350 !CBB_add_u16_length_prefixed(out, &contents) ||
2351 !CBB_add_u8_length_prefixed(&contents, &versions)) {
2352 return 0;
2353 }
2354
2355 /* Add a fake version. See draft-davidben-tls-grease-01. */
2356 if (ssl->ctx->grease_enabled &&
2357 !CBB_add_u16(&versions, ssl_get_grease_value(ssl, ssl_grease_version))) {
2358 return 0;
2359 }
2360
2361 if (!ssl_add_supported_versions(hs, &versions) ||
2362 !CBB_flush(out)) {
2363 return 0;
2364 }
2365
2366 return 1;
2367 }
2368
2369
2370 /* Cookie
2371 *
2372 * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2 */
2373
ext_cookie_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2374 static int ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2375 if (hs->cookie == NULL) {
2376 return 1;
2377 }
2378
2379 CBB contents, cookie;
2380 if (!CBB_add_u16(out, TLSEXT_TYPE_cookie) ||
2381 !CBB_add_u16_length_prefixed(out, &contents) ||
2382 !CBB_add_u16_length_prefixed(&contents, &cookie) ||
2383 !CBB_add_bytes(&cookie, hs->cookie, hs->cookie_len) ||
2384 !CBB_flush(out)) {
2385 return 0;
2386 }
2387
2388 /* The cookie is no longer needed in memory. */
2389 OPENSSL_free(hs->cookie);
2390 hs->cookie = NULL;
2391 hs->cookie_len = 0;
2392 return 1;
2393 }
2394
2395
2396 /* Negotiated Groups
2397 *
2398 * https://tools.ietf.org/html/rfc4492#section-5.1.2
2399 * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4 */
2400
ext_supported_groups_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2401 static int ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2402 SSL *const ssl = hs->ssl;
2403 CBB contents, groups_bytes;
2404 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_groups) ||
2405 !CBB_add_u16_length_prefixed(out, &contents) ||
2406 !CBB_add_u16_length_prefixed(&contents, &groups_bytes)) {
2407 return 0;
2408 }
2409
2410 /* Add a fake group. See draft-davidben-tls-grease-01. */
2411 if (ssl->ctx->grease_enabled &&
2412 !CBB_add_u16(&groups_bytes,
2413 ssl_get_grease_value(ssl, ssl_grease_group))) {
2414 return 0;
2415 }
2416
2417 const uint16_t *groups;
2418 size_t groups_len;
2419 tls1_get_grouplist(ssl, &groups, &groups_len);
2420
2421 for (size_t i = 0; i < groups_len; i++) {
2422 if (!CBB_add_u16(&groups_bytes, groups[i])) {
2423 return 0;
2424 }
2425 }
2426
2427 return CBB_flush(out);
2428 }
2429
ext_supported_groups_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2430 static int ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
2431 uint8_t *out_alert,
2432 CBS *contents) {
2433 /* This extension is not expected to be echoed by servers in TLS 1.2, but some
2434 * BigIP servers send it nonetheless, so do not enforce this. */
2435 return 1;
2436 }
2437
ext_supported_groups_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2438 static int ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,
2439 uint8_t *out_alert,
2440 CBS *contents) {
2441 if (contents == NULL) {
2442 return 1;
2443 }
2444
2445 CBS supported_group_list;
2446 if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) ||
2447 CBS_len(&supported_group_list) == 0 ||
2448 (CBS_len(&supported_group_list) & 1) != 0 ||
2449 CBS_len(contents) != 0) {
2450 return 0;
2451 }
2452
2453 hs->peer_supported_group_list =
2454 (uint16_t *)OPENSSL_malloc(CBS_len(&supported_group_list));
2455 if (hs->peer_supported_group_list == NULL) {
2456 *out_alert = SSL_AD_INTERNAL_ERROR;
2457 return 0;
2458 }
2459
2460 const size_t num_groups = CBS_len(&supported_group_list) / 2;
2461 for (size_t i = 0; i < num_groups; i++) {
2462 if (!CBS_get_u16(&supported_group_list,
2463 &hs->peer_supported_group_list[i])) {
2464 goto err;
2465 }
2466 }
2467
2468 assert(CBS_len(&supported_group_list) == 0);
2469 hs->peer_supported_group_list_len = num_groups;
2470
2471 return 1;
2472
2473 err:
2474 OPENSSL_free(hs->peer_supported_group_list);
2475 hs->peer_supported_group_list = NULL;
2476 *out_alert = SSL_AD_INTERNAL_ERROR;
2477 return 0;
2478 }
2479
ext_supported_groups_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2480 static int ext_supported_groups_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2481 /* Servers don't echo this extension. */
2482 return 1;
2483 }
2484
2485
2486 /* kExtensions contains all the supported extensions. */
2487 static const struct tls_extension kExtensions[] = {
2488 {
2489 TLSEXT_TYPE_renegotiate,
2490 NULL,
2491 ext_ri_add_clienthello,
2492 ext_ri_parse_serverhello,
2493 ext_ri_parse_clienthello,
2494 ext_ri_add_serverhello,
2495 },
2496 {
2497 TLSEXT_TYPE_server_name,
2498 NULL,
2499 ext_sni_add_clienthello,
2500 ext_sni_parse_serverhello,
2501 ext_sni_parse_clienthello,
2502 ext_sni_add_serverhello,
2503 },
2504 {
2505 TLSEXT_TYPE_extended_master_secret,
2506 NULL,
2507 ext_ems_add_clienthello,
2508 ext_ems_parse_serverhello,
2509 ext_ems_parse_clienthello,
2510 ext_ems_add_serverhello,
2511 },
2512 {
2513 TLSEXT_TYPE_session_ticket,
2514 NULL,
2515 ext_ticket_add_clienthello,
2516 ext_ticket_parse_serverhello,
2517 /* Ticket extension client parsing is handled in ssl_session.c */
2518 ignore_parse_clienthello,
2519 ext_ticket_add_serverhello,
2520 },
2521 {
2522 TLSEXT_TYPE_signature_algorithms,
2523 NULL,
2524 ext_sigalgs_add_clienthello,
2525 forbid_parse_serverhello,
2526 ext_sigalgs_parse_clienthello,
2527 dont_add_serverhello,
2528 },
2529 {
2530 TLSEXT_TYPE_status_request,
2531 NULL,
2532 ext_ocsp_add_clienthello,
2533 ext_ocsp_parse_serverhello,
2534 ext_ocsp_parse_clienthello,
2535 ext_ocsp_add_serverhello,
2536 },
2537 {
2538 TLSEXT_TYPE_next_proto_neg,
2539 NULL,
2540 ext_npn_add_clienthello,
2541 ext_npn_parse_serverhello,
2542 ext_npn_parse_clienthello,
2543 ext_npn_add_serverhello,
2544 },
2545 {
2546 TLSEXT_TYPE_certificate_timestamp,
2547 NULL,
2548 ext_sct_add_clienthello,
2549 ext_sct_parse_serverhello,
2550 ext_sct_parse_clienthello,
2551 ext_sct_add_serverhello,
2552 },
2553 {
2554 TLSEXT_TYPE_application_layer_protocol_negotiation,
2555 NULL,
2556 ext_alpn_add_clienthello,
2557 ext_alpn_parse_serverhello,
2558 /* ALPN is negotiated late in |ssl_negotiate_alpn|. */
2559 ignore_parse_clienthello,
2560 ext_alpn_add_serverhello,
2561 },
2562 {
2563 TLSEXT_TYPE_channel_id,
2564 ext_channel_id_init,
2565 ext_channel_id_add_clienthello,
2566 ext_channel_id_parse_serverhello,
2567 ext_channel_id_parse_clienthello,
2568 ext_channel_id_add_serverhello,
2569 },
2570 {
2571 TLSEXT_TYPE_srtp,
2572 ext_srtp_init,
2573 ext_srtp_add_clienthello,
2574 ext_srtp_parse_serverhello,
2575 ext_srtp_parse_clienthello,
2576 ext_srtp_add_serverhello,
2577 },
2578 {
2579 TLSEXT_TYPE_ec_point_formats,
2580 NULL,
2581 ext_ec_point_add_clienthello,
2582 ext_ec_point_parse_serverhello,
2583 ext_ec_point_parse_clienthello,
2584 ext_ec_point_add_serverhello,
2585 },
2586 {
2587 TLSEXT_TYPE_key_share,
2588 NULL,
2589 ext_key_share_add_clienthello,
2590 forbid_parse_serverhello,
2591 ignore_parse_clienthello,
2592 dont_add_serverhello,
2593 },
2594 {
2595 TLSEXT_TYPE_psk_key_exchange_modes,
2596 NULL,
2597 ext_psk_key_exchange_modes_add_clienthello,
2598 forbid_parse_serverhello,
2599 ext_psk_key_exchange_modes_parse_clienthello,
2600 dont_add_serverhello,
2601 },
2602 {
2603 TLSEXT_TYPE_early_data,
2604 NULL,
2605 ext_early_data_add_clienthello,
2606 ext_early_data_parse_serverhello,
2607 ext_early_data_parse_clienthello,
2608 ext_early_data_add_serverhello,
2609 },
2610 {
2611 TLSEXT_TYPE_supported_versions,
2612 NULL,
2613 ext_supported_versions_add_clienthello,
2614 forbid_parse_serverhello,
2615 ignore_parse_clienthello,
2616 dont_add_serverhello,
2617 },
2618 {
2619 TLSEXT_TYPE_cookie,
2620 NULL,
2621 ext_cookie_add_clienthello,
2622 forbid_parse_serverhello,
2623 ignore_parse_clienthello,
2624 dont_add_serverhello,
2625 },
2626 /* The final extension must be non-empty. WebSphere Application Server 7.0 is
2627 * intolerant to the last extension being zero-length. See
2628 * https://crbug.com/363583. */
2629 {
2630 TLSEXT_TYPE_supported_groups,
2631 NULL,
2632 ext_supported_groups_add_clienthello,
2633 ext_supported_groups_parse_serverhello,
2634 ext_supported_groups_parse_clienthello,
2635 ext_supported_groups_add_serverhello,
2636 },
2637 };
2638
2639 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
2640
2641 static_assert(kNumExtensions <=
2642 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.sent) * 8,
2643 "too many extensions for sent bitset");
2644 static_assert(kNumExtensions <=
2645 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8,
2646 "too many extensions for received bitset");
2647
tls_extension_find(uint32_t * out_index,uint16_t value)2648 static const struct tls_extension *tls_extension_find(uint32_t *out_index,
2649 uint16_t value) {
2650 unsigned i;
2651 for (i = 0; i < kNumExtensions; i++) {
2652 if (kExtensions[i].value == value) {
2653 *out_index = i;
2654 return &kExtensions[i];
2655 }
2656 }
2657
2658 return NULL;
2659 }
2660
SSL_extension_supported(unsigned extension_value)2661 int SSL_extension_supported(unsigned extension_value) {
2662 uint32_t index;
2663 return extension_value == TLSEXT_TYPE_padding ||
2664 tls_extension_find(&index, extension_value) != NULL;
2665 }
2666
ssl_add_clienthello_tlsext(SSL_HANDSHAKE * hs,CBB * out,size_t header_len)2667 int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) {
2668 SSL *const ssl = hs->ssl;
2669 /* Don't add extensions for SSLv3 unless doing secure renegotiation. */
2670 if (hs->client_version == SSL3_VERSION &&
2671 !ssl->s3->send_connection_binding) {
2672 return 1;
2673 }
2674
2675 CBB extensions;
2676 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
2677 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2678 return 0;
2679 }
2680
2681 hs->extensions.sent = 0;
2682 hs->custom_extensions.sent = 0;
2683
2684 for (size_t i = 0; i < kNumExtensions; i++) {
2685 if (kExtensions[i].init != NULL) {
2686 kExtensions[i].init(hs);
2687 }
2688 }
2689
2690 uint16_t grease_ext1 = 0;
2691 if (ssl->ctx->grease_enabled) {
2692 /* Add a fake empty extension. See draft-davidben-tls-grease-01. */
2693 grease_ext1 = ssl_get_grease_value(ssl, ssl_grease_extension1);
2694 if (!CBB_add_u16(&extensions, grease_ext1) ||
2695 !CBB_add_u16(&extensions, 0 /* zero length */)) {
2696 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2697 return 0;
2698 }
2699 }
2700
2701 for (size_t i = 0; i < kNumExtensions; i++) {
2702 const size_t len_before = CBB_len(&extensions);
2703 if (!kExtensions[i].add_clienthello(hs, &extensions)) {
2704 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
2705 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
2706 return 0;
2707 }
2708
2709 if (CBB_len(&extensions) != len_before) {
2710 hs->extensions.sent |= (1u << i);
2711 }
2712 }
2713
2714 if (!custom_ext_add_clienthello(hs, &extensions)) {
2715 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2716 return 0;
2717 }
2718
2719 if (ssl->ctx->grease_enabled) {
2720 /* Add a fake non-empty extension. See draft-davidben-tls-grease-01. */
2721 uint16_t grease_ext2 = ssl_get_grease_value(ssl, ssl_grease_extension2);
2722
2723 /* The two fake extensions must not have the same value. GREASE values are
2724 * of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
2725 * one. */
2726 if (grease_ext1 == grease_ext2) {
2727 grease_ext2 ^= 0x1010;
2728 }
2729
2730 if (!CBB_add_u16(&extensions, grease_ext2) ||
2731 !CBB_add_u16(&extensions, 1 /* one byte length */) ||
2732 !CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) {
2733 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2734 return 0;
2735 }
2736 }
2737
2738 if (!SSL_is_dtls(ssl)) {
2739 size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs);
2740 header_len += 2 + CBB_len(&extensions) + psk_extension_len;
2741 if (header_len > 0xff && header_len < 0x200) {
2742 /* Add padding to workaround bugs in F5 terminators. See RFC 7685.
2743 *
2744 * NB: because this code works out the length of all existing extensions
2745 * it MUST always appear last. */
2746 size_t padding_len = 0x200 - header_len;
2747 /* Extensions take at least four bytes to encode. Always include at least
2748 * one byte of data if including the extension. WebSphere Application
2749 * Server 7.0 is intolerant to the last extension being zero-length. See
2750 * https://crbug.com/363583. */
2751 if (padding_len >= 4 + 1) {
2752 padding_len -= 4;
2753 } else {
2754 padding_len = 1;
2755 }
2756
2757 uint8_t *padding_bytes;
2758 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_padding) ||
2759 !CBB_add_u16(&extensions, padding_len) ||
2760 !CBB_add_space(&extensions, &padding_bytes, padding_len)) {
2761 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2762 return 0;
2763 }
2764
2765 OPENSSL_memset(padding_bytes, 0, padding_len);
2766 }
2767 }
2768
2769 /* The PSK extension must be last, including after the padding. */
2770 if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) {
2771 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2772 return 0;
2773 }
2774
2775 /* Discard empty extensions blocks. */
2776 if (CBB_len(&extensions) == 0) {
2777 CBB_discard_child(out);
2778 }
2779
2780 return CBB_flush(out);
2781 }
2782
ssl_add_serverhello_tlsext(SSL_HANDSHAKE * hs,CBB * out)2783 int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
2784 SSL *const ssl = hs->ssl;
2785 CBB extensions;
2786 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
2787 goto err;
2788 }
2789
2790 for (unsigned i = 0; i < kNumExtensions; i++) {
2791 if (!(hs->extensions.received & (1u << i))) {
2792 /* Don't send extensions that were not received. */
2793 continue;
2794 }
2795
2796 if (!kExtensions[i].add_serverhello(hs, &extensions)) {
2797 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
2798 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
2799 goto err;
2800 }
2801 }
2802
2803 if (!custom_ext_add_serverhello(hs, &extensions)) {
2804 goto err;
2805 }
2806
2807 /* Discard empty extensions blocks before TLS 1.3. */
2808 if (ssl3_protocol_version(ssl) < TLS1_3_VERSION &&
2809 CBB_len(&extensions) == 0) {
2810 CBB_discard_child(out);
2811 }
2812
2813 return CBB_flush(out);
2814
2815 err:
2816 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2817 return 0;
2818 }
2819
ssl_scan_clienthello_tlsext(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello,int * out_alert)2820 static int ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
2821 const SSL_CLIENT_HELLO *client_hello,
2822 int *out_alert) {
2823 SSL *const ssl = hs->ssl;
2824 for (size_t i = 0; i < kNumExtensions; i++) {
2825 if (kExtensions[i].init != NULL) {
2826 kExtensions[i].init(hs);
2827 }
2828 }
2829
2830 hs->extensions.received = 0;
2831 hs->custom_extensions.received = 0;
2832
2833 CBS extensions;
2834 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
2835 while (CBS_len(&extensions) != 0) {
2836 uint16_t type;
2837 CBS extension;
2838
2839 /* Decode the next extension. */
2840 if (!CBS_get_u16(&extensions, &type) ||
2841 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
2842 *out_alert = SSL_AD_DECODE_ERROR;
2843 return 0;
2844 }
2845
2846 /* RFC 5746 made the existence of extensions in SSL 3.0 somewhat
2847 * ambiguous. Ignore all but the renegotiation_info extension. */
2848 if (ssl->version == SSL3_VERSION && type != TLSEXT_TYPE_renegotiate) {
2849 continue;
2850 }
2851
2852 unsigned ext_index;
2853 const struct tls_extension *const ext =
2854 tls_extension_find(&ext_index, type);
2855
2856 if (ext == NULL) {
2857 if (!custom_ext_parse_clienthello(hs, out_alert, type, &extension)) {
2858 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
2859 return 0;
2860 }
2861 continue;
2862 }
2863
2864 hs->extensions.received |= (1u << ext_index);
2865 uint8_t alert = SSL_AD_DECODE_ERROR;
2866 if (!ext->parse_clienthello(hs, &alert, &extension)) {
2867 *out_alert = alert;
2868 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
2869 ERR_add_error_dataf("extension %u", (unsigned)type);
2870 return 0;
2871 }
2872 }
2873
2874 for (size_t i = 0; i < kNumExtensions; i++) {
2875 if (hs->extensions.received & (1u << i)) {
2876 continue;
2877 }
2878
2879 CBS *contents = NULL, fake_contents;
2880 static const uint8_t kFakeRenegotiateExtension[] = {0};
2881 if (kExtensions[i].value == TLSEXT_TYPE_renegotiate &&
2882 ssl_client_cipher_list_contains_cipher(client_hello,
2883 SSL3_CK_SCSV & 0xffff)) {
2884 /* The renegotiation SCSV was received so pretend that we received a
2885 * renegotiation extension. */
2886 CBS_init(&fake_contents, kFakeRenegotiateExtension,
2887 sizeof(kFakeRenegotiateExtension));
2888 contents = &fake_contents;
2889 hs->extensions.received |= (1u << i);
2890 }
2891
2892 /* Extension wasn't observed so call the callback with a NULL
2893 * parameter. */
2894 uint8_t alert = SSL_AD_DECODE_ERROR;
2895 if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) {
2896 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
2897 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
2898 *out_alert = alert;
2899 return 0;
2900 }
2901 }
2902
2903 return 1;
2904 }
2905
ssl_parse_clienthello_tlsext(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello)2906 int ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
2907 const SSL_CLIENT_HELLO *client_hello) {
2908 SSL *const ssl = hs->ssl;
2909 int alert = SSL_AD_DECODE_ERROR;
2910 if (ssl_scan_clienthello_tlsext(hs, client_hello, &alert) <= 0) {
2911 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
2912 return 0;
2913 }
2914
2915 if (ssl_check_clienthello_tlsext(hs) <= 0) {
2916 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT);
2917 return 0;
2918 }
2919
2920 return 1;
2921 }
2922
ssl_scan_serverhello_tlsext(SSL_HANDSHAKE * hs,CBS * cbs,int * out_alert)2923 static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
2924 int *out_alert) {
2925 SSL *const ssl = hs->ssl;
2926 /* Before TLS 1.3, ServerHello extensions blocks may be omitted if empty. */
2927 if (CBS_len(cbs) == 0 && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
2928 return 1;
2929 }
2930
2931 /* Decode the extensions block and check it is valid. */
2932 CBS extensions;
2933 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
2934 !tls1_check_duplicate_extensions(&extensions)) {
2935 *out_alert = SSL_AD_DECODE_ERROR;
2936 return 0;
2937 }
2938
2939 uint32_t received = 0;
2940 while (CBS_len(&extensions) != 0) {
2941 uint16_t type;
2942 CBS extension;
2943
2944 /* Decode the next extension. */
2945 if (!CBS_get_u16(&extensions, &type) ||
2946 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
2947 *out_alert = SSL_AD_DECODE_ERROR;
2948 return 0;
2949 }
2950
2951 unsigned ext_index;
2952 const struct tls_extension *const ext =
2953 tls_extension_find(&ext_index, type);
2954
2955 if (ext == NULL) {
2956 if (!custom_ext_parse_serverhello(hs, out_alert, type, &extension)) {
2957 return 0;
2958 }
2959 continue;
2960 }
2961
2962 static_assert(kNumExtensions <= sizeof(hs->extensions.sent) * 8,
2963 "too many bits");
2964
2965 if (!(hs->extensions.sent & (1u << ext_index)) &&
2966 type != TLSEXT_TYPE_renegotiate) {
2967 /* If the extension was never sent then it is illegal, except for the
2968 * renegotiation extension which, in SSL 3.0, is signaled via SCSV. */
2969 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
2970 ERR_add_error_dataf("extension :%u", (unsigned)type);
2971 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2972 return 0;
2973 }
2974
2975 received |= (1u << ext_index);
2976
2977 uint8_t alert = SSL_AD_DECODE_ERROR;
2978 if (!ext->parse_serverhello(hs, &alert, &extension)) {
2979 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
2980 ERR_add_error_dataf("extension %u", (unsigned)type);
2981 *out_alert = alert;
2982 return 0;
2983 }
2984 }
2985
2986 for (size_t i = 0; i < kNumExtensions; i++) {
2987 if (!(received & (1u << i))) {
2988 /* Extension wasn't observed so call the callback with a NULL
2989 * parameter. */
2990 uint8_t alert = SSL_AD_DECODE_ERROR;
2991 if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) {
2992 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
2993 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
2994 *out_alert = alert;
2995 return 0;
2996 }
2997 }
2998 }
2999
3000 return 1;
3001 }
3002
ssl_check_clienthello_tlsext(SSL_HANDSHAKE * hs)3003 static int ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
3004 SSL *const ssl = hs->ssl;
3005 int ret = SSL_TLSEXT_ERR_NOACK;
3006 int al = SSL_AD_UNRECOGNIZED_NAME;
3007
3008 if (ssl->ctx->tlsext_servername_callback != 0) {
3009 ret = ssl->ctx->tlsext_servername_callback(ssl, &al,
3010 ssl->ctx->tlsext_servername_arg);
3011 } else if (ssl->session_ctx->tlsext_servername_callback != 0) {
3012 ret = ssl->session_ctx->tlsext_servername_callback(
3013 ssl, &al, ssl->session_ctx->tlsext_servername_arg);
3014 }
3015
3016 switch (ret) {
3017 case SSL_TLSEXT_ERR_ALERT_FATAL:
3018 ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
3019 return -1;
3020
3021 case SSL_TLSEXT_ERR_NOACK:
3022 hs->should_ack_sni = 0;
3023 return 1;
3024
3025 default:
3026 return 1;
3027 }
3028 }
3029
ssl_parse_serverhello_tlsext(SSL_HANDSHAKE * hs,CBS * cbs)3030 int ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
3031 SSL *const ssl = hs->ssl;
3032 int alert = SSL_AD_DECODE_ERROR;
3033 if (ssl_scan_serverhello_tlsext(hs, cbs, &alert) <= 0) {
3034 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
3035 return 0;
3036 }
3037
3038 return 1;
3039 }
3040
3041 static enum ssl_ticket_aead_result_t
ssl_decrypt_ticket_with_cipher_ctx(SSL * ssl,uint8_t ** out,size_t * out_len,int * out_renew_ticket,const uint8_t * ticket,size_t ticket_len)3042 ssl_decrypt_ticket_with_cipher_ctx(SSL *ssl, uint8_t **out, size_t *out_len,
3043 int *out_renew_ticket, const uint8_t *ticket,
3044 size_t ticket_len) {
3045 const SSL_CTX *const ssl_ctx = ssl->session_ctx;
3046
3047 bssl::ScopedHMAC_CTX hmac_ctx;
3048 bssl::ScopedEVP_CIPHER_CTX cipher_ctx;
3049
3050 /* Ensure there is room for the key name and the largest IV
3051 * |tlsext_ticket_key_cb| may try to consume. The real limit may be lower, but
3052 * the maximum IV length should be well under the minimum size for the
3053 * session material and HMAC. */
3054 if (ticket_len < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
3055 return ssl_ticket_aead_ignore_ticket;
3056 }
3057 const uint8_t *iv = ticket + SSL_TICKET_KEY_NAME_LEN;
3058
3059 if (ssl_ctx->tlsext_ticket_key_cb != NULL) {
3060 int cb_ret = ssl_ctx->tlsext_ticket_key_cb(
3061 ssl, (uint8_t *)ticket /* name */, (uint8_t *)iv, cipher_ctx.get(),
3062 hmac_ctx.get(), 0 /* decrypt */);
3063 if (cb_ret < 0) {
3064 return ssl_ticket_aead_error;
3065 } else if (cb_ret == 0) {
3066 return ssl_ticket_aead_ignore_ticket;
3067 } else if (cb_ret == 2) {
3068 *out_renew_ticket = 1;
3069 }
3070 } else {
3071 /* Check the key name matches. */
3072 if (OPENSSL_memcmp(ticket, ssl_ctx->tlsext_tick_key_name,
3073 SSL_TICKET_KEY_NAME_LEN) != 0) {
3074 return ssl_ticket_aead_ignore_ticket;
3075 }
3076 if (!HMAC_Init_ex(hmac_ctx.get(), ssl_ctx->tlsext_tick_hmac_key,
3077 sizeof(ssl_ctx->tlsext_tick_hmac_key), tlsext_tick_md(),
3078 NULL) ||
3079 !EVP_DecryptInit_ex(cipher_ctx.get(), EVP_aes_128_cbc(), NULL,
3080 ssl_ctx->tlsext_tick_aes_key, iv)) {
3081 return ssl_ticket_aead_error;
3082 }
3083 }
3084 size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx.get());
3085
3086 /* Check the MAC at the end of the ticket. */
3087 uint8_t mac[EVP_MAX_MD_SIZE];
3088 size_t mac_len = HMAC_size(hmac_ctx.get());
3089 if (ticket_len < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
3090 /* The ticket must be large enough for key name, IV, data, and MAC. */
3091 return ssl_ticket_aead_ignore_ticket;
3092 }
3093 HMAC_Update(hmac_ctx.get(), ticket, ticket_len - mac_len);
3094 HMAC_Final(hmac_ctx.get(), mac, NULL);
3095 int mac_ok =
3096 CRYPTO_memcmp(mac, ticket + (ticket_len - mac_len), mac_len) == 0;
3097 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3098 mac_ok = 1;
3099 #endif
3100 if (!mac_ok) {
3101 return ssl_ticket_aead_ignore_ticket;
3102 }
3103
3104 /* Decrypt the session data. */
3105 const uint8_t *ciphertext = ticket + SSL_TICKET_KEY_NAME_LEN + iv_len;
3106 size_t ciphertext_len = ticket_len - SSL_TICKET_KEY_NAME_LEN - iv_len -
3107 mac_len;
3108 bssl::UniquePtr<uint8_t> plaintext((uint8_t *)OPENSSL_malloc(ciphertext_len));
3109 if (!plaintext) {
3110 return ssl_ticket_aead_error;
3111 }
3112 size_t plaintext_len;
3113 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3114 OPENSSL_memcpy(plaintext.get(), ciphertext, ciphertext_len);
3115 plaintext_len = ciphertext_len;
3116 #else
3117 if (ciphertext_len >= INT_MAX) {
3118 return ssl_ticket_aead_ignore_ticket;
3119 }
3120 int len1, len2;
3121 if (!EVP_DecryptUpdate(cipher_ctx.get(), plaintext.get(), &len1, ciphertext,
3122 (int)ciphertext_len) ||
3123 !EVP_DecryptFinal_ex(cipher_ctx.get(), plaintext.get() + len1, &len2)) {
3124 ERR_clear_error();
3125 return ssl_ticket_aead_ignore_ticket;
3126 }
3127 plaintext_len = (size_t)(len1) + len2;
3128 #endif
3129
3130 *out = plaintext.release();
3131 *out_len = plaintext_len;
3132 return ssl_ticket_aead_success;
3133 }
3134
ssl_decrypt_ticket_with_method(SSL * ssl,uint8_t ** out,size_t * out_len,int * out_renew_ticket,const uint8_t * ticket,size_t ticket_len)3135 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method(
3136 SSL *ssl, uint8_t **out, size_t *out_len, int *out_renew_ticket,
3137 const uint8_t *ticket, size_t ticket_len) {
3138 uint8_t *plaintext = (uint8_t *)OPENSSL_malloc(ticket_len);
3139 if (plaintext == NULL) {
3140 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
3141 return ssl_ticket_aead_error;
3142 }
3143
3144 size_t plaintext_len;
3145 const enum ssl_ticket_aead_result_t result =
3146 ssl->session_ctx->ticket_aead_method->open(
3147 ssl, plaintext, &plaintext_len, ticket_len, ticket, ticket_len);
3148
3149 if (result == ssl_ticket_aead_success) {
3150 *out = plaintext;
3151 plaintext = NULL;
3152 *out_len = plaintext_len;
3153 }
3154
3155 OPENSSL_free(plaintext);
3156 return result;
3157 }
3158
ssl_process_ticket(SSL * ssl,SSL_SESSION ** out_session,int * out_renew_ticket,const uint8_t * ticket,size_t ticket_len,const uint8_t * session_id,size_t session_id_len)3159 enum ssl_ticket_aead_result_t ssl_process_ticket(
3160 SSL *ssl, SSL_SESSION **out_session, int *out_renew_ticket,
3161 const uint8_t *ticket, size_t ticket_len, const uint8_t *session_id,
3162 size_t session_id_len) {
3163 *out_renew_ticket = 0;
3164 *out_session = NULL;
3165
3166 if ((SSL_get_options(ssl) & SSL_OP_NO_TICKET) ||
3167 session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
3168 return ssl_ticket_aead_ignore_ticket;
3169 }
3170
3171 uint8_t *plaintext = NULL;
3172 size_t plaintext_len;
3173 enum ssl_ticket_aead_result_t result;
3174 if (ssl->session_ctx->ticket_aead_method != NULL) {
3175 result = ssl_decrypt_ticket_with_method(
3176 ssl, &plaintext, &plaintext_len, out_renew_ticket, ticket, ticket_len);
3177 } else {
3178 result = ssl_decrypt_ticket_with_cipher_ctx(
3179 ssl, &plaintext, &plaintext_len, out_renew_ticket, ticket, ticket_len);
3180 }
3181
3182 if (result != ssl_ticket_aead_success) {
3183 return result;
3184 }
3185
3186 /* Decode the session. */
3187 SSL_SESSION *session =
3188 SSL_SESSION_from_bytes(plaintext, plaintext_len, ssl->ctx);
3189 OPENSSL_free(plaintext);
3190
3191 if (session == NULL) {
3192 ERR_clear_error(); /* Don't leave an error on the queue. */
3193 return ssl_ticket_aead_ignore_ticket;
3194 }
3195
3196 /* Copy the client's session ID into the new session, to denote the ticket has
3197 * been accepted. */
3198 OPENSSL_memcpy(session->session_id, session_id, session_id_len);
3199 session->session_id_length = session_id_len;
3200
3201 *out_session = session;
3202 return ssl_ticket_aead_success;
3203 }
3204
tls1_parse_peer_sigalgs(SSL_HANDSHAKE * hs,const CBS * in_sigalgs)3205 int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
3206 /* Extension ignored for inappropriate versions */
3207 if (ssl3_protocol_version(hs->ssl) < TLS1_2_VERSION) {
3208 return 1;
3209 }
3210
3211 OPENSSL_free(hs->peer_sigalgs);
3212 hs->peer_sigalgs = NULL;
3213 hs->num_peer_sigalgs = 0;
3214
3215 size_t num_sigalgs = CBS_len(in_sigalgs);
3216 if (num_sigalgs % 2 != 0) {
3217 return 0;
3218 }
3219 num_sigalgs /= 2;
3220
3221 /* supported_signature_algorithms in the certificate request is
3222 * allowed to be empty. */
3223 if (num_sigalgs == 0) {
3224 return 1;
3225 }
3226
3227 /* This multiplication doesn't overflow because sizeof(uint16_t) is two
3228 * and we just divided |num_sigalgs| by two. */
3229 hs->peer_sigalgs = (uint16_t *)OPENSSL_malloc(num_sigalgs * sizeof(uint16_t));
3230 if (hs->peer_sigalgs == NULL) {
3231 return 0;
3232 }
3233 hs->num_peer_sigalgs = num_sigalgs;
3234
3235 CBS sigalgs;
3236 CBS_init(&sigalgs, CBS_data(in_sigalgs), CBS_len(in_sigalgs));
3237 for (size_t i = 0; i < num_sigalgs; i++) {
3238 if (!CBS_get_u16(&sigalgs, &hs->peer_sigalgs[i])) {
3239 return 0;
3240 }
3241 }
3242
3243 return 1;
3244 }
3245
tls1_get_legacy_signature_algorithm(uint16_t * out,const EVP_PKEY * pkey)3246 int tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
3247 switch (EVP_PKEY_id(pkey)) {
3248 case EVP_PKEY_RSA:
3249 *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
3250 return 1;
3251 case EVP_PKEY_EC:
3252 *out = SSL_SIGN_ECDSA_SHA1;
3253 return 1;
3254 default:
3255 return 0;
3256 }
3257 }
3258
tls1_choose_signature_algorithm(SSL_HANDSHAKE * hs,uint16_t * out)3259 int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
3260 SSL *const ssl = hs->ssl;
3261 CERT *cert = ssl->cert;
3262
3263 /* Before TLS 1.2, the signature algorithm isn't negotiated as part of the
3264 * handshake. */
3265 if (ssl3_protocol_version(ssl) < TLS1_2_VERSION) {
3266 if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey)) {
3267 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3268 return 0;
3269 }
3270 return 1;
3271 }
3272
3273 const uint16_t *sigalgs = cert->sigalgs;
3274 size_t num_sigalgs = cert->num_sigalgs;
3275 if (sigalgs == NULL) {
3276 sigalgs = kSignSignatureAlgorithms;
3277 num_sigalgs = OPENSSL_ARRAY_SIZE(kSignSignatureAlgorithms);
3278 }
3279
3280 const uint16_t *peer_sigalgs = hs->peer_sigalgs;
3281 size_t num_peer_sigalgs = hs->num_peer_sigalgs;
3282 if (num_peer_sigalgs == 0 && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
3283 /* If the client didn't specify any signature_algorithms extension then
3284 * we can assume that it supports SHA1. See
3285 * http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
3286 static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
3287 SSL_SIGN_ECDSA_SHA1};
3288 peer_sigalgs = kDefaultPeerAlgorithms;
3289 num_peer_sigalgs = OPENSSL_ARRAY_SIZE(kDefaultPeerAlgorithms);
3290 }
3291
3292 for (size_t i = 0; i < num_sigalgs; i++) {
3293 uint16_t sigalg = sigalgs[i];
3294 /* SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
3295 * negotiated. */
3296 if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
3297 !ssl_private_key_supports_signature_algorithm(hs, sigalgs[i])) {
3298 continue;
3299 }
3300
3301 for (size_t j = 0; j < num_peer_sigalgs; j++) {
3302 if (sigalg == peer_sigalgs[j]) {
3303 *out = sigalg;
3304 return 1;
3305 }
3306 }
3307 }
3308
3309 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3310 return 0;
3311 }
3312
tls1_verify_channel_id(SSL_HANDSHAKE * hs)3313 int tls1_verify_channel_id(SSL_HANDSHAKE *hs) {
3314 SSL *const ssl = hs->ssl;
3315 uint16_t extension_type;
3316 CBS extension, channel_id;
3317
3318 /* A Channel ID handshake message is structured to contain multiple
3319 * extensions, but the only one that can be present is Channel ID. */
3320 CBS_init(&channel_id, ssl->init_msg, ssl->init_num);
3321 if (!CBS_get_u16(&channel_id, &extension_type) ||
3322 !CBS_get_u16_length_prefixed(&channel_id, &extension) ||
3323 CBS_len(&channel_id) != 0 ||
3324 extension_type != TLSEXT_TYPE_channel_id ||
3325 CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
3326 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
3327 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
3328 return 0;
3329 }
3330
3331 bssl::UniquePtr<EC_GROUP> p256(
3332 EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
3333 if (!p256) {
3334 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
3335 return 0;
3336 }
3337
3338 bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
3339 bssl::UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3340 if (!sig || !x || !y) {
3341 return 0;
3342 }
3343
3344 const uint8_t *p = CBS_data(&extension);
3345 if (BN_bin2bn(p + 0, 32, x.get()) == NULL ||
3346 BN_bin2bn(p + 32, 32, y.get()) == NULL ||
3347 BN_bin2bn(p + 64, 32, sig->r) == NULL ||
3348 BN_bin2bn(p + 96, 32, sig->s) == NULL) {
3349 return 0;
3350 }
3351
3352 bssl::UniquePtr<EC_KEY> key(EC_KEY_new());
3353 bssl::UniquePtr<EC_POINT> point(EC_POINT_new(p256.get()));
3354 if (!key || !point ||
3355 !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(),
3356 y.get(), nullptr) ||
3357 !EC_KEY_set_group(key.get(), p256.get()) ||
3358 !EC_KEY_set_public_key(key.get(), point.get())) {
3359 return 0;
3360 }
3361
3362 uint8_t digest[EVP_MAX_MD_SIZE];
3363 size_t digest_len;
3364 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3365 return 0;
3366 }
3367
3368 int sig_ok = ECDSA_do_verify(digest, digest_len, sig.get(), key.get());
3369 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3370 sig_ok = 1;
3371 #endif
3372 if (!sig_ok) {
3373 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
3374 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
3375 ssl->s3->tlsext_channel_id_valid = 0;
3376 return 0;
3377 }
3378
3379 OPENSSL_memcpy(ssl->s3->tlsext_channel_id, p, 64);
3380 return 1;
3381 }
3382
tls1_write_channel_id(SSL_HANDSHAKE * hs,CBB * cbb)3383 int tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) {
3384 SSL *const ssl = hs->ssl;
3385 uint8_t digest[EVP_MAX_MD_SIZE];
3386 size_t digest_len;
3387 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3388 return 0;
3389 }
3390
3391 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ssl->tlsext_channel_id_private);
3392 if (ec_key == NULL) {
3393 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3394 return 0;
3395 }
3396
3397 int ret = 0;
3398 BIGNUM *x = BN_new();
3399 BIGNUM *y = BN_new();
3400 ECDSA_SIG *sig = NULL;
3401 if (x == NULL || y == NULL ||
3402 !EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec_key),
3403 EC_KEY_get0_public_key(ec_key),
3404 x, y, NULL)) {
3405 goto err;
3406 }
3407
3408 sig = ECDSA_do_sign(digest, digest_len, ec_key);
3409 if (sig == NULL) {
3410 goto err;
3411 }
3412
3413 CBB child;
3414 if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) ||
3415 !CBB_add_u16_length_prefixed(cbb, &child) ||
3416 !BN_bn2cbb_padded(&child, 32, x) ||
3417 !BN_bn2cbb_padded(&child, 32, y) ||
3418 !BN_bn2cbb_padded(&child, 32, sig->r) ||
3419 !BN_bn2cbb_padded(&child, 32, sig->s) ||
3420 !CBB_flush(cbb)) {
3421 goto err;
3422 }
3423
3424 ret = 1;
3425
3426 err:
3427 BN_free(x);
3428 BN_free(y);
3429 ECDSA_SIG_free(sig);
3430 return ret;
3431 }
3432
tls1_channel_id_hash(SSL_HANDSHAKE * hs,uint8_t * out,size_t * out_len)3433 int tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {
3434 SSL *const ssl = hs->ssl;
3435 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
3436 uint8_t *msg;
3437 size_t msg_len;
3438 if (!tls13_get_cert_verify_signature_input(hs, &msg, &msg_len,
3439 ssl_cert_verify_channel_id)) {
3440 return 0;
3441 }
3442 SHA256(msg, msg_len, out);
3443 *out_len = SHA256_DIGEST_LENGTH;
3444 OPENSSL_free(msg);
3445 return 1;
3446 }
3447
3448 SHA256_CTX ctx;
3449
3450 SHA256_Init(&ctx);
3451 static const char kClientIDMagic[] = "TLS Channel ID signature";
3452 SHA256_Update(&ctx, kClientIDMagic, sizeof(kClientIDMagic));
3453
3454 if (ssl->session != NULL) {
3455 static const char kResumptionMagic[] = "Resumption";
3456 SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic));
3457 if (ssl->session->original_handshake_hash_len == 0) {
3458 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3459 return 0;
3460 }
3461 SHA256_Update(&ctx, ssl->session->original_handshake_hash,
3462 ssl->session->original_handshake_hash_len);
3463 }
3464
3465 uint8_t hs_hash[EVP_MAX_MD_SIZE];
3466 size_t hs_hash_len;
3467 if (!SSL_TRANSCRIPT_get_hash(&hs->transcript, hs_hash, &hs_hash_len)) {
3468 return 0;
3469 }
3470 SHA256_Update(&ctx, hs_hash, (size_t)hs_hash_len);
3471 SHA256_Final(out, &ctx);
3472 *out_len = SHA256_DIGEST_LENGTH;
3473 return 1;
3474 }
3475
3476 /* tls1_record_handshake_hashes_for_channel_id records the current handshake
3477 * hashes in |hs->new_session| so that Channel ID resumptions can sign that
3478 * data. */
tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE * hs)3479 int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
3480 SSL *const ssl = hs->ssl;
3481 /* This function should never be called for a resumed session because the
3482 * handshake hashes that we wish to record are for the original, full
3483 * handshake. */
3484 if (ssl->session != NULL) {
3485 return -1;
3486 }
3487
3488 static_assert(
3489 sizeof(hs->new_session->original_handshake_hash) == EVP_MAX_MD_SIZE,
3490 "original_handshake_hash is too small");
3491
3492 size_t digest_len;
3493 if (!SSL_TRANSCRIPT_get_hash(&hs->transcript,
3494 hs->new_session->original_handshake_hash,
3495 &digest_len)) {
3496 return -1;
3497 }
3498
3499 static_assert(EVP_MAX_MD_SIZE <= 0xff,
3500 "EVP_MAX_MD_SIZE does not fit in uint8_t");
3501 hs->new_session->original_handshake_hash_len = (uint8_t)digest_len;
3502
3503 return 1;
3504 }
3505
ssl_do_channel_id_callback(SSL * ssl)3506 int ssl_do_channel_id_callback(SSL *ssl) {
3507 if (ssl->tlsext_channel_id_private != NULL ||
3508 ssl->ctx->channel_id_cb == NULL) {
3509 return 1;
3510 }
3511
3512 EVP_PKEY *key = NULL;
3513 ssl->ctx->channel_id_cb(ssl, &key);
3514 if (key == NULL) {
3515 /* The caller should try again later. */
3516 return 1;
3517 }
3518
3519 int ret = SSL_set1_tls_channel_id(ssl, key);
3520 EVP_PKEY_free(key);
3521 return ret;
3522 }
3523
ssl_is_sct_list_valid(const CBS * contents)3524 int ssl_is_sct_list_valid(const CBS *contents) {
3525 /* Shallow parse the SCT list for sanity. By the RFC
3526 * (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
3527 * of the SCTs may be empty. */
3528 CBS copy = *contents;
3529 CBS sct_list;
3530 if (!CBS_get_u16_length_prefixed(©, &sct_list) ||
3531 CBS_len(©) != 0 ||
3532 CBS_len(&sct_list) == 0) {
3533 return 0;
3534 }
3535
3536 while (CBS_len(&sct_list) > 0) {
3537 CBS sct;
3538 if (!CBS_get_u16_length_prefixed(&sct_list, &sct) ||
3539 CBS_len(&sct) == 0) {
3540 return 0;
3541 }
3542 }
3543
3544 return 1;
3545 }
3546