1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.]
56  */
57 /* ====================================================================
58  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
59  *
60  * Redistribution and use in source and binary forms, with or without
61  * modification, are permitted provided that the following conditions
62  * are met:
63  *
64  * 1. Redistributions of source code must retain the above copyright
65  *    notice, this list of conditions and the following disclaimer.
66  *
67  * 2. Redistributions in binary form must reproduce the above copyright
68  *    notice, this list of conditions and the following disclaimer in
69  *    the documentation and/or other materials provided with the
70  *    distribution.
71  *
72  * 3. All advertising materials mentioning features or use of this
73  *    software must display the following acknowledgment:
74  *    "This product includes software developed by the OpenSSL Project
75  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76  *
77  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78  *    endorse or promote products derived from this software without
79  *    prior written permission. For written permission, please contact
80  *    openssl-core@openssl.org.
81  *
82  * 5. Products derived from this software may not be called "OpenSSL"
83  *    nor may "OpenSSL" appear in their names without prior written
84  *    permission of the OpenSSL Project.
85  *
86  * 6. Redistributions of any form whatsoever must retain the following
87  *    acknowledgment:
88  *    "This product includes software developed by the OpenSSL Project
89  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90  *
91  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
95  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102  * OF THE POSSIBILITY OF SUCH DAMAGE.
103  * ====================================================================
104  *
105  * This product includes cryptographic software written by Eric Young
106  * (eay@cryptsoft.com).  This product includes software written by Tim
107  * Hudson (tjh@cryptsoft.com). */
108 
109 #include <openssl/ssl.h>
110 
111 #include <assert.h>
112 #include <limits.h>
113 #include <stdlib.h>
114 #include <string.h>
115 
116 #include <utility>
117 
118 #include <openssl/bytestring.h>
119 #include <openssl/chacha.h>
120 #include <openssl/digest.h>
121 #include <openssl/err.h>
122 #include <openssl/evp.h>
123 #include <openssl/hmac.h>
124 #include <openssl/mem.h>
125 #include <openssl/nid.h>
126 #include <openssl/rand.h>
127 
128 #include "internal.h"
129 #include "../crypto/internal.h"
130 
131 
132 BSSL_NAMESPACE_BEGIN
133 
134 static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);
135 
compare_uint16_t(const void * p1,const void * p2)136 static int compare_uint16_t(const void *p1, const void *p2) {
137   uint16_t u1 = *((const uint16_t *)p1);
138   uint16_t u2 = *((const uint16_t *)p2);
139   if (u1 < u2) {
140     return -1;
141   } else if (u1 > u2) {
142     return 1;
143   } else {
144     return 0;
145   }
146 }
147 
148 // Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
149 // more than one extension of the same type in a ClientHello or ServerHello.
150 // This function does an initial scan over the extensions block to filter those
151 // out.
tls1_check_duplicate_extensions(const CBS * cbs)152 static bool tls1_check_duplicate_extensions(const CBS *cbs) {
153   // First pass: count the extensions.
154   size_t num_extensions = 0;
155   CBS extensions = *cbs;
156   while (CBS_len(&extensions) > 0) {
157     uint16_t type;
158     CBS extension;
159 
160     if (!CBS_get_u16(&extensions, &type) ||
161         !CBS_get_u16_length_prefixed(&extensions, &extension)) {
162       return false;
163     }
164 
165     num_extensions++;
166   }
167 
168   if (num_extensions == 0) {
169     return true;
170   }
171 
172   Array<uint16_t> extension_types;
173   if (!extension_types.Init(num_extensions)) {
174     return false;
175   }
176 
177   // Second pass: gather the extension types.
178   extensions = *cbs;
179   for (size_t i = 0; i < extension_types.size(); i++) {
180     CBS extension;
181 
182     if (!CBS_get_u16(&extensions, &extension_types[i]) ||
183         !CBS_get_u16_length_prefixed(&extensions, &extension)) {
184       // This should not happen.
185       return false;
186     }
187   }
188   assert(CBS_len(&extensions) == 0);
189 
190   // Sort the extensions and make sure there are no duplicates.
191   qsort(extension_types.data(), extension_types.size(), sizeof(uint16_t),
192         compare_uint16_t);
193   for (size_t i = 1; i < num_extensions; i++) {
194     if (extension_types[i - 1] == extension_types[i]) {
195       return false;
196     }
197   }
198 
199   return true;
200 }
201 
ssl_client_hello_init(SSL * ssl,SSL_CLIENT_HELLO * out,const SSLMessage & msg)202 bool ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out,
203                            const SSLMessage &msg) {
204   OPENSSL_memset(out, 0, sizeof(*out));
205   out->ssl = ssl;
206   out->client_hello = CBS_data(&msg.body);
207   out->client_hello_len = CBS_len(&msg.body);
208 
209   CBS client_hello, random, session_id;
210   CBS_init(&client_hello, out->client_hello, out->client_hello_len);
211   if (!CBS_get_u16(&client_hello, &out->version) ||
212       !CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) ||
213       !CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
214       CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
215     return false;
216   }
217 
218   out->random = CBS_data(&random);
219   out->random_len = CBS_len(&random);
220   out->session_id = CBS_data(&session_id);
221   out->session_id_len = CBS_len(&session_id);
222 
223   // Skip past DTLS cookie
224   if (SSL_is_dtls(out->ssl)) {
225     CBS cookie;
226     if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
227         CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
228       return false;
229     }
230   }
231 
232   CBS cipher_suites, compression_methods;
233   if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
234       CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
235       !CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
236       CBS_len(&compression_methods) < 1) {
237     return false;
238   }
239 
240   out->cipher_suites = CBS_data(&cipher_suites);
241   out->cipher_suites_len = CBS_len(&cipher_suites);
242   out->compression_methods = CBS_data(&compression_methods);
243   out->compression_methods_len = CBS_len(&compression_methods);
244 
245   // If the ClientHello ends here then it's valid, but doesn't have any
246   // extensions.
247   if (CBS_len(&client_hello) == 0) {
248     out->extensions = NULL;
249     out->extensions_len = 0;
250     return true;
251   }
252 
253   // Extract extensions and check it is valid.
254   CBS extensions;
255   if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
256       !tls1_check_duplicate_extensions(&extensions) ||
257       CBS_len(&client_hello) != 0) {
258     return false;
259   }
260 
261   out->extensions = CBS_data(&extensions);
262   out->extensions_len = CBS_len(&extensions);
263 
264   return true;
265 }
266 
ssl_client_hello_get_extension(const SSL_CLIENT_HELLO * client_hello,CBS * out,uint16_t extension_type)267 bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
268                                     CBS *out, uint16_t extension_type) {
269   CBS extensions;
270   CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
271   while (CBS_len(&extensions) != 0) {
272     // Decode the next extension.
273     uint16_t type;
274     CBS extension;
275     if (!CBS_get_u16(&extensions, &type) ||
276         !CBS_get_u16_length_prefixed(&extensions, &extension)) {
277       return false;
278     }
279 
280     if (type == extension_type) {
281       *out = extension;
282       return true;
283     }
284   }
285 
286   return false;
287 }
288 
289 static const uint16_t kDefaultGroups[] = {
290     SSL_CURVE_X25519,
291     SSL_CURVE_SECP256R1,
292     SSL_CURVE_SECP384R1,
293 };
294 
tls1_get_grouplist(const SSL_HANDSHAKE * hs)295 Span<const uint16_t> tls1_get_grouplist(const SSL_HANDSHAKE *hs) {
296   if (!hs->config->supported_group_list.empty()) {
297     return hs->config->supported_group_list;
298   }
299   return Span<const uint16_t>(kDefaultGroups);
300 }
301 
tls1_get_shared_group(SSL_HANDSHAKE * hs,uint16_t * out_group_id)302 bool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
303   SSL *const ssl = hs->ssl;
304   assert(ssl->server);
305 
306   // Clients are not required to send a supported_groups extension. In this
307   // case, the server is free to pick any group it likes. See RFC 4492,
308   // section 4, paragraph 3.
309   //
310   // However, in the interests of compatibility, we will skip ECDH if the
311   // client didn't send an extension because we can't be sure that they'll
312   // support our favoured group. Thus we do not special-case an emtpy
313   // |peer_supported_group_list|.
314 
315   Span<const uint16_t> groups = tls1_get_grouplist(hs);
316   Span<const uint16_t> pref, supp;
317   if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
318     pref = groups;
319     supp = hs->peer_supported_group_list;
320   } else {
321     pref = hs->peer_supported_group_list;
322     supp = groups;
323   }
324 
325   for (uint16_t pref_group : pref) {
326     for (uint16_t supp_group : supp) {
327       if (pref_group == supp_group &&
328           // CECPQ2 doesn't fit in the u8-length-prefixed ECPoint field in TLS
329           // 1.2 and below.
330           (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
331            pref_group != SSL_CURVE_CECPQ2)) {
332         *out_group_id = pref_group;
333         return true;
334       }
335     }
336   }
337 
338   return false;
339 }
340 
tls1_set_curves(Array<uint16_t> * out_group_ids,Span<const int> curves)341 bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves) {
342   Array<uint16_t> group_ids;
343   if (!group_ids.Init(curves.size())) {
344     return false;
345   }
346 
347   for (size_t i = 0; i < curves.size(); i++) {
348     if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) {
349       return false;
350     }
351   }
352 
353   *out_group_ids = std::move(group_ids);
354   return true;
355 }
356 
tls1_set_curves_list(Array<uint16_t> * out_group_ids,const char * curves)357 bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves) {
358   // Count the number of curves in the list.
359   size_t count = 0;
360   const char *ptr = curves, *col;
361   do {
362     col = strchr(ptr, ':');
363     count++;
364     if (col) {
365       ptr = col + 1;
366     }
367   } while (col);
368 
369   Array<uint16_t> group_ids;
370   if (!group_ids.Init(count)) {
371     return false;
372   }
373 
374   size_t i = 0;
375   ptr = curves;
376   do {
377     col = strchr(ptr, ':');
378     if (!ssl_name_to_group_id(&group_ids[i++], ptr,
379                               col ? (size_t)(col - ptr) : strlen(ptr))) {
380       return false;
381     }
382     if (col) {
383       ptr = col + 1;
384     }
385   } while (col);
386 
387   assert(i == count);
388   *out_group_ids = std::move(group_ids);
389   return true;
390 }
391 
tls1_check_group_id(const SSL_HANDSHAKE * hs,uint16_t group_id)392 bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
393   if (group_id == SSL_CURVE_CECPQ2 &&
394       ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
395     // CECPQ2 requires TLS 1.3.
396     return false;
397   }
398 
399   for (uint16_t supported : tls1_get_grouplist(hs)) {
400     if (supported == group_id) {
401       return true;
402     }
403   }
404 
405   return false;
406 }
407 
408 // kVerifySignatureAlgorithms is the default list of accepted signature
409 // algorithms for verifying.
410 //
411 // For now, RSA-PSS signature algorithms are not enabled on Android's system
412 // BoringSSL. Once the change in Chrome has stuck and the values are finalized,
413 // restore them.
414 static const uint16_t kVerifySignatureAlgorithms[] = {
415     // List our preferred algorithms first.
416     SSL_SIGN_ED25519,
417     SSL_SIGN_ECDSA_SECP256R1_SHA256,
418     SSL_SIGN_RSA_PSS_RSAE_SHA256,
419     SSL_SIGN_RSA_PKCS1_SHA256,
420 
421     // Larger hashes are acceptable.
422     SSL_SIGN_ECDSA_SECP384R1_SHA384,
423     SSL_SIGN_RSA_PSS_RSAE_SHA384,
424     SSL_SIGN_RSA_PKCS1_SHA384,
425 
426     SSL_SIGN_RSA_PSS_RSAE_SHA512,
427     SSL_SIGN_RSA_PKCS1_SHA512,
428 
429     // For now, SHA-1 is still accepted but least preferable.
430     SSL_SIGN_RSA_PKCS1_SHA1,
431 
432 };
433 
434 // kSignSignatureAlgorithms is the default list of supported signature
435 // algorithms for signing.
436 //
437 // For now, RSA-PSS signature algorithms are not enabled on Android's system
438 // BoringSSL. Once the change in Chrome has stuck and the values are finalized,
439 // restore them.
440 static const uint16_t kSignSignatureAlgorithms[] = {
441     // List our preferred algorithms first.
442     SSL_SIGN_ED25519,
443     SSL_SIGN_ECDSA_SECP256R1_SHA256,
444     SSL_SIGN_RSA_PSS_RSAE_SHA256,
445     SSL_SIGN_RSA_PKCS1_SHA256,
446 
447     // If needed, sign larger hashes.
448     //
449     // TODO(davidben): Determine which of these may be pruned.
450     SSL_SIGN_ECDSA_SECP384R1_SHA384,
451     SSL_SIGN_RSA_PSS_RSAE_SHA384,
452     SSL_SIGN_RSA_PKCS1_SHA384,
453 
454     SSL_SIGN_ECDSA_SECP521R1_SHA512,
455     SSL_SIGN_RSA_PSS_RSAE_SHA512,
456     SSL_SIGN_RSA_PKCS1_SHA512,
457 
458     // If the peer supports nothing else, sign with SHA-1.
459     SSL_SIGN_ECDSA_SHA1,
460     SSL_SIGN_RSA_PKCS1_SHA1,
461 };
462 
463 struct SSLSignatureAlgorithmList {
NextSSLSignatureAlgorithmList464   bool Next(uint16_t *out) {
465     while (!list.empty()) {
466       uint16_t sigalg = list[0];
467       list = list.subspan(1);
468       if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) {
469         continue;
470       }
471       if (skip_rsa_pss_rsae && SSL_is_signature_algorithm_rsa_pss(sigalg)) {
472         continue;
473       }
474       *out = sigalg;
475       return true;
476     }
477     return false;
478   }
479 
operator ==SSLSignatureAlgorithmList480   bool operator==(const SSLSignatureAlgorithmList &other) const {
481     SSLSignatureAlgorithmList a = *this;
482     SSLSignatureAlgorithmList b = other;
483     uint16_t a_val, b_val;
484     while (a.Next(&a_val)) {
485       if (!b.Next(&b_val) ||
486           a_val != b_val) {
487         return false;
488       }
489     }
490     return !b.Next(&b_val);
491   }
492 
operator !=SSLSignatureAlgorithmList493   bool operator!=(const SSLSignatureAlgorithmList &other) const {
494     return !(*this == other);
495   }
496 
497   Span<const uint16_t> list;
498   bool skip_ed25519 = false;
499   bool skip_rsa_pss_rsae = false;
500 };
501 
tls12_get_verify_sigalgs(const SSL * ssl,bool for_certs)502 static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl,
503                                                           bool for_certs) {
504   SSLSignatureAlgorithmList ret;
505   if (!ssl->config->verify_sigalgs.empty()) {
506     ret.list = ssl->config->verify_sigalgs;
507   } else {
508     ret.list = kVerifySignatureAlgorithms;
509     ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
510   }
511   if (for_certs) {
512     ret.skip_rsa_pss_rsae = !ssl->ctx->rsa_pss_rsae_certs_enabled;
513   }
514   return ret;
515 }
516 
tls12_add_verify_sigalgs(const SSL * ssl,CBB * out,bool for_certs)517 bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs) {
518   SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, for_certs);
519   uint16_t sigalg;
520   while (list.Next(&sigalg)) {
521     if (!CBB_add_u16(out, sigalg)) {
522       return false;
523     }
524   }
525   return true;
526 }
527 
tls12_check_peer_sigalg(const SSL * ssl,uint8_t * out_alert,uint16_t sigalg)528 bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
529                              uint16_t sigalg) {
530   SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, false);
531   uint16_t verify_sigalg;
532   while (list.Next(&verify_sigalg)) {
533     if (verify_sigalg == sigalg) {
534       return true;
535     }
536   }
537 
538   OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
539   *out_alert = SSL_AD_ILLEGAL_PARAMETER;
540   return false;
541 }
542 
tls12_has_different_verify_sigalgs_for_certs(const SSL * ssl)543 bool tls12_has_different_verify_sigalgs_for_certs(const SSL *ssl) {
544   return tls12_get_verify_sigalgs(ssl, true) !=
545          tls12_get_verify_sigalgs(ssl, false);
546 }
547 
548 // tls_extension represents a TLS extension that is handled internally. The
549 // |init| function is called for each handshake, before any other functions of
550 // the extension. Then the add and parse callbacks are called as needed.
551 //
552 // The parse callbacks receive a |CBS| that contains the contents of the
553 // extension (i.e. not including the type and length bytes). If an extension is
554 // not received then the parse callbacks will be called with a NULL CBS so that
555 // they can do any processing needed to handle the absence of an extension.
556 //
557 // The add callbacks receive a |CBB| to which the extension can be appended but
558 // the function is responsible for appending the type and length bytes too.
559 //
560 // All callbacks return true for success and false for error. If a parse
561 // function returns zero then a fatal alert with value |*out_alert| will be
562 // sent. If |*out_alert| isn't set, then a |decode_error| alert will be sent.
563 struct tls_extension {
564   uint16_t value;
565   void (*init)(SSL_HANDSHAKE *hs);
566 
567   bool (*add_clienthello)(SSL_HANDSHAKE *hs, CBB *out);
568   bool (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
569                             CBS *contents);
570 
571   bool (*parse_clienthello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
572                             CBS *contents);
573   bool (*add_serverhello)(SSL_HANDSHAKE *hs, CBB *out);
574 };
575 
forbid_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)576 static bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
577                                     CBS *contents) {
578   if (contents != NULL) {
579     // Servers MUST NOT send this extension.
580     *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
581     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
582     return false;
583   }
584 
585   return true;
586 }
587 
ignore_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)588 static bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
589                                     CBS *contents) {
590   // This extension from the client is handled elsewhere.
591   return true;
592 }
593 
dont_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)594 static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
595   return true;
596 }
597 
598 // Server name indication (SNI).
599 //
600 // https://tools.ietf.org/html/rfc6066#section-3.
601 
ext_sni_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)602 static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
603   SSL *const ssl = hs->ssl;
604   if (ssl->hostname == nullptr) {
605     return true;
606   }
607 
608   CBB contents, server_name_list, name;
609   if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
610       !CBB_add_u16_length_prefixed(out, &contents) ||
611       !CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
612       !CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
613       !CBB_add_u16_length_prefixed(&server_name_list, &name) ||
614       !CBB_add_bytes(&name, (const uint8_t *)ssl->hostname.get(),
615                      strlen(ssl->hostname.get())) ||
616       !CBB_flush(out)) {
617     return false;
618   }
619 
620   return true;
621 }
622 
ext_sni_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)623 static bool ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
624                                       CBS *contents) {
625   // The server may acknowledge SNI with an empty extension. We check the syntax
626   // but otherwise ignore this signal.
627   return contents == NULL || CBS_len(contents) == 0;
628 }
629 
ext_sni_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)630 static bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
631                                       CBS *contents) {
632   SSL *const ssl = hs->ssl;
633   if (contents == NULL) {
634     return true;
635   }
636 
637   CBS server_name_list, host_name;
638   uint8_t name_type;
639   if (!CBS_get_u16_length_prefixed(contents, &server_name_list) ||
640       !CBS_get_u8(&server_name_list, &name_type) ||
641       // Although the server_name extension was intended to be extensible to
642       // new name types and multiple names, OpenSSL 1.0.x had a bug which meant
643       // different name types will cause an error. Further, RFC 4366 originally
644       // defined syntax inextensibly. RFC 6066 corrected this mistake, but
645       // adding new name types is no longer feasible.
646       //
647       // Act as if the extensibility does not exist to simplify parsing.
648       !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
649       CBS_len(&server_name_list) != 0 ||
650       CBS_len(contents) != 0) {
651     return false;
652   }
653 
654   if (name_type != TLSEXT_NAMETYPE_host_name ||
655       CBS_len(&host_name) == 0 ||
656       CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
657       CBS_contains_zero_byte(&host_name)) {
658     *out_alert = SSL_AD_UNRECOGNIZED_NAME;
659     return false;
660   }
661 
662   // Copy the hostname as a string.
663   char *raw = nullptr;
664   if (!CBS_strdup(&host_name, &raw)) {
665     *out_alert = SSL_AD_INTERNAL_ERROR;
666     return false;
667   }
668   ssl->s3->hostname.reset(raw);
669 
670   hs->should_ack_sni = true;
671   return true;
672 }
673 
ext_sni_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)674 static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
675   if (hs->ssl->s3->session_reused ||
676       !hs->should_ack_sni) {
677     return true;
678   }
679 
680   if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
681       !CBB_add_u16(out, 0 /* length */)) {
682     return false;
683   }
684 
685   return true;
686 }
687 
688 
689 // Renegotiation indication.
690 //
691 // https://tools.ietf.org/html/rfc5746
692 
ext_ri_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)693 static bool ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
694   SSL *const ssl = hs->ssl;
695   // Renegotiation indication is not necessary in TLS 1.3.
696   if (hs->min_version >= TLS1_3_VERSION) {
697     return true;
698   }
699 
700   assert(ssl->s3->initial_handshake_complete ==
701          (ssl->s3->previous_client_finished_len != 0));
702 
703   CBB contents, prev_finished;
704   if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
705       !CBB_add_u16_length_prefixed(out, &contents) ||
706       !CBB_add_u8_length_prefixed(&contents, &prev_finished) ||
707       !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished,
708                      ssl->s3->previous_client_finished_len) ||
709       !CBB_flush(out)) {
710     return false;
711   }
712 
713   return true;
714 }
715 
ext_ri_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)716 static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
717                                      CBS *contents) {
718   SSL *const ssl = hs->ssl;
719   if (contents != NULL && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
720     *out_alert = SSL_AD_ILLEGAL_PARAMETER;
721     return false;
722   }
723 
724   // Servers may not switch between omitting the extension and supporting it.
725   // See RFC 5746, sections 3.5 and 4.2.
726   if (ssl->s3->initial_handshake_complete &&
727       (contents != NULL) != ssl->s3->send_connection_binding) {
728     *out_alert = SSL_AD_HANDSHAKE_FAILURE;
729     OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
730     return false;
731   }
732 
733   if (contents == NULL) {
734     // Strictly speaking, if we want to avoid an attack we should *always* see
735     // RI even on initial ServerHello because the client doesn't see any
736     // renegotiation during an attack. However this would mean we could not
737     // connect to any server which doesn't support RI.
738     //
739     // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in
740     // practical terms every client sets it so it's just assumed here.
741     return true;
742   }
743 
744   const size_t expected_len = ssl->s3->previous_client_finished_len +
745                               ssl->s3->previous_server_finished_len;
746 
747   // Check for logic errors
748   assert(!expected_len || ssl->s3->previous_client_finished_len);
749   assert(!expected_len || ssl->s3->previous_server_finished_len);
750   assert(ssl->s3->initial_handshake_complete ==
751          (ssl->s3->previous_client_finished_len != 0));
752   assert(ssl->s3->initial_handshake_complete ==
753          (ssl->s3->previous_server_finished_len != 0));
754 
755   // Parse out the extension contents.
756   CBS renegotiated_connection;
757   if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
758       CBS_len(contents) != 0) {
759     OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
760     *out_alert = SSL_AD_ILLEGAL_PARAMETER;
761     return false;
762   }
763 
764   // Check that the extension matches.
765   if (CBS_len(&renegotiated_connection) != expected_len) {
766     OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
767     *out_alert = SSL_AD_HANDSHAKE_FAILURE;
768     return false;
769   }
770 
771   const uint8_t *d = CBS_data(&renegotiated_connection);
772   bool ok = CRYPTO_memcmp(d, ssl->s3->previous_client_finished,
773                           ssl->s3->previous_client_finished_len) == 0;
774 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
775   ok = true;
776 #endif
777   if (!ok) {
778     OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
779     *out_alert = SSL_AD_HANDSHAKE_FAILURE;
780     return false;
781   }
782   d += ssl->s3->previous_client_finished_len;
783 
784   ok = CRYPTO_memcmp(d, ssl->s3->previous_server_finished,
785                      ssl->s3->previous_server_finished_len) == 0;
786 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
787   ok = true;
788 #endif
789   if (!ok) {
790     OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
791     *out_alert = SSL_AD_HANDSHAKE_FAILURE;
792     return false;
793   }
794   ssl->s3->send_connection_binding = true;
795 
796   return true;
797 }
798 
ext_ri_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)799 static bool ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
800                                      CBS *contents) {
801   SSL *const ssl = hs->ssl;
802   // Renegotiation isn't supported as a server so this function should never be
803   // called after the initial handshake.
804   assert(!ssl->s3->initial_handshake_complete);
805 
806   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
807     return true;
808   }
809 
810   if (contents == NULL) {
811     return true;
812   }
813 
814   CBS renegotiated_connection;
815   if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
816       CBS_len(contents) != 0) {
817     OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
818     return false;
819   }
820 
821   // Check that the extension matches. We do not support renegotiation as a
822   // server, so this must be empty.
823   if (CBS_len(&renegotiated_connection) != 0) {
824     OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
825     *out_alert = SSL_AD_HANDSHAKE_FAILURE;
826     return false;
827   }
828 
829   ssl->s3->send_connection_binding = true;
830 
831   return true;
832 }
833 
ext_ri_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)834 static bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
835   SSL *const ssl = hs->ssl;
836   // Renegotiation isn't supported as a server so this function should never be
837   // called after the initial handshake.
838   assert(!ssl->s3->initial_handshake_complete);
839 
840   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
841     return true;
842   }
843 
844   if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
845       !CBB_add_u16(out, 1 /* length */) ||
846       !CBB_add_u8(out, 0 /* empty renegotiation info */)) {
847     return false;
848   }
849 
850   return true;
851 }
852 
853 
854 // Extended Master Secret.
855 //
856 // https://tools.ietf.org/html/rfc7627
857 
ext_ems_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)858 static bool ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
859   // Extended master secret is not necessary in TLS 1.3.
860   if (hs->min_version >= TLS1_3_VERSION) {
861     return true;
862   }
863 
864   if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
865       !CBB_add_u16(out, 0 /* length */)) {
866     return false;
867   }
868 
869   return true;
870 }
871 
ext_ems_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)872 static bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
873                                       CBS *contents) {
874   SSL *const ssl = hs->ssl;
875 
876   if (contents != NULL) {
877     if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
878         CBS_len(contents) != 0) {
879       return false;
880     }
881 
882     hs->extended_master_secret = true;
883   }
884 
885   // Whether EMS is negotiated may not change on renegotiation.
886   if (ssl->s3->established_session != nullptr &&
887       hs->extended_master_secret !=
888           !!ssl->s3->established_session->extended_master_secret) {
889     OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH);
890     *out_alert = SSL_AD_ILLEGAL_PARAMETER;
891     return false;
892   }
893 
894   return true;
895 }
896 
ext_ems_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)897 static bool ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
898                                       CBS *contents) {
899   if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
900     return true;
901   }
902 
903   if (contents == NULL) {
904     return true;
905   }
906 
907   if (CBS_len(contents) != 0) {
908     return false;
909   }
910 
911   hs->extended_master_secret = true;
912   return true;
913 }
914 
ext_ems_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)915 static bool ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
916   if (!hs->extended_master_secret) {
917     return true;
918   }
919 
920   if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
921       !CBB_add_u16(out, 0 /* length */)) {
922     return false;
923   }
924 
925   return true;
926 }
927 
928 
929 // Session tickets.
930 //
931 // https://tools.ietf.org/html/rfc5077
932 
ext_ticket_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)933 static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
934   SSL *const ssl = hs->ssl;
935   // TLS 1.3 uses a different ticket extension.
936   if (hs->min_version >= TLS1_3_VERSION ||
937       SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
938     return true;
939   }
940 
941   Span<const uint8_t> ticket;
942 
943   // Renegotiation does not participate in session resumption. However, still
944   // advertise the extension to avoid potentially breaking servers which carry
945   // over the state from the previous handshake, such as OpenSSL servers
946   // without upstream's 3c3f0259238594d77264a78944d409f2127642c4.
947   if (!ssl->s3->initial_handshake_complete &&
948       ssl->session != nullptr &&
949       !ssl->session->ticket.empty() &&
950       // Don't send TLS 1.3 session tickets in the ticket extension.
951       ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
952     ticket = ssl->session->ticket;
953   }
954 
955   CBB ticket_cbb;
956   if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
957       !CBB_add_u16_length_prefixed(out, &ticket_cbb) ||
958       !CBB_add_bytes(&ticket_cbb, ticket.data(), ticket.size()) ||
959       !CBB_flush(out)) {
960     return false;
961   }
962 
963   return true;
964 }
965 
ext_ticket_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)966 static bool ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
967                                          CBS *contents) {
968   SSL *const ssl = hs->ssl;
969   if (contents == NULL) {
970     return true;
971   }
972 
973   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
974     return false;
975   }
976 
977   // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
978   // this function should never be called, even if the server tries to send the
979   // extension.
980   assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);
981 
982   if (CBS_len(contents) != 0) {
983     return false;
984   }
985 
986   hs->ticket_expected = true;
987   return true;
988 }
989 
ext_ticket_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)990 static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
991   if (!hs->ticket_expected) {
992     return true;
993   }
994 
995   // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true.
996   assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0);
997 
998   if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
999       !CBB_add_u16(out, 0 /* length */)) {
1000     return false;
1001   }
1002 
1003   return true;
1004 }
1005 
1006 
1007 // Signature Algorithms.
1008 //
1009 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
1010 
ext_sigalgs_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1011 static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1012   SSL *const ssl = hs->ssl;
1013   if (hs->max_version < TLS1_2_VERSION) {
1014     return true;
1015   }
1016 
1017   // Prior to TLS 1.3, there was no way to signal different signature algorithm
1018   // preferences between the online signature and certificates. If we do not
1019   // send the signature_algorithms_cert extension, use the potentially more
1020   // restrictive certificate list.
1021   //
1022   // TODO(davidben): When TLS 1.3 is finalized, we can likely remove the TLS 1.3
1023   // check both here and in signature_algorithms_cert. |hs->max_version| is not
1024   // the negotiated version. Rather the expectation is that any server consuming
1025   // signature algorithms added in TLS 1.3 will also know to look at
1026   // signature_algorithms_cert. For now, TLS 1.3 is not quite yet final and it
1027   // seems prudent to condition this new extension on it.
1028   bool for_certs = hs->max_version < TLS1_3_VERSION;
1029   CBB contents, sigalgs_cbb;
1030   if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
1031       !CBB_add_u16_length_prefixed(out, &contents) ||
1032       !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
1033       !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, for_certs) ||
1034       !CBB_flush(out)) {
1035     return false;
1036   }
1037 
1038   return true;
1039 }
1040 
ext_sigalgs_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1041 static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1042                                           CBS *contents) {
1043   hs->peer_sigalgs.Reset();
1044   if (contents == NULL) {
1045     return true;
1046   }
1047 
1048   CBS supported_signature_algorithms;
1049   if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) ||
1050       CBS_len(contents) != 0 ||
1051       !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
1052     return false;
1053   }
1054 
1055   return true;
1056 }
1057 
1058 
1059 // Signature Algorithms for Certificates.
1060 //
1061 // https://tools.ietf.org/html/rfc8446#section-4.2.3
1062 
ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1063 static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1064   SSL *const ssl = hs->ssl;
1065   // If this extension is omitted, it defaults to the signature_algorithms
1066   // extension, so only emit it if the list is different.
1067   //
1068   // This extension is also new in TLS 1.3, so omit it if TLS 1.3 is disabled.
1069   // There is a corresponding version check in |ext_sigalgs_add_clienthello|.
1070   if (hs->max_version < TLS1_3_VERSION ||
1071       !tls12_has_different_verify_sigalgs_for_certs(ssl)) {
1072     return true;
1073   }
1074 
1075   CBB contents, sigalgs_cbb;
1076   if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms_cert) ||
1077       !CBB_add_u16_length_prefixed(out, &contents) ||
1078       !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
1079       !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */) ||
1080       !CBB_flush(out)) {
1081     return false;
1082   }
1083 
1084   return true;
1085 }
1086 
1087 
1088 // OCSP Stapling.
1089 //
1090 // https://tools.ietf.org/html/rfc6066#section-8
1091 
ext_ocsp_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1092 static bool ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1093   if (!hs->config->ocsp_stapling_enabled) {
1094     return true;
1095   }
1096 
1097   CBB contents;
1098   if (!CBB_add_u16(out, TLSEXT_TYPE_status_request) ||
1099       !CBB_add_u16_length_prefixed(out, &contents) ||
1100       !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
1101       !CBB_add_u16(&contents, 0 /* empty responder ID list */) ||
1102       !CBB_add_u16(&contents, 0 /* empty request extensions */) ||
1103       !CBB_flush(out)) {
1104     return false;
1105   }
1106 
1107   return true;
1108 }
1109 
ext_ocsp_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1110 static bool ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1111                                        CBS *contents) {
1112   SSL *const ssl = hs->ssl;
1113   if (contents == NULL) {
1114     return true;
1115   }
1116 
1117   // TLS 1.3 OCSP responses are included in the Certificate extensions.
1118   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1119     return false;
1120   }
1121 
1122   // OCSP stapling is forbidden on non-certificate ciphers.
1123   if (CBS_len(contents) != 0 ||
1124       !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1125     return false;
1126   }
1127 
1128   // Note this does not check for resumption in TLS 1.2. Sending
1129   // status_request here does not make sense, but OpenSSL does so and the
1130   // specification does not say anything. Tolerate it but ignore it.
1131 
1132   hs->certificate_status_expected = true;
1133   return true;
1134 }
1135 
ext_ocsp_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1136 static bool ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1137                                        CBS *contents) {
1138   if (contents == NULL) {
1139     return true;
1140   }
1141 
1142   uint8_t status_type;
1143   if (!CBS_get_u8(contents, &status_type)) {
1144     return false;
1145   }
1146 
1147   // We cannot decide whether OCSP stapling will occur yet because the correct
1148   // SSL_CTX might not have been selected.
1149   hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
1150 
1151   return true;
1152 }
1153 
ext_ocsp_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1154 static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1155   SSL *const ssl = hs->ssl;
1156   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
1157       !hs->ocsp_stapling_requested || hs->config->cert->ocsp_response == NULL ||
1158       ssl->s3->session_reused ||
1159       !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1160     return true;
1161   }
1162 
1163   hs->certificate_status_expected = true;
1164 
1165   return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
1166          CBB_add_u16(out, 0 /* length */);
1167 }
1168 
1169 
1170 // Next protocol negotiation.
1171 //
1172 // https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html
1173 
ext_npn_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1174 static bool ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1175   SSL *const ssl = hs->ssl;
1176   if (ssl->s3->initial_handshake_complete ||
1177       ssl->ctx->next_proto_select_cb == NULL ||
1178       SSL_is_dtls(ssl)) {
1179     return true;
1180   }
1181 
1182   if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1183       !CBB_add_u16(out, 0 /* length */)) {
1184     return false;
1185   }
1186 
1187   return true;
1188 }
1189 
ext_npn_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1190 static bool ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1191                                       CBS *contents) {
1192   SSL *const ssl = hs->ssl;
1193   if (contents == NULL) {
1194     return true;
1195   }
1196 
1197   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1198     return false;
1199   }
1200 
1201   // If any of these are false then we should never have sent the NPN
1202   // extension in the ClientHello and thus this function should never have been
1203   // called.
1204   assert(!ssl->s3->initial_handshake_complete);
1205   assert(!SSL_is_dtls(ssl));
1206   assert(ssl->ctx->next_proto_select_cb != NULL);
1207 
1208   if (!ssl->s3->alpn_selected.empty()) {
1209     // NPN and ALPN may not be negotiated in the same connection.
1210     *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1211     OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1212     return false;
1213   }
1214 
1215   const uint8_t *const orig_contents = CBS_data(contents);
1216   const size_t orig_len = CBS_len(contents);
1217 
1218   while (CBS_len(contents) != 0) {
1219     CBS proto;
1220     if (!CBS_get_u8_length_prefixed(contents, &proto) ||
1221         CBS_len(&proto) == 0) {
1222       return false;
1223     }
1224   }
1225 
1226   uint8_t *selected;
1227   uint8_t selected_len;
1228   if (ssl->ctx->next_proto_select_cb(
1229           ssl, &selected, &selected_len, orig_contents, orig_len,
1230           ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK ||
1231       !ssl->s3->next_proto_negotiated.CopyFrom(
1232           MakeConstSpan(selected, selected_len))) {
1233     *out_alert = SSL_AD_INTERNAL_ERROR;
1234     return false;
1235   }
1236 
1237   hs->next_proto_neg_seen = true;
1238   return true;
1239 }
1240 
ext_npn_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1241 static bool ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1242                                       CBS *contents) {
1243   SSL *const ssl = hs->ssl;
1244   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1245     return true;
1246   }
1247 
1248   if (contents != NULL && CBS_len(contents) != 0) {
1249     return false;
1250   }
1251 
1252   if (contents == NULL ||
1253       ssl->s3->initial_handshake_complete ||
1254       ssl->ctx->next_protos_advertised_cb == NULL ||
1255       SSL_is_dtls(ssl)) {
1256     return true;
1257   }
1258 
1259   hs->next_proto_neg_seen = true;
1260   return true;
1261 }
1262 
ext_npn_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1263 static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1264   SSL *const ssl = hs->ssl;
1265   // |next_proto_neg_seen| might have been cleared when an ALPN extension was
1266   // parsed.
1267   if (!hs->next_proto_neg_seen) {
1268     return true;
1269   }
1270 
1271   const uint8_t *npa;
1272   unsigned npa_len;
1273 
1274   if (ssl->ctx->next_protos_advertised_cb(
1275           ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) !=
1276       SSL_TLSEXT_ERR_OK) {
1277     hs->next_proto_neg_seen = false;
1278     return true;
1279   }
1280 
1281   CBB contents;
1282   if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1283       !CBB_add_u16_length_prefixed(out, &contents) ||
1284       !CBB_add_bytes(&contents, npa, npa_len) ||
1285       !CBB_flush(out)) {
1286     return false;
1287   }
1288 
1289   return true;
1290 }
1291 
1292 
1293 // Signed certificate timestamps.
1294 //
1295 // https://tools.ietf.org/html/rfc6962#section-3.3.1
1296 
ext_sct_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1297 static bool ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1298   if (!hs->config->signed_cert_timestamps_enabled) {
1299     return true;
1300   }
1301 
1302   if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) ||
1303       !CBB_add_u16(out, 0 /* length */)) {
1304     return false;
1305   }
1306 
1307   return true;
1308 }
1309 
ext_sct_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1310 static bool ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1311                                       CBS *contents) {
1312   SSL *const ssl = hs->ssl;
1313   if (contents == NULL) {
1314     return true;
1315   }
1316 
1317   // TLS 1.3 SCTs are included in the Certificate extensions.
1318   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1319     *out_alert = SSL_AD_DECODE_ERROR;
1320     return false;
1321   }
1322 
1323   // If this is false then we should never have sent the SCT extension in the
1324   // ClientHello and thus this function should never have been called.
1325   assert(hs->config->signed_cert_timestamps_enabled);
1326 
1327   if (!ssl_is_sct_list_valid(contents)) {
1328     *out_alert = SSL_AD_DECODE_ERROR;
1329     return false;
1330   }
1331 
1332   // Session resumption uses the original session information. The extension
1333   // should not be sent on resumption, but RFC 6962 did not make it a
1334   // requirement, so tolerate this.
1335   //
1336   // TODO(davidben): Enforce this anyway.
1337   if (!ssl->s3->session_reused) {
1338     hs->new_session->signed_cert_timestamp_list.reset(
1339         CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool));
1340     if (hs->new_session->signed_cert_timestamp_list == nullptr) {
1341       *out_alert = SSL_AD_INTERNAL_ERROR;
1342       return false;
1343     }
1344   }
1345 
1346   return true;
1347 }
1348 
ext_sct_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1349 static bool ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1350                                       CBS *contents) {
1351   if (contents == NULL) {
1352     return true;
1353   }
1354 
1355   if (CBS_len(contents) != 0) {
1356     return false;
1357   }
1358 
1359   hs->scts_requested = true;
1360   return true;
1361 }
1362 
ext_sct_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1363 static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1364   SSL *const ssl = hs->ssl;
1365   // The extension shouldn't be sent when resuming sessions.
1366   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || ssl->s3->session_reused ||
1367       hs->config->cert->signed_cert_timestamp_list == NULL) {
1368     return true;
1369   }
1370 
1371   CBB contents;
1372   return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) &&
1373          CBB_add_u16_length_prefixed(out, &contents) &&
1374          CBB_add_bytes(
1375              &contents,
1376              CRYPTO_BUFFER_data(
1377                  hs->config->cert->signed_cert_timestamp_list.get()),
1378              CRYPTO_BUFFER_len(
1379                  hs->config->cert->signed_cert_timestamp_list.get())) &&
1380          CBB_flush(out);
1381 }
1382 
1383 
1384 // Application-level Protocol Negotiation.
1385 //
1386 // https://tools.ietf.org/html/rfc7301
1387 
ext_alpn_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1388 static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1389   SSL *const ssl = hs->ssl;
1390   if (hs->config->alpn_client_proto_list.empty() ||
1391       ssl->s3->initial_handshake_complete) {
1392     return true;
1393   }
1394 
1395   CBB contents, proto_list;
1396   if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1397       !CBB_add_u16_length_prefixed(out, &contents) ||
1398       !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1399       !CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(),
1400                      hs->config->alpn_client_proto_list.size()) ||
1401       !CBB_flush(out)) {
1402     return false;
1403   }
1404 
1405   return true;
1406 }
1407 
ext_alpn_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1408 static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1409                                        CBS *contents) {
1410   SSL *const ssl = hs->ssl;
1411   if (contents == NULL) {
1412     return true;
1413   }
1414 
1415   assert(!ssl->s3->initial_handshake_complete);
1416   assert(!hs->config->alpn_client_proto_list.empty());
1417 
1418   if (hs->next_proto_neg_seen) {
1419     // NPN and ALPN may not be negotiated in the same connection.
1420     *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1421     OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1422     return false;
1423   }
1424 
1425   // The extension data consists of a ProtocolNameList which must have
1426   // exactly one ProtocolName. Each of these is length-prefixed.
1427   CBS protocol_name_list, protocol_name;
1428   if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
1429       CBS_len(contents) != 0 ||
1430       !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
1431       // Empty protocol names are forbidden.
1432       CBS_len(&protocol_name) == 0 ||
1433       CBS_len(&protocol_name_list) != 0) {
1434     return false;
1435   }
1436 
1437   if (!ssl_is_alpn_protocol_allowed(hs, protocol_name)) {
1438     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1439     *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1440     return false;
1441   }
1442 
1443   if (!ssl->s3->alpn_selected.CopyFrom(protocol_name)) {
1444     *out_alert = SSL_AD_INTERNAL_ERROR;
1445     return false;
1446   }
1447 
1448   return true;
1449 }
1450 
ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE * hs,Span<const uint8_t> protocol)1451 bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
1452                                   Span<const uint8_t> protocol) {
1453   if (hs->config->alpn_client_proto_list.empty()) {
1454     return false;
1455   }
1456 
1457   if (hs->ssl->ctx->allow_unknown_alpn_protos) {
1458     return true;
1459   }
1460 
1461   // Check that the protocol name is one of the ones we advertised.
1462   CBS client_protocol_name_list =
1463           MakeConstSpan(hs->config->alpn_client_proto_list),
1464       client_protocol_name;
1465   while (CBS_len(&client_protocol_name_list) > 0) {
1466     if (!CBS_get_u8_length_prefixed(&client_protocol_name_list,
1467                                     &client_protocol_name)) {
1468       return false;
1469     }
1470 
1471     if (client_protocol_name == protocol) {
1472       return true;
1473     }
1474   }
1475 
1476   return false;
1477 }
1478 
ssl_negotiate_alpn(SSL_HANDSHAKE * hs,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello)1479 bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1480                         const SSL_CLIENT_HELLO *client_hello) {
1481   SSL *const ssl = hs->ssl;
1482   CBS contents;
1483   if (ssl->ctx->alpn_select_cb == NULL ||
1484       !ssl_client_hello_get_extension(
1485           client_hello, &contents,
1486           TLSEXT_TYPE_application_layer_protocol_negotiation)) {
1487     // Ignore ALPN if not configured or no extension was supplied.
1488     return true;
1489   }
1490 
1491   // ALPN takes precedence over NPN.
1492   hs->next_proto_neg_seen = false;
1493 
1494   CBS protocol_name_list;
1495   if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
1496       CBS_len(&contents) != 0 ||
1497       CBS_len(&protocol_name_list) < 2) {
1498     OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1499     *out_alert = SSL_AD_DECODE_ERROR;
1500     return false;
1501   }
1502 
1503   // Validate the protocol list.
1504   CBS protocol_name_list_copy = protocol_name_list;
1505   while (CBS_len(&protocol_name_list_copy) > 0) {
1506     CBS protocol_name;
1507 
1508     if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
1509         // Empty protocol names are forbidden.
1510         CBS_len(&protocol_name) == 0) {
1511       OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1512       *out_alert = SSL_AD_DECODE_ERROR;
1513       return false;
1514     }
1515   }
1516 
1517   const uint8_t *selected;
1518   uint8_t selected_len;
1519   if (ssl->ctx->alpn_select_cb(
1520           ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
1521           CBS_len(&protocol_name_list),
1522           ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) {
1523     if (selected_len == 0) {
1524       OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1525       *out_alert = SSL_AD_INTERNAL_ERROR;
1526       return false;
1527     }
1528     if (!ssl->s3->alpn_selected.CopyFrom(
1529             MakeConstSpan(selected, selected_len))) {
1530       *out_alert = SSL_AD_INTERNAL_ERROR;
1531       return false;
1532     }
1533   }
1534 
1535   return true;
1536 }
1537 
ext_alpn_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1538 static bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1539   SSL *const ssl = hs->ssl;
1540   if (ssl->s3->alpn_selected.empty()) {
1541     return true;
1542   }
1543 
1544   CBB contents, proto_list, proto;
1545   if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1546       !CBB_add_u16_length_prefixed(out, &contents) ||
1547       !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1548       !CBB_add_u8_length_prefixed(&proto_list, &proto) ||
1549       !CBB_add_bytes(&proto, ssl->s3->alpn_selected.data(),
1550                      ssl->s3->alpn_selected.size()) ||
1551       !CBB_flush(out)) {
1552     return false;
1553   }
1554 
1555   return true;
1556 }
1557 
1558 
1559 // Channel ID.
1560 //
1561 // https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1562 
ext_channel_id_init(SSL_HANDSHAKE * hs)1563 static void ext_channel_id_init(SSL_HANDSHAKE *hs) {
1564   hs->ssl->s3->channel_id_valid = false;
1565 }
1566 
ext_channel_id_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1567 static bool ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1568   SSL *const ssl = hs->ssl;
1569   if (!hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {
1570     return true;
1571   }
1572 
1573   if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1574       !CBB_add_u16(out, 0 /* length */)) {
1575     return false;
1576   }
1577 
1578   return true;
1579 }
1580 
ext_channel_id_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1581 static bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,
1582                                              uint8_t *out_alert,
1583                                              CBS *contents) {
1584   SSL *const ssl = hs->ssl;
1585   if (contents == NULL) {
1586     return true;
1587   }
1588 
1589   assert(!SSL_is_dtls(ssl));
1590   assert(hs->config->channel_id_enabled);
1591 
1592   if (CBS_len(contents) != 0) {
1593     return false;
1594   }
1595 
1596   ssl->s3->channel_id_valid = true;
1597   return true;
1598 }
1599 
ext_channel_id_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1600 static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
1601                                              uint8_t *out_alert,
1602                                              CBS *contents) {
1603   SSL *const ssl = hs->ssl;
1604   if (contents == NULL || !hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {
1605     return true;
1606   }
1607 
1608   if (CBS_len(contents) != 0) {
1609     return false;
1610   }
1611 
1612   ssl->s3->channel_id_valid = true;
1613   return true;
1614 }
1615 
ext_channel_id_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1616 static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1617   SSL *const ssl = hs->ssl;
1618   if (!ssl->s3->channel_id_valid) {
1619     return true;
1620   }
1621 
1622   if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1623       !CBB_add_u16(out, 0 /* length */)) {
1624     return false;
1625   }
1626 
1627   return true;
1628 }
1629 
1630 
1631 // Secure Real-time Transport Protocol (SRTP) extension.
1632 //
1633 // https://tools.ietf.org/html/rfc5764
1634 
1635 
ext_srtp_init(SSL_HANDSHAKE * hs)1636 static void ext_srtp_init(SSL_HANDSHAKE *hs) {
1637   hs->ssl->s3->srtp_profile = NULL;
1638 }
1639 
ext_srtp_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1640 static bool ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1641   SSL *const ssl = hs->ssl;
1642   STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1643   if (profiles == NULL ||
1644       sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0) {
1645     return true;
1646   }
1647 
1648   CBB contents, profile_ids;
1649   if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1650       !CBB_add_u16_length_prefixed(out, &contents) ||
1651       !CBB_add_u16_length_prefixed(&contents, &profile_ids)) {
1652     return false;
1653   }
1654 
1655   for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1656     if (!CBB_add_u16(&profile_ids, profile->id)) {
1657       return false;
1658     }
1659   }
1660 
1661   if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) ||
1662       !CBB_flush(out)) {
1663     return false;
1664   }
1665 
1666   return true;
1667 }
1668 
ext_srtp_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1669 static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1670                                        CBS *contents) {
1671   SSL *const ssl = hs->ssl;
1672   if (contents == NULL) {
1673     return true;
1674   }
1675 
1676   // The extension consists of a u16-prefixed profile ID list containing a
1677   // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
1678   //
1679   // See https://tools.ietf.org/html/rfc5764#section-4.1.1
1680   CBS profile_ids, srtp_mki;
1681   uint16_t profile_id;
1682   if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1683       !CBS_get_u16(&profile_ids, &profile_id) ||
1684       CBS_len(&profile_ids) != 0 ||
1685       !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1686       CBS_len(contents) != 0) {
1687     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1688     return false;
1689   }
1690 
1691   if (CBS_len(&srtp_mki) != 0) {
1692     // Must be no MKI, since we never offer one.
1693     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);
1694     *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1695     return false;
1696   }
1697 
1698   STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1699 
1700   // Check to see if the server gave us something we support (and presumably
1701   // offered).
1702   for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1703     if (profile->id == profile_id) {
1704       ssl->s3->srtp_profile = profile;
1705       return true;
1706     }
1707   }
1708 
1709   OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1710   *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1711   return false;
1712 }
1713 
ext_srtp_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1714 static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1715                                        CBS *contents) {
1716   SSL *const ssl = hs->ssl;
1717   if (contents == NULL) {
1718     return true;
1719   }
1720 
1721   CBS profile_ids, srtp_mki;
1722   if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1723       CBS_len(&profile_ids) < 2 ||
1724       !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1725       CBS_len(contents) != 0) {
1726     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1727     return false;
1728   }
1729   // Discard the MKI value for now.
1730 
1731   const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =
1732       SSL_get_srtp_profiles(ssl);
1733 
1734   // Pick the server's most preferred profile.
1735   for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) {
1736     CBS profile_ids_tmp;
1737     CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids));
1738 
1739     while (CBS_len(&profile_ids_tmp) > 0) {
1740       uint16_t profile_id;
1741       if (!CBS_get_u16(&profile_ids_tmp, &profile_id)) {
1742         return false;
1743       }
1744 
1745       if (server_profile->id == profile_id) {
1746         ssl->s3->srtp_profile = server_profile;
1747         return true;
1748       }
1749     }
1750   }
1751 
1752   return true;
1753 }
1754 
ext_srtp_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1755 static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1756   SSL *const ssl = hs->ssl;
1757   if (ssl->s3->srtp_profile == NULL) {
1758     return true;
1759   }
1760 
1761   CBB contents, profile_ids;
1762   if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1763       !CBB_add_u16_length_prefixed(out, &contents) ||
1764       !CBB_add_u16_length_prefixed(&contents, &profile_ids) ||
1765       !CBB_add_u16(&profile_ids, ssl->s3->srtp_profile->id) ||
1766       !CBB_add_u8(&contents, 0 /* empty MKI */) ||
1767       !CBB_flush(out)) {
1768     return false;
1769   }
1770 
1771   return true;
1772 }
1773 
1774 
1775 // EC point formats.
1776 //
1777 // https://tools.ietf.org/html/rfc4492#section-5.1.2
1778 
ext_ec_point_add_extension(SSL_HANDSHAKE * hs,CBB * out)1779 static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
1780   CBB contents, formats;
1781   if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) ||
1782       !CBB_add_u16_length_prefixed(out, &contents) ||
1783       !CBB_add_u8_length_prefixed(&contents, &formats) ||
1784       !CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) ||
1785       !CBB_flush(out)) {
1786     return false;
1787   }
1788 
1789   return true;
1790 }
1791 
ext_ec_point_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1792 static bool ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1793   // The point format extension is unneccessary in TLS 1.3.
1794   if (hs->min_version >= TLS1_3_VERSION) {
1795     return true;
1796   }
1797 
1798   return ext_ec_point_add_extension(hs, out);
1799 }
1800 
ext_ec_point_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1801 static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1802                                            CBS *contents) {
1803   if (contents == NULL) {
1804     return true;
1805   }
1806 
1807   if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1808     return false;
1809   }
1810 
1811   CBS ec_point_format_list;
1812   if (!CBS_get_u8_length_prefixed(contents, &ec_point_format_list) ||
1813       CBS_len(contents) != 0) {
1814     return false;
1815   }
1816 
1817   // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
1818   // point format.
1819   if (OPENSSL_memchr(CBS_data(&ec_point_format_list),
1820                      TLSEXT_ECPOINTFORMAT_uncompressed,
1821                      CBS_len(&ec_point_format_list)) == NULL) {
1822     *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1823     return false;
1824   }
1825 
1826   return true;
1827 }
1828 
ext_ec_point_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1829 static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1830                                           CBS *contents) {
1831   if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1832     return true;
1833   }
1834 
1835   return ext_ec_point_parse_serverhello(hs, out_alert, contents);
1836 }
1837 
ext_ec_point_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1838 static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1839   SSL *const ssl = hs->ssl;
1840   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1841     return true;
1842   }
1843 
1844   const uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1845   const uint32_t alg_a = hs->new_cipher->algorithm_auth;
1846   const bool using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1847 
1848   if (!using_ecc) {
1849     return true;
1850   }
1851 
1852   return ext_ec_point_add_extension(hs, out);
1853 }
1854 
1855 
1856 // Pre Shared Key
1857 //
1858 // https://tools.ietf.org/html/rfc8446#section-4.2.11
1859 
ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE * hs)1860 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
1861   SSL *const ssl = hs->ssl;
1862   if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
1863       ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
1864     return 0;
1865   }
1866 
1867   size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
1868   return 15 + ssl->session->ticket.size() + binder_len;
1869 }
1870 
ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1871 static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1872   SSL *const ssl = hs->ssl;
1873   hs->needs_psk_binder = false;
1874   if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
1875       ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
1876     return true;
1877   }
1878 
1879   // Per RFC 8446 section 4.1.4, skip offering the session if the selected
1880   // cipher in HelloRetryRequest does not match. This avoids performing the
1881   // transcript hash transformation for multiple hashes.
1882   if (hs->received_hello_retry_request &&
1883       ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
1884     return true;
1885   }
1886 
1887   struct OPENSSL_timeval now;
1888   ssl_get_current_time(ssl, &now);
1889   uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time);
1890   uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add;
1891 
1892   // Fill in a placeholder zero binder of the appropriate length. It will be
1893   // computed and filled in later after length prefixes are computed.
1894   uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
1895   size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
1896 
1897   CBB contents, identity, ticket, binders, binder;
1898   if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1899       !CBB_add_u16_length_prefixed(out, &contents) ||
1900       !CBB_add_u16_length_prefixed(&contents, &identity) ||
1901       !CBB_add_u16_length_prefixed(&identity, &ticket) ||
1902       !CBB_add_bytes(&ticket, ssl->session->ticket.data(),
1903                      ssl->session->ticket.size()) ||
1904       !CBB_add_u32(&identity, obfuscated_ticket_age) ||
1905       !CBB_add_u16_length_prefixed(&contents, &binders) ||
1906       !CBB_add_u8_length_prefixed(&binders, &binder) ||
1907       !CBB_add_bytes(&binder, zero_binder, binder_len)) {
1908     return false;
1909   }
1910 
1911   hs->needs_psk_binder = true;
1912   return CBB_flush(out);
1913 }
1914 
ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1915 bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
1916                                               uint8_t *out_alert,
1917                                               CBS *contents) {
1918   uint16_t psk_id;
1919   if (!CBS_get_u16(contents, &psk_id) ||
1920       CBS_len(contents) != 0) {
1921     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1922     *out_alert = SSL_AD_DECODE_ERROR;
1923     return false;
1924   }
1925 
1926   // We only advertise one PSK identity, so the only legal index is zero.
1927   if (psk_id != 0) {
1928     OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1929     *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY;
1930     return false;
1931   }
1932 
1933   return true;
1934 }
1935 
ssl_ext_pre_shared_key_parse_clienthello(SSL_HANDSHAKE * hs,CBS * out_ticket,CBS * out_binders,uint32_t * out_obfuscated_ticket_age,uint8_t * out_alert,CBS * contents)1936 bool ssl_ext_pre_shared_key_parse_clienthello(
1937     SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,
1938     uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents) {
1939   // We only process the first PSK identity since we don't support pure PSK.
1940   CBS identities, binders;
1941   if (!CBS_get_u16_length_prefixed(contents, &identities) ||
1942       !CBS_get_u16_length_prefixed(&identities, out_ticket) ||
1943       !CBS_get_u32(&identities, out_obfuscated_ticket_age) ||
1944       !CBS_get_u16_length_prefixed(contents, &binders) ||
1945       CBS_len(&binders) == 0 ||
1946       CBS_len(contents) != 0) {
1947     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1948     *out_alert = SSL_AD_DECODE_ERROR;
1949     return false;
1950   }
1951 
1952   *out_binders = binders;
1953 
1954   // Check the syntax of the remaining identities, but do not process them.
1955   size_t num_identities = 1;
1956   while (CBS_len(&identities) != 0) {
1957     CBS unused_ticket;
1958     uint32_t unused_obfuscated_ticket_age;
1959     if (!CBS_get_u16_length_prefixed(&identities, &unused_ticket) ||
1960         !CBS_get_u32(&identities, &unused_obfuscated_ticket_age)) {
1961       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1962       *out_alert = SSL_AD_DECODE_ERROR;
1963       return false;
1964     }
1965 
1966     num_identities++;
1967   }
1968 
1969   // Check the syntax of the binders. The value will be checked later if
1970   // resuming.
1971   size_t num_binders = 0;
1972   while (CBS_len(&binders) != 0) {
1973     CBS binder;
1974     if (!CBS_get_u8_length_prefixed(&binders, &binder)) {
1975       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1976       *out_alert = SSL_AD_DECODE_ERROR;
1977       return false;
1978     }
1979 
1980     num_binders++;
1981   }
1982 
1983   if (num_identities != num_binders) {
1984     OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH);
1985     *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1986     return false;
1987   }
1988 
1989   return true;
1990 }
1991 
ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1992 bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1993   if (!hs->ssl->s3->session_reused) {
1994     return true;
1995   }
1996 
1997   CBB contents;
1998   if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1999       !CBB_add_u16_length_prefixed(out, &contents) ||
2000       // We only consider the first identity for resumption
2001       !CBB_add_u16(&contents, 0) ||
2002       !CBB_flush(out)) {
2003     return false;
2004   }
2005 
2006   return true;
2007 }
2008 
2009 
2010 // Pre-Shared Key Exchange Modes
2011 //
2012 // https://tools.ietf.org/html/rfc8446#section-4.2.9
2013 
ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2014 static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
2015                                                        CBB *out) {
2016   if (hs->max_version < TLS1_3_VERSION) {
2017     return true;
2018   }
2019 
2020   CBB contents, ke_modes;
2021   if (!CBB_add_u16(out, TLSEXT_TYPE_psk_key_exchange_modes) ||
2022       !CBB_add_u16_length_prefixed(out, &contents) ||
2023       !CBB_add_u8_length_prefixed(&contents, &ke_modes) ||
2024       !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) {
2025     return false;
2026   }
2027 
2028   return CBB_flush(out);
2029 }
2030 
ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2031 static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
2032                                                          uint8_t *out_alert,
2033                                                          CBS *contents) {
2034   if (contents == NULL) {
2035     return true;
2036   }
2037 
2038   CBS ke_modes;
2039   if (!CBS_get_u8_length_prefixed(contents, &ke_modes) ||
2040       CBS_len(&ke_modes) == 0 ||
2041       CBS_len(contents) != 0) {
2042     *out_alert = SSL_AD_DECODE_ERROR;
2043     return false;
2044   }
2045 
2046   // We only support tickets with PSK_DHE_KE.
2047   hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE,
2048                                        CBS_len(&ke_modes)) != NULL;
2049 
2050   return true;
2051 }
2052 
2053 
2054 // Early Data Indication
2055 //
2056 // https://tools.ietf.org/html/rfc8446#section-4.2.10
2057 
ext_early_data_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2058 static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2059   SSL *const ssl = hs->ssl;
2060   if (!ssl->enable_early_data ||
2061       // Session must be 0-RTT capable.
2062       ssl->session == nullptr ||
2063       ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
2064       ssl->session->ticket_max_early_data == 0 ||
2065       // The second ClientHello never offers early data.
2066       hs->received_hello_retry_request ||
2067       // In case ALPN preferences changed since this session was established,
2068       // avoid reporting a confusing value in |SSL_get0_alpn_selected|.
2069       (!ssl->session->early_alpn.empty() &&
2070        !ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn))) {
2071     return true;
2072   }
2073 
2074   hs->early_data_offered = true;
2075 
2076   if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2077       !CBB_add_u16(out, 0) ||
2078       !CBB_flush(out)) {
2079     return false;
2080   }
2081 
2082   return true;
2083 }
2084 
ext_early_data_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2085 static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
2086                                              uint8_t *out_alert, CBS *contents) {
2087   SSL *const ssl = hs->ssl;
2088   if (contents == NULL) {
2089     return true;
2090   }
2091 
2092   if (CBS_len(contents) != 0) {
2093     *out_alert = SSL_AD_DECODE_ERROR;
2094     return false;
2095   }
2096 
2097   if (!ssl->s3->session_reused) {
2098     *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2099     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
2100     return false;
2101   }
2102 
2103   ssl->s3->early_data_accepted = true;
2104   return true;
2105 }
2106 
ext_early_data_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2107 static bool ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs,
2108                                              uint8_t *out_alert, CBS *contents) {
2109   SSL *const ssl = hs->ssl;
2110   if (contents == NULL ||
2111       ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2112     return true;
2113   }
2114 
2115   if (CBS_len(contents) != 0) {
2116     *out_alert = SSL_AD_DECODE_ERROR;
2117     return false;
2118   }
2119 
2120   hs->early_data_offered = true;
2121   return true;
2122 }
2123 
ext_early_data_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2124 static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2125   if (!hs->ssl->s3->early_data_accepted) {
2126     return true;
2127   }
2128 
2129   if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2130       !CBB_add_u16(out, 0) ||
2131       !CBB_flush(out)) {
2132     return false;
2133   }
2134 
2135   return true;
2136 }
2137 
2138 
2139 // Key Share
2140 //
2141 // https://tools.ietf.org/html/rfc8446#section-4.2.8
2142 
ext_key_share_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2143 static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2144   SSL *const ssl = hs->ssl;
2145   if (hs->max_version < TLS1_3_VERSION) {
2146     return true;
2147   }
2148 
2149   CBB contents, kse_bytes;
2150   if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2151       !CBB_add_u16_length_prefixed(out, &contents) ||
2152       !CBB_add_u16_length_prefixed(&contents, &kse_bytes)) {
2153     return false;
2154   }
2155 
2156   uint16_t group_id = hs->retry_group;
2157   uint16_t second_group_id = 0;
2158   if (hs->received_hello_retry_request) {
2159     // We received a HelloRetryRequest without a new curve, so there is no new
2160     // share to append. Leave |hs->key_share| as-is.
2161     if (group_id == 0 &&
2162         !CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(),
2163                        hs->key_share_bytes.size())) {
2164       return false;
2165     }
2166     hs->key_share_bytes.Reset();
2167     if (group_id == 0) {
2168       return CBB_flush(out);
2169     }
2170   } else {
2171     // Add a fake group. See draft-davidben-tls-grease-01.
2172     if (ssl->ctx->grease_enabled &&
2173         (!CBB_add_u16(&kse_bytes,
2174                       ssl_get_grease_value(hs, ssl_grease_group)) ||
2175          !CBB_add_u16(&kse_bytes, 1 /* length */) ||
2176          !CBB_add_u8(&kse_bytes, 0 /* one byte key share */))) {
2177       return false;
2178     }
2179 
2180     // Predict the most preferred group.
2181     Span<const uint16_t> groups = tls1_get_grouplist(hs);
2182     if (groups.empty()) {
2183       OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED);
2184       return false;
2185     }
2186 
2187     group_id = groups[0];
2188 
2189     if (group_id == SSL_CURVE_CECPQ2 && groups.size() >= 2) {
2190       // CECPQ2 is not sent as the only initial key share. We'll include the
2191       // 2nd preference group too to avoid round-trips.
2192       second_group_id = groups[1];
2193       assert(second_group_id != group_id);
2194     }
2195   }
2196 
2197   CBB key_exchange;
2198   hs->key_shares[0] = SSLKeyShare::Create(group_id);
2199   if (!hs->key_shares[0] ||
2200       !CBB_add_u16(&kse_bytes, group_id) ||
2201       !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2202       !hs->key_shares[0]->Offer(&key_exchange) ||
2203       !CBB_flush(&kse_bytes)) {
2204     return false;
2205   }
2206 
2207   if (second_group_id != 0) {
2208     hs->key_shares[1] = SSLKeyShare::Create(second_group_id);
2209     if (!hs->key_shares[1] ||
2210         !CBB_add_u16(&kse_bytes, second_group_id) ||
2211         !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2212         !hs->key_shares[1]->Offer(&key_exchange) ||
2213         !CBB_flush(&kse_bytes)) {
2214       return false;
2215     }
2216   }
2217 
2218   // Save the contents of the extension to repeat it in the second
2219   // ClientHello.
2220   if (!hs->received_hello_retry_request &&
2221       !hs->key_share_bytes.CopyFrom(
2222           MakeConstSpan(CBB_data(&kse_bytes), CBB_len(&kse_bytes)))) {
2223     return false;
2224   }
2225 
2226   return CBB_flush(out);
2227 }
2228 
ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE * hs,Array<uint8_t> * out_secret,uint8_t * out_alert,CBS * contents)2229 bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
2230                                          Array<uint8_t> *out_secret,
2231                                          uint8_t *out_alert, CBS *contents) {
2232   CBS peer_key;
2233   uint16_t group_id;
2234   if (!CBS_get_u16(contents, &group_id) ||
2235       !CBS_get_u16_length_prefixed(contents, &peer_key) ||
2236       CBS_len(contents) != 0) {
2237     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2238     *out_alert = SSL_AD_DECODE_ERROR;
2239     return false;
2240   }
2241 
2242   SSLKeyShare *key_share = hs->key_shares[0].get();
2243   if (key_share->GroupID() != group_id) {
2244     if (!hs->key_shares[1] || hs->key_shares[1]->GroupID() != group_id) {
2245       *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2246       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
2247       return false;
2248     }
2249     key_share = hs->key_shares[1].get();
2250   }
2251 
2252   if (!key_share->Finish(out_secret, out_alert, peer_key)) {
2253     *out_alert = SSL_AD_INTERNAL_ERROR;
2254     return false;
2255   }
2256 
2257   hs->new_session->group_id = group_id;
2258   hs->key_shares[0].reset();
2259   hs->key_shares[1].reset();
2260   return true;
2261 }
2262 
ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE * hs,bool * out_found,Array<uint8_t> * out_secret,uint8_t * out_alert,CBS * contents)2263 bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
2264                                          Array<uint8_t> *out_secret,
2265                                          uint8_t *out_alert, CBS *contents) {
2266   uint16_t group_id;
2267   CBS key_shares;
2268   if (!tls1_get_shared_group(hs, &group_id)) {
2269     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
2270     *out_alert = SSL_AD_HANDSHAKE_FAILURE;
2271     return false;
2272   }
2273 
2274   if (!CBS_get_u16_length_prefixed(contents, &key_shares) ||
2275       CBS_len(contents) != 0) {
2276     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2277     return false;
2278   }
2279 
2280   // Find the corresponding key share.
2281   CBS peer_key;
2282   CBS_init(&peer_key, NULL, 0);
2283   while (CBS_len(&key_shares) > 0) {
2284     uint16_t id;
2285     CBS peer_key_tmp;
2286     if (!CBS_get_u16(&key_shares, &id) ||
2287         !CBS_get_u16_length_prefixed(&key_shares, &peer_key_tmp) ||
2288         CBS_len(&peer_key_tmp) == 0) {
2289       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2290       return false;
2291     }
2292 
2293     if (id == group_id) {
2294       if (CBS_len(&peer_key) != 0) {
2295         OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_KEY_SHARE);
2296         *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2297         return false;
2298       }
2299 
2300       peer_key = peer_key_tmp;
2301       // Continue parsing the structure to keep peers honest.
2302     }
2303   }
2304 
2305   if (CBS_len(&peer_key) == 0) {
2306     *out_found = false;
2307     out_secret->Reset();
2308     return true;
2309   }
2310 
2311   // Compute the DH secret.
2312   Array<uint8_t> secret;
2313   ScopedCBB public_key;
2314   UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
2315   if (!key_share ||
2316       !CBB_init(public_key.get(), 32) ||
2317       !key_share->Accept(public_key.get(), &secret, out_alert, peer_key) ||
2318       !CBBFinishArray(public_key.get(), &hs->ecdh_public_key)) {
2319     *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2320     return false;
2321   }
2322 
2323   *out_secret = std::move(secret);
2324   *out_found = true;
2325   return true;
2326 }
2327 
ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2328 bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2329   uint16_t group_id;
2330   CBB kse_bytes, public_key;
2331   if (!tls1_get_shared_group(hs, &group_id) ||
2332       !CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2333       !CBB_add_u16_length_prefixed(out, &kse_bytes) ||
2334       !CBB_add_u16(&kse_bytes, group_id) ||
2335       !CBB_add_u16_length_prefixed(&kse_bytes, &public_key) ||
2336       !CBB_add_bytes(&public_key, hs->ecdh_public_key.data(),
2337                      hs->ecdh_public_key.size()) ||
2338       !CBB_flush(out)) {
2339     return false;
2340   }
2341 
2342   hs->ecdh_public_key.Reset();
2343 
2344   hs->new_session->group_id = group_id;
2345   return true;
2346 }
2347 
2348 
2349 // Supported Versions
2350 //
2351 // https://tools.ietf.org/html/rfc8446#section-4.2.1
2352 
ext_supported_versions_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2353 static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2354   SSL *const ssl = hs->ssl;
2355   if (hs->max_version <= TLS1_2_VERSION) {
2356     return true;
2357   }
2358 
2359   CBB contents, versions;
2360   if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
2361       !CBB_add_u16_length_prefixed(out, &contents) ||
2362       !CBB_add_u8_length_prefixed(&contents, &versions)) {
2363     return false;
2364   }
2365 
2366   // Add a fake version. See draft-davidben-tls-grease-01.
2367   if (ssl->ctx->grease_enabled &&
2368       !CBB_add_u16(&versions, ssl_get_grease_value(hs, ssl_grease_version))) {
2369     return false;
2370   }
2371 
2372   if (!ssl_add_supported_versions(hs, &versions) ||
2373       !CBB_flush(out)) {
2374     return false;
2375   }
2376 
2377   return true;
2378 }
2379 
2380 
2381 // Cookie
2382 //
2383 // https://tools.ietf.org/html/rfc8446#section-4.2.2
2384 
ext_cookie_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2385 static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2386   if (hs->cookie.empty()) {
2387     return true;
2388   }
2389 
2390   CBB contents, cookie;
2391   if (!CBB_add_u16(out, TLSEXT_TYPE_cookie) ||
2392       !CBB_add_u16_length_prefixed(out, &contents) ||
2393       !CBB_add_u16_length_prefixed(&contents, &cookie) ||
2394       !CBB_add_bytes(&cookie, hs->cookie.data(), hs->cookie.size()) ||
2395       !CBB_flush(out)) {
2396     return false;
2397   }
2398 
2399   // The cookie is no longer needed in memory.
2400   hs->cookie.Reset();
2401   return true;
2402 }
2403 
2404 
2405 // Supported Groups
2406 //
2407 // https://tools.ietf.org/html/rfc4492#section-5.1.1
2408 // https://tools.ietf.org/html/rfc8446#section-4.2.7
2409 
ext_supported_groups_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2410 static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2411   SSL *const ssl = hs->ssl;
2412   CBB contents, groups_bytes;
2413   if (!CBB_add_u16(out, TLSEXT_TYPE_supported_groups) ||
2414       !CBB_add_u16_length_prefixed(out, &contents) ||
2415       !CBB_add_u16_length_prefixed(&contents, &groups_bytes)) {
2416     return false;
2417   }
2418 
2419   // Add a fake group. See draft-davidben-tls-grease-01.
2420   if (ssl->ctx->grease_enabled &&
2421       !CBB_add_u16(&groups_bytes,
2422                    ssl_get_grease_value(hs, ssl_grease_group))) {
2423     return false;
2424   }
2425 
2426   for (uint16_t group : tls1_get_grouplist(hs)) {
2427     if (group == SSL_CURVE_CECPQ2 &&
2428         hs->max_version < TLS1_3_VERSION) {
2429       continue;
2430     }
2431     if (!CBB_add_u16(&groups_bytes, group)) {
2432       return false;
2433     }
2434   }
2435 
2436   return CBB_flush(out);
2437 }
2438 
ext_supported_groups_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2439 static bool ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
2440                                                    uint8_t *out_alert,
2441                                                    CBS *contents) {
2442   // This extension is not expected to be echoed by servers in TLS 1.2, but some
2443   // BigIP servers send it nonetheless, so do not enforce this.
2444   return true;
2445 }
2446 
parse_u16_array(const CBS * cbs,Array<uint16_t> * out)2447 static bool parse_u16_array(const CBS *cbs, Array<uint16_t> *out) {
2448   CBS copy = *cbs;
2449   if ((CBS_len(&copy) & 1) != 0) {
2450     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2451     return false;
2452   }
2453 
2454   Array<uint16_t> ret;
2455   if (!ret.Init(CBS_len(&copy) / 2)) {
2456     return false;
2457   }
2458   for (size_t i = 0; i < ret.size(); i++) {
2459     if (!CBS_get_u16(&copy, &ret[i])) {
2460       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2461       return false;
2462     }
2463   }
2464 
2465   assert(CBS_len(&copy) == 0);
2466   *out = std::move(ret);
2467   return 1;
2468 }
2469 
ext_supported_groups_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2470 static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,
2471                                                   uint8_t *out_alert,
2472                                                    CBS *contents) {
2473   if (contents == NULL) {
2474     return true;
2475   }
2476 
2477   CBS supported_group_list;
2478   if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) ||
2479       CBS_len(&supported_group_list) == 0 ||
2480       CBS_len(contents) != 0 ||
2481       !parse_u16_array(&supported_group_list, &hs->peer_supported_group_list)) {
2482     return false;
2483   }
2484 
2485   return true;
2486 }
2487 
2488 // Token Binding
2489 //
2490 // https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-10
2491 
2492 // The Token Binding version number currently matches the draft number of
2493 // draft-ietf-tokbind-protocol, and when published as an RFC it will be 0x0100.
2494 // Since there are no wire changes to the protocol from draft 13 through the
2495 // current draft (16), this implementation supports all versions in that range.
2496 static uint16_t kTokenBindingMaxVersion = 16;
2497 static uint16_t kTokenBindingMinVersion = 13;
2498 
ext_token_binding_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2499 static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2500   SSL *const ssl = hs->ssl;
2501   if (hs->config->token_binding_params.empty() || SSL_is_dtls(ssl)) {
2502     return true;
2503   }
2504 
2505   CBB contents, params;
2506   if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2507       !CBB_add_u16_length_prefixed(out, &contents) ||
2508       !CBB_add_u16(&contents, kTokenBindingMaxVersion) ||
2509       !CBB_add_u8_length_prefixed(&contents, &params) ||
2510       !CBB_add_bytes(&params, hs->config->token_binding_params.data(),
2511                      hs->config->token_binding_params.size()) ||
2512       !CBB_flush(out)) {
2513     return false;
2514   }
2515 
2516   return true;
2517 }
2518 
ext_token_binding_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2519 static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs,
2520                                                 uint8_t *out_alert,
2521                                                 CBS *contents) {
2522   SSL *const ssl = hs->ssl;
2523   if (contents == nullptr) {
2524     return true;
2525   }
2526 
2527   CBS params_list;
2528   uint16_t version;
2529   uint8_t param;
2530   if (!CBS_get_u16(contents, &version) ||
2531       !CBS_get_u8_length_prefixed(contents, &params_list) ||
2532       !CBS_get_u8(&params_list, &param) ||
2533       CBS_len(&params_list) > 0 ||
2534       CBS_len(contents) > 0) {
2535     *out_alert = SSL_AD_DECODE_ERROR;
2536     return false;
2537   }
2538 
2539   // The server-negotiated version must be less than or equal to our version.
2540   if (version > kTokenBindingMaxVersion) {
2541     *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2542     return false;
2543   }
2544 
2545   // If the server-selected version is less than what we support, then Token
2546   // Binding wasn't negotiated (but the extension was parsed successfully).
2547   if (version < kTokenBindingMinVersion) {
2548     return true;
2549   }
2550 
2551   for (uint8_t config_param : hs->config->token_binding_params) {
2552     if (param == config_param) {
2553       ssl->s3->negotiated_token_binding_param = param;
2554       ssl->s3->token_binding_negotiated = true;
2555       return true;
2556     }
2557   }
2558 
2559   *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2560   return false;
2561 }
2562 
2563 // select_tb_param looks for the first token binding param in
2564 // |hs->ssl->token_binding_params| that is also in |params| and puts it in
2565 // |hs->ssl->negotiated_token_binding_param|. It returns true if a token binding
2566 // param is found, and false otherwise.
select_tb_param(SSL_HANDSHAKE * hs,Span<const uint8_t> peer_params)2567 static bool select_tb_param(SSL_HANDSHAKE *hs,
2568                             Span<const uint8_t> peer_params) {
2569   for (uint8_t tb_param : hs->config->token_binding_params) {
2570     for (uint8_t peer_param : peer_params) {
2571       if (tb_param == peer_param) {
2572         hs->ssl->s3->negotiated_token_binding_param = tb_param;
2573         return true;
2574       }
2575     }
2576   }
2577   return false;
2578 }
2579 
ext_token_binding_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2580 static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs,
2581                                                 uint8_t *out_alert,
2582                                                 CBS *contents) {
2583   SSL *const ssl = hs->ssl;
2584   if (contents == nullptr || hs->config->token_binding_params.empty()) {
2585     return true;
2586   }
2587 
2588   CBS params;
2589   uint16_t version;
2590   if (!CBS_get_u16(contents, &version) ||
2591       !CBS_get_u8_length_prefixed(contents, &params) ||
2592       CBS_len(&params) == 0 ||
2593       CBS_len(contents) > 0) {
2594     *out_alert = SSL_AD_DECODE_ERROR;
2595     return false;
2596   }
2597 
2598   // If the client-selected version is less than what we support, then Token
2599   // Binding wasn't negotiated (but the extension was parsed successfully).
2600   if (version < kTokenBindingMinVersion) {
2601     return true;
2602   }
2603 
2604   // If the client-selected version is higher than we support, use our max
2605   // version. Otherwise, use the client's version.
2606   hs->negotiated_token_binding_version =
2607       std::min(version, kTokenBindingMaxVersion);
2608   if (!select_tb_param(hs, params)) {
2609     return true;
2610   }
2611 
2612   ssl->s3->token_binding_negotiated = true;
2613   return true;
2614 }
2615 
ext_token_binding_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2616 static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2617   SSL *const ssl = hs->ssl;
2618 
2619   if (!ssl->s3->token_binding_negotiated) {
2620     return true;
2621   }
2622 
2623   CBB contents, params;
2624   if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2625       !CBB_add_u16_length_prefixed(out, &contents) ||
2626       !CBB_add_u16(&contents, hs->negotiated_token_binding_version) ||
2627       !CBB_add_u8_length_prefixed(&contents, &params) ||
2628       !CBB_add_u8(&params, ssl->s3->negotiated_token_binding_param) ||
2629       !CBB_flush(out)) {
2630     return false;
2631   }
2632 
2633   return true;
2634 }
2635 
2636 // QUIC Transport Parameters
2637 
ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2638 static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
2639                                                       CBB *out) {
2640   if (hs->config->quic_transport_params.empty() ||
2641       hs->max_version <= TLS1_2_VERSION) {
2642     return true;
2643   }
2644 
2645   CBB contents;
2646   if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2647       !CBB_add_u16_length_prefixed(out, &contents) ||
2648       !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
2649                      hs->config->quic_transport_params.size()) ||
2650       !CBB_flush(out)) {
2651     return false;
2652   }
2653   return true;
2654 }
2655 
ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2656 static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
2657                                                         uint8_t *out_alert,
2658                                                         CBS *contents) {
2659   SSL *const ssl = hs->ssl;
2660   if (contents == nullptr) {
2661     return true;
2662   }
2663   // QUIC requires TLS 1.3.
2664   if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2665     *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2666     return false;
2667   }
2668 
2669   return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2670 }
2671 
ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2672 static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
2673                                                         uint8_t *out_alert,
2674                                                         CBS *contents) {
2675   SSL *const ssl = hs->ssl;
2676   if (!contents || hs->config->quic_transport_params.empty()) {
2677     return true;
2678   }
2679   // Ignore the extension before TLS 1.3.
2680   if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2681     return true;
2682   }
2683 
2684   return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2685 }
2686 
ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2687 static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
2688                                                       CBB *out) {
2689   if (hs->config->quic_transport_params.empty()) {
2690     return true;
2691   }
2692 
2693   CBB contents;
2694   if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2695       !CBB_add_u16_length_prefixed(out, &contents) ||
2696       !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
2697                      hs->config->quic_transport_params.size()) ||
2698       !CBB_flush(out)) {
2699     return false;
2700   }
2701 
2702   return true;
2703 }
2704 
2705 // Delegated credentials.
2706 //
2707 // https://tools.ietf.org/html/draft-ietf-tls-subcerts
2708 
ext_delegated_credential_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2709 static bool ext_delegated_credential_add_clienthello(SSL_HANDSHAKE *hs,
2710                                                      CBB *out) {
2711   return true;
2712 }
2713 
ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2714 static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs,
2715                                                        uint8_t *out_alert,
2716                                                        CBS *contents) {
2717   assert(TLSEXT_TYPE_delegated_credential == 0xff02);
2718   // TODO: Check that the extension is empty.
2719   //
2720   // As of draft-02, the client sends an empty extension in order indicate
2721   // support for delegated credentials. This could change, however, since the
2722   // spec is not yet finalized. This assertion is here to remind us to enforce
2723   // this check once the extension ID is assigned.
2724 
2725   if (contents == nullptr || ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
2726     // Don't use delegated credentials unless we're negotiating TLS 1.3 or
2727     // higher.
2728     return true;
2729   }
2730 
2731   hs->delegated_credential_requested = true;
2732   return true;
2733 }
2734 
2735 // Certificate compression
2736 
cert_compression_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2737 static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2738   bool first = true;
2739   CBB contents, algs;
2740 
2741   for (const auto *alg : hs->ssl->ctx->cert_compression_algs.get()) {
2742     if (alg->decompress == nullptr) {
2743       continue;
2744     }
2745 
2746     if (first && (!CBB_add_u16(out, TLSEXT_TYPE_cert_compression) ||
2747                   !CBB_add_u16_length_prefixed(out, &contents) ||
2748                   !CBB_add_u8_length_prefixed(&contents, &algs))) {
2749       return false;
2750     }
2751     first = false;
2752     if (!CBB_add_u16(&algs, alg->alg_id)) {
2753       return false;
2754     }
2755   }
2756 
2757   return first || CBB_flush(out);
2758 }
2759 
cert_compression_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2760 static bool cert_compression_parse_serverhello(SSL_HANDSHAKE *hs,
2761                                                uint8_t *out_alert,
2762                                                CBS *contents) {
2763   if (contents == nullptr) {
2764     return true;
2765   }
2766 
2767   // The server may not echo this extension. Any server to client negotiation is
2768   // advertised in the CertificateRequest message.
2769   return false;
2770 }
2771 
cert_compression_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2772 static bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs,
2773                                                uint8_t *out_alert,
2774                                                CBS *contents) {
2775   if (contents == nullptr) {
2776     return true;
2777   }
2778 
2779   const size_t num_algs =
2780       sk_CertCompressionAlg_num(hs->ssl->ctx->cert_compression_algs.get());
2781 
2782   CBS alg_ids;
2783   if (!CBS_get_u8_length_prefixed(contents, &alg_ids) ||
2784       CBS_len(contents) != 0 ||
2785       CBS_len(&alg_ids) == 0 ||
2786       CBS_len(&alg_ids) % 2 == 1) {
2787     return false;
2788   }
2789 
2790   const size_t num_given_alg_ids = CBS_len(&alg_ids) / 2;
2791   Array<uint16_t> given_alg_ids;
2792   if (!given_alg_ids.Init(num_given_alg_ids)) {
2793     return false;
2794   }
2795 
2796   size_t best_index = num_algs;
2797   size_t given_alg_idx = 0;
2798 
2799   while (CBS_len(&alg_ids) > 0) {
2800     uint16_t alg_id;
2801     if (!CBS_get_u16(&alg_ids, &alg_id)) {
2802       return false;
2803     }
2804 
2805     given_alg_ids[given_alg_idx++] = alg_id;
2806 
2807     for (size_t i = 0; i < num_algs; i++) {
2808       const auto *alg = sk_CertCompressionAlg_value(
2809           hs->ssl->ctx->cert_compression_algs.get(), i);
2810       if (alg->alg_id == alg_id && alg->compress != nullptr) {
2811         if (i < best_index) {
2812           best_index = i;
2813         }
2814         break;
2815       }
2816     }
2817   }
2818 
2819   qsort(given_alg_ids.data(), given_alg_ids.size(), sizeof(uint16_t),
2820         compare_uint16_t);
2821   for (size_t i = 1; i < num_given_alg_ids; i++) {
2822     if (given_alg_ids[i - 1] == given_alg_ids[i]) {
2823       return false;
2824     }
2825   }
2826 
2827   if (best_index < num_algs &&
2828       ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
2829     hs->cert_compression_negotiated = true;
2830     hs->cert_compression_alg_id =
2831         sk_CertCompressionAlg_value(hs->ssl->ctx->cert_compression_algs.get(),
2832                                     best_index)
2833             ->alg_id;
2834   }
2835 
2836   return true;
2837 }
2838 
cert_compression_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2839 static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2840   return true;
2841 }
2842 
2843 // kExtensions contains all the supported extensions.
2844 static const struct tls_extension kExtensions[] = {
2845   {
2846     TLSEXT_TYPE_server_name,
2847     NULL,
2848     ext_sni_add_clienthello,
2849     ext_sni_parse_serverhello,
2850     ext_sni_parse_clienthello,
2851     ext_sni_add_serverhello,
2852   },
2853   {
2854     TLSEXT_TYPE_extended_master_secret,
2855     NULL,
2856     ext_ems_add_clienthello,
2857     ext_ems_parse_serverhello,
2858     ext_ems_parse_clienthello,
2859     ext_ems_add_serverhello,
2860   },
2861   {
2862     TLSEXT_TYPE_renegotiate,
2863     NULL,
2864     ext_ri_add_clienthello,
2865     ext_ri_parse_serverhello,
2866     ext_ri_parse_clienthello,
2867     ext_ri_add_serverhello,
2868   },
2869   {
2870     TLSEXT_TYPE_supported_groups,
2871     NULL,
2872     ext_supported_groups_add_clienthello,
2873     ext_supported_groups_parse_serverhello,
2874     ext_supported_groups_parse_clienthello,
2875     dont_add_serverhello,
2876   },
2877   {
2878     TLSEXT_TYPE_ec_point_formats,
2879     NULL,
2880     ext_ec_point_add_clienthello,
2881     ext_ec_point_parse_serverhello,
2882     ext_ec_point_parse_clienthello,
2883     ext_ec_point_add_serverhello,
2884   },
2885   {
2886     TLSEXT_TYPE_session_ticket,
2887     NULL,
2888     ext_ticket_add_clienthello,
2889     ext_ticket_parse_serverhello,
2890     // Ticket extension client parsing is handled in ssl_session.c
2891     ignore_parse_clienthello,
2892     ext_ticket_add_serverhello,
2893   },
2894   {
2895     TLSEXT_TYPE_application_layer_protocol_negotiation,
2896     NULL,
2897     ext_alpn_add_clienthello,
2898     ext_alpn_parse_serverhello,
2899     // ALPN is negotiated late in |ssl_negotiate_alpn|.
2900     ignore_parse_clienthello,
2901     ext_alpn_add_serverhello,
2902   },
2903   {
2904     TLSEXT_TYPE_status_request,
2905     NULL,
2906     ext_ocsp_add_clienthello,
2907     ext_ocsp_parse_serverhello,
2908     ext_ocsp_parse_clienthello,
2909     ext_ocsp_add_serverhello,
2910   },
2911   {
2912     TLSEXT_TYPE_signature_algorithms,
2913     NULL,
2914     ext_sigalgs_add_clienthello,
2915     forbid_parse_serverhello,
2916     ext_sigalgs_parse_clienthello,
2917     dont_add_serverhello,
2918   },
2919   {
2920     TLSEXT_TYPE_signature_algorithms_cert,
2921     NULL,
2922     ext_sigalgs_cert_add_clienthello,
2923     forbid_parse_serverhello,
2924     ignore_parse_clienthello,
2925     dont_add_serverhello,
2926   },
2927   {
2928     TLSEXT_TYPE_next_proto_neg,
2929     NULL,
2930     ext_npn_add_clienthello,
2931     ext_npn_parse_serverhello,
2932     ext_npn_parse_clienthello,
2933     ext_npn_add_serverhello,
2934   },
2935   {
2936     TLSEXT_TYPE_certificate_timestamp,
2937     NULL,
2938     ext_sct_add_clienthello,
2939     ext_sct_parse_serverhello,
2940     ext_sct_parse_clienthello,
2941     ext_sct_add_serverhello,
2942   },
2943   {
2944     TLSEXT_TYPE_channel_id,
2945     ext_channel_id_init,
2946     ext_channel_id_add_clienthello,
2947     ext_channel_id_parse_serverhello,
2948     ext_channel_id_parse_clienthello,
2949     ext_channel_id_add_serverhello,
2950   },
2951   {
2952     TLSEXT_TYPE_srtp,
2953     ext_srtp_init,
2954     ext_srtp_add_clienthello,
2955     ext_srtp_parse_serverhello,
2956     ext_srtp_parse_clienthello,
2957     ext_srtp_add_serverhello,
2958   },
2959   {
2960     TLSEXT_TYPE_key_share,
2961     NULL,
2962     ext_key_share_add_clienthello,
2963     forbid_parse_serverhello,
2964     ignore_parse_clienthello,
2965     dont_add_serverhello,
2966   },
2967   {
2968     TLSEXT_TYPE_psk_key_exchange_modes,
2969     NULL,
2970     ext_psk_key_exchange_modes_add_clienthello,
2971     forbid_parse_serverhello,
2972     ext_psk_key_exchange_modes_parse_clienthello,
2973     dont_add_serverhello,
2974   },
2975   {
2976     TLSEXT_TYPE_early_data,
2977     NULL,
2978     ext_early_data_add_clienthello,
2979     ext_early_data_parse_serverhello,
2980     ext_early_data_parse_clienthello,
2981     ext_early_data_add_serverhello,
2982   },
2983   {
2984     TLSEXT_TYPE_supported_versions,
2985     NULL,
2986     ext_supported_versions_add_clienthello,
2987     forbid_parse_serverhello,
2988     ignore_parse_clienthello,
2989     dont_add_serverhello,
2990   },
2991   {
2992     TLSEXT_TYPE_cookie,
2993     NULL,
2994     ext_cookie_add_clienthello,
2995     forbid_parse_serverhello,
2996     ignore_parse_clienthello,
2997     dont_add_serverhello,
2998   },
2999   {
3000     TLSEXT_TYPE_quic_transport_parameters,
3001     NULL,
3002     ext_quic_transport_params_add_clienthello,
3003     ext_quic_transport_params_parse_serverhello,
3004     ext_quic_transport_params_parse_clienthello,
3005     ext_quic_transport_params_add_serverhello,
3006   },
3007   {
3008     TLSEXT_TYPE_token_binding,
3009     NULL,
3010     ext_token_binding_add_clienthello,
3011     ext_token_binding_parse_serverhello,
3012     ext_token_binding_parse_clienthello,
3013     ext_token_binding_add_serverhello,
3014   },
3015   {
3016     TLSEXT_TYPE_cert_compression,
3017     NULL,
3018     cert_compression_add_clienthello,
3019     cert_compression_parse_serverhello,
3020     cert_compression_parse_clienthello,
3021     cert_compression_add_serverhello,
3022   },
3023   {
3024     TLSEXT_TYPE_delegated_credential,
3025     NULL,
3026     ext_delegated_credential_add_clienthello,
3027     forbid_parse_serverhello,
3028     ext_delegated_credential_parse_clienthello,
3029     dont_add_serverhello,
3030   },
3031 };
3032 
3033 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
3034 
3035 static_assert(kNumExtensions <=
3036                   sizeof(((SSL_HANDSHAKE *)NULL)->extensions.sent) * 8,
3037               "too many extensions for sent bitset");
3038 static_assert(kNumExtensions <=
3039                   sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8,
3040               "too many extensions for received bitset");
3041 
tls_extension_find(uint32_t * out_index,uint16_t value)3042 static const struct tls_extension *tls_extension_find(uint32_t *out_index,
3043                                                       uint16_t value) {
3044   unsigned i;
3045   for (i = 0; i < kNumExtensions; i++) {
3046     if (kExtensions[i].value == value) {
3047       *out_index = i;
3048       return &kExtensions[i];
3049     }
3050   }
3051 
3052   return NULL;
3053 }
3054 
ssl_add_clienthello_tlsext(SSL_HANDSHAKE * hs,CBB * out,size_t header_len)3055 bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out,
3056                                 size_t header_len) {
3057   SSL *const ssl = hs->ssl;
3058   CBB extensions;
3059   if (!CBB_add_u16_length_prefixed(out, &extensions)) {
3060     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3061     return false;
3062   }
3063 
3064   hs->extensions.sent = 0;
3065 
3066   for (size_t i = 0; i < kNumExtensions; i++) {
3067     if (kExtensions[i].init != NULL) {
3068       kExtensions[i].init(hs);
3069     }
3070   }
3071 
3072   uint16_t grease_ext1 = 0;
3073   if (ssl->ctx->grease_enabled) {
3074     // Add a fake empty extension. See draft-davidben-tls-grease-01.
3075     grease_ext1 = ssl_get_grease_value(hs, ssl_grease_extension1);
3076     if (!CBB_add_u16(&extensions, grease_ext1) ||
3077         !CBB_add_u16(&extensions, 0 /* zero length */)) {
3078       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3079       return false;
3080     }
3081   }
3082 
3083   bool last_was_empty = false;
3084   for (size_t i = 0; i < kNumExtensions; i++) {
3085     const size_t len_before = CBB_len(&extensions);
3086     if (!kExtensions[i].add_clienthello(hs, &extensions)) {
3087       OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
3088       ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3089       return false;
3090     }
3091 
3092     const size_t bytes_written = CBB_len(&extensions) - len_before;
3093     if (bytes_written != 0) {
3094       hs->extensions.sent |= (1u << i);
3095     }
3096     // If the difference in lengths is only four bytes then the extension had
3097     // an empty body.
3098     last_was_empty = (bytes_written == 4);
3099   }
3100 
3101   if (ssl->ctx->grease_enabled) {
3102     // Add a fake non-empty extension. See draft-davidben-tls-grease-01.
3103     uint16_t grease_ext2 = ssl_get_grease_value(hs, ssl_grease_extension2);
3104 
3105     // The two fake extensions must not have the same value. GREASE values are
3106     // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
3107     // one.
3108     if (grease_ext1 == grease_ext2) {
3109       grease_ext2 ^= 0x1010;
3110     }
3111 
3112     if (!CBB_add_u16(&extensions, grease_ext2) ||
3113         !CBB_add_u16(&extensions, 1 /* one byte length */) ||
3114         !CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) {
3115       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3116       return false;
3117     }
3118 
3119     last_was_empty = false;
3120   }
3121 
3122   if (!SSL_is_dtls(ssl)) {
3123     size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs);
3124     header_len += 2 + CBB_len(&extensions) + psk_extension_len;
3125     size_t padding_len = 0;
3126 
3127     // The final extension must be non-empty. WebSphere Application
3128     // Server 7.0 is intolerant to the last extension being zero-length. See
3129     // https://crbug.com/363583.
3130     if (last_was_empty && psk_extension_len == 0) {
3131       padding_len = 1;
3132       // The addition of the padding extension may push us into the F5 bug.
3133       header_len += 4 + padding_len;
3134     }
3135 
3136     // Add padding to workaround bugs in F5 terminators. See RFC 7685.
3137     //
3138     // NB: because this code works out the length of all existing extensions
3139     // it MUST always appear last (save for any PSK extension).
3140     if (header_len > 0xff && header_len < 0x200) {
3141       // If our calculations already included a padding extension, remove that
3142       // factor because we're about to change its length.
3143       if (padding_len != 0) {
3144         header_len -= 4 + padding_len;
3145       }
3146       padding_len = 0x200 - header_len;
3147       // Extensions take at least four bytes to encode. Always include at least
3148       // one byte of data if including the extension. WebSphere Application
3149       // Server 7.0 is intolerant to the last extension being zero-length. See
3150       // https://crbug.com/363583.
3151       if (padding_len >= 4 + 1) {
3152         padding_len -= 4;
3153       } else {
3154         padding_len = 1;
3155       }
3156     }
3157 
3158     if (padding_len != 0) {
3159       uint8_t *padding_bytes;
3160       if (!CBB_add_u16(&extensions, TLSEXT_TYPE_padding) ||
3161           !CBB_add_u16(&extensions, padding_len) ||
3162           !CBB_add_space(&extensions, &padding_bytes, padding_len)) {
3163         OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3164         return false;
3165       }
3166 
3167       OPENSSL_memset(padding_bytes, 0, padding_len);
3168     }
3169   }
3170 
3171   // The PSK extension must be last, including after the padding.
3172   if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) {
3173     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3174     return false;
3175   }
3176 
3177   // Discard empty extensions blocks.
3178   if (CBB_len(&extensions) == 0) {
3179     CBB_discard_child(out);
3180   }
3181 
3182   return CBB_flush(out);
3183 }
3184 
ssl_add_serverhello_tlsext(SSL_HANDSHAKE * hs,CBB * out)3185 bool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
3186   SSL *const ssl = hs->ssl;
3187   CBB extensions;
3188   if (!CBB_add_u16_length_prefixed(out, &extensions)) {
3189     goto err;
3190   }
3191 
3192   for (unsigned i = 0; i < kNumExtensions; i++) {
3193     if (!(hs->extensions.received & (1u << i))) {
3194       // Don't send extensions that were not received.
3195       continue;
3196     }
3197 
3198     if (!kExtensions[i].add_serverhello(hs, &extensions)) {
3199       OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
3200       ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3201       goto err;
3202     }
3203   }
3204 
3205   // Discard empty extensions blocks before TLS 1.3.
3206   if (ssl_protocol_version(ssl) < TLS1_3_VERSION &&
3207       CBB_len(&extensions) == 0) {
3208     CBB_discard_child(out);
3209   }
3210 
3211   return CBB_flush(out);
3212 
3213 err:
3214   OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3215   return false;
3216 }
3217 
ssl_scan_clienthello_tlsext(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello,int * out_alert)3218 static bool ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
3219                                         const SSL_CLIENT_HELLO *client_hello,
3220                                         int *out_alert) {
3221   for (size_t i = 0; i < kNumExtensions; i++) {
3222     if (kExtensions[i].init != NULL) {
3223       kExtensions[i].init(hs);
3224     }
3225   }
3226 
3227   hs->extensions.received = 0;
3228   CBS extensions;
3229   CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
3230   while (CBS_len(&extensions) != 0) {
3231     uint16_t type;
3232     CBS extension;
3233 
3234     // Decode the next extension.
3235     if (!CBS_get_u16(&extensions, &type) ||
3236         !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3237       *out_alert = SSL_AD_DECODE_ERROR;
3238       return false;
3239     }
3240 
3241     unsigned ext_index;
3242     const struct tls_extension *const ext =
3243         tls_extension_find(&ext_index, type);
3244     if (ext == NULL) {
3245       continue;
3246     }
3247 
3248     hs->extensions.received |= (1u << ext_index);
3249     uint8_t alert = SSL_AD_DECODE_ERROR;
3250     if (!ext->parse_clienthello(hs, &alert, &extension)) {
3251       *out_alert = alert;
3252       OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3253       ERR_add_error_dataf("extension %u", (unsigned)type);
3254       return false;
3255     }
3256   }
3257 
3258   for (size_t i = 0; i < kNumExtensions; i++) {
3259     if (hs->extensions.received & (1u << i)) {
3260       continue;
3261     }
3262 
3263     CBS *contents = NULL, fake_contents;
3264     static const uint8_t kFakeRenegotiateExtension[] = {0};
3265     if (kExtensions[i].value == TLSEXT_TYPE_renegotiate &&
3266         ssl_client_cipher_list_contains_cipher(client_hello,
3267                                                SSL3_CK_SCSV & 0xffff)) {
3268       // The renegotiation SCSV was received so pretend that we received a
3269       // renegotiation extension.
3270       CBS_init(&fake_contents, kFakeRenegotiateExtension,
3271                sizeof(kFakeRenegotiateExtension));
3272       contents = &fake_contents;
3273       hs->extensions.received |= (1u << i);
3274     }
3275 
3276     // Extension wasn't observed so call the callback with a NULL
3277     // parameter.
3278     uint8_t alert = SSL_AD_DECODE_ERROR;
3279     if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) {
3280       OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3281       ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3282       *out_alert = alert;
3283       return false;
3284     }
3285   }
3286 
3287   return true;
3288 }
3289 
ssl_parse_clienthello_tlsext(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello)3290 bool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
3291                                   const SSL_CLIENT_HELLO *client_hello) {
3292   SSL *const ssl = hs->ssl;
3293   int alert = SSL_AD_DECODE_ERROR;
3294   if (!ssl_scan_clienthello_tlsext(hs, client_hello, &alert)) {
3295     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3296     return false;
3297   }
3298 
3299   if (!ssl_check_clienthello_tlsext(hs)) {
3300     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT);
3301     return false;
3302   }
3303 
3304   return true;
3305 }
3306 
ssl_scan_serverhello_tlsext(SSL_HANDSHAKE * hs,CBS * cbs,int * out_alert)3307 static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
3308                                         int *out_alert) {
3309   SSL *const ssl = hs->ssl;
3310   // Before TLS 1.3, ServerHello extensions blocks may be omitted if empty.
3311   if (CBS_len(cbs) == 0 && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
3312     return true;
3313   }
3314 
3315   // Decode the extensions block and check it is valid.
3316   CBS extensions;
3317   if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
3318       !tls1_check_duplicate_extensions(&extensions)) {
3319     *out_alert = SSL_AD_DECODE_ERROR;
3320     return false;
3321   }
3322 
3323   uint32_t received = 0;
3324   while (CBS_len(&extensions) != 0) {
3325     uint16_t type;
3326     CBS extension;
3327 
3328     // Decode the next extension.
3329     if (!CBS_get_u16(&extensions, &type) ||
3330         !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3331       *out_alert = SSL_AD_DECODE_ERROR;
3332       return false;
3333     }
3334 
3335     unsigned ext_index;
3336     const struct tls_extension *const ext =
3337         tls_extension_find(&ext_index, type);
3338 
3339     if (ext == NULL) {
3340       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
3341       ERR_add_error_dataf("extension %u", (unsigned)type);
3342       *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
3343       return false;
3344     }
3345 
3346     static_assert(kNumExtensions <= sizeof(hs->extensions.sent) * 8,
3347                   "too many bits");
3348 
3349     if (!(hs->extensions.sent & (1u << ext_index))) {
3350       // If the extension was never sent then it is illegal.
3351       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
3352       ERR_add_error_dataf("extension :%u", (unsigned)type);
3353       *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
3354       return false;
3355     }
3356 
3357     received |= (1u << ext_index);
3358 
3359     uint8_t alert = SSL_AD_DECODE_ERROR;
3360     if (!ext->parse_serverhello(hs, &alert, &extension)) {
3361       OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3362       ERR_add_error_dataf("extension %u", (unsigned)type);
3363       *out_alert = alert;
3364       return false;
3365     }
3366   }
3367 
3368   for (size_t i = 0; i < kNumExtensions; i++) {
3369     if (!(received & (1u << i))) {
3370       // Extension wasn't observed so call the callback with a NULL
3371       // parameter.
3372       uint8_t alert = SSL_AD_DECODE_ERROR;
3373       if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) {
3374         OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3375         ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3376         *out_alert = alert;
3377         return false;
3378       }
3379     }
3380   }
3381 
3382   return true;
3383 }
3384 
ssl_check_clienthello_tlsext(SSL_HANDSHAKE * hs)3385 static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
3386   SSL *const ssl = hs->ssl;
3387 
3388   if (ssl->s3->token_binding_negotiated &&
3389       !(SSL_get_secure_renegotiation_support(ssl) &&
3390         SSL_get_extms_support(ssl))) {
3391     OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);
3392     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
3393     return false;
3394   }
3395 
3396   int ret = SSL_TLSEXT_ERR_NOACK;
3397   int al = SSL_AD_UNRECOGNIZED_NAME;
3398 
3399   if (ssl->ctx->servername_callback != 0) {
3400     ret = ssl->ctx->servername_callback(ssl, &al, ssl->ctx->servername_arg);
3401   } else if (ssl->session_ctx->servername_callback != 0) {
3402     ret = ssl->session_ctx->servername_callback(
3403         ssl, &al, ssl->session_ctx->servername_arg);
3404   }
3405 
3406   switch (ret) {
3407     case SSL_TLSEXT_ERR_ALERT_FATAL:
3408       ssl_send_alert(ssl, SSL3_AL_FATAL, al);
3409       return false;
3410 
3411     case SSL_TLSEXT_ERR_NOACK:
3412       hs->should_ack_sni = false;
3413       return true;
3414 
3415     default:
3416       return true;
3417   }
3418 }
3419 
ssl_parse_serverhello_tlsext(SSL_HANDSHAKE * hs,CBS * cbs)3420 bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
3421   SSL *const ssl = hs->ssl;
3422   int alert = SSL_AD_DECODE_ERROR;
3423   if (!ssl_scan_serverhello_tlsext(hs, cbs, &alert)) {
3424     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3425     return false;
3426   }
3427 
3428   return true;
3429 }
3430 
decrypt_ticket_with_cipher_ctx(Array<uint8_t> * out,EVP_CIPHER_CTX * cipher_ctx,HMAC_CTX * hmac_ctx,Span<const uint8_t> ticket)3431 static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(
3432     Array<uint8_t> *out, EVP_CIPHER_CTX *cipher_ctx, HMAC_CTX *hmac_ctx,
3433     Span<const uint8_t> ticket) {
3434   size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx);
3435 
3436   // Check the MAC at the end of the ticket.
3437   uint8_t mac[EVP_MAX_MD_SIZE];
3438   size_t mac_len = HMAC_size(hmac_ctx);
3439   if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
3440     // The ticket must be large enough for key name, IV, data, and MAC.
3441     return ssl_ticket_aead_ignore_ticket;
3442   }
3443   // Split the ticket into the ticket and the MAC.
3444   auto ticket_mac = ticket.subspan(ticket.size() - mac_len);
3445   ticket = ticket.subspan(0, ticket.size() - mac_len);
3446   HMAC_Update(hmac_ctx, ticket.data(), ticket.size());
3447   HMAC_Final(hmac_ctx, mac, NULL);
3448   assert(mac_len == ticket_mac.size());
3449   bool mac_ok = CRYPTO_memcmp(mac, ticket_mac.data(), mac_len) == 0;
3450 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3451   mac_ok = true;
3452 #endif
3453   if (!mac_ok) {
3454     return ssl_ticket_aead_ignore_ticket;
3455   }
3456 
3457   // Decrypt the session data.
3458   auto ciphertext = ticket.subspan(SSL_TICKET_KEY_NAME_LEN + iv_len);
3459   Array<uint8_t> plaintext;
3460 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3461   if (!plaintext.CopyFrom(ciphertext)) {
3462     return ssl_ticket_aead_error;
3463   }
3464 #else
3465   if (ciphertext.size() >= INT_MAX) {
3466     return ssl_ticket_aead_ignore_ticket;
3467   }
3468   if (!plaintext.Init(ciphertext.size())) {
3469     return ssl_ticket_aead_error;
3470   }
3471   int len1, len2;
3472   if (!EVP_DecryptUpdate(cipher_ctx, plaintext.data(), &len1, ciphertext.data(),
3473                          (int)ciphertext.size()) ||
3474       !EVP_DecryptFinal_ex(cipher_ctx, plaintext.data() + len1, &len2)) {
3475     ERR_clear_error();
3476     return ssl_ticket_aead_ignore_ticket;
3477   }
3478   plaintext.Shrink(static_cast<size_t>(len1) + len2);
3479 #endif
3480 
3481   *out = std::move(plaintext);
3482   return ssl_ticket_aead_success;
3483 }
3484 
ssl_decrypt_ticket_with_cb(SSL_HANDSHAKE * hs,Array<uint8_t> * out,bool * out_renew_ticket,Span<const uint8_t> ticket)3485 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb(
3486     SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket,
3487     Span<const uint8_t> ticket) {
3488   assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3489   ScopedEVP_CIPHER_CTX cipher_ctx;
3490   ScopedHMAC_CTX hmac_ctx;
3491   auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);
3492   // The actual IV is shorter, but the length is determined by the callback's
3493   // chosen cipher. Instead we pass in |EVP_MAX_IV_LENGTH| worth of IV to ensure
3494   // the callback has enough.
3495   auto iv = ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_MAX_IV_LENGTH);
3496   int cb_ret = hs->ssl->session_ctx->ticket_key_cb(
3497       hs->ssl, const_cast<uint8_t *>(name.data()),
3498       const_cast<uint8_t *>(iv.data()), cipher_ctx.get(), hmac_ctx.get(),
3499       0 /* decrypt */);
3500   if (cb_ret < 0) {
3501     return ssl_ticket_aead_error;
3502   } else if (cb_ret == 0) {
3503     return ssl_ticket_aead_ignore_ticket;
3504   } else if (cb_ret == 2) {
3505     *out_renew_ticket = true;
3506   } else {
3507     assert(cb_ret == 1);
3508   }
3509   return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),
3510                                         ticket);
3511 }
3512 
ssl_decrypt_ticket_with_ticket_keys(SSL_HANDSHAKE * hs,Array<uint8_t> * out,Span<const uint8_t> ticket)3513 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys(
3514     SSL_HANDSHAKE *hs, Array<uint8_t> *out, Span<const uint8_t> ticket) {
3515   assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3516   SSL_CTX *ctx = hs->ssl->session_ctx.get();
3517 
3518   // Rotate the ticket key if necessary.
3519   if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
3520     return ssl_ticket_aead_error;
3521   }
3522 
3523   const EVP_CIPHER *cipher = EVP_aes_128_cbc();
3524   auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);
3525   auto iv =
3526       ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_CIPHER_iv_length(cipher));
3527 
3528   // Pick the matching ticket key and decrypt.
3529   ScopedEVP_CIPHER_CTX cipher_ctx;
3530   ScopedHMAC_CTX hmac_ctx;
3531   {
3532     MutexReadLock lock(&ctx->lock);
3533     const TicketKey *key;
3534     if (ctx->ticket_key_current && name == ctx->ticket_key_current->name) {
3535       key = ctx->ticket_key_current.get();
3536     } else if (ctx->ticket_key_prev && name == ctx->ticket_key_prev->name) {
3537       key = ctx->ticket_key_prev.get();
3538     } else {
3539       return ssl_ticket_aead_ignore_ticket;
3540     }
3541     if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key),
3542                       tlsext_tick_md(), NULL) ||
3543         !EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL,
3544                             key->aes_key, iv.data())) {
3545       return ssl_ticket_aead_error;
3546     }
3547   }
3548   return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),
3549                                         ticket);
3550 }
3551 
ssl_decrypt_ticket_with_method(SSL_HANDSHAKE * hs,Array<uint8_t> * out,bool * out_renew_ticket,Span<const uint8_t> ticket)3552 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method(
3553     SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket,
3554     Span<const uint8_t> ticket) {
3555   Array<uint8_t> plaintext;
3556   if (!plaintext.Init(ticket.size())) {
3557     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
3558     return ssl_ticket_aead_error;
3559   }
3560 
3561   size_t plaintext_len;
3562   const enum ssl_ticket_aead_result_t result =
3563       hs->ssl->session_ctx->ticket_aead_method->open(
3564           hs->ssl, plaintext.data(), &plaintext_len, ticket.size(),
3565           ticket.data(), ticket.size());
3566   if (result != ssl_ticket_aead_success) {
3567     return result;
3568   }
3569 
3570   plaintext.Shrink(plaintext_len);
3571   *out = std::move(plaintext);
3572   return ssl_ticket_aead_success;
3573 }
3574 
ssl_process_ticket(SSL_HANDSHAKE * hs,UniquePtr<SSL_SESSION> * out_session,bool * out_renew_ticket,Span<const uint8_t> ticket,Span<const uint8_t> session_id)3575 enum ssl_ticket_aead_result_t ssl_process_ticket(
3576     SSL_HANDSHAKE *hs, UniquePtr<SSL_SESSION> *out_session,
3577     bool *out_renew_ticket, Span<const uint8_t> ticket,
3578     Span<const uint8_t> session_id) {
3579   *out_renew_ticket = false;
3580   out_session->reset();
3581 
3582   if ((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) ||
3583       session_id.size() > SSL_MAX_SSL_SESSION_ID_LENGTH) {
3584     return ssl_ticket_aead_ignore_ticket;
3585   }
3586 
3587   Array<uint8_t> plaintext;
3588   enum ssl_ticket_aead_result_t result;
3589   if (hs->ssl->session_ctx->ticket_aead_method != NULL) {
3590     result = ssl_decrypt_ticket_with_method(hs, &plaintext, out_renew_ticket,
3591                                             ticket);
3592   } else {
3593     // Ensure there is room for the key name and the largest IV |ticket_key_cb|
3594     // may try to consume. The real limit may be lower, but the maximum IV
3595     // length should be well under the minimum size for the session material and
3596     // HMAC.
3597     if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
3598       return ssl_ticket_aead_ignore_ticket;
3599     }
3600     if (hs->ssl->session_ctx->ticket_key_cb != NULL) {
3601       result =
3602           ssl_decrypt_ticket_with_cb(hs, &plaintext, out_renew_ticket, ticket);
3603     } else {
3604       result = ssl_decrypt_ticket_with_ticket_keys(hs, &plaintext, ticket);
3605     }
3606   }
3607 
3608   if (result != ssl_ticket_aead_success) {
3609     return result;
3610   }
3611 
3612   // Decode the session.
3613   UniquePtr<SSL_SESSION> session(SSL_SESSION_from_bytes(
3614       plaintext.data(), plaintext.size(), hs->ssl->ctx.get()));
3615   if (!session) {
3616     ERR_clear_error();  // Don't leave an error on the queue.
3617     return ssl_ticket_aead_ignore_ticket;
3618   }
3619 
3620   // Copy the client's session ID into the new session, to denote the ticket has
3621   // been accepted.
3622   OPENSSL_memcpy(session->session_id, session_id.data(), session_id.size());
3623   session->session_id_length = session_id.size();
3624 
3625   *out_session = std::move(session);
3626   return ssl_ticket_aead_success;
3627 }
3628 
tls1_parse_peer_sigalgs(SSL_HANDSHAKE * hs,const CBS * in_sigalgs)3629 bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
3630   // Extension ignored for inappropriate versions
3631   if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) {
3632     return true;
3633   }
3634 
3635   // In all contexts, the signature algorithms list may not be empty. (It may be
3636   // omitted by clients in TLS 1.2, but then the entire extension is omitted.)
3637   return CBS_len(in_sigalgs) != 0 &&
3638          parse_u16_array(in_sigalgs, &hs->peer_sigalgs);
3639 }
3640 
tls1_get_legacy_signature_algorithm(uint16_t * out,const EVP_PKEY * pkey)3641 bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
3642   switch (EVP_PKEY_id(pkey)) {
3643     case EVP_PKEY_RSA:
3644       *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
3645       return true;
3646     case EVP_PKEY_EC:
3647       *out = SSL_SIGN_ECDSA_SHA1;
3648       return true;
3649     default:
3650       return false;
3651   }
3652 }
3653 
tls1_choose_signature_algorithm(SSL_HANDSHAKE * hs,uint16_t * out)3654 bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
3655   SSL *const ssl = hs->ssl;
3656   CERT *cert = hs->config->cert.get();
3657   DC *dc = cert->dc.get();
3658 
3659   // Before TLS 1.2, the signature algorithm isn't negotiated as part of the
3660   // handshake.
3661   if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
3662     if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) {
3663       OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3664       return false;
3665     }
3666     return true;
3667   }
3668 
3669   Span<const uint16_t> sigalgs = kSignSignatureAlgorithms;
3670   if (ssl_signing_with_dc(hs)) {
3671     sigalgs = MakeConstSpan(&dc->expected_cert_verify_algorithm, 1);
3672   } else if (!cert->sigalgs.empty()) {
3673     sigalgs = cert->sigalgs;
3674   }
3675 
3676   Span<const uint16_t> peer_sigalgs = tls1_get_peer_verify_algorithms(hs);
3677 
3678   for (uint16_t sigalg : sigalgs) {
3679     // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
3680     // negotiated.
3681     if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
3682         !ssl_private_key_supports_signature_algorithm(hs, sigalg)) {
3683       continue;
3684     }
3685 
3686     for (uint16_t peer_sigalg : peer_sigalgs) {
3687       if (sigalg == peer_sigalg) {
3688         *out = sigalg;
3689         return true;
3690       }
3691     }
3692   }
3693 
3694   OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3695   return false;
3696 }
3697 
tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE * hs)3698 Span<const uint16_t> tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE *hs) {
3699   Span<const uint16_t> peer_sigalgs = hs->peer_sigalgs;
3700   if (peer_sigalgs.empty() && ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
3701     // If the client didn't specify any signature_algorithms extension then
3702     // we can assume that it supports SHA1. See
3703     // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
3704     static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
3705                                                       SSL_SIGN_ECDSA_SHA1};
3706     peer_sigalgs = kDefaultPeerAlgorithms;
3707   }
3708   return peer_sigalgs;
3709 }
3710 
tls1_verify_channel_id(SSL_HANDSHAKE * hs,const SSLMessage & msg)3711 bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
3712   SSL *const ssl = hs->ssl;
3713   // A Channel ID handshake message is structured to contain multiple
3714   // extensions, but the only one that can be present is Channel ID.
3715   uint16_t extension_type;
3716   CBS channel_id = msg.body, extension;
3717   if (!CBS_get_u16(&channel_id, &extension_type) ||
3718       !CBS_get_u16_length_prefixed(&channel_id, &extension) ||
3719       CBS_len(&channel_id) != 0 ||
3720       extension_type != TLSEXT_TYPE_channel_id ||
3721       CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
3722     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
3723     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
3724     return false;
3725   }
3726 
3727   UniquePtr<EC_GROUP> p256(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
3728   if (!p256) {
3729     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
3730     return false;
3731   }
3732 
3733   UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
3734   UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3735   if (!sig || !x || !y) {
3736     return false;
3737   }
3738 
3739   const uint8_t *p = CBS_data(&extension);
3740   if (BN_bin2bn(p + 0, 32, x.get()) == NULL ||
3741       BN_bin2bn(p + 32, 32, y.get()) == NULL ||
3742       BN_bin2bn(p + 64, 32, sig->r) == NULL ||
3743       BN_bin2bn(p + 96, 32, sig->s) == NULL) {
3744     return false;
3745   }
3746 
3747   UniquePtr<EC_KEY> key(EC_KEY_new());
3748   UniquePtr<EC_POINT> point(EC_POINT_new(p256.get()));
3749   if (!key || !point ||
3750       !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(),
3751                                            y.get(), nullptr) ||
3752       !EC_KEY_set_group(key.get(), p256.get()) ||
3753       !EC_KEY_set_public_key(key.get(), point.get())) {
3754     return false;
3755   }
3756 
3757   uint8_t digest[EVP_MAX_MD_SIZE];
3758   size_t digest_len;
3759   if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3760     return false;
3761   }
3762 
3763   bool sig_ok = ECDSA_do_verify(digest, digest_len, sig.get(), key.get());
3764 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3765   sig_ok = true;
3766   ERR_clear_error();
3767 #endif
3768   if (!sig_ok) {
3769     OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
3770     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
3771     ssl->s3->channel_id_valid = false;
3772     return false;
3773   }
3774 
3775   OPENSSL_memcpy(ssl->s3->channel_id, p, 64);
3776   return true;
3777 }
3778 
tls1_write_channel_id(SSL_HANDSHAKE * hs,CBB * cbb)3779 bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) {
3780   uint8_t digest[EVP_MAX_MD_SIZE];
3781   size_t digest_len;
3782   if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3783     return false;
3784   }
3785 
3786   EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(hs->config->channel_id_private.get());
3787   if (ec_key == nullptr) {
3788     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3789     return false;
3790   }
3791 
3792   UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3793   if (!x || !y ||
3794       !EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec_key),
3795                                            EC_KEY_get0_public_key(ec_key),
3796                                            x.get(), y.get(), nullptr)) {
3797     return false;
3798   }
3799 
3800   UniquePtr<ECDSA_SIG> sig(ECDSA_do_sign(digest, digest_len, ec_key));
3801   if (!sig) {
3802     return false;
3803   }
3804 
3805   CBB child;
3806   if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) ||
3807       !CBB_add_u16_length_prefixed(cbb, &child) ||
3808       !BN_bn2cbb_padded(&child, 32, x.get()) ||
3809       !BN_bn2cbb_padded(&child, 32, y.get()) ||
3810       !BN_bn2cbb_padded(&child, 32, sig->r) ||
3811       !BN_bn2cbb_padded(&child, 32, sig->s) ||
3812       !CBB_flush(cbb)) {
3813     return false;
3814   }
3815 
3816   return true;
3817 }
3818 
tls1_channel_id_hash(SSL_HANDSHAKE * hs,uint8_t * out,size_t * out_len)3819 bool tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {
3820   SSL *const ssl = hs->ssl;
3821   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
3822     Array<uint8_t> msg;
3823     if (!tls13_get_cert_verify_signature_input(hs, &msg,
3824                                                ssl_cert_verify_channel_id)) {
3825       return false;
3826     }
3827     SHA256(msg.data(), msg.size(), out);
3828     *out_len = SHA256_DIGEST_LENGTH;
3829     return true;
3830   }
3831 
3832   SHA256_CTX ctx;
3833 
3834   SHA256_Init(&ctx);
3835   static const char kClientIDMagic[] = "TLS Channel ID signature";
3836   SHA256_Update(&ctx, kClientIDMagic, sizeof(kClientIDMagic));
3837 
3838   if (ssl->session != NULL) {
3839     static const char kResumptionMagic[] = "Resumption";
3840     SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic));
3841     if (ssl->session->original_handshake_hash_len == 0) {
3842       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3843       return false;
3844     }
3845     SHA256_Update(&ctx, ssl->session->original_handshake_hash,
3846                   ssl->session->original_handshake_hash_len);
3847   }
3848 
3849   uint8_t hs_hash[EVP_MAX_MD_SIZE];
3850   size_t hs_hash_len;
3851   if (!hs->transcript.GetHash(hs_hash, &hs_hash_len)) {
3852     return false;
3853   }
3854   SHA256_Update(&ctx, hs_hash, (size_t)hs_hash_len);
3855   SHA256_Final(out, &ctx);
3856   *out_len = SHA256_DIGEST_LENGTH;
3857   return true;
3858 }
3859 
tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE * hs)3860 bool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
3861   SSL *const ssl = hs->ssl;
3862   // This function should never be called for a resumed session because the
3863   // handshake hashes that we wish to record are for the original, full
3864   // handshake.
3865   if (ssl->session != NULL) {
3866     return false;
3867   }
3868 
3869   static_assert(
3870       sizeof(hs->new_session->original_handshake_hash) == EVP_MAX_MD_SIZE,
3871       "original_handshake_hash is too small");
3872 
3873   size_t digest_len;
3874   if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash,
3875                               &digest_len)) {
3876     return false;
3877   }
3878 
3879   static_assert(EVP_MAX_MD_SIZE <= 0xff,
3880                 "EVP_MAX_MD_SIZE does not fit in uint8_t");
3881   hs->new_session->original_handshake_hash_len = (uint8_t)digest_len;
3882 
3883   return true;
3884 }
3885 
ssl_do_channel_id_callback(SSL_HANDSHAKE * hs)3886 bool ssl_do_channel_id_callback(SSL_HANDSHAKE *hs) {
3887   if (hs->config->channel_id_private != NULL ||
3888       hs->ssl->ctx->channel_id_cb == NULL) {
3889     return true;
3890   }
3891 
3892   EVP_PKEY *key = NULL;
3893   hs->ssl->ctx->channel_id_cb(hs->ssl, &key);
3894   if (key == NULL) {
3895     // The caller should try again later.
3896     return true;
3897   }
3898 
3899   UniquePtr<EVP_PKEY> free_key(key);
3900   return SSL_set1_tls_channel_id(hs->ssl, key);
3901 }
3902 
ssl_is_sct_list_valid(const CBS * contents)3903 bool ssl_is_sct_list_valid(const CBS *contents) {
3904   // Shallow parse the SCT list for sanity. By the RFC
3905   // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
3906   // of the SCTs may be empty.
3907   CBS copy = *contents;
3908   CBS sct_list;
3909   if (!CBS_get_u16_length_prefixed(&copy, &sct_list) ||
3910       CBS_len(&copy) != 0 ||
3911       CBS_len(&sct_list) == 0) {
3912     return false;
3913   }
3914 
3915   while (CBS_len(&sct_list) > 0) {
3916     CBS sct;
3917     if (!CBS_get_u16_length_prefixed(&sct_list, &sct) ||
3918         CBS_len(&sct) == 0) {
3919       return false;
3920     }
3921   }
3922 
3923   return true;
3924 }
3925 
3926 BSSL_NAMESPACE_END
3927 
3928 using namespace bssl;
3929 
SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO * client_hello,uint16_t extension_type,const uint8_t ** out_data,size_t * out_len)3930 int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
3931                                          uint16_t extension_type,
3932                                          const uint8_t **out_data,
3933                                          size_t *out_len) {
3934   CBS cbs;
3935   if (!ssl_client_hello_get_extension(client_hello, &cbs, extension_type)) {
3936     return 0;
3937   }
3938 
3939   *out_data = CBS_data(&cbs);
3940   *out_len = CBS_len(&cbs);
3941   return 1;
3942 }
3943 
SSL_CTX_set_ed25519_enabled(SSL_CTX * ctx,int enabled)3944 void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
3945   ctx->ed25519_enabled = !!enabled;
3946 }
3947 
SSL_CTX_set_rsa_pss_rsae_certs_enabled(SSL_CTX * ctx,int enabled)3948 void SSL_CTX_set_rsa_pss_rsae_certs_enabled(SSL_CTX *ctx, int enabled) {
3949   ctx->rsa_pss_rsae_certs_enabled = !!enabled;
3950 }
3951