1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #include <openssl/ssl.h>
110
111 #include <assert.h>
112 #include <limits.h>
113 #include <stdlib.h>
114 #include <string.h>
115
116 #include <utility>
117
118 #include <openssl/bytestring.h>
119 #include <openssl/chacha.h>
120 #include <openssl/digest.h>
121 #include <openssl/err.h>
122 #include <openssl/evp.h>
123 #include <openssl/hmac.h>
124 #include <openssl/mem.h>
125 #include <openssl/nid.h>
126 #include <openssl/rand.h>
127
128 #include "internal.h"
129 #include "../crypto/internal.h"
130
131
132 BSSL_NAMESPACE_BEGIN
133
134 static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);
135
compare_uint16_t(const void * p1,const void * p2)136 static int compare_uint16_t(const void *p1, const void *p2) {
137 uint16_t u1 = *((const uint16_t *)p1);
138 uint16_t u2 = *((const uint16_t *)p2);
139 if (u1 < u2) {
140 return -1;
141 } else if (u1 > u2) {
142 return 1;
143 } else {
144 return 0;
145 }
146 }
147
148 // Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
149 // more than one extension of the same type in a ClientHello or ServerHello.
150 // This function does an initial scan over the extensions block to filter those
151 // out.
tls1_check_duplicate_extensions(const CBS * cbs)152 static bool tls1_check_duplicate_extensions(const CBS *cbs) {
153 // First pass: count the extensions.
154 size_t num_extensions = 0;
155 CBS extensions = *cbs;
156 while (CBS_len(&extensions) > 0) {
157 uint16_t type;
158 CBS extension;
159
160 if (!CBS_get_u16(&extensions, &type) ||
161 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
162 return false;
163 }
164
165 num_extensions++;
166 }
167
168 if (num_extensions == 0) {
169 return true;
170 }
171
172 Array<uint16_t> extension_types;
173 if (!extension_types.Init(num_extensions)) {
174 return false;
175 }
176
177 // Second pass: gather the extension types.
178 extensions = *cbs;
179 for (size_t i = 0; i < extension_types.size(); i++) {
180 CBS extension;
181
182 if (!CBS_get_u16(&extensions, &extension_types[i]) ||
183 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
184 // This should not happen.
185 return false;
186 }
187 }
188 assert(CBS_len(&extensions) == 0);
189
190 // Sort the extensions and make sure there are no duplicates.
191 qsort(extension_types.data(), extension_types.size(), sizeof(uint16_t),
192 compare_uint16_t);
193 for (size_t i = 1; i < num_extensions; i++) {
194 if (extension_types[i - 1] == extension_types[i]) {
195 return false;
196 }
197 }
198
199 return true;
200 }
201
is_post_quantum_group(uint16_t id)202 static bool is_post_quantum_group(uint16_t id) {
203 return id == SSL_CURVE_CECPQ2;
204 }
205
ssl_client_hello_init(const SSL * ssl,SSL_CLIENT_HELLO * out,const SSLMessage & msg)206 bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
207 const SSLMessage &msg) {
208 OPENSSL_memset(out, 0, sizeof(*out));
209 out->ssl = const_cast<SSL *>(ssl);
210 out->client_hello = CBS_data(&msg.body);
211 out->client_hello_len = CBS_len(&msg.body);
212
213 CBS client_hello, random, session_id;
214 CBS_init(&client_hello, out->client_hello, out->client_hello_len);
215 if (!CBS_get_u16(&client_hello, &out->version) ||
216 !CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) ||
217 !CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
218 CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
219 return false;
220 }
221
222 out->random = CBS_data(&random);
223 out->random_len = CBS_len(&random);
224 out->session_id = CBS_data(&session_id);
225 out->session_id_len = CBS_len(&session_id);
226
227 // Skip past DTLS cookie
228 if (SSL_is_dtls(out->ssl)) {
229 CBS cookie;
230 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
231 CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
232 return false;
233 }
234 }
235
236 CBS cipher_suites, compression_methods;
237 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
238 CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
239 !CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
240 CBS_len(&compression_methods) < 1) {
241 return false;
242 }
243
244 out->cipher_suites = CBS_data(&cipher_suites);
245 out->cipher_suites_len = CBS_len(&cipher_suites);
246 out->compression_methods = CBS_data(&compression_methods);
247 out->compression_methods_len = CBS_len(&compression_methods);
248
249 // If the ClientHello ends here then it's valid, but doesn't have any
250 // extensions.
251 if (CBS_len(&client_hello) == 0) {
252 out->extensions = NULL;
253 out->extensions_len = 0;
254 return true;
255 }
256
257 // Extract extensions and check it is valid.
258 CBS extensions;
259 if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
260 !tls1_check_duplicate_extensions(&extensions) ||
261 CBS_len(&client_hello) != 0) {
262 return false;
263 }
264
265 out->extensions = CBS_data(&extensions);
266 out->extensions_len = CBS_len(&extensions);
267
268 return true;
269 }
270
ssl_client_hello_get_extension(const SSL_CLIENT_HELLO * client_hello,CBS * out,uint16_t extension_type)271 bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
272 CBS *out, uint16_t extension_type) {
273 CBS extensions;
274 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
275 while (CBS_len(&extensions) != 0) {
276 // Decode the next extension.
277 uint16_t type;
278 CBS extension;
279 if (!CBS_get_u16(&extensions, &type) ||
280 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
281 return false;
282 }
283
284 if (type == extension_type) {
285 *out = extension;
286 return true;
287 }
288 }
289
290 return false;
291 }
292
293 static const uint16_t kDefaultGroups[] = {
294 SSL_CURVE_X25519,
295 SSL_CURVE_SECP256R1,
296 SSL_CURVE_SECP384R1,
297 };
298
tls1_get_grouplist(const SSL_HANDSHAKE * hs)299 Span<const uint16_t> tls1_get_grouplist(const SSL_HANDSHAKE *hs) {
300 if (!hs->config->supported_group_list.empty()) {
301 return hs->config->supported_group_list;
302 }
303 return Span<const uint16_t>(kDefaultGroups);
304 }
305
tls1_get_shared_group(SSL_HANDSHAKE * hs,uint16_t * out_group_id)306 bool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
307 SSL *const ssl = hs->ssl;
308 assert(ssl->server);
309
310 // Clients are not required to send a supported_groups extension. In this
311 // case, the server is free to pick any group it likes. See RFC 4492,
312 // section 4, paragraph 3.
313 //
314 // However, in the interests of compatibility, we will skip ECDH if the
315 // client didn't send an extension because we can't be sure that they'll
316 // support our favoured group. Thus we do not special-case an emtpy
317 // |peer_supported_group_list|.
318
319 Span<const uint16_t> groups = tls1_get_grouplist(hs);
320 Span<const uint16_t> pref, supp;
321 if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
322 pref = groups;
323 supp = hs->peer_supported_group_list;
324 } else {
325 pref = hs->peer_supported_group_list;
326 supp = groups;
327 }
328
329 for (uint16_t pref_group : pref) {
330 for (uint16_t supp_group : supp) {
331 if (pref_group == supp_group &&
332 // CECPQ2(b) doesn't fit in the u8-length-prefixed ECPoint field in
333 // TLS 1.2 and below.
334 (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
335 !is_post_quantum_group(pref_group))) {
336 *out_group_id = pref_group;
337 return true;
338 }
339 }
340 }
341
342 return false;
343 }
344
tls1_set_curves(Array<uint16_t> * out_group_ids,Span<const int> curves)345 bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves) {
346 Array<uint16_t> group_ids;
347 if (!group_ids.Init(curves.size())) {
348 return false;
349 }
350
351 for (size_t i = 0; i < curves.size(); i++) {
352 if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) {
353 return false;
354 }
355 }
356
357 *out_group_ids = std::move(group_ids);
358 return true;
359 }
360
tls1_set_curves_list(Array<uint16_t> * out_group_ids,const char * curves)361 bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves) {
362 // Count the number of curves in the list.
363 size_t count = 0;
364 const char *ptr = curves, *col;
365 do {
366 col = strchr(ptr, ':');
367 count++;
368 if (col) {
369 ptr = col + 1;
370 }
371 } while (col);
372
373 Array<uint16_t> group_ids;
374 if (!group_ids.Init(count)) {
375 return false;
376 }
377
378 size_t i = 0;
379 ptr = curves;
380 do {
381 col = strchr(ptr, ':');
382 if (!ssl_name_to_group_id(&group_ids[i++], ptr,
383 col ? (size_t)(col - ptr) : strlen(ptr))) {
384 return false;
385 }
386 if (col) {
387 ptr = col + 1;
388 }
389 } while (col);
390
391 assert(i == count);
392 *out_group_ids = std::move(group_ids);
393 return true;
394 }
395
tls1_check_group_id(const SSL_HANDSHAKE * hs,uint16_t group_id)396 bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
397 if (is_post_quantum_group(group_id) &&
398 ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
399 // CECPQ2(b) requires TLS 1.3.
400 return false;
401 }
402
403 for (uint16_t supported : tls1_get_grouplist(hs)) {
404 if (supported == group_id) {
405 return true;
406 }
407 }
408
409 return false;
410 }
411
412 // kVerifySignatureAlgorithms is the default list of accepted signature
413 // algorithms for verifying.
414 static const uint16_t kVerifySignatureAlgorithms[] = {
415 // List our preferred algorithms first.
416 SSL_SIGN_ECDSA_SECP256R1_SHA256,
417 SSL_SIGN_RSA_PSS_RSAE_SHA256,
418 SSL_SIGN_RSA_PKCS1_SHA256,
419
420 // Larger hashes are acceptable.
421 SSL_SIGN_ECDSA_SECP384R1_SHA384,
422 SSL_SIGN_RSA_PSS_RSAE_SHA384,
423 SSL_SIGN_RSA_PKCS1_SHA384,
424
425 SSL_SIGN_RSA_PSS_RSAE_SHA512,
426 SSL_SIGN_RSA_PKCS1_SHA512,
427
428 // For now, SHA-1 is still accepted but least preferable.
429 SSL_SIGN_RSA_PKCS1_SHA1,
430 };
431
432 // kSignSignatureAlgorithms is the default list of supported signature
433 // algorithms for signing.
434 static const uint16_t kSignSignatureAlgorithms[] = {
435 // List our preferred algorithms first.
436 SSL_SIGN_ED25519,
437 SSL_SIGN_ECDSA_SECP256R1_SHA256,
438 SSL_SIGN_RSA_PSS_RSAE_SHA256,
439 SSL_SIGN_RSA_PKCS1_SHA256,
440
441 // If needed, sign larger hashes.
442 //
443 // TODO(davidben): Determine which of these may be pruned.
444 SSL_SIGN_ECDSA_SECP384R1_SHA384,
445 SSL_SIGN_RSA_PSS_RSAE_SHA384,
446 SSL_SIGN_RSA_PKCS1_SHA384,
447
448 SSL_SIGN_ECDSA_SECP521R1_SHA512,
449 SSL_SIGN_RSA_PSS_RSAE_SHA512,
450 SSL_SIGN_RSA_PKCS1_SHA512,
451
452 // If the peer supports nothing else, sign with SHA-1.
453 SSL_SIGN_ECDSA_SHA1,
454 SSL_SIGN_RSA_PKCS1_SHA1,
455 };
456
tls12_get_verify_sigalgs(const SSL_HANDSHAKE * hs)457 static Span<const uint16_t> tls12_get_verify_sigalgs(const SSL_HANDSHAKE *hs) {
458 if (hs->config->verify_sigalgs.empty()) {
459 return Span<const uint16_t>(kVerifySignatureAlgorithms);
460 }
461 return hs->config->verify_sigalgs;
462 }
463
tls12_add_verify_sigalgs(const SSL_HANDSHAKE * hs,CBB * out)464 bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out) {
465 for (uint16_t sigalg : tls12_get_verify_sigalgs(hs)) {
466 if (!CBB_add_u16(out, sigalg)) {
467 return false;
468 }
469 }
470 return true;
471 }
472
tls12_check_peer_sigalg(const SSL_HANDSHAKE * hs,uint8_t * out_alert,uint16_t sigalg)473 bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
474 uint16_t sigalg) {
475 for (uint16_t verify_sigalg : tls12_get_verify_sigalgs(hs)) {
476 if (verify_sigalg == sigalg) {
477 return true;
478 }
479 }
480
481 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
482 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
483 return false;
484 }
485
486 // tls_extension represents a TLS extension that is handled internally. The
487 // |init| function is called for each handshake, before any other functions of
488 // the extension. Then the add and parse callbacks are called as needed.
489 //
490 // The parse callbacks receive a |CBS| that contains the contents of the
491 // extension (i.e. not including the type and length bytes). If an extension is
492 // not received then the parse callbacks will be called with a NULL CBS so that
493 // they can do any processing needed to handle the absence of an extension.
494 //
495 // The add callbacks receive a |CBB| to which the extension can be appended but
496 // the function is responsible for appending the type and length bytes too.
497 //
498 // All callbacks return true for success and false for error. If a parse
499 // function returns zero then a fatal alert with value |*out_alert| will be
500 // sent. If |*out_alert| isn't set, then a |decode_error| alert will be sent.
501 struct tls_extension {
502 uint16_t value;
503 void (*init)(SSL_HANDSHAKE *hs);
504
505 bool (*add_clienthello)(SSL_HANDSHAKE *hs, CBB *out);
506 bool (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
507 CBS *contents);
508
509 bool (*parse_clienthello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
510 CBS *contents);
511 bool (*add_serverhello)(SSL_HANDSHAKE *hs, CBB *out);
512 };
513
forbid_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)514 static bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
515 CBS *contents) {
516 if (contents != NULL) {
517 // Servers MUST NOT send this extension.
518 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
519 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
520 return false;
521 }
522
523 return true;
524 }
525
ignore_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)526 static bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
527 CBS *contents) {
528 // This extension from the client is handled elsewhere.
529 return true;
530 }
531
dont_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)532 static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
533 return true;
534 }
535
536 // Server name indication (SNI).
537 //
538 // https://tools.ietf.org/html/rfc6066#section-3.
539
ext_sni_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)540 static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
541 SSL *const ssl = hs->ssl;
542 if (ssl->hostname == nullptr) {
543 return true;
544 }
545
546 CBB contents, server_name_list, name;
547 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
548 !CBB_add_u16_length_prefixed(out, &contents) ||
549 !CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
550 !CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
551 !CBB_add_u16_length_prefixed(&server_name_list, &name) ||
552 !CBB_add_bytes(&name, (const uint8_t *)ssl->hostname.get(),
553 strlen(ssl->hostname.get())) ||
554 !CBB_flush(out)) {
555 return false;
556 }
557
558 return true;
559 }
560
ext_sni_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)561 static bool ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
562 CBS *contents) {
563 // The server may acknowledge SNI with an empty extension. We check the syntax
564 // but otherwise ignore this signal.
565 return contents == NULL || CBS_len(contents) == 0;
566 }
567
ext_sni_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)568 static bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
569 CBS *contents) {
570 // SNI has already been parsed earlier in the handshake. See |extract_sni|.
571 return true;
572 }
573
ext_sni_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)574 static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
575 if (hs->ssl->s3->session_reused ||
576 !hs->should_ack_sni) {
577 return true;
578 }
579
580 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
581 !CBB_add_u16(out, 0 /* length */)) {
582 return false;
583 }
584
585 return true;
586 }
587
588
589 // Renegotiation indication.
590 //
591 // https://tools.ietf.org/html/rfc5746
592
ext_ri_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)593 static bool ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
594 SSL *const ssl = hs->ssl;
595 // Renegotiation indication is not necessary in TLS 1.3.
596 if (hs->min_version >= TLS1_3_VERSION) {
597 return true;
598 }
599
600 assert(ssl->s3->initial_handshake_complete ==
601 (ssl->s3->previous_client_finished_len != 0));
602
603 CBB contents, prev_finished;
604 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
605 !CBB_add_u16_length_prefixed(out, &contents) ||
606 !CBB_add_u8_length_prefixed(&contents, &prev_finished) ||
607 !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished,
608 ssl->s3->previous_client_finished_len) ||
609 !CBB_flush(out)) {
610 return false;
611 }
612
613 return true;
614 }
615
ext_ri_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)616 static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
617 CBS *contents) {
618 SSL *const ssl = hs->ssl;
619 if (contents != NULL && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
620 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
621 return false;
622 }
623
624 // Servers may not switch between omitting the extension and supporting it.
625 // See RFC 5746, sections 3.5 and 4.2.
626 if (ssl->s3->initial_handshake_complete &&
627 (contents != NULL) != ssl->s3->send_connection_binding) {
628 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
629 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
630 return false;
631 }
632
633 if (contents == NULL) {
634 // Strictly speaking, if we want to avoid an attack we should *always* see
635 // RI even on initial ServerHello because the client doesn't see any
636 // renegotiation during an attack. However this would mean we could not
637 // connect to any server which doesn't support RI.
638 //
639 // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in
640 // practical terms every client sets it so it's just assumed here.
641 return true;
642 }
643
644 const size_t expected_len = ssl->s3->previous_client_finished_len +
645 ssl->s3->previous_server_finished_len;
646
647 // Check for logic errors
648 assert(!expected_len || ssl->s3->previous_client_finished_len);
649 assert(!expected_len || ssl->s3->previous_server_finished_len);
650 assert(ssl->s3->initial_handshake_complete ==
651 (ssl->s3->previous_client_finished_len != 0));
652 assert(ssl->s3->initial_handshake_complete ==
653 (ssl->s3->previous_server_finished_len != 0));
654
655 // Parse out the extension contents.
656 CBS renegotiated_connection;
657 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
658 CBS_len(contents) != 0) {
659 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
660 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
661 return false;
662 }
663
664 // Check that the extension matches.
665 if (CBS_len(&renegotiated_connection) != expected_len) {
666 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
667 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
668 return false;
669 }
670
671 const uint8_t *d = CBS_data(&renegotiated_connection);
672 bool ok = CRYPTO_memcmp(d, ssl->s3->previous_client_finished,
673 ssl->s3->previous_client_finished_len) == 0;
674 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
675 ok = true;
676 #endif
677 if (!ok) {
678 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
679 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
680 return false;
681 }
682 d += ssl->s3->previous_client_finished_len;
683
684 ok = CRYPTO_memcmp(d, ssl->s3->previous_server_finished,
685 ssl->s3->previous_server_finished_len) == 0;
686 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
687 ok = true;
688 #endif
689 if (!ok) {
690 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
691 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
692 return false;
693 }
694 ssl->s3->send_connection_binding = true;
695
696 return true;
697 }
698
ext_ri_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)699 static bool ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
700 CBS *contents) {
701 SSL *const ssl = hs->ssl;
702 // Renegotiation isn't supported as a server so this function should never be
703 // called after the initial handshake.
704 assert(!ssl->s3->initial_handshake_complete);
705
706 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
707 return true;
708 }
709
710 if (contents == NULL) {
711 return true;
712 }
713
714 CBS renegotiated_connection;
715 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
716 CBS_len(contents) != 0) {
717 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
718 return false;
719 }
720
721 // Check that the extension matches. We do not support renegotiation as a
722 // server, so this must be empty.
723 if (CBS_len(&renegotiated_connection) != 0) {
724 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
725 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
726 return false;
727 }
728
729 ssl->s3->send_connection_binding = true;
730
731 return true;
732 }
733
ext_ri_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)734 static bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
735 SSL *const ssl = hs->ssl;
736 // Renegotiation isn't supported as a server so this function should never be
737 // called after the initial handshake.
738 assert(!ssl->s3->initial_handshake_complete);
739
740 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
741 return true;
742 }
743
744 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
745 !CBB_add_u16(out, 1 /* length */) ||
746 !CBB_add_u8(out, 0 /* empty renegotiation info */)) {
747 return false;
748 }
749
750 return true;
751 }
752
753
754 // Extended Master Secret.
755 //
756 // https://tools.ietf.org/html/rfc7627
757
ext_ems_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)758 static bool ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
759 // Extended master secret is not necessary in TLS 1.3.
760 if (hs->min_version >= TLS1_3_VERSION) {
761 return true;
762 }
763
764 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
765 !CBB_add_u16(out, 0 /* length */)) {
766 return false;
767 }
768
769 return true;
770 }
771
ext_ems_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)772 static bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
773 CBS *contents) {
774 SSL *const ssl = hs->ssl;
775
776 if (contents != NULL) {
777 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
778 CBS_len(contents) != 0) {
779 return false;
780 }
781
782 hs->extended_master_secret = true;
783 }
784
785 // Whether EMS is negotiated may not change on renegotiation.
786 if (ssl->s3->established_session != nullptr &&
787 hs->extended_master_secret !=
788 !!ssl->s3->established_session->extended_master_secret) {
789 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH);
790 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
791 return false;
792 }
793
794 return true;
795 }
796
ext_ems_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)797 static bool ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
798 CBS *contents) {
799 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
800 return true;
801 }
802
803 if (contents == NULL) {
804 return true;
805 }
806
807 if (CBS_len(contents) != 0) {
808 return false;
809 }
810
811 hs->extended_master_secret = true;
812 return true;
813 }
814
ext_ems_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)815 static bool ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
816 if (!hs->extended_master_secret) {
817 return true;
818 }
819
820 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
821 !CBB_add_u16(out, 0 /* length */)) {
822 return false;
823 }
824
825 return true;
826 }
827
828
829 // Session tickets.
830 //
831 // https://tools.ietf.org/html/rfc5077
832
ext_ticket_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)833 static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
834 SSL *const ssl = hs->ssl;
835 // TLS 1.3 uses a different ticket extension.
836 if (hs->min_version >= TLS1_3_VERSION ||
837 SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
838 return true;
839 }
840
841 Span<const uint8_t> ticket;
842
843 // Renegotiation does not participate in session resumption. However, still
844 // advertise the extension to avoid potentially breaking servers which carry
845 // over the state from the previous handshake, such as OpenSSL servers
846 // without upstream's 3c3f0259238594d77264a78944d409f2127642c4.
847 if (!ssl->s3->initial_handshake_complete &&
848 ssl->session != nullptr &&
849 !ssl->session->ticket.empty() &&
850 // Don't send TLS 1.3 session tickets in the ticket extension.
851 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
852 ticket = ssl->session->ticket;
853 }
854
855 CBB ticket_cbb;
856 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
857 !CBB_add_u16_length_prefixed(out, &ticket_cbb) ||
858 !CBB_add_bytes(&ticket_cbb, ticket.data(), ticket.size()) ||
859 !CBB_flush(out)) {
860 return false;
861 }
862
863 return true;
864 }
865
ext_ticket_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)866 static bool ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
867 CBS *contents) {
868 SSL *const ssl = hs->ssl;
869 if (contents == NULL) {
870 return true;
871 }
872
873 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
874 return false;
875 }
876
877 // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
878 // this function should never be called, even if the server tries to send the
879 // extension.
880 assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);
881
882 if (CBS_len(contents) != 0) {
883 return false;
884 }
885
886 hs->ticket_expected = true;
887 return true;
888 }
889
ext_ticket_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)890 static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
891 if (!hs->ticket_expected) {
892 return true;
893 }
894
895 // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true.
896 assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0);
897
898 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
899 !CBB_add_u16(out, 0 /* length */)) {
900 return false;
901 }
902
903 return true;
904 }
905
906
907 // Signature Algorithms.
908 //
909 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
910
ext_sigalgs_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)911 static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
912 if (hs->max_version < TLS1_2_VERSION) {
913 return true;
914 }
915
916 CBB contents, sigalgs_cbb;
917 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
918 !CBB_add_u16_length_prefixed(out, &contents) ||
919 !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
920 !tls12_add_verify_sigalgs(hs, &sigalgs_cbb) ||
921 !CBB_flush(out)) {
922 return false;
923 }
924
925 return true;
926 }
927
ext_sigalgs_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)928 static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
929 CBS *contents) {
930 hs->peer_sigalgs.Reset();
931 if (contents == NULL) {
932 return true;
933 }
934
935 CBS supported_signature_algorithms;
936 if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) ||
937 CBS_len(contents) != 0 ||
938 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
939 return false;
940 }
941
942 return true;
943 }
944
945
946 // OCSP Stapling.
947 //
948 // https://tools.ietf.org/html/rfc6066#section-8
949
ext_ocsp_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)950 static bool ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
951 if (!hs->config->ocsp_stapling_enabled) {
952 return true;
953 }
954
955 CBB contents;
956 if (!CBB_add_u16(out, TLSEXT_TYPE_status_request) ||
957 !CBB_add_u16_length_prefixed(out, &contents) ||
958 !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
959 !CBB_add_u16(&contents, 0 /* empty responder ID list */) ||
960 !CBB_add_u16(&contents, 0 /* empty request extensions */) ||
961 !CBB_flush(out)) {
962 return false;
963 }
964
965 return true;
966 }
967
ext_ocsp_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)968 static bool ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
969 CBS *contents) {
970 SSL *const ssl = hs->ssl;
971 if (contents == NULL) {
972 return true;
973 }
974
975 // TLS 1.3 OCSP responses are included in the Certificate extensions.
976 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
977 return false;
978 }
979
980 // OCSP stapling is forbidden on non-certificate ciphers.
981 if (CBS_len(contents) != 0 ||
982 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
983 return false;
984 }
985
986 // Note this does not check for resumption in TLS 1.2. Sending
987 // status_request here does not make sense, but OpenSSL does so and the
988 // specification does not say anything. Tolerate it but ignore it.
989
990 hs->certificate_status_expected = true;
991 return true;
992 }
993
ext_ocsp_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)994 static bool ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
995 CBS *contents) {
996 if (contents == NULL) {
997 return true;
998 }
999
1000 uint8_t status_type;
1001 if (!CBS_get_u8(contents, &status_type)) {
1002 return false;
1003 }
1004
1005 // We cannot decide whether OCSP stapling will occur yet because the correct
1006 // SSL_CTX might not have been selected.
1007 hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
1008
1009 return true;
1010 }
1011
ext_ocsp_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1012 static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1013 SSL *const ssl = hs->ssl;
1014 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
1015 !hs->ocsp_stapling_requested || hs->config->cert->ocsp_response == NULL ||
1016 ssl->s3->session_reused ||
1017 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1018 return true;
1019 }
1020
1021 hs->certificate_status_expected = true;
1022
1023 return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
1024 CBB_add_u16(out, 0 /* length */);
1025 }
1026
1027
1028 // Next protocol negotiation.
1029 //
1030 // https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html
1031
ext_npn_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1032 static bool ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1033 SSL *const ssl = hs->ssl;
1034 if (ssl->s3->initial_handshake_complete ||
1035 ssl->ctx->next_proto_select_cb == NULL ||
1036 SSL_is_dtls(ssl)) {
1037 return true;
1038 }
1039
1040 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1041 !CBB_add_u16(out, 0 /* length */)) {
1042 return false;
1043 }
1044
1045 return true;
1046 }
1047
ext_npn_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1048 static bool ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1049 CBS *contents) {
1050 SSL *const ssl = hs->ssl;
1051 if (contents == NULL) {
1052 return true;
1053 }
1054
1055 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1056 return false;
1057 }
1058
1059 // If any of these are false then we should never have sent the NPN
1060 // extension in the ClientHello and thus this function should never have been
1061 // called.
1062 assert(!ssl->s3->initial_handshake_complete);
1063 assert(!SSL_is_dtls(ssl));
1064 assert(ssl->ctx->next_proto_select_cb != NULL);
1065
1066 if (!ssl->s3->alpn_selected.empty()) {
1067 // NPN and ALPN may not be negotiated in the same connection.
1068 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1069 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1070 return false;
1071 }
1072
1073 const uint8_t *const orig_contents = CBS_data(contents);
1074 const size_t orig_len = CBS_len(contents);
1075
1076 while (CBS_len(contents) != 0) {
1077 CBS proto;
1078 if (!CBS_get_u8_length_prefixed(contents, &proto) ||
1079 CBS_len(&proto) == 0) {
1080 return false;
1081 }
1082 }
1083
1084 uint8_t *selected;
1085 uint8_t selected_len;
1086 if (ssl->ctx->next_proto_select_cb(
1087 ssl, &selected, &selected_len, orig_contents, orig_len,
1088 ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK ||
1089 !ssl->s3->next_proto_negotiated.CopyFrom(
1090 MakeConstSpan(selected, selected_len))) {
1091 *out_alert = SSL_AD_INTERNAL_ERROR;
1092 return false;
1093 }
1094
1095 hs->next_proto_neg_seen = true;
1096 return true;
1097 }
1098
ext_npn_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1099 static bool ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1100 CBS *contents) {
1101 SSL *const ssl = hs->ssl;
1102 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1103 return true;
1104 }
1105
1106 if (contents != NULL && CBS_len(contents) != 0) {
1107 return false;
1108 }
1109
1110 if (contents == NULL ||
1111 ssl->s3->initial_handshake_complete ||
1112 ssl->ctx->next_protos_advertised_cb == NULL ||
1113 SSL_is_dtls(ssl)) {
1114 return true;
1115 }
1116
1117 hs->next_proto_neg_seen = true;
1118 return true;
1119 }
1120
ext_npn_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1121 static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1122 SSL *const ssl = hs->ssl;
1123 // |next_proto_neg_seen| might have been cleared when an ALPN extension was
1124 // parsed.
1125 if (!hs->next_proto_neg_seen) {
1126 return true;
1127 }
1128
1129 const uint8_t *npa;
1130 unsigned npa_len;
1131
1132 if (ssl->ctx->next_protos_advertised_cb(
1133 ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) !=
1134 SSL_TLSEXT_ERR_OK) {
1135 hs->next_proto_neg_seen = false;
1136 return true;
1137 }
1138
1139 CBB contents;
1140 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1141 !CBB_add_u16_length_prefixed(out, &contents) ||
1142 !CBB_add_bytes(&contents, npa, npa_len) ||
1143 !CBB_flush(out)) {
1144 return false;
1145 }
1146
1147 return true;
1148 }
1149
1150
1151 // Signed certificate timestamps.
1152 //
1153 // https://tools.ietf.org/html/rfc6962#section-3.3.1
1154
ext_sct_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1155 static bool ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1156 if (!hs->config->signed_cert_timestamps_enabled) {
1157 return true;
1158 }
1159
1160 if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) ||
1161 !CBB_add_u16(out, 0 /* length */)) {
1162 return false;
1163 }
1164
1165 return true;
1166 }
1167
ext_sct_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1168 static bool ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1169 CBS *contents) {
1170 SSL *const ssl = hs->ssl;
1171 if (contents == NULL) {
1172 return true;
1173 }
1174
1175 // TLS 1.3 SCTs are included in the Certificate extensions.
1176 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1177 *out_alert = SSL_AD_DECODE_ERROR;
1178 return false;
1179 }
1180
1181 // If this is false then we should never have sent the SCT extension in the
1182 // ClientHello and thus this function should never have been called.
1183 assert(hs->config->signed_cert_timestamps_enabled);
1184
1185 if (!ssl_is_sct_list_valid(contents)) {
1186 *out_alert = SSL_AD_DECODE_ERROR;
1187 return false;
1188 }
1189
1190 // Session resumption uses the original session information. The extension
1191 // should not be sent on resumption, but RFC 6962 did not make it a
1192 // requirement, so tolerate this.
1193 //
1194 // TODO(davidben): Enforce this anyway.
1195 if (!ssl->s3->session_reused) {
1196 hs->new_session->signed_cert_timestamp_list.reset(
1197 CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool));
1198 if (hs->new_session->signed_cert_timestamp_list == nullptr) {
1199 *out_alert = SSL_AD_INTERNAL_ERROR;
1200 return false;
1201 }
1202 }
1203
1204 return true;
1205 }
1206
ext_sct_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1207 static bool ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1208 CBS *contents) {
1209 if (contents == NULL) {
1210 return true;
1211 }
1212
1213 if (CBS_len(contents) != 0) {
1214 return false;
1215 }
1216
1217 hs->scts_requested = true;
1218 return true;
1219 }
1220
ext_sct_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1221 static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1222 SSL *const ssl = hs->ssl;
1223 // The extension shouldn't be sent when resuming sessions.
1224 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || ssl->s3->session_reused ||
1225 hs->config->cert->signed_cert_timestamp_list == NULL) {
1226 return true;
1227 }
1228
1229 CBB contents;
1230 return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) &&
1231 CBB_add_u16_length_prefixed(out, &contents) &&
1232 CBB_add_bytes(
1233 &contents,
1234 CRYPTO_BUFFER_data(
1235 hs->config->cert->signed_cert_timestamp_list.get()),
1236 CRYPTO_BUFFER_len(
1237 hs->config->cert->signed_cert_timestamp_list.get())) &&
1238 CBB_flush(out);
1239 }
1240
1241
1242 // Application-level Protocol Negotiation.
1243 //
1244 // https://tools.ietf.org/html/rfc7301
1245
ext_alpn_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1246 static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1247 SSL *const ssl = hs->ssl;
1248 if (hs->config->alpn_client_proto_list.empty() ||
1249 ssl->s3->initial_handshake_complete) {
1250 return true;
1251 }
1252
1253 CBB contents, proto_list;
1254 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1255 !CBB_add_u16_length_prefixed(out, &contents) ||
1256 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1257 !CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(),
1258 hs->config->alpn_client_proto_list.size()) ||
1259 !CBB_flush(out)) {
1260 return false;
1261 }
1262
1263 return true;
1264 }
1265
ext_alpn_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1266 static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1267 CBS *contents) {
1268 SSL *const ssl = hs->ssl;
1269 if (contents == NULL) {
1270 return true;
1271 }
1272
1273 assert(!ssl->s3->initial_handshake_complete);
1274 assert(!hs->config->alpn_client_proto_list.empty());
1275
1276 if (hs->next_proto_neg_seen) {
1277 // NPN and ALPN may not be negotiated in the same connection.
1278 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1279 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1280 return false;
1281 }
1282
1283 // The extension data consists of a ProtocolNameList which must have
1284 // exactly one ProtocolName. Each of these is length-prefixed.
1285 CBS protocol_name_list, protocol_name;
1286 if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
1287 CBS_len(contents) != 0 ||
1288 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
1289 // Empty protocol names are forbidden.
1290 CBS_len(&protocol_name) == 0 ||
1291 CBS_len(&protocol_name_list) != 0) {
1292 return false;
1293 }
1294
1295 if (!ssl_is_alpn_protocol_allowed(hs, protocol_name)) {
1296 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1297 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1298 return false;
1299 }
1300
1301 if (!ssl->s3->alpn_selected.CopyFrom(protocol_name)) {
1302 *out_alert = SSL_AD_INTERNAL_ERROR;
1303 return false;
1304 }
1305
1306 return true;
1307 }
1308
ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE * hs,Span<const uint8_t> protocol)1309 bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
1310 Span<const uint8_t> protocol) {
1311 if (hs->config->alpn_client_proto_list.empty()) {
1312 return false;
1313 }
1314
1315 if (hs->ssl->ctx->allow_unknown_alpn_protos) {
1316 return true;
1317 }
1318
1319 // Check that the protocol name is one of the ones we advertised.
1320 CBS client_protocol_name_list =
1321 MakeConstSpan(hs->config->alpn_client_proto_list),
1322 client_protocol_name;
1323 while (CBS_len(&client_protocol_name_list) > 0) {
1324 if (!CBS_get_u8_length_prefixed(&client_protocol_name_list,
1325 &client_protocol_name)) {
1326 return false;
1327 }
1328
1329 if (client_protocol_name == protocol) {
1330 return true;
1331 }
1332 }
1333
1334 return false;
1335 }
1336
ssl_negotiate_alpn(SSL_HANDSHAKE * hs,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello)1337 bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1338 const SSL_CLIENT_HELLO *client_hello) {
1339 SSL *const ssl = hs->ssl;
1340 CBS contents;
1341 if (ssl->ctx->alpn_select_cb == NULL ||
1342 !ssl_client_hello_get_extension(
1343 client_hello, &contents,
1344 TLSEXT_TYPE_application_layer_protocol_negotiation)) {
1345 // Ignore ALPN if not configured or no extension was supplied.
1346 return true;
1347 }
1348
1349 // ALPN takes precedence over NPN.
1350 hs->next_proto_neg_seen = false;
1351
1352 CBS protocol_name_list;
1353 if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
1354 CBS_len(&contents) != 0 ||
1355 CBS_len(&protocol_name_list) < 2) {
1356 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1357 *out_alert = SSL_AD_DECODE_ERROR;
1358 return false;
1359 }
1360
1361 // Validate the protocol list.
1362 CBS protocol_name_list_copy = protocol_name_list;
1363 while (CBS_len(&protocol_name_list_copy) > 0) {
1364 CBS protocol_name;
1365
1366 if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
1367 // Empty protocol names are forbidden.
1368 CBS_len(&protocol_name) == 0) {
1369 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1370 *out_alert = SSL_AD_DECODE_ERROR;
1371 return false;
1372 }
1373 }
1374
1375 const uint8_t *selected;
1376 uint8_t selected_len;
1377 if (ssl->ctx->alpn_select_cb(
1378 ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
1379 CBS_len(&protocol_name_list),
1380 ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) {
1381 if (selected_len == 0) {
1382 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1383 *out_alert = SSL_AD_INTERNAL_ERROR;
1384 return false;
1385 }
1386 if (!ssl->s3->alpn_selected.CopyFrom(
1387 MakeConstSpan(selected, selected_len))) {
1388 *out_alert = SSL_AD_INTERNAL_ERROR;
1389 return false;
1390 }
1391 }
1392
1393 return true;
1394 }
1395
ext_alpn_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1396 static bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1397 SSL *const ssl = hs->ssl;
1398 if (ssl->s3->alpn_selected.empty()) {
1399 return true;
1400 }
1401
1402 CBB contents, proto_list, proto;
1403 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1404 !CBB_add_u16_length_prefixed(out, &contents) ||
1405 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1406 !CBB_add_u8_length_prefixed(&proto_list, &proto) ||
1407 !CBB_add_bytes(&proto, ssl->s3->alpn_selected.data(),
1408 ssl->s3->alpn_selected.size()) ||
1409 !CBB_flush(out)) {
1410 return false;
1411 }
1412
1413 return true;
1414 }
1415
1416
1417 // Channel ID.
1418 //
1419 // https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1420
ext_channel_id_init(SSL_HANDSHAKE * hs)1421 static void ext_channel_id_init(SSL_HANDSHAKE *hs) {
1422 hs->ssl->s3->channel_id_valid = false;
1423 }
1424
ext_channel_id_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1425 static bool ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1426 SSL *const ssl = hs->ssl;
1427 if (!hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {
1428 return true;
1429 }
1430
1431 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1432 !CBB_add_u16(out, 0 /* length */)) {
1433 return false;
1434 }
1435
1436 return true;
1437 }
1438
ext_channel_id_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1439 static bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,
1440 uint8_t *out_alert,
1441 CBS *contents) {
1442 SSL *const ssl = hs->ssl;
1443 if (contents == NULL) {
1444 return true;
1445 }
1446
1447 assert(!SSL_is_dtls(ssl));
1448 assert(hs->config->channel_id_enabled);
1449
1450 if (CBS_len(contents) != 0) {
1451 return false;
1452 }
1453
1454 ssl->s3->channel_id_valid = true;
1455 return true;
1456 }
1457
ext_channel_id_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1458 static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
1459 uint8_t *out_alert,
1460 CBS *contents) {
1461 SSL *const ssl = hs->ssl;
1462 if (contents == NULL || !hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {
1463 return true;
1464 }
1465
1466 if (CBS_len(contents) != 0) {
1467 return false;
1468 }
1469
1470 ssl->s3->channel_id_valid = true;
1471 return true;
1472 }
1473
ext_channel_id_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1474 static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1475 SSL *const ssl = hs->ssl;
1476 if (!ssl->s3->channel_id_valid) {
1477 return true;
1478 }
1479
1480 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1481 !CBB_add_u16(out, 0 /* length */)) {
1482 return false;
1483 }
1484
1485 return true;
1486 }
1487
1488
1489 // Secure Real-time Transport Protocol (SRTP) extension.
1490 //
1491 // https://tools.ietf.org/html/rfc5764
1492
1493
ext_srtp_init(SSL_HANDSHAKE * hs)1494 static void ext_srtp_init(SSL_HANDSHAKE *hs) {
1495 hs->ssl->s3->srtp_profile = NULL;
1496 }
1497
ext_srtp_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1498 static bool ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1499 SSL *const ssl = hs->ssl;
1500 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1501 if (profiles == NULL ||
1502 sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0) {
1503 return true;
1504 }
1505
1506 CBB contents, profile_ids;
1507 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1508 !CBB_add_u16_length_prefixed(out, &contents) ||
1509 !CBB_add_u16_length_prefixed(&contents, &profile_ids)) {
1510 return false;
1511 }
1512
1513 for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1514 if (!CBB_add_u16(&profile_ids, profile->id)) {
1515 return false;
1516 }
1517 }
1518
1519 if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) ||
1520 !CBB_flush(out)) {
1521 return false;
1522 }
1523
1524 return true;
1525 }
1526
ext_srtp_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1527 static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1528 CBS *contents) {
1529 SSL *const ssl = hs->ssl;
1530 if (contents == NULL) {
1531 return true;
1532 }
1533
1534 // The extension consists of a u16-prefixed profile ID list containing a
1535 // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
1536 //
1537 // See https://tools.ietf.org/html/rfc5764#section-4.1.1
1538 CBS profile_ids, srtp_mki;
1539 uint16_t profile_id;
1540 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1541 !CBS_get_u16(&profile_ids, &profile_id) ||
1542 CBS_len(&profile_ids) != 0 ||
1543 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1544 CBS_len(contents) != 0) {
1545 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1546 return false;
1547 }
1548
1549 if (CBS_len(&srtp_mki) != 0) {
1550 // Must be no MKI, since we never offer one.
1551 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);
1552 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1553 return false;
1554 }
1555
1556 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1557
1558 // Check to see if the server gave us something we support (and presumably
1559 // offered).
1560 for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1561 if (profile->id == profile_id) {
1562 ssl->s3->srtp_profile = profile;
1563 return true;
1564 }
1565 }
1566
1567 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1568 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1569 return false;
1570 }
1571
ext_srtp_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1572 static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1573 CBS *contents) {
1574 SSL *const ssl = hs->ssl;
1575 if (contents == NULL) {
1576 return true;
1577 }
1578
1579 CBS profile_ids, srtp_mki;
1580 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1581 CBS_len(&profile_ids) < 2 ||
1582 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1583 CBS_len(contents) != 0) {
1584 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1585 return false;
1586 }
1587 // Discard the MKI value for now.
1588
1589 const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =
1590 SSL_get_srtp_profiles(ssl);
1591
1592 // Pick the server's most preferred profile.
1593 for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) {
1594 CBS profile_ids_tmp;
1595 CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids));
1596
1597 while (CBS_len(&profile_ids_tmp) > 0) {
1598 uint16_t profile_id;
1599 if (!CBS_get_u16(&profile_ids_tmp, &profile_id)) {
1600 return false;
1601 }
1602
1603 if (server_profile->id == profile_id) {
1604 ssl->s3->srtp_profile = server_profile;
1605 return true;
1606 }
1607 }
1608 }
1609
1610 return true;
1611 }
1612
ext_srtp_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1613 static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1614 SSL *const ssl = hs->ssl;
1615 if (ssl->s3->srtp_profile == NULL) {
1616 return true;
1617 }
1618
1619 CBB contents, profile_ids;
1620 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1621 !CBB_add_u16_length_prefixed(out, &contents) ||
1622 !CBB_add_u16_length_prefixed(&contents, &profile_ids) ||
1623 !CBB_add_u16(&profile_ids, ssl->s3->srtp_profile->id) ||
1624 !CBB_add_u8(&contents, 0 /* empty MKI */) ||
1625 !CBB_flush(out)) {
1626 return false;
1627 }
1628
1629 return true;
1630 }
1631
1632
1633 // EC point formats.
1634 //
1635 // https://tools.ietf.org/html/rfc4492#section-5.1.2
1636
ext_ec_point_add_extension(SSL_HANDSHAKE * hs,CBB * out)1637 static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
1638 CBB contents, formats;
1639 if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) ||
1640 !CBB_add_u16_length_prefixed(out, &contents) ||
1641 !CBB_add_u8_length_prefixed(&contents, &formats) ||
1642 !CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) ||
1643 !CBB_flush(out)) {
1644 return false;
1645 }
1646
1647 return true;
1648 }
1649
ext_ec_point_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1650 static bool ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1651 // The point format extension is unnecessary in TLS 1.3.
1652 if (hs->min_version >= TLS1_3_VERSION) {
1653 return true;
1654 }
1655
1656 return ext_ec_point_add_extension(hs, out);
1657 }
1658
ext_ec_point_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1659 static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1660 CBS *contents) {
1661 if (contents == NULL) {
1662 return true;
1663 }
1664
1665 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1666 return false;
1667 }
1668
1669 CBS ec_point_format_list;
1670 if (!CBS_get_u8_length_prefixed(contents, &ec_point_format_list) ||
1671 CBS_len(contents) != 0) {
1672 return false;
1673 }
1674
1675 // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
1676 // point format.
1677 if (OPENSSL_memchr(CBS_data(&ec_point_format_list),
1678 TLSEXT_ECPOINTFORMAT_uncompressed,
1679 CBS_len(&ec_point_format_list)) == NULL) {
1680 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1681 return false;
1682 }
1683
1684 return true;
1685 }
1686
ext_ec_point_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1687 static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1688 CBS *contents) {
1689 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1690 return true;
1691 }
1692
1693 return ext_ec_point_parse_serverhello(hs, out_alert, contents);
1694 }
1695
ext_ec_point_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1696 static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1697 SSL *const ssl = hs->ssl;
1698 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1699 return true;
1700 }
1701
1702 const uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1703 const uint32_t alg_a = hs->new_cipher->algorithm_auth;
1704 const bool using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1705
1706 if (!using_ecc) {
1707 return true;
1708 }
1709
1710 return ext_ec_point_add_extension(hs, out);
1711 }
1712
1713
1714 // Pre Shared Key
1715 //
1716 // https://tools.ietf.org/html/rfc8446#section-4.2.11
1717
ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE * hs)1718 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
1719 SSL *const ssl = hs->ssl;
1720 if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
1721 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
1722 return 0;
1723 }
1724
1725 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
1726 return 15 + ssl->session->ticket.size() + binder_len;
1727 }
1728
ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1729 static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1730 SSL *const ssl = hs->ssl;
1731 hs->needs_psk_binder = false;
1732 if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
1733 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
1734 return true;
1735 }
1736
1737 // Per RFC 8446 section 4.1.4, skip offering the session if the selected
1738 // cipher in HelloRetryRequest does not match. This avoids performing the
1739 // transcript hash transformation for multiple hashes.
1740 if (ssl->s3 && ssl->s3->used_hello_retry_request &&
1741 ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
1742 return true;
1743 }
1744
1745 struct OPENSSL_timeval now;
1746 ssl_get_current_time(ssl, &now);
1747 uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time);
1748 uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add;
1749
1750 // Fill in a placeholder zero binder of the appropriate length. It will be
1751 // computed and filled in later after length prefixes are computed.
1752 uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
1753 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
1754
1755 CBB contents, identity, ticket, binders, binder;
1756 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1757 !CBB_add_u16_length_prefixed(out, &contents) ||
1758 !CBB_add_u16_length_prefixed(&contents, &identity) ||
1759 !CBB_add_u16_length_prefixed(&identity, &ticket) ||
1760 !CBB_add_bytes(&ticket, ssl->session->ticket.data(),
1761 ssl->session->ticket.size()) ||
1762 !CBB_add_u32(&identity, obfuscated_ticket_age) ||
1763 !CBB_add_u16_length_prefixed(&contents, &binders) ||
1764 !CBB_add_u8_length_prefixed(&binders, &binder) ||
1765 !CBB_add_bytes(&binder, zero_binder, binder_len)) {
1766 return false;
1767 }
1768
1769 hs->needs_psk_binder = true;
1770 return CBB_flush(out);
1771 }
1772
ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1773 bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
1774 uint8_t *out_alert,
1775 CBS *contents) {
1776 uint16_t psk_id;
1777 if (!CBS_get_u16(contents, &psk_id) ||
1778 CBS_len(contents) != 0) {
1779 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1780 *out_alert = SSL_AD_DECODE_ERROR;
1781 return false;
1782 }
1783
1784 // We only advertise one PSK identity, so the only legal index is zero.
1785 if (psk_id != 0) {
1786 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1787 *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY;
1788 return false;
1789 }
1790
1791 return true;
1792 }
1793
ssl_ext_pre_shared_key_parse_clienthello(SSL_HANDSHAKE * hs,CBS * out_ticket,CBS * out_binders,uint32_t * out_obfuscated_ticket_age,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello,CBS * contents)1794 bool ssl_ext_pre_shared_key_parse_clienthello(
1795 SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,
1796 uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert,
1797 const SSL_CLIENT_HELLO *client_hello, CBS *contents) {
1798 // Verify that the pre_shared_key extension is the last extension in
1799 // ClientHello.
1800 if (CBS_data(contents) + CBS_len(contents) !=
1801 client_hello->extensions + client_hello->extensions_len) {
1802 OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
1803 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1804 return false;
1805 }
1806
1807 // We only process the first PSK identity since we don't support pure PSK.
1808 CBS identities, binders;
1809 if (!CBS_get_u16_length_prefixed(contents, &identities) ||
1810 !CBS_get_u16_length_prefixed(&identities, out_ticket) ||
1811 !CBS_get_u32(&identities, out_obfuscated_ticket_age) ||
1812 !CBS_get_u16_length_prefixed(contents, &binders) ||
1813 CBS_len(&binders) == 0 ||
1814 CBS_len(contents) != 0) {
1815 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1816 *out_alert = SSL_AD_DECODE_ERROR;
1817 return false;
1818 }
1819
1820 *out_binders = binders;
1821
1822 // Check the syntax of the remaining identities, but do not process them.
1823 size_t num_identities = 1;
1824 while (CBS_len(&identities) != 0) {
1825 CBS unused_ticket;
1826 uint32_t unused_obfuscated_ticket_age;
1827 if (!CBS_get_u16_length_prefixed(&identities, &unused_ticket) ||
1828 !CBS_get_u32(&identities, &unused_obfuscated_ticket_age)) {
1829 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1830 *out_alert = SSL_AD_DECODE_ERROR;
1831 return false;
1832 }
1833
1834 num_identities++;
1835 }
1836
1837 // Check the syntax of the binders. The value will be checked later if
1838 // resuming.
1839 size_t num_binders = 0;
1840 while (CBS_len(&binders) != 0) {
1841 CBS binder;
1842 if (!CBS_get_u8_length_prefixed(&binders, &binder)) {
1843 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1844 *out_alert = SSL_AD_DECODE_ERROR;
1845 return false;
1846 }
1847
1848 num_binders++;
1849 }
1850
1851 if (num_identities != num_binders) {
1852 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH);
1853 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1854 return false;
1855 }
1856
1857 return true;
1858 }
1859
ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1860 bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1861 if (!hs->ssl->s3->session_reused) {
1862 return true;
1863 }
1864
1865 CBB contents;
1866 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1867 !CBB_add_u16_length_prefixed(out, &contents) ||
1868 // We only consider the first identity for resumption
1869 !CBB_add_u16(&contents, 0) ||
1870 !CBB_flush(out)) {
1871 return false;
1872 }
1873
1874 return true;
1875 }
1876
1877
1878 // Pre-Shared Key Exchange Modes
1879 //
1880 // https://tools.ietf.org/html/rfc8446#section-4.2.9
1881
ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1882 static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
1883 CBB *out) {
1884 if (hs->max_version < TLS1_3_VERSION) {
1885 return true;
1886 }
1887
1888 CBB contents, ke_modes;
1889 if (!CBB_add_u16(out, TLSEXT_TYPE_psk_key_exchange_modes) ||
1890 !CBB_add_u16_length_prefixed(out, &contents) ||
1891 !CBB_add_u8_length_prefixed(&contents, &ke_modes) ||
1892 !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) {
1893 return false;
1894 }
1895
1896 return CBB_flush(out);
1897 }
1898
ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1899 static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
1900 uint8_t *out_alert,
1901 CBS *contents) {
1902 if (contents == NULL) {
1903 return true;
1904 }
1905
1906 CBS ke_modes;
1907 if (!CBS_get_u8_length_prefixed(contents, &ke_modes) ||
1908 CBS_len(&ke_modes) == 0 ||
1909 CBS_len(contents) != 0) {
1910 *out_alert = SSL_AD_DECODE_ERROR;
1911 return false;
1912 }
1913
1914 // We only support tickets with PSK_DHE_KE.
1915 hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE,
1916 CBS_len(&ke_modes)) != NULL;
1917
1918 return true;
1919 }
1920
1921
1922 // Early Data Indication
1923 //
1924 // https://tools.ietf.org/html/rfc8446#section-4.2.10
1925
ext_early_data_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1926 static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1927 SSL *const ssl = hs->ssl;
1928 // The second ClientHello never offers early data, and we must have already
1929 // filled in |early_data_reason| by this point.
1930 if (ssl->s3->used_hello_retry_request) {
1931 assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
1932 return true;
1933 }
1934
1935 if (!ssl->enable_early_data) {
1936 ssl->s3->early_data_reason = ssl_early_data_disabled;
1937 return true;
1938 }
1939
1940 if (hs->max_version < TLS1_3_VERSION) {
1941 // We discard inapplicable sessions, so this is redundant with the session
1942 // checks below, but we check give a more useful reason.
1943 ssl->s3->early_data_reason = ssl_early_data_protocol_version;
1944 return true;
1945 }
1946
1947 if (ssl->session == nullptr) {
1948 ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
1949 return true;
1950 }
1951
1952 if (ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
1953 ssl->session->ticket_max_early_data == 0) {
1954 ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
1955 return true;
1956 }
1957
1958 // In case ALPN preferences changed since this session was established, avoid
1959 // reporting a confusing value in |SSL_get0_alpn_selected| and sending early
1960 // data we know will be rejected.
1961 if (!ssl->session->early_alpn.empty() &&
1962 !ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn)) {
1963 ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;
1964 return true;
1965 }
1966
1967 // |early_data_reason| will be filled in later when the server responds.
1968 hs->early_data_offered = true;
1969
1970 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
1971 !CBB_add_u16(out, 0) ||
1972 !CBB_flush(out)) {
1973 return false;
1974 }
1975
1976 return true;
1977 }
1978
ext_early_data_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1979 static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
1980 uint8_t *out_alert,
1981 CBS *contents) {
1982 SSL *const ssl = hs->ssl;
1983 if (contents == NULL) {
1984 if (hs->early_data_offered && !ssl->s3->used_hello_retry_request) {
1985 ssl->s3->early_data_reason = ssl->s3->session_reused
1986 ? ssl_early_data_peer_declined
1987 : ssl_early_data_session_not_resumed;
1988 } else {
1989 // We already filled in |early_data_reason| when declining to offer 0-RTT
1990 // or handling the implicit HelloRetryRequest reject.
1991 assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
1992 }
1993 return true;
1994 }
1995
1996 // If we received an HRR, the second ClientHello never offers early data, so
1997 // the extensions logic will automatically reject early data extensions as
1998 // unsolicited. This covered by the ServerAcceptsEarlyDataOnHRR test.
1999 assert(!ssl->s3->used_hello_retry_request);
2000
2001 if (CBS_len(contents) != 0) {
2002 *out_alert = SSL_AD_DECODE_ERROR;
2003 return false;
2004 }
2005
2006 if (!ssl->s3->session_reused) {
2007 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2008 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
2009 return false;
2010 }
2011
2012 ssl->s3->early_data_reason = ssl_early_data_accepted;
2013 ssl->s3->early_data_accepted = true;
2014 return true;
2015 }
2016
ext_early_data_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2017 static bool ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs,
2018 uint8_t *out_alert, CBS *contents) {
2019 SSL *const ssl = hs->ssl;
2020 if (contents == NULL ||
2021 ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2022 return true;
2023 }
2024
2025 if (CBS_len(contents) != 0) {
2026 *out_alert = SSL_AD_DECODE_ERROR;
2027 return false;
2028 }
2029
2030 hs->early_data_offered = true;
2031 return true;
2032 }
2033
ext_early_data_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2034 static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2035 if (!hs->ssl->s3->early_data_accepted) {
2036 return true;
2037 }
2038
2039 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2040 !CBB_add_u16(out, 0) ||
2041 !CBB_flush(out)) {
2042 return false;
2043 }
2044
2045 return true;
2046 }
2047
2048
2049 // Key Share
2050 //
2051 // https://tools.ietf.org/html/rfc8446#section-4.2.8
2052
ext_key_share_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2053 static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2054 SSL *const ssl = hs->ssl;
2055 if (hs->max_version < TLS1_3_VERSION) {
2056 return true;
2057 }
2058
2059 CBB contents, kse_bytes;
2060 if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2061 !CBB_add_u16_length_prefixed(out, &contents) ||
2062 !CBB_add_u16_length_prefixed(&contents, &kse_bytes)) {
2063 return false;
2064 }
2065
2066 uint16_t group_id = hs->retry_group;
2067 uint16_t second_group_id = 0;
2068 if (ssl->s3 && ssl->s3->used_hello_retry_request) {
2069 // We received a HelloRetryRequest without a new curve, so there is no new
2070 // share to append. Leave |hs->key_share| as-is.
2071 if (group_id == 0 &&
2072 !CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(),
2073 hs->key_share_bytes.size())) {
2074 return false;
2075 }
2076 hs->key_share_bytes.Reset();
2077 if (group_id == 0) {
2078 return CBB_flush(out);
2079 }
2080 } else {
2081 // Add a fake group. See draft-davidben-tls-grease-01.
2082 if (ssl->ctx->grease_enabled &&
2083 (!CBB_add_u16(&kse_bytes,
2084 ssl_get_grease_value(hs, ssl_grease_group)) ||
2085 !CBB_add_u16(&kse_bytes, 1 /* length */) ||
2086 !CBB_add_u8(&kse_bytes, 0 /* one byte key share */))) {
2087 return false;
2088 }
2089
2090 // Predict the most preferred group.
2091 Span<const uint16_t> groups = tls1_get_grouplist(hs);
2092 if (groups.empty()) {
2093 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED);
2094 return false;
2095 }
2096
2097 group_id = groups[0];
2098
2099 if (is_post_quantum_group(group_id) && groups.size() >= 2) {
2100 // CECPQ2(b) is not sent as the only initial key share. We'll include the
2101 // 2nd preference group too to avoid round-trips.
2102 second_group_id = groups[1];
2103 assert(second_group_id != group_id);
2104 }
2105 }
2106
2107 CBB key_exchange;
2108 hs->key_shares[0] = SSLKeyShare::Create(group_id);
2109 if (!hs->key_shares[0] ||
2110 !CBB_add_u16(&kse_bytes, group_id) ||
2111 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2112 !hs->key_shares[0]->Offer(&key_exchange) ||
2113 !CBB_flush(&kse_bytes)) {
2114 return false;
2115 }
2116
2117 if (second_group_id != 0) {
2118 hs->key_shares[1] = SSLKeyShare::Create(second_group_id);
2119 if (!hs->key_shares[1] ||
2120 !CBB_add_u16(&kse_bytes, second_group_id) ||
2121 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2122 !hs->key_shares[1]->Offer(&key_exchange) ||
2123 !CBB_flush(&kse_bytes)) {
2124 return false;
2125 }
2126 }
2127
2128 // Save the contents of the extension to repeat it in the second
2129 // ClientHello.
2130 if (ssl->s3 && !ssl->s3->used_hello_retry_request &&
2131 !hs->key_share_bytes.CopyFrom(
2132 MakeConstSpan(CBB_data(&kse_bytes), CBB_len(&kse_bytes)))) {
2133 return false;
2134 }
2135
2136 return CBB_flush(out);
2137 }
2138
ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE * hs,Array<uint8_t> * out_secret,uint8_t * out_alert,CBS * contents)2139 bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
2140 Array<uint8_t> *out_secret,
2141 uint8_t *out_alert, CBS *contents) {
2142 CBS peer_key;
2143 uint16_t group_id;
2144 if (!CBS_get_u16(contents, &group_id) ||
2145 !CBS_get_u16_length_prefixed(contents, &peer_key) ||
2146 CBS_len(contents) != 0) {
2147 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2148 *out_alert = SSL_AD_DECODE_ERROR;
2149 return false;
2150 }
2151
2152 SSLKeyShare *key_share = hs->key_shares[0].get();
2153 if (key_share->GroupID() != group_id) {
2154 if (!hs->key_shares[1] || hs->key_shares[1]->GroupID() != group_id) {
2155 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2156 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
2157 return false;
2158 }
2159 key_share = hs->key_shares[1].get();
2160 }
2161
2162 if (!key_share->Finish(out_secret, out_alert, peer_key)) {
2163 *out_alert = SSL_AD_INTERNAL_ERROR;
2164 return false;
2165 }
2166
2167 hs->new_session->group_id = group_id;
2168 hs->key_shares[0].reset();
2169 hs->key_shares[1].reset();
2170 return true;
2171 }
2172
ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE * hs,bool * out_found,Array<uint8_t> * out_secret,uint8_t * out_alert,CBS * contents)2173 bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
2174 Array<uint8_t> *out_secret,
2175 uint8_t *out_alert, CBS *contents) {
2176 uint16_t group_id;
2177 CBS key_shares;
2178 if (!tls1_get_shared_group(hs, &group_id)) {
2179 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
2180 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
2181 return false;
2182 }
2183
2184 if (!CBS_get_u16_length_prefixed(contents, &key_shares) ||
2185 CBS_len(contents) != 0) {
2186 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2187 return false;
2188 }
2189
2190 // Find the corresponding key share.
2191 CBS peer_key;
2192 CBS_init(&peer_key, NULL, 0);
2193 while (CBS_len(&key_shares) > 0) {
2194 uint16_t id;
2195 CBS peer_key_tmp;
2196 if (!CBS_get_u16(&key_shares, &id) ||
2197 !CBS_get_u16_length_prefixed(&key_shares, &peer_key_tmp) ||
2198 CBS_len(&peer_key_tmp) == 0) {
2199 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2200 return false;
2201 }
2202
2203 if (id == group_id) {
2204 if (CBS_len(&peer_key) != 0) {
2205 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_KEY_SHARE);
2206 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2207 return false;
2208 }
2209
2210 peer_key = peer_key_tmp;
2211 // Continue parsing the structure to keep peers honest.
2212 }
2213 }
2214
2215 if (CBS_len(&peer_key) == 0) {
2216 *out_found = false;
2217 out_secret->Reset();
2218 return true;
2219 }
2220
2221 // Compute the DH secret.
2222 Array<uint8_t> secret;
2223 ScopedCBB public_key;
2224 UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
2225 if (!key_share ||
2226 !CBB_init(public_key.get(), 32) ||
2227 !key_share->Accept(public_key.get(), &secret, out_alert, peer_key) ||
2228 !CBBFinishArray(public_key.get(), &hs->ecdh_public_key)) {
2229 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2230 return false;
2231 }
2232
2233 *out_secret = std::move(secret);
2234 *out_found = true;
2235 return true;
2236 }
2237
ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2238 bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2239 uint16_t group_id;
2240 CBB kse_bytes, public_key;
2241 if (!tls1_get_shared_group(hs, &group_id) ||
2242 !CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2243 !CBB_add_u16_length_prefixed(out, &kse_bytes) ||
2244 !CBB_add_u16(&kse_bytes, group_id) ||
2245 !CBB_add_u16_length_prefixed(&kse_bytes, &public_key) ||
2246 !CBB_add_bytes(&public_key, hs->ecdh_public_key.data(),
2247 hs->ecdh_public_key.size()) ||
2248 !CBB_flush(out)) {
2249 return false;
2250 }
2251
2252 hs->ecdh_public_key.Reset();
2253
2254 hs->new_session->group_id = group_id;
2255 return true;
2256 }
2257
2258
2259 // Supported Versions
2260 //
2261 // https://tools.ietf.org/html/rfc8446#section-4.2.1
2262
ext_supported_versions_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2263 static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2264 SSL *const ssl = hs->ssl;
2265 if (hs->max_version <= TLS1_2_VERSION) {
2266 return true;
2267 }
2268
2269 CBB contents, versions;
2270 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
2271 !CBB_add_u16_length_prefixed(out, &contents) ||
2272 !CBB_add_u8_length_prefixed(&contents, &versions)) {
2273 return false;
2274 }
2275
2276 // Add a fake version. See draft-davidben-tls-grease-01.
2277 if (ssl->ctx->grease_enabled &&
2278 !CBB_add_u16(&versions, ssl_get_grease_value(hs, ssl_grease_version))) {
2279 return false;
2280 }
2281
2282 if (!ssl_add_supported_versions(hs, &versions) ||
2283 !CBB_flush(out)) {
2284 return false;
2285 }
2286
2287 return true;
2288 }
2289
2290
2291 // Cookie
2292 //
2293 // https://tools.ietf.org/html/rfc8446#section-4.2.2
2294
ext_cookie_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2295 static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2296 if (hs->cookie.empty()) {
2297 return true;
2298 }
2299
2300 CBB contents, cookie;
2301 if (!CBB_add_u16(out, TLSEXT_TYPE_cookie) ||
2302 !CBB_add_u16_length_prefixed(out, &contents) ||
2303 !CBB_add_u16_length_prefixed(&contents, &cookie) ||
2304 !CBB_add_bytes(&cookie, hs->cookie.data(), hs->cookie.size()) ||
2305 !CBB_flush(out)) {
2306 return false;
2307 }
2308
2309 // The cookie is no longer needed in memory.
2310 hs->cookie.Reset();
2311 return true;
2312 }
2313
2314
2315 // Supported Groups
2316 //
2317 // https://tools.ietf.org/html/rfc4492#section-5.1.1
2318 // https://tools.ietf.org/html/rfc8446#section-4.2.7
2319
ext_supported_groups_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2320 static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2321 SSL *const ssl = hs->ssl;
2322 CBB contents, groups_bytes;
2323 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_groups) ||
2324 !CBB_add_u16_length_prefixed(out, &contents) ||
2325 !CBB_add_u16_length_prefixed(&contents, &groups_bytes)) {
2326 return false;
2327 }
2328
2329 // Add a fake group. See draft-davidben-tls-grease-01.
2330 if (ssl->ctx->grease_enabled &&
2331 !CBB_add_u16(&groups_bytes,
2332 ssl_get_grease_value(hs, ssl_grease_group))) {
2333 return false;
2334 }
2335
2336 for (uint16_t group : tls1_get_grouplist(hs)) {
2337 if (is_post_quantum_group(group) &&
2338 hs->max_version < TLS1_3_VERSION) {
2339 continue;
2340 }
2341 if (!CBB_add_u16(&groups_bytes, group)) {
2342 return false;
2343 }
2344 }
2345
2346 return CBB_flush(out);
2347 }
2348
ext_supported_groups_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2349 static bool ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
2350 uint8_t *out_alert,
2351 CBS *contents) {
2352 // This extension is not expected to be echoed by servers in TLS 1.2, but some
2353 // BigIP servers send it nonetheless, so do not enforce this.
2354 return true;
2355 }
2356
parse_u16_array(const CBS * cbs,Array<uint16_t> * out)2357 static bool parse_u16_array(const CBS *cbs, Array<uint16_t> *out) {
2358 CBS copy = *cbs;
2359 if ((CBS_len(©) & 1) != 0) {
2360 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2361 return false;
2362 }
2363
2364 Array<uint16_t> ret;
2365 if (!ret.Init(CBS_len(©) / 2)) {
2366 return false;
2367 }
2368 for (size_t i = 0; i < ret.size(); i++) {
2369 if (!CBS_get_u16(©, &ret[i])) {
2370 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2371 return false;
2372 }
2373 }
2374
2375 assert(CBS_len(©) == 0);
2376 *out = std::move(ret);
2377 return 1;
2378 }
2379
ext_supported_groups_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2380 static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,
2381 uint8_t *out_alert,
2382 CBS *contents) {
2383 if (contents == NULL) {
2384 return true;
2385 }
2386
2387 CBS supported_group_list;
2388 if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) ||
2389 CBS_len(&supported_group_list) == 0 ||
2390 CBS_len(contents) != 0 ||
2391 !parse_u16_array(&supported_group_list, &hs->peer_supported_group_list)) {
2392 return false;
2393 }
2394
2395 return true;
2396 }
2397
2398 // Token Binding
2399 //
2400 // https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-10
2401
2402 // The Token Binding version number currently matches the draft number of
2403 // draft-ietf-tokbind-protocol, and when published as an RFC it will be 0x0100.
2404 // Since there are no wire changes to the protocol from draft 13 through the
2405 // current draft (16), this implementation supports all versions in that range.
2406 static uint16_t kTokenBindingMaxVersion = 16;
2407 static uint16_t kTokenBindingMinVersion = 13;
2408
ext_token_binding_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2409 static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2410 SSL *const ssl = hs->ssl;
2411 if (hs->config->token_binding_params.empty() || SSL_is_dtls(ssl)) {
2412 return true;
2413 }
2414
2415 CBB contents, params;
2416 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2417 !CBB_add_u16_length_prefixed(out, &contents) ||
2418 !CBB_add_u16(&contents, kTokenBindingMaxVersion) ||
2419 !CBB_add_u8_length_prefixed(&contents, ¶ms) ||
2420 !CBB_add_bytes(¶ms, hs->config->token_binding_params.data(),
2421 hs->config->token_binding_params.size()) ||
2422 !CBB_flush(out)) {
2423 return false;
2424 }
2425
2426 return true;
2427 }
2428
ext_token_binding_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2429 static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs,
2430 uint8_t *out_alert,
2431 CBS *contents) {
2432 SSL *const ssl = hs->ssl;
2433 if (contents == nullptr) {
2434 return true;
2435 }
2436
2437 CBS params_list;
2438 uint16_t version;
2439 uint8_t param;
2440 if (!CBS_get_u16(contents, &version) ||
2441 !CBS_get_u8_length_prefixed(contents, ¶ms_list) ||
2442 !CBS_get_u8(¶ms_list, ¶m) ||
2443 CBS_len(¶ms_list) > 0 ||
2444 CBS_len(contents) > 0) {
2445 *out_alert = SSL_AD_DECODE_ERROR;
2446 return false;
2447 }
2448
2449 // The server-negotiated version must be less than or equal to our version.
2450 if (version > kTokenBindingMaxVersion) {
2451 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2452 return false;
2453 }
2454
2455 // If the server-selected version is less than what we support, then Token
2456 // Binding wasn't negotiated (but the extension was parsed successfully).
2457 if (version < kTokenBindingMinVersion) {
2458 return true;
2459 }
2460
2461 for (uint8_t config_param : hs->config->token_binding_params) {
2462 if (param == config_param) {
2463 ssl->s3->negotiated_token_binding_param = param;
2464 ssl->s3->token_binding_negotiated = true;
2465 return true;
2466 }
2467 }
2468
2469 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2470 return false;
2471 }
2472
2473 // select_tb_param looks for the first token binding param in
2474 // |hs->ssl->token_binding_params| that is also in |params| and puts it in
2475 // |hs->ssl->negotiated_token_binding_param|. It returns true if a token binding
2476 // param is found, and false otherwise.
select_tb_param(SSL_HANDSHAKE * hs,Span<const uint8_t> peer_params)2477 static bool select_tb_param(SSL_HANDSHAKE *hs,
2478 Span<const uint8_t> peer_params) {
2479 for (uint8_t tb_param : hs->config->token_binding_params) {
2480 for (uint8_t peer_param : peer_params) {
2481 if (tb_param == peer_param) {
2482 hs->ssl->s3->negotiated_token_binding_param = tb_param;
2483 return true;
2484 }
2485 }
2486 }
2487 return false;
2488 }
2489
ext_token_binding_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2490 static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs,
2491 uint8_t *out_alert,
2492 CBS *contents) {
2493 SSL *const ssl = hs->ssl;
2494 if (contents == nullptr || hs->config->token_binding_params.empty()) {
2495 return true;
2496 }
2497
2498 CBS params;
2499 uint16_t version;
2500 if (!CBS_get_u16(contents, &version) ||
2501 !CBS_get_u8_length_prefixed(contents, ¶ms) ||
2502 CBS_len(¶ms) == 0 ||
2503 CBS_len(contents) > 0) {
2504 *out_alert = SSL_AD_DECODE_ERROR;
2505 return false;
2506 }
2507
2508 // If the client-selected version is less than what we support, then Token
2509 // Binding wasn't negotiated (but the extension was parsed successfully).
2510 if (version < kTokenBindingMinVersion) {
2511 return true;
2512 }
2513
2514 // If the client-selected version is higher than we support, use our max
2515 // version. Otherwise, use the client's version.
2516 hs->negotiated_token_binding_version =
2517 std::min(version, kTokenBindingMaxVersion);
2518 if (!select_tb_param(hs, params)) {
2519 return true;
2520 }
2521
2522 ssl->s3->token_binding_negotiated = true;
2523 return true;
2524 }
2525
ext_token_binding_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2526 static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2527 SSL *const ssl = hs->ssl;
2528
2529 if (!ssl->s3->token_binding_negotiated) {
2530 return true;
2531 }
2532
2533 CBB contents, params;
2534 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2535 !CBB_add_u16_length_prefixed(out, &contents) ||
2536 !CBB_add_u16(&contents, hs->negotiated_token_binding_version) ||
2537 !CBB_add_u8_length_prefixed(&contents, ¶ms) ||
2538 !CBB_add_u8(¶ms, ssl->s3->negotiated_token_binding_param) ||
2539 !CBB_flush(out)) {
2540 return false;
2541 }
2542
2543 return true;
2544 }
2545
2546 // QUIC Transport Parameters
2547
ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2548 static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
2549 CBB *out) {
2550 if (hs->config->quic_transport_params.empty() && !hs->ssl->quic_method) {
2551 return true;
2552 }
2553 if (hs->config->quic_transport_params.empty() || !hs->ssl->quic_method) {
2554 // QUIC Transport Parameters must be sent over QUIC, and they must not be
2555 // sent over non-QUIC transports. If transport params are set, then
2556 // SSL(_CTX)_set_quic_method must also be called.
2557 OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
2558 return false;
2559 }
2560 assert(hs->min_version > TLS1_2_VERSION);
2561
2562 CBB contents;
2563 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2564 !CBB_add_u16_length_prefixed(out, &contents) ||
2565 !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
2566 hs->config->quic_transport_params.size()) ||
2567 !CBB_flush(out)) {
2568 return false;
2569 }
2570 return true;
2571 }
2572
ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2573 static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
2574 uint8_t *out_alert,
2575 CBS *contents) {
2576 SSL *const ssl = hs->ssl;
2577 if (contents == nullptr) {
2578 if (!ssl->quic_method) {
2579 return true;
2580 }
2581 assert(ssl->quic_method);
2582 *out_alert = SSL_AD_MISSING_EXTENSION;
2583 return false;
2584 }
2585 if (!ssl->quic_method) {
2586 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2587 return false;
2588 }
2589 // QUIC requires TLS 1.3.
2590 assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
2591
2592 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2593 }
2594
ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2595 static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
2596 uint8_t *out_alert,
2597 CBS *contents) {
2598 SSL *const ssl = hs->ssl;
2599 if (!contents) {
2600 if (!ssl->quic_method) {
2601 if (hs->config->quic_transport_params.empty()) {
2602 return true;
2603 }
2604 // QUIC transport parameters must not be set if |ssl| is not configured
2605 // for QUIC.
2606 OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
2607 *out_alert = SSL_AD_INTERNAL_ERROR;
2608 }
2609 *out_alert = SSL_AD_MISSING_EXTENSION;
2610 return false;
2611 }
2612 if (!ssl->quic_method) {
2613 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2614 return false;
2615 }
2616 assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);
2617 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2618 }
2619
ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2620 static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
2621 CBB *out) {
2622 assert(hs->ssl->quic_method != nullptr);
2623 if (hs->config->quic_transport_params.empty()) {
2624 // Transport parameters must be set when using QUIC.
2625 OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);
2626 return false;
2627 }
2628
2629 CBB contents;
2630 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2631 !CBB_add_u16_length_prefixed(out, &contents) ||
2632 !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
2633 hs->config->quic_transport_params.size()) ||
2634 !CBB_flush(out)) {
2635 return false;
2636 }
2637
2638 return true;
2639 }
2640
2641 // Delegated credentials.
2642 //
2643 // https://tools.ietf.org/html/draft-ietf-tls-subcerts
2644
ext_delegated_credential_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2645 static bool ext_delegated_credential_add_clienthello(SSL_HANDSHAKE *hs,
2646 CBB *out) {
2647 return true;
2648 }
2649
ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2650 static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs,
2651 uint8_t *out_alert,
2652 CBS *contents) {
2653 assert(TLSEXT_TYPE_delegated_credential == 0xff02);
2654 // TODO: Check that the extension is empty.
2655 //
2656 // As of draft-03, the client sends an empty extension in order indicate
2657 // support for delegated credentials. This could change, however, since the
2658 // spec is not yet finalized. This assertion is here to remind us to enforce
2659 // this check once the extension ID is assigned.
2660
2661 if (contents == nullptr || ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
2662 // Don't use delegated credentials unless we're negotiating TLS 1.3 or
2663 // higher.
2664 return true;
2665 }
2666
2667 hs->delegated_credential_requested = true;
2668 return true;
2669 }
2670
2671 // Certificate compression
2672
cert_compression_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2673 static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2674 bool first = true;
2675 CBB contents, algs;
2676
2677 for (const auto &alg : hs->ssl->ctx->cert_compression_algs) {
2678 if (alg.decompress == nullptr) {
2679 continue;
2680 }
2681
2682 if (first && (!CBB_add_u16(out, TLSEXT_TYPE_cert_compression) ||
2683 !CBB_add_u16_length_prefixed(out, &contents) ||
2684 !CBB_add_u8_length_prefixed(&contents, &algs))) {
2685 return false;
2686 }
2687 first = false;
2688 if (!CBB_add_u16(&algs, alg.alg_id)) {
2689 return false;
2690 }
2691 }
2692
2693 return first || CBB_flush(out);
2694 }
2695
cert_compression_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2696 static bool cert_compression_parse_serverhello(SSL_HANDSHAKE *hs,
2697 uint8_t *out_alert,
2698 CBS *contents) {
2699 if (contents == nullptr) {
2700 return true;
2701 }
2702
2703 // The server may not echo this extension. Any server to client negotiation is
2704 // advertised in the CertificateRequest message.
2705 return false;
2706 }
2707
cert_compression_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2708 static bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs,
2709 uint8_t *out_alert,
2710 CBS *contents) {
2711 if (contents == nullptr) {
2712 return true;
2713 }
2714
2715 const SSL_CTX *ctx = hs->ssl->ctx.get();
2716 const size_t num_algs = ctx->cert_compression_algs.size();
2717
2718 CBS alg_ids;
2719 if (!CBS_get_u8_length_prefixed(contents, &alg_ids) ||
2720 CBS_len(contents) != 0 ||
2721 CBS_len(&alg_ids) == 0 ||
2722 CBS_len(&alg_ids) % 2 == 1) {
2723 return false;
2724 }
2725
2726 const size_t num_given_alg_ids = CBS_len(&alg_ids) / 2;
2727 Array<uint16_t> given_alg_ids;
2728 if (!given_alg_ids.Init(num_given_alg_ids)) {
2729 return false;
2730 }
2731
2732 size_t best_index = num_algs;
2733 size_t given_alg_idx = 0;
2734
2735 while (CBS_len(&alg_ids) > 0) {
2736 uint16_t alg_id;
2737 if (!CBS_get_u16(&alg_ids, &alg_id)) {
2738 return false;
2739 }
2740
2741 given_alg_ids[given_alg_idx++] = alg_id;
2742
2743 for (size_t i = 0; i < num_algs; i++) {
2744 const auto &alg = ctx->cert_compression_algs[i];
2745 if (alg.alg_id == alg_id && alg.compress != nullptr) {
2746 if (i < best_index) {
2747 best_index = i;
2748 }
2749 break;
2750 }
2751 }
2752 }
2753
2754 qsort(given_alg_ids.data(), given_alg_ids.size(), sizeof(uint16_t),
2755 compare_uint16_t);
2756 for (size_t i = 1; i < num_given_alg_ids; i++) {
2757 if (given_alg_ids[i - 1] == given_alg_ids[i]) {
2758 return false;
2759 }
2760 }
2761
2762 if (best_index < num_algs &&
2763 ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
2764 hs->cert_compression_negotiated = true;
2765 hs->cert_compression_alg_id = ctx->cert_compression_algs[best_index].alg_id;
2766 }
2767
2768 return true;
2769 }
2770
cert_compression_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2771 static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2772 return true;
2773 }
2774
2775
2776 // kExtensions contains all the supported extensions.
2777 static const struct tls_extension kExtensions[] = {
2778 {
2779 TLSEXT_TYPE_server_name,
2780 NULL,
2781 ext_sni_add_clienthello,
2782 ext_sni_parse_serverhello,
2783 ext_sni_parse_clienthello,
2784 ext_sni_add_serverhello,
2785 },
2786 {
2787 TLSEXT_TYPE_extended_master_secret,
2788 NULL,
2789 ext_ems_add_clienthello,
2790 ext_ems_parse_serverhello,
2791 ext_ems_parse_clienthello,
2792 ext_ems_add_serverhello,
2793 },
2794 {
2795 TLSEXT_TYPE_renegotiate,
2796 NULL,
2797 ext_ri_add_clienthello,
2798 ext_ri_parse_serverhello,
2799 ext_ri_parse_clienthello,
2800 ext_ri_add_serverhello,
2801 },
2802 {
2803 TLSEXT_TYPE_supported_groups,
2804 NULL,
2805 ext_supported_groups_add_clienthello,
2806 ext_supported_groups_parse_serverhello,
2807 ext_supported_groups_parse_clienthello,
2808 dont_add_serverhello,
2809 },
2810 {
2811 TLSEXT_TYPE_ec_point_formats,
2812 NULL,
2813 ext_ec_point_add_clienthello,
2814 ext_ec_point_parse_serverhello,
2815 ext_ec_point_parse_clienthello,
2816 ext_ec_point_add_serverhello,
2817 },
2818 {
2819 TLSEXT_TYPE_session_ticket,
2820 NULL,
2821 ext_ticket_add_clienthello,
2822 ext_ticket_parse_serverhello,
2823 // Ticket extension client parsing is handled in ssl_session.c
2824 ignore_parse_clienthello,
2825 ext_ticket_add_serverhello,
2826 },
2827 {
2828 TLSEXT_TYPE_application_layer_protocol_negotiation,
2829 NULL,
2830 ext_alpn_add_clienthello,
2831 ext_alpn_parse_serverhello,
2832 // ALPN is negotiated late in |ssl_negotiate_alpn|.
2833 ignore_parse_clienthello,
2834 ext_alpn_add_serverhello,
2835 },
2836 {
2837 TLSEXT_TYPE_status_request,
2838 NULL,
2839 ext_ocsp_add_clienthello,
2840 ext_ocsp_parse_serverhello,
2841 ext_ocsp_parse_clienthello,
2842 ext_ocsp_add_serverhello,
2843 },
2844 {
2845 TLSEXT_TYPE_signature_algorithms,
2846 NULL,
2847 ext_sigalgs_add_clienthello,
2848 forbid_parse_serverhello,
2849 ext_sigalgs_parse_clienthello,
2850 dont_add_serverhello,
2851 },
2852 {
2853 TLSEXT_TYPE_next_proto_neg,
2854 NULL,
2855 ext_npn_add_clienthello,
2856 ext_npn_parse_serverhello,
2857 ext_npn_parse_clienthello,
2858 ext_npn_add_serverhello,
2859 },
2860 {
2861 TLSEXT_TYPE_certificate_timestamp,
2862 NULL,
2863 ext_sct_add_clienthello,
2864 ext_sct_parse_serverhello,
2865 ext_sct_parse_clienthello,
2866 ext_sct_add_serverhello,
2867 },
2868 {
2869 TLSEXT_TYPE_channel_id,
2870 ext_channel_id_init,
2871 ext_channel_id_add_clienthello,
2872 ext_channel_id_parse_serverhello,
2873 ext_channel_id_parse_clienthello,
2874 ext_channel_id_add_serverhello,
2875 },
2876 {
2877 TLSEXT_TYPE_srtp,
2878 ext_srtp_init,
2879 ext_srtp_add_clienthello,
2880 ext_srtp_parse_serverhello,
2881 ext_srtp_parse_clienthello,
2882 ext_srtp_add_serverhello,
2883 },
2884 {
2885 TLSEXT_TYPE_key_share,
2886 NULL,
2887 ext_key_share_add_clienthello,
2888 forbid_parse_serverhello,
2889 ignore_parse_clienthello,
2890 dont_add_serverhello,
2891 },
2892 {
2893 TLSEXT_TYPE_psk_key_exchange_modes,
2894 NULL,
2895 ext_psk_key_exchange_modes_add_clienthello,
2896 forbid_parse_serverhello,
2897 ext_psk_key_exchange_modes_parse_clienthello,
2898 dont_add_serverhello,
2899 },
2900 {
2901 TLSEXT_TYPE_early_data,
2902 NULL,
2903 ext_early_data_add_clienthello,
2904 ext_early_data_parse_serverhello,
2905 ext_early_data_parse_clienthello,
2906 ext_early_data_add_serverhello,
2907 },
2908 {
2909 TLSEXT_TYPE_supported_versions,
2910 NULL,
2911 ext_supported_versions_add_clienthello,
2912 forbid_parse_serverhello,
2913 ignore_parse_clienthello,
2914 dont_add_serverhello,
2915 },
2916 {
2917 TLSEXT_TYPE_cookie,
2918 NULL,
2919 ext_cookie_add_clienthello,
2920 forbid_parse_serverhello,
2921 ignore_parse_clienthello,
2922 dont_add_serverhello,
2923 },
2924 {
2925 TLSEXT_TYPE_quic_transport_parameters,
2926 NULL,
2927 ext_quic_transport_params_add_clienthello,
2928 ext_quic_transport_params_parse_serverhello,
2929 ext_quic_transport_params_parse_clienthello,
2930 ext_quic_transport_params_add_serverhello,
2931 },
2932 {
2933 TLSEXT_TYPE_token_binding,
2934 NULL,
2935 ext_token_binding_add_clienthello,
2936 ext_token_binding_parse_serverhello,
2937 ext_token_binding_parse_clienthello,
2938 ext_token_binding_add_serverhello,
2939 },
2940 {
2941 TLSEXT_TYPE_cert_compression,
2942 NULL,
2943 cert_compression_add_clienthello,
2944 cert_compression_parse_serverhello,
2945 cert_compression_parse_clienthello,
2946 cert_compression_add_serverhello,
2947 },
2948 {
2949 TLSEXT_TYPE_delegated_credential,
2950 NULL,
2951 ext_delegated_credential_add_clienthello,
2952 forbid_parse_serverhello,
2953 ext_delegated_credential_parse_clienthello,
2954 dont_add_serverhello,
2955 },
2956 };
2957
2958 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
2959
2960 static_assert(kNumExtensions <=
2961 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.sent) * 8,
2962 "too many extensions for sent bitset");
2963 static_assert(kNumExtensions <=
2964 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8,
2965 "too many extensions for received bitset");
2966
tls_extension_find(uint32_t * out_index,uint16_t value)2967 static const struct tls_extension *tls_extension_find(uint32_t *out_index,
2968 uint16_t value) {
2969 unsigned i;
2970 for (i = 0; i < kNumExtensions; i++) {
2971 if (kExtensions[i].value == value) {
2972 *out_index = i;
2973 return &kExtensions[i];
2974 }
2975 }
2976
2977 return NULL;
2978 }
2979
ssl_add_clienthello_tlsext(SSL_HANDSHAKE * hs,CBB * out,size_t header_len)2980 bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out,
2981 size_t header_len) {
2982 SSL *const ssl = hs->ssl;
2983 CBB extensions;
2984 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
2985 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2986 return false;
2987 }
2988
2989 // Note we may send multiple ClientHellos for DTLS HelloVerifyRequest and TLS
2990 // 1.3 HelloRetryRequest. For the latter, the extensions may change, so it is
2991 // important to reset this value.
2992 hs->extensions.sent = 0;
2993
2994 for (size_t i = 0; i < kNumExtensions; i++) {
2995 if (kExtensions[i].init != NULL) {
2996 kExtensions[i].init(hs);
2997 }
2998 }
2999
3000 uint16_t grease_ext1 = 0;
3001 if (ssl->ctx->grease_enabled) {
3002 // Add a fake empty extension. See draft-davidben-tls-grease-01.
3003 grease_ext1 = ssl_get_grease_value(hs, ssl_grease_extension1);
3004 if (!CBB_add_u16(&extensions, grease_ext1) ||
3005 !CBB_add_u16(&extensions, 0 /* zero length */)) {
3006 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3007 return false;
3008 }
3009 }
3010
3011 bool last_was_empty = false;
3012 for (size_t i = 0; i < kNumExtensions; i++) {
3013 const size_t len_before = CBB_len(&extensions);
3014 if (!kExtensions[i].add_clienthello(hs, &extensions)) {
3015 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
3016 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3017 return false;
3018 }
3019
3020 const size_t bytes_written = CBB_len(&extensions) - len_before;
3021 if (bytes_written != 0) {
3022 hs->extensions.sent |= (1u << i);
3023 }
3024 // If the difference in lengths is only four bytes then the extension had
3025 // an empty body.
3026 last_was_empty = (bytes_written == 4);
3027 }
3028
3029 if (ssl->ctx->grease_enabled) {
3030 // Add a fake non-empty extension. See draft-davidben-tls-grease-01.
3031 uint16_t grease_ext2 = ssl_get_grease_value(hs, ssl_grease_extension2);
3032
3033 // The two fake extensions must not have the same value. GREASE values are
3034 // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
3035 // one.
3036 if (grease_ext1 == grease_ext2) {
3037 grease_ext2 ^= 0x1010;
3038 }
3039
3040 if (!CBB_add_u16(&extensions, grease_ext2) ||
3041 !CBB_add_u16(&extensions, 1 /* one byte length */) ||
3042 !CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) {
3043 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3044 return false;
3045 }
3046
3047 last_was_empty = false;
3048 }
3049
3050 if (!SSL_is_dtls(ssl)) {
3051 size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs);
3052 header_len += 2 + CBB_len(&extensions) + psk_extension_len;
3053 size_t padding_len = 0;
3054
3055 // The final extension must be non-empty. WebSphere Application
3056 // Server 7.0 is intolerant to the last extension being zero-length. See
3057 // https://crbug.com/363583.
3058 if (last_was_empty && psk_extension_len == 0) {
3059 padding_len = 1;
3060 // The addition of the padding extension may push us into the F5 bug.
3061 header_len += 4 + padding_len;
3062 }
3063
3064 // Add padding to workaround bugs in F5 terminators. See RFC 7685.
3065 //
3066 // NB: because this code works out the length of all existing extensions
3067 // it MUST always appear last (save for any PSK extension).
3068 if (header_len > 0xff && header_len < 0x200) {
3069 // If our calculations already included a padding extension, remove that
3070 // factor because we're about to change its length.
3071 if (padding_len != 0) {
3072 header_len -= 4 + padding_len;
3073 }
3074 padding_len = 0x200 - header_len;
3075 // Extensions take at least four bytes to encode. Always include at least
3076 // one byte of data if including the extension. WebSphere Application
3077 // Server 7.0 is intolerant to the last extension being zero-length. See
3078 // https://crbug.com/363583.
3079 if (padding_len >= 4 + 1) {
3080 padding_len -= 4;
3081 } else {
3082 padding_len = 1;
3083 }
3084 }
3085
3086 if (padding_len != 0) {
3087 uint8_t *padding_bytes;
3088 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_padding) ||
3089 !CBB_add_u16(&extensions, padding_len) ||
3090 !CBB_add_space(&extensions, &padding_bytes, padding_len)) {
3091 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3092 return false;
3093 }
3094
3095 OPENSSL_memset(padding_bytes, 0, padding_len);
3096 }
3097 }
3098
3099 // The PSK extension must be last, including after the padding.
3100 if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) {
3101 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3102 return false;
3103 }
3104
3105 // Discard empty extensions blocks.
3106 if (CBB_len(&extensions) == 0) {
3107 CBB_discard_child(out);
3108 }
3109
3110 return CBB_flush(out);
3111 }
3112
ssl_add_serverhello_tlsext(SSL_HANDSHAKE * hs,CBB * out)3113 bool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
3114 SSL *const ssl = hs->ssl;
3115 CBB extensions;
3116 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
3117 goto err;
3118 }
3119
3120 for (unsigned i = 0; i < kNumExtensions; i++) {
3121 if (!(hs->extensions.received & (1u << i))) {
3122 // Don't send extensions that were not received.
3123 continue;
3124 }
3125
3126 if (!kExtensions[i].add_serverhello(hs, &extensions)) {
3127 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
3128 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3129 goto err;
3130 }
3131 }
3132
3133 // Discard empty extensions blocks before TLS 1.3.
3134 if (ssl_protocol_version(ssl) < TLS1_3_VERSION &&
3135 CBB_len(&extensions) == 0) {
3136 CBB_discard_child(out);
3137 }
3138
3139 return CBB_flush(out);
3140
3141 err:
3142 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3143 return false;
3144 }
3145
ssl_scan_clienthello_tlsext(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello,int * out_alert)3146 static bool ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
3147 const SSL_CLIENT_HELLO *client_hello,
3148 int *out_alert) {
3149 for (size_t i = 0; i < kNumExtensions; i++) {
3150 if (kExtensions[i].init != NULL) {
3151 kExtensions[i].init(hs);
3152 }
3153 }
3154
3155 hs->extensions.received = 0;
3156 CBS extensions;
3157 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
3158 while (CBS_len(&extensions) != 0) {
3159 uint16_t type;
3160 CBS extension;
3161
3162 // Decode the next extension.
3163 if (!CBS_get_u16(&extensions, &type) ||
3164 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3165 *out_alert = SSL_AD_DECODE_ERROR;
3166 return false;
3167 }
3168
3169 unsigned ext_index;
3170 const struct tls_extension *const ext =
3171 tls_extension_find(&ext_index, type);
3172 if (ext == NULL) {
3173 continue;
3174 }
3175
3176 hs->extensions.received |= (1u << ext_index);
3177 uint8_t alert = SSL_AD_DECODE_ERROR;
3178 if (!ext->parse_clienthello(hs, &alert, &extension)) {
3179 *out_alert = alert;
3180 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3181 ERR_add_error_dataf("extension %u", (unsigned)type);
3182 return false;
3183 }
3184 }
3185
3186 for (size_t i = 0; i < kNumExtensions; i++) {
3187 if (hs->extensions.received & (1u << i)) {
3188 continue;
3189 }
3190
3191 CBS *contents = NULL, fake_contents;
3192 static const uint8_t kFakeRenegotiateExtension[] = {0};
3193 if (kExtensions[i].value == TLSEXT_TYPE_renegotiate &&
3194 ssl_client_cipher_list_contains_cipher(client_hello,
3195 SSL3_CK_SCSV & 0xffff)) {
3196 // The renegotiation SCSV was received so pretend that we received a
3197 // renegotiation extension.
3198 CBS_init(&fake_contents, kFakeRenegotiateExtension,
3199 sizeof(kFakeRenegotiateExtension));
3200 contents = &fake_contents;
3201 hs->extensions.received |= (1u << i);
3202 }
3203
3204 // Extension wasn't observed so call the callback with a NULL
3205 // parameter.
3206 uint8_t alert = SSL_AD_DECODE_ERROR;
3207 if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) {
3208 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3209 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3210 *out_alert = alert;
3211 return false;
3212 }
3213 }
3214
3215 return true;
3216 }
3217
ssl_parse_clienthello_tlsext(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello)3218 bool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
3219 const SSL_CLIENT_HELLO *client_hello) {
3220 SSL *const ssl = hs->ssl;
3221 int alert = SSL_AD_DECODE_ERROR;
3222 if (!ssl_scan_clienthello_tlsext(hs, client_hello, &alert)) {
3223 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3224 return false;
3225 }
3226
3227 if (!ssl_check_clienthello_tlsext(hs)) {
3228 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT);
3229 return false;
3230 }
3231
3232 return true;
3233 }
3234
ssl_scan_serverhello_tlsext(SSL_HANDSHAKE * hs,CBS * cbs,int * out_alert)3235 static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
3236 int *out_alert) {
3237 SSL *const ssl = hs->ssl;
3238 // Before TLS 1.3, ServerHello extensions blocks may be omitted if empty.
3239 if (CBS_len(cbs) == 0 && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
3240 return true;
3241 }
3242
3243 // Decode the extensions block and check it is valid.
3244 CBS extensions;
3245 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
3246 !tls1_check_duplicate_extensions(&extensions)) {
3247 *out_alert = SSL_AD_DECODE_ERROR;
3248 return false;
3249 }
3250
3251 uint32_t received = 0;
3252 while (CBS_len(&extensions) != 0) {
3253 uint16_t type;
3254 CBS extension;
3255
3256 // Decode the next extension.
3257 if (!CBS_get_u16(&extensions, &type) ||
3258 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3259 *out_alert = SSL_AD_DECODE_ERROR;
3260 return false;
3261 }
3262
3263 unsigned ext_index;
3264 const struct tls_extension *const ext =
3265 tls_extension_find(&ext_index, type);
3266
3267 if (ext == NULL) {
3268 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
3269 ERR_add_error_dataf("extension %u", (unsigned)type);
3270 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
3271 return false;
3272 }
3273
3274 static_assert(kNumExtensions <= sizeof(hs->extensions.sent) * 8,
3275 "too many bits");
3276
3277 if (!(hs->extensions.sent & (1u << ext_index))) {
3278 // If the extension was never sent then it is illegal.
3279 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
3280 ERR_add_error_dataf("extension :%u", (unsigned)type);
3281 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
3282 return false;
3283 }
3284
3285 received |= (1u << ext_index);
3286
3287 uint8_t alert = SSL_AD_DECODE_ERROR;
3288 if (!ext->parse_serverhello(hs, &alert, &extension)) {
3289 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3290 ERR_add_error_dataf("extension %u", (unsigned)type);
3291 *out_alert = alert;
3292 return false;
3293 }
3294 }
3295
3296 for (size_t i = 0; i < kNumExtensions; i++) {
3297 if (!(received & (1u << i))) {
3298 // Extension wasn't observed so call the callback with a NULL
3299 // parameter.
3300 uint8_t alert = SSL_AD_DECODE_ERROR;
3301 if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) {
3302 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3303 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3304 *out_alert = alert;
3305 return false;
3306 }
3307 }
3308 }
3309
3310 return true;
3311 }
3312
ssl_check_clienthello_tlsext(SSL_HANDSHAKE * hs)3313 static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
3314 SSL *const ssl = hs->ssl;
3315
3316 if (ssl->s3->token_binding_negotiated &&
3317 !(SSL_get_secure_renegotiation_support(ssl) &&
3318 SSL_get_extms_support(ssl))) {
3319 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);
3320 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
3321 return false;
3322 }
3323
3324 int ret = SSL_TLSEXT_ERR_NOACK;
3325 int al = SSL_AD_UNRECOGNIZED_NAME;
3326
3327 if (ssl->ctx->servername_callback != 0) {
3328 ret = ssl->ctx->servername_callback(ssl, &al, ssl->ctx->servername_arg);
3329 } else if (ssl->session_ctx->servername_callback != 0) {
3330 ret = ssl->session_ctx->servername_callback(
3331 ssl, &al, ssl->session_ctx->servername_arg);
3332 }
3333
3334 switch (ret) {
3335 case SSL_TLSEXT_ERR_ALERT_FATAL:
3336 ssl_send_alert(ssl, SSL3_AL_FATAL, al);
3337 return false;
3338
3339 case SSL_TLSEXT_ERR_NOACK:
3340 hs->should_ack_sni = false;
3341 return true;
3342
3343 default:
3344 return true;
3345 }
3346 }
3347
ssl_parse_serverhello_tlsext(SSL_HANDSHAKE * hs,CBS * cbs)3348 bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
3349 SSL *const ssl = hs->ssl;
3350 int alert = SSL_AD_DECODE_ERROR;
3351 if (!ssl_scan_serverhello_tlsext(hs, cbs, &alert)) {
3352 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3353 return false;
3354 }
3355
3356 return true;
3357 }
3358
decrypt_ticket_with_cipher_ctx(Array<uint8_t> * out,EVP_CIPHER_CTX * cipher_ctx,HMAC_CTX * hmac_ctx,Span<const uint8_t> ticket)3359 static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(
3360 Array<uint8_t> *out, EVP_CIPHER_CTX *cipher_ctx, HMAC_CTX *hmac_ctx,
3361 Span<const uint8_t> ticket) {
3362 size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx);
3363
3364 // Check the MAC at the end of the ticket.
3365 uint8_t mac[EVP_MAX_MD_SIZE];
3366 size_t mac_len = HMAC_size(hmac_ctx);
3367 if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
3368 // The ticket must be large enough for key name, IV, data, and MAC.
3369 return ssl_ticket_aead_ignore_ticket;
3370 }
3371 // Split the ticket into the ticket and the MAC.
3372 auto ticket_mac = ticket.subspan(ticket.size() - mac_len);
3373 ticket = ticket.subspan(0, ticket.size() - mac_len);
3374 HMAC_Update(hmac_ctx, ticket.data(), ticket.size());
3375 HMAC_Final(hmac_ctx, mac, NULL);
3376 assert(mac_len == ticket_mac.size());
3377 bool mac_ok = CRYPTO_memcmp(mac, ticket_mac.data(), mac_len) == 0;
3378 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3379 mac_ok = true;
3380 #endif
3381 if (!mac_ok) {
3382 return ssl_ticket_aead_ignore_ticket;
3383 }
3384
3385 // Decrypt the session data.
3386 auto ciphertext = ticket.subspan(SSL_TICKET_KEY_NAME_LEN + iv_len);
3387 Array<uint8_t> plaintext;
3388 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3389 if (!plaintext.CopyFrom(ciphertext)) {
3390 return ssl_ticket_aead_error;
3391 }
3392 #else
3393 if (ciphertext.size() >= INT_MAX) {
3394 return ssl_ticket_aead_ignore_ticket;
3395 }
3396 if (!plaintext.Init(ciphertext.size())) {
3397 return ssl_ticket_aead_error;
3398 }
3399 int len1, len2;
3400 if (!EVP_DecryptUpdate(cipher_ctx, plaintext.data(), &len1, ciphertext.data(),
3401 (int)ciphertext.size()) ||
3402 !EVP_DecryptFinal_ex(cipher_ctx, plaintext.data() + len1, &len2)) {
3403 ERR_clear_error();
3404 return ssl_ticket_aead_ignore_ticket;
3405 }
3406 plaintext.Shrink(static_cast<size_t>(len1) + len2);
3407 #endif
3408
3409 *out = std::move(plaintext);
3410 return ssl_ticket_aead_success;
3411 }
3412
ssl_decrypt_ticket_with_cb(SSL_HANDSHAKE * hs,Array<uint8_t> * out,bool * out_renew_ticket,Span<const uint8_t> ticket)3413 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb(
3414 SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket,
3415 Span<const uint8_t> ticket) {
3416 assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3417 ScopedEVP_CIPHER_CTX cipher_ctx;
3418 ScopedHMAC_CTX hmac_ctx;
3419 auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);
3420 // The actual IV is shorter, but the length is determined by the callback's
3421 // chosen cipher. Instead we pass in |EVP_MAX_IV_LENGTH| worth of IV to ensure
3422 // the callback has enough.
3423 auto iv = ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_MAX_IV_LENGTH);
3424 int cb_ret = hs->ssl->session_ctx->ticket_key_cb(
3425 hs->ssl, const_cast<uint8_t *>(name.data()),
3426 const_cast<uint8_t *>(iv.data()), cipher_ctx.get(), hmac_ctx.get(),
3427 0 /* decrypt */);
3428 if (cb_ret < 0) {
3429 return ssl_ticket_aead_error;
3430 } else if (cb_ret == 0) {
3431 return ssl_ticket_aead_ignore_ticket;
3432 } else if (cb_ret == 2) {
3433 *out_renew_ticket = true;
3434 } else {
3435 assert(cb_ret == 1);
3436 }
3437 return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),
3438 ticket);
3439 }
3440
ssl_decrypt_ticket_with_ticket_keys(SSL_HANDSHAKE * hs,Array<uint8_t> * out,Span<const uint8_t> ticket)3441 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys(
3442 SSL_HANDSHAKE *hs, Array<uint8_t> *out, Span<const uint8_t> ticket) {
3443 assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3444 SSL_CTX *ctx = hs->ssl->session_ctx.get();
3445
3446 // Rotate the ticket key if necessary.
3447 if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
3448 return ssl_ticket_aead_error;
3449 }
3450
3451 const EVP_CIPHER *cipher = EVP_aes_128_cbc();
3452 auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);
3453 auto iv =
3454 ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_CIPHER_iv_length(cipher));
3455
3456 // Pick the matching ticket key and decrypt.
3457 ScopedEVP_CIPHER_CTX cipher_ctx;
3458 ScopedHMAC_CTX hmac_ctx;
3459 {
3460 MutexReadLock lock(&ctx->lock);
3461 const TicketKey *key;
3462 if (ctx->ticket_key_current && name == ctx->ticket_key_current->name) {
3463 key = ctx->ticket_key_current.get();
3464 } else if (ctx->ticket_key_prev && name == ctx->ticket_key_prev->name) {
3465 key = ctx->ticket_key_prev.get();
3466 } else {
3467 return ssl_ticket_aead_ignore_ticket;
3468 }
3469 if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key),
3470 tlsext_tick_md(), NULL) ||
3471 !EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL,
3472 key->aes_key, iv.data())) {
3473 return ssl_ticket_aead_error;
3474 }
3475 }
3476 return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),
3477 ticket);
3478 }
3479
ssl_decrypt_ticket_with_method(SSL_HANDSHAKE * hs,Array<uint8_t> * out,bool * out_renew_ticket,Span<const uint8_t> ticket)3480 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method(
3481 SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket,
3482 Span<const uint8_t> ticket) {
3483 Array<uint8_t> plaintext;
3484 if (!plaintext.Init(ticket.size())) {
3485 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
3486 return ssl_ticket_aead_error;
3487 }
3488
3489 size_t plaintext_len;
3490 const enum ssl_ticket_aead_result_t result =
3491 hs->ssl->session_ctx->ticket_aead_method->open(
3492 hs->ssl, plaintext.data(), &plaintext_len, ticket.size(),
3493 ticket.data(), ticket.size());
3494 if (result != ssl_ticket_aead_success) {
3495 return result;
3496 }
3497
3498 plaintext.Shrink(plaintext_len);
3499 *out = std::move(plaintext);
3500 return ssl_ticket_aead_success;
3501 }
3502
ssl_process_ticket(SSL_HANDSHAKE * hs,UniquePtr<SSL_SESSION> * out_session,bool * out_renew_ticket,Span<const uint8_t> ticket,Span<const uint8_t> session_id)3503 enum ssl_ticket_aead_result_t ssl_process_ticket(
3504 SSL_HANDSHAKE *hs, UniquePtr<SSL_SESSION> *out_session,
3505 bool *out_renew_ticket, Span<const uint8_t> ticket,
3506 Span<const uint8_t> session_id) {
3507 *out_renew_ticket = false;
3508 out_session->reset();
3509
3510 if ((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) ||
3511 session_id.size() > SSL_MAX_SSL_SESSION_ID_LENGTH) {
3512 return ssl_ticket_aead_ignore_ticket;
3513 }
3514
3515 Array<uint8_t> plaintext;
3516 enum ssl_ticket_aead_result_t result;
3517 if (hs->ssl->session_ctx->ticket_aead_method != NULL) {
3518 result = ssl_decrypt_ticket_with_method(hs, &plaintext, out_renew_ticket,
3519 ticket);
3520 } else {
3521 // Ensure there is room for the key name and the largest IV |ticket_key_cb|
3522 // may try to consume. The real limit may be lower, but the maximum IV
3523 // length should be well under the minimum size for the session material and
3524 // HMAC.
3525 if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
3526 return ssl_ticket_aead_ignore_ticket;
3527 }
3528 if (hs->ssl->session_ctx->ticket_key_cb != NULL) {
3529 result =
3530 ssl_decrypt_ticket_with_cb(hs, &plaintext, out_renew_ticket, ticket);
3531 } else {
3532 result = ssl_decrypt_ticket_with_ticket_keys(hs, &plaintext, ticket);
3533 }
3534 }
3535
3536 if (result != ssl_ticket_aead_success) {
3537 return result;
3538 }
3539
3540 // Decode the session.
3541 UniquePtr<SSL_SESSION> session(SSL_SESSION_from_bytes(
3542 plaintext.data(), plaintext.size(), hs->ssl->ctx.get()));
3543 if (!session) {
3544 ERR_clear_error(); // Don't leave an error on the queue.
3545 return ssl_ticket_aead_ignore_ticket;
3546 }
3547
3548 // Copy the client's session ID into the new session, to denote the ticket has
3549 // been accepted.
3550 OPENSSL_memcpy(session->session_id, session_id.data(), session_id.size());
3551 session->session_id_length = session_id.size();
3552
3553 *out_session = std::move(session);
3554 return ssl_ticket_aead_success;
3555 }
3556
tls1_parse_peer_sigalgs(SSL_HANDSHAKE * hs,const CBS * in_sigalgs)3557 bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
3558 // Extension ignored for inappropriate versions
3559 if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) {
3560 return true;
3561 }
3562
3563 // In all contexts, the signature algorithms list may not be empty. (It may be
3564 // omitted by clients in TLS 1.2, but then the entire extension is omitted.)
3565 return CBS_len(in_sigalgs) != 0 &&
3566 parse_u16_array(in_sigalgs, &hs->peer_sigalgs);
3567 }
3568
tls1_get_legacy_signature_algorithm(uint16_t * out,const EVP_PKEY * pkey)3569 bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
3570 switch (EVP_PKEY_id(pkey)) {
3571 case EVP_PKEY_RSA:
3572 *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
3573 return true;
3574 case EVP_PKEY_EC:
3575 *out = SSL_SIGN_ECDSA_SHA1;
3576 return true;
3577 default:
3578 return false;
3579 }
3580 }
3581
tls1_choose_signature_algorithm(SSL_HANDSHAKE * hs,uint16_t * out)3582 bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
3583 SSL *const ssl = hs->ssl;
3584 CERT *cert = hs->config->cert.get();
3585 DC *dc = cert->dc.get();
3586
3587 // Before TLS 1.2, the signature algorithm isn't negotiated as part of the
3588 // handshake.
3589 if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
3590 if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) {
3591 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3592 return false;
3593 }
3594 return true;
3595 }
3596
3597 Span<const uint16_t> sigalgs = kSignSignatureAlgorithms;
3598 if (ssl_signing_with_dc(hs)) {
3599 sigalgs = MakeConstSpan(&dc->expected_cert_verify_algorithm, 1);
3600 } else if (!cert->sigalgs.empty()) {
3601 sigalgs = cert->sigalgs;
3602 }
3603
3604 Span<const uint16_t> peer_sigalgs = tls1_get_peer_verify_algorithms(hs);
3605
3606 for (uint16_t sigalg : sigalgs) {
3607 // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
3608 // negotiated.
3609 if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
3610 !ssl_private_key_supports_signature_algorithm(hs, sigalg)) {
3611 continue;
3612 }
3613
3614 for (uint16_t peer_sigalg : peer_sigalgs) {
3615 if (sigalg == peer_sigalg) {
3616 *out = sigalg;
3617 return true;
3618 }
3619 }
3620 }
3621
3622 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3623 return false;
3624 }
3625
tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE * hs)3626 Span<const uint16_t> tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE *hs) {
3627 Span<const uint16_t> peer_sigalgs = hs->peer_sigalgs;
3628 if (peer_sigalgs.empty() && ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
3629 // If the client didn't specify any signature_algorithms extension then
3630 // we can assume that it supports SHA1. See
3631 // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
3632 static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
3633 SSL_SIGN_ECDSA_SHA1};
3634 peer_sigalgs = kDefaultPeerAlgorithms;
3635 }
3636 return peer_sigalgs;
3637 }
3638
tls1_verify_channel_id(SSL_HANDSHAKE * hs,const SSLMessage & msg)3639 bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
3640 SSL *const ssl = hs->ssl;
3641 // A Channel ID handshake message is structured to contain multiple
3642 // extensions, but the only one that can be present is Channel ID.
3643 uint16_t extension_type;
3644 CBS channel_id = msg.body, extension;
3645 if (!CBS_get_u16(&channel_id, &extension_type) ||
3646 !CBS_get_u16_length_prefixed(&channel_id, &extension) ||
3647 CBS_len(&channel_id) != 0 ||
3648 extension_type != TLSEXT_TYPE_channel_id ||
3649 CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
3650 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
3651 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
3652 return false;
3653 }
3654
3655 UniquePtr<EC_GROUP> p256(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
3656 if (!p256) {
3657 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
3658 return false;
3659 }
3660
3661 UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
3662 UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3663 if (!sig || !x || !y) {
3664 return false;
3665 }
3666
3667 const uint8_t *p = CBS_data(&extension);
3668 if (BN_bin2bn(p + 0, 32, x.get()) == NULL ||
3669 BN_bin2bn(p + 32, 32, y.get()) == NULL ||
3670 BN_bin2bn(p + 64, 32, sig->r) == NULL ||
3671 BN_bin2bn(p + 96, 32, sig->s) == NULL) {
3672 return false;
3673 }
3674
3675 UniquePtr<EC_KEY> key(EC_KEY_new());
3676 UniquePtr<EC_POINT> point(EC_POINT_new(p256.get()));
3677 if (!key || !point ||
3678 !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(),
3679 y.get(), nullptr) ||
3680 !EC_KEY_set_group(key.get(), p256.get()) ||
3681 !EC_KEY_set_public_key(key.get(), point.get())) {
3682 return false;
3683 }
3684
3685 uint8_t digest[EVP_MAX_MD_SIZE];
3686 size_t digest_len;
3687 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3688 return false;
3689 }
3690
3691 bool sig_ok = ECDSA_do_verify(digest, digest_len, sig.get(), key.get());
3692 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3693 sig_ok = true;
3694 ERR_clear_error();
3695 #endif
3696 if (!sig_ok) {
3697 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
3698 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
3699 ssl->s3->channel_id_valid = false;
3700 return false;
3701 }
3702
3703 OPENSSL_memcpy(ssl->s3->channel_id, p, 64);
3704 return true;
3705 }
3706
tls1_write_channel_id(SSL_HANDSHAKE * hs,CBB * cbb)3707 bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) {
3708 uint8_t digest[EVP_MAX_MD_SIZE];
3709 size_t digest_len;
3710 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3711 return false;
3712 }
3713
3714 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(hs->config->channel_id_private.get());
3715 if (ec_key == nullptr) {
3716 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3717 return false;
3718 }
3719
3720 UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3721 if (!x || !y ||
3722 !EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec_key),
3723 EC_KEY_get0_public_key(ec_key),
3724 x.get(), y.get(), nullptr)) {
3725 return false;
3726 }
3727
3728 UniquePtr<ECDSA_SIG> sig(ECDSA_do_sign(digest, digest_len, ec_key));
3729 if (!sig) {
3730 return false;
3731 }
3732
3733 CBB child;
3734 if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) ||
3735 !CBB_add_u16_length_prefixed(cbb, &child) ||
3736 !BN_bn2cbb_padded(&child, 32, x.get()) ||
3737 !BN_bn2cbb_padded(&child, 32, y.get()) ||
3738 !BN_bn2cbb_padded(&child, 32, sig->r) ||
3739 !BN_bn2cbb_padded(&child, 32, sig->s) ||
3740 !CBB_flush(cbb)) {
3741 return false;
3742 }
3743
3744 return true;
3745 }
3746
tls1_channel_id_hash(SSL_HANDSHAKE * hs,uint8_t * out,size_t * out_len)3747 bool tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {
3748 SSL *const ssl = hs->ssl;
3749 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
3750 Array<uint8_t> msg;
3751 if (!tls13_get_cert_verify_signature_input(hs, &msg,
3752 ssl_cert_verify_channel_id)) {
3753 return false;
3754 }
3755 SHA256(msg.data(), msg.size(), out);
3756 *out_len = SHA256_DIGEST_LENGTH;
3757 return true;
3758 }
3759
3760 SHA256_CTX ctx;
3761
3762 SHA256_Init(&ctx);
3763 static const char kClientIDMagic[] = "TLS Channel ID signature";
3764 SHA256_Update(&ctx, kClientIDMagic, sizeof(kClientIDMagic));
3765
3766 if (ssl->session != NULL) {
3767 static const char kResumptionMagic[] = "Resumption";
3768 SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic));
3769 if (ssl->session->original_handshake_hash_len == 0) {
3770 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3771 return false;
3772 }
3773 SHA256_Update(&ctx, ssl->session->original_handshake_hash,
3774 ssl->session->original_handshake_hash_len);
3775 }
3776
3777 uint8_t hs_hash[EVP_MAX_MD_SIZE];
3778 size_t hs_hash_len;
3779 if (!hs->transcript.GetHash(hs_hash, &hs_hash_len)) {
3780 return false;
3781 }
3782 SHA256_Update(&ctx, hs_hash, (size_t)hs_hash_len);
3783 SHA256_Final(out, &ctx);
3784 *out_len = SHA256_DIGEST_LENGTH;
3785 return true;
3786 }
3787
tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE * hs)3788 bool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
3789 SSL *const ssl = hs->ssl;
3790 // This function should never be called for a resumed session because the
3791 // handshake hashes that we wish to record are for the original, full
3792 // handshake.
3793 if (ssl->session != NULL) {
3794 return false;
3795 }
3796
3797 static_assert(
3798 sizeof(hs->new_session->original_handshake_hash) == EVP_MAX_MD_SIZE,
3799 "original_handshake_hash is too small");
3800
3801 size_t digest_len;
3802 if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash,
3803 &digest_len)) {
3804 return false;
3805 }
3806
3807 static_assert(EVP_MAX_MD_SIZE <= 0xff,
3808 "EVP_MAX_MD_SIZE does not fit in uint8_t");
3809 hs->new_session->original_handshake_hash_len = (uint8_t)digest_len;
3810
3811 return true;
3812 }
3813
ssl_do_channel_id_callback(SSL_HANDSHAKE * hs)3814 bool ssl_do_channel_id_callback(SSL_HANDSHAKE *hs) {
3815 if (hs->config->channel_id_private != NULL ||
3816 hs->ssl->ctx->channel_id_cb == NULL) {
3817 return true;
3818 }
3819
3820 EVP_PKEY *key = NULL;
3821 hs->ssl->ctx->channel_id_cb(hs->ssl, &key);
3822 if (key == NULL) {
3823 // The caller should try again later.
3824 return true;
3825 }
3826
3827 UniquePtr<EVP_PKEY> free_key(key);
3828 return SSL_set1_tls_channel_id(hs->ssl, key);
3829 }
3830
ssl_is_sct_list_valid(const CBS * contents)3831 bool ssl_is_sct_list_valid(const CBS *contents) {
3832 // Shallow parse the SCT list for sanity. By the RFC
3833 // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
3834 // of the SCTs may be empty.
3835 CBS copy = *contents;
3836 CBS sct_list;
3837 if (!CBS_get_u16_length_prefixed(©, &sct_list) ||
3838 CBS_len(©) != 0 ||
3839 CBS_len(&sct_list) == 0) {
3840 return false;
3841 }
3842
3843 while (CBS_len(&sct_list) > 0) {
3844 CBS sct;
3845 if (!CBS_get_u16_length_prefixed(&sct_list, &sct) ||
3846 CBS_len(&sct) == 0) {
3847 return false;
3848 }
3849 }
3850
3851 return true;
3852 }
3853
3854 BSSL_NAMESPACE_END
3855
3856 using namespace bssl;
3857
SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO * client_hello,uint16_t extension_type,const uint8_t ** out_data,size_t * out_len)3858 int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
3859 uint16_t extension_type,
3860 const uint8_t **out_data,
3861 size_t *out_len) {
3862 CBS cbs;
3863 if (!ssl_client_hello_get_extension(client_hello, &cbs, extension_type)) {
3864 return 0;
3865 }
3866
3867 *out_data = CBS_data(&cbs);
3868 *out_len = CBS_len(&cbs);
3869 return 1;
3870 }
3871