1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #include <openssl/ssl.h>
110
111 #include <assert.h>
112 #include <limits.h>
113 #include <stdlib.h>
114 #include <string.h>
115
116 #include <utility>
117
118 #include <openssl/bytestring.h>
119 #include <openssl/chacha.h>
120 #include <openssl/digest.h>
121 #include <openssl/err.h>
122 #include <openssl/evp.h>
123 #include <openssl/hmac.h>
124 #include <openssl/mem.h>
125 #include <openssl/nid.h>
126 #include <openssl/rand.h>
127
128 #include "internal.h"
129 #include "../crypto/internal.h"
130
131
132 namespace bssl {
133
134 static int ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);
135
compare_uint16_t(const void * p1,const void * p2)136 static int compare_uint16_t(const void *p1, const void *p2) {
137 uint16_t u1 = *((const uint16_t *)p1);
138 uint16_t u2 = *((const uint16_t *)p2);
139 if (u1 < u2) {
140 return -1;
141 } else if (u1 > u2) {
142 return 1;
143 } else {
144 return 0;
145 }
146 }
147
148 // Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
149 // more than one extension of the same type in a ClientHello or ServerHello.
150 // This function does an initial scan over the extensions block to filter those
151 // out.
tls1_check_duplicate_extensions(const CBS * cbs)152 static int tls1_check_duplicate_extensions(const CBS *cbs) {
153 // First pass: count the extensions.
154 size_t num_extensions = 0;
155 CBS extensions = *cbs;
156 while (CBS_len(&extensions) > 0) {
157 uint16_t type;
158 CBS extension;
159
160 if (!CBS_get_u16(&extensions, &type) ||
161 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
162 return 0;
163 }
164
165 num_extensions++;
166 }
167
168 if (num_extensions == 0) {
169 return 1;
170 }
171
172 Array<uint16_t> extension_types;
173 if (!extension_types.Init(num_extensions)) {
174 return 0;
175 }
176
177 // Second pass: gather the extension types.
178 extensions = *cbs;
179 for (size_t i = 0; i < extension_types.size(); i++) {
180 CBS extension;
181
182 if (!CBS_get_u16(&extensions, &extension_types[i]) ||
183 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
184 // This should not happen.
185 return 0;
186 }
187 }
188 assert(CBS_len(&extensions) == 0);
189
190 // Sort the extensions and make sure there are no duplicates.
191 qsort(extension_types.data(), extension_types.size(), sizeof(uint16_t),
192 compare_uint16_t);
193 for (size_t i = 1; i < num_extensions; i++) {
194 if (extension_types[i - 1] == extension_types[i]) {
195 return 0;
196 }
197 }
198
199 return 1;
200 }
201
ssl_client_hello_init(SSL * ssl,SSL_CLIENT_HELLO * out,const SSLMessage & msg)202 int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out,
203 const SSLMessage &msg) {
204 OPENSSL_memset(out, 0, sizeof(*out));
205 out->ssl = ssl;
206 out->client_hello = CBS_data(&msg.body);
207 out->client_hello_len = CBS_len(&msg.body);
208
209 CBS client_hello, random, session_id;
210 CBS_init(&client_hello, out->client_hello, out->client_hello_len);
211 if (!CBS_get_u16(&client_hello, &out->version) ||
212 !CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) ||
213 !CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
214 CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
215 return 0;
216 }
217
218 out->random = CBS_data(&random);
219 out->random_len = CBS_len(&random);
220 out->session_id = CBS_data(&session_id);
221 out->session_id_len = CBS_len(&session_id);
222
223 // Skip past DTLS cookie
224 if (SSL_is_dtls(out->ssl)) {
225 CBS cookie;
226 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
227 CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
228 return 0;
229 }
230 }
231
232 CBS cipher_suites, compression_methods;
233 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
234 CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
235 !CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
236 CBS_len(&compression_methods) < 1) {
237 return 0;
238 }
239
240 out->cipher_suites = CBS_data(&cipher_suites);
241 out->cipher_suites_len = CBS_len(&cipher_suites);
242 out->compression_methods = CBS_data(&compression_methods);
243 out->compression_methods_len = CBS_len(&compression_methods);
244
245 // If the ClientHello ends here then it's valid, but doesn't have any
246 // extensions. (E.g. SSLv3.)
247 if (CBS_len(&client_hello) == 0) {
248 out->extensions = NULL;
249 out->extensions_len = 0;
250 return 1;
251 }
252
253 // Extract extensions and check it is valid.
254 CBS extensions;
255 if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
256 !tls1_check_duplicate_extensions(&extensions) ||
257 CBS_len(&client_hello) != 0) {
258 return 0;
259 }
260
261 out->extensions = CBS_data(&extensions);
262 out->extensions_len = CBS_len(&extensions);
263
264 return 1;
265 }
266
ssl_client_hello_get_extension(const SSL_CLIENT_HELLO * client_hello,CBS * out,uint16_t extension_type)267 int ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
268 CBS *out, uint16_t extension_type) {
269 CBS extensions;
270 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
271 while (CBS_len(&extensions) != 0) {
272 // Decode the next extension.
273 uint16_t type;
274 CBS extension;
275 if (!CBS_get_u16(&extensions, &type) ||
276 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
277 return 0;
278 }
279
280 if (type == extension_type) {
281 *out = extension;
282 return 1;
283 }
284 }
285
286 return 0;
287 }
288
289 static const uint16_t kDefaultGroups[] = {
290 SSL_CURVE_X25519,
291 SSL_CURVE_SECP256R1,
292 SSL_CURVE_SECP384R1,
293 };
294
tls1_get_grouplist(const SSL * ssl)295 Span<const uint16_t> tls1_get_grouplist(const SSL *ssl) {
296 if (ssl->supported_group_list != nullptr) {
297 return MakeConstSpan(ssl->supported_group_list,
298 ssl->supported_group_list_len);
299 }
300 return Span<const uint16_t>(kDefaultGroups);
301 }
302
tls1_get_shared_group(SSL_HANDSHAKE * hs,uint16_t * out_group_id)303 int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
304 SSL *const ssl = hs->ssl;
305 assert(ssl->server);
306
307 // Clients are not required to send a supported_groups extension. In this
308 // case, the server is free to pick any group it likes. See RFC 4492,
309 // section 4, paragraph 3.
310 //
311 // However, in the interests of compatibility, we will skip ECDH if the
312 // client didn't send an extension because we can't be sure that they'll
313 // support our favoured group. Thus we do not special-case an emtpy
314 // |peer_supported_group_list|.
315
316 Span<const uint16_t> groups = tls1_get_grouplist(ssl);
317 Span<const uint16_t> pref, supp;
318 if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
319 pref = groups;
320 supp = hs->peer_supported_group_list;
321 } else {
322 pref = hs->peer_supported_group_list;
323 supp = groups;
324 }
325
326 for (uint16_t pref_group : pref) {
327 for (uint16_t supp_group : supp) {
328 if (pref_group == supp_group) {
329 *out_group_id = pref_group;
330 return 1;
331 }
332 }
333 }
334
335 return 0;
336 }
337
tls1_set_curves(uint16_t ** out_group_ids,size_t * out_group_ids_len,const int * curves,size_t ncurves)338 int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len,
339 const int *curves, size_t ncurves) {
340 uint16_t *group_ids = (uint16_t *)OPENSSL_malloc(ncurves * sizeof(uint16_t));
341 if (group_ids == NULL) {
342 return 0;
343 }
344
345 for (size_t i = 0; i < ncurves; i++) {
346 if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) {
347 OPENSSL_free(group_ids);
348 return 0;
349 }
350 }
351
352 OPENSSL_free(*out_group_ids);
353 *out_group_ids = group_ids;
354 *out_group_ids_len = ncurves;
355
356 return 1;
357 }
358
tls1_set_curves_list(uint16_t ** out_group_ids,size_t * out_group_ids_len,const char * curves)359 int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
360 const char *curves) {
361 uint16_t *group_ids = NULL;
362 size_t ncurves = 0;
363
364 const char *col;
365 const char *ptr = curves;
366
367 do {
368 col = strchr(ptr, ':');
369
370 uint16_t group_id;
371 if (!ssl_name_to_group_id(&group_id, ptr,
372 col ? (size_t)(col - ptr) : strlen(ptr))) {
373 goto err;
374 }
375
376 uint16_t *new_group_ids = (uint16_t *)OPENSSL_realloc(
377 group_ids, (ncurves + 1) * sizeof(uint16_t));
378 if (new_group_ids == NULL) {
379 goto err;
380 }
381 group_ids = new_group_ids;
382
383 group_ids[ncurves] = group_id;
384 ncurves++;
385
386 if (col) {
387 ptr = col + 1;
388 }
389 } while (col);
390
391 OPENSSL_free(*out_group_ids);
392 *out_group_ids = group_ids;
393 *out_group_ids_len = ncurves;
394
395 return 1;
396
397 err:
398 OPENSSL_free(group_ids);
399 return 0;
400 }
401
tls1_check_group_id(const SSL * ssl,uint16_t group_id)402 int tls1_check_group_id(const SSL *ssl, uint16_t group_id) {
403 for (uint16_t supported : tls1_get_grouplist(ssl)) {
404 if (supported == group_id) {
405 return 1;
406 }
407 }
408
409 return 0;
410 }
411
412 // kVerifySignatureAlgorithms is the default list of accepted signature
413 // algorithms for verifying.
414 //
415 // For now, RSA-PSS signature algorithms are not enabled on Android's system
416 // BoringSSL. Once the change in Chrome has stuck and the values are finalized,
417 // restore them.
418 static const uint16_t kVerifySignatureAlgorithms[] = {
419 // List our preferred algorithms first.
420 SSL_SIGN_ED25519,
421 SSL_SIGN_ECDSA_SECP256R1_SHA256,
422 SSL_SIGN_RSA_PSS_SHA256,
423 SSL_SIGN_RSA_PKCS1_SHA256,
424
425 // Larger hashes are acceptable.
426 SSL_SIGN_ECDSA_SECP384R1_SHA384,
427 SSL_SIGN_RSA_PSS_SHA384,
428 SSL_SIGN_RSA_PKCS1_SHA384,
429
430 SSL_SIGN_RSA_PSS_SHA512,
431 SSL_SIGN_RSA_PKCS1_SHA512,
432
433 // For now, SHA-1 is still accepted but least preferable.
434 SSL_SIGN_RSA_PKCS1_SHA1,
435
436 };
437
438 // kSignSignatureAlgorithms is the default list of supported signature
439 // algorithms for signing.
440 //
441 // For now, RSA-PSS signature algorithms are not enabled on Android's system
442 // BoringSSL. Once the change in Chrome has stuck and the values are finalized,
443 // restore them.
444 static const uint16_t kSignSignatureAlgorithms[] = {
445 // List our preferred algorithms first.
446 SSL_SIGN_ED25519,
447 SSL_SIGN_ECDSA_SECP256R1_SHA256,
448 SSL_SIGN_RSA_PSS_SHA256,
449 SSL_SIGN_RSA_PKCS1_SHA256,
450
451 // If needed, sign larger hashes.
452 //
453 // TODO(davidben): Determine which of these may be pruned.
454 SSL_SIGN_ECDSA_SECP384R1_SHA384,
455 SSL_SIGN_RSA_PSS_SHA384,
456 SSL_SIGN_RSA_PKCS1_SHA384,
457
458 SSL_SIGN_ECDSA_SECP521R1_SHA512,
459 SSL_SIGN_RSA_PSS_SHA512,
460 SSL_SIGN_RSA_PKCS1_SHA512,
461
462 // If the peer supports nothing else, sign with SHA-1.
463 SSL_SIGN_ECDSA_SHA1,
464 SSL_SIGN_RSA_PKCS1_SHA1,
465 };
466
tls12_add_verify_sigalgs(const SSL * ssl,CBB * out)467 bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
468 bool use_default = ssl->ctx->num_verify_sigalgs == 0;
469 Span<const uint16_t> sigalgs = kVerifySignatureAlgorithms;
470 if (!use_default) {
471 sigalgs = MakeConstSpan(ssl->ctx->verify_sigalgs,
472 ssl->ctx->num_verify_sigalgs);
473 }
474
475 for (uint16_t sigalg : sigalgs) {
476 if (use_default &&
477 sigalg == SSL_SIGN_ED25519 &&
478 !ssl->ctx->ed25519_enabled) {
479 continue;
480 }
481 if (!CBB_add_u16(out, sigalg)) {
482 return false;
483 }
484 }
485
486 return true;
487 }
488
tls12_check_peer_sigalg(const SSL * ssl,uint8_t * out_alert,uint16_t sigalg)489 bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
490 uint16_t sigalg) {
491 const uint16_t *sigalgs = kVerifySignatureAlgorithms;
492 size_t num_sigalgs = OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms);
493 if (ssl->ctx->num_verify_sigalgs != 0) {
494 sigalgs = ssl->ctx->verify_sigalgs;
495 num_sigalgs = ssl->ctx->num_verify_sigalgs;
496 }
497
498 for (size_t i = 0; i < num_sigalgs; i++) {
499 if (sigalgs == kVerifySignatureAlgorithms &&
500 sigalgs[i] == SSL_SIGN_ED25519 &&
501 !ssl->ctx->ed25519_enabled) {
502 continue;
503 }
504 if (sigalg == sigalgs[i]) {
505 return true;
506 }
507 }
508
509 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
510 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
511 return false;
512 }
513
514 // tls_extension represents a TLS extension that is handled internally. The
515 // |init| function is called for each handshake, before any other functions of
516 // the extension. Then the add and parse callbacks are called as needed.
517 //
518 // The parse callbacks receive a |CBS| that contains the contents of the
519 // extension (i.e. not including the type and length bytes). If an extension is
520 // not received then the parse callbacks will be called with a NULL CBS so that
521 // they can do any processing needed to handle the absence of an extension.
522 //
523 // The add callbacks receive a |CBB| to which the extension can be appended but
524 // the function is responsible for appending the type and length bytes too.
525 //
526 // All callbacks return true for success and false for error. If a parse
527 // function returns zero then a fatal alert with value |*out_alert| will be
528 // sent. If |*out_alert| isn't set, then a |decode_error| alert will be sent.
529 struct tls_extension {
530 uint16_t value;
531 void (*init)(SSL_HANDSHAKE *hs);
532
533 bool (*add_clienthello)(SSL_HANDSHAKE *hs, CBB *out);
534 bool (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
535 CBS *contents);
536
537 bool (*parse_clienthello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
538 CBS *contents);
539 bool (*add_serverhello)(SSL_HANDSHAKE *hs, CBB *out);
540 };
541
forbid_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)542 static bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
543 CBS *contents) {
544 if (contents != NULL) {
545 // Servers MUST NOT send this extension.
546 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
547 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
548 return false;
549 }
550
551 return true;
552 }
553
ignore_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)554 static bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
555 CBS *contents) {
556 // This extension from the client is handled elsewhere.
557 return true;
558 }
559
ignore_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)560 static bool ignore_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
561 CBS *contents) {
562 return true;
563 }
564
dont_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)565 static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
566 return true;
567 }
568
569 // Server name indication (SNI).
570 //
571 // https://tools.ietf.org/html/rfc6066#section-3.
572
ext_sni_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)573 static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
574 SSL *const ssl = hs->ssl;
575 if (ssl->tlsext_hostname == NULL) {
576 return true;
577 }
578
579 CBB contents, server_name_list, name;
580 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
581 !CBB_add_u16_length_prefixed(out, &contents) ||
582 !CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
583 !CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
584 !CBB_add_u16_length_prefixed(&server_name_list, &name) ||
585 !CBB_add_bytes(&name, (const uint8_t *)ssl->tlsext_hostname,
586 strlen(ssl->tlsext_hostname)) ||
587 !CBB_flush(out)) {
588 return false;
589 }
590
591 return true;
592 }
593
ext_sni_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)594 static bool ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
595 CBS *contents) {
596 // The server may acknowledge SNI with an empty extension. We check the syntax
597 // but otherwise ignore this signal.
598 return contents == NULL || CBS_len(contents) == 0;
599 }
600
ext_sni_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)601 static bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
602 CBS *contents) {
603 SSL *const ssl = hs->ssl;
604 if (contents == NULL) {
605 return true;
606 }
607
608 CBS server_name_list, host_name;
609 uint8_t name_type;
610 if (!CBS_get_u16_length_prefixed(contents, &server_name_list) ||
611 !CBS_get_u8(&server_name_list, &name_type) ||
612 // Although the server_name extension was intended to be extensible to
613 // new name types and multiple names, OpenSSL 1.0.x had a bug which meant
614 // different name types will cause an error. Further, RFC 4366 originally
615 // defined syntax inextensibly. RFC 6066 corrected this mistake, but
616 // adding new name types is no longer feasible.
617 //
618 // Act as if the extensibility does not exist to simplify parsing.
619 !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
620 CBS_len(&server_name_list) != 0 ||
621 CBS_len(contents) != 0) {
622 return false;
623 }
624
625 if (name_type != TLSEXT_NAMETYPE_host_name ||
626 CBS_len(&host_name) == 0 ||
627 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
628 CBS_contains_zero_byte(&host_name)) {
629 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
630 return false;
631 }
632
633 // Copy the hostname as a string.
634 char *raw = nullptr;
635 if (!CBS_strdup(&host_name, &raw)) {
636 *out_alert = SSL_AD_INTERNAL_ERROR;
637 return false;
638 }
639 ssl->s3->hostname.reset(raw);
640
641 hs->should_ack_sni = true;
642 return true;
643 }
644
ext_sni_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)645 static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
646 if (hs->ssl->s3->session_reused ||
647 !hs->should_ack_sni) {
648 return true;
649 }
650
651 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
652 !CBB_add_u16(out, 0 /* length */)) {
653 return false;
654 }
655
656 return true;
657 }
658
659
660 // Renegotiation indication.
661 //
662 // https://tools.ietf.org/html/rfc5746
663
ext_ri_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)664 static bool ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
665 SSL *const ssl = hs->ssl;
666 // Renegotiation indication is not necessary in TLS 1.3.
667 if (hs->min_version >= TLS1_3_VERSION) {
668 return true;
669 }
670
671 assert(ssl->s3->initial_handshake_complete ==
672 (ssl->s3->previous_client_finished_len != 0));
673
674 CBB contents, prev_finished;
675 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
676 !CBB_add_u16_length_prefixed(out, &contents) ||
677 !CBB_add_u8_length_prefixed(&contents, &prev_finished) ||
678 !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished,
679 ssl->s3->previous_client_finished_len) ||
680 !CBB_flush(out)) {
681 return false;
682 }
683
684 return true;
685 }
686
ext_ri_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)687 static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
688 CBS *contents) {
689 SSL *const ssl = hs->ssl;
690 if (contents != NULL && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
691 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
692 return false;
693 }
694
695 // Servers may not switch between omitting the extension and supporting it.
696 // See RFC 5746, sections 3.5 and 4.2.
697 if (ssl->s3->initial_handshake_complete &&
698 (contents != NULL) != ssl->s3->send_connection_binding) {
699 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
700 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
701 return false;
702 }
703
704 if (contents == NULL) {
705 // Strictly speaking, if we want to avoid an attack we should *always* see
706 // RI even on initial ServerHello because the client doesn't see any
707 // renegotiation during an attack. However this would mean we could not
708 // connect to any server which doesn't support RI.
709 //
710 // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in
711 // practical terms every client sets it so it's just assumed here.
712 return true;
713 }
714
715 const size_t expected_len = ssl->s3->previous_client_finished_len +
716 ssl->s3->previous_server_finished_len;
717
718 // Check for logic errors
719 assert(!expected_len || ssl->s3->previous_client_finished_len);
720 assert(!expected_len || ssl->s3->previous_server_finished_len);
721 assert(ssl->s3->initial_handshake_complete ==
722 (ssl->s3->previous_client_finished_len != 0));
723 assert(ssl->s3->initial_handshake_complete ==
724 (ssl->s3->previous_server_finished_len != 0));
725
726 // Parse out the extension contents.
727 CBS renegotiated_connection;
728 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
729 CBS_len(contents) != 0) {
730 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
731 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
732 return false;
733 }
734
735 // Check that the extension matches.
736 if (CBS_len(&renegotiated_connection) != expected_len) {
737 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
738 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
739 return false;
740 }
741
742 const uint8_t *d = CBS_data(&renegotiated_connection);
743 bool ok = CRYPTO_memcmp(d, ssl->s3->previous_client_finished,
744 ssl->s3->previous_client_finished_len) == 0;
745 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
746 ok = true;
747 #endif
748 if (!ok) {
749 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
750 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
751 return false;
752 }
753 d += ssl->s3->previous_client_finished_len;
754
755 ok = CRYPTO_memcmp(d, ssl->s3->previous_server_finished,
756 ssl->s3->previous_server_finished_len) == 0;
757 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
758 ok = true;
759 #endif
760 if (!ok) {
761 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
762 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
763 return false;
764 }
765 ssl->s3->send_connection_binding = true;
766
767 return true;
768 }
769
ext_ri_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)770 static bool ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
771 CBS *contents) {
772 SSL *const ssl = hs->ssl;
773 // Renegotiation isn't supported as a server so this function should never be
774 // called after the initial handshake.
775 assert(!ssl->s3->initial_handshake_complete);
776
777 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
778 return true;
779 }
780
781 if (contents == NULL) {
782 return true;
783 }
784
785 CBS renegotiated_connection;
786 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
787 CBS_len(contents) != 0) {
788 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
789 return false;
790 }
791
792 // Check that the extension matches. We do not support renegotiation as a
793 // server, so this must be empty.
794 if (CBS_len(&renegotiated_connection) != 0) {
795 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
796 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
797 return false;
798 }
799
800 ssl->s3->send_connection_binding = true;
801
802 return true;
803 }
804
ext_ri_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)805 static bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
806 SSL *const ssl = hs->ssl;
807 // Renegotiation isn't supported as a server so this function should never be
808 // called after the initial handshake.
809 assert(!ssl->s3->initial_handshake_complete);
810
811 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
812 return true;
813 }
814
815 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
816 !CBB_add_u16(out, 1 /* length */) ||
817 !CBB_add_u8(out, 0 /* empty renegotiation info */)) {
818 return false;
819 }
820
821 return true;
822 }
823
824
825 // Extended Master Secret.
826 //
827 // https://tools.ietf.org/html/rfc7627
828
ext_ems_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)829 static bool ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
830 // Extended master secret is not necessary in TLS 1.3.
831 if (hs->min_version >= TLS1_3_VERSION || hs->max_version <= SSL3_VERSION) {
832 return true;
833 }
834
835 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
836 !CBB_add_u16(out, 0 /* length */)) {
837 return false;
838 }
839
840 return true;
841 }
842
ext_ems_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)843 static bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
844 CBS *contents) {
845 SSL *const ssl = hs->ssl;
846
847 if (contents != NULL) {
848 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
849 ssl->version == SSL3_VERSION ||
850 CBS_len(contents) != 0) {
851 return false;
852 }
853
854 hs->extended_master_secret = true;
855 }
856
857 // Whether EMS is negotiated may not change on renegotiation.
858 if (ssl->s3->established_session != nullptr &&
859 hs->extended_master_secret !=
860 !!ssl->s3->established_session->extended_master_secret) {
861 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH);
862 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
863 return false;
864 }
865
866 return true;
867 }
868
ext_ems_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)869 static bool ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
870 CBS *contents) {
871 uint16_t version = ssl_protocol_version(hs->ssl);
872 if (version >= TLS1_3_VERSION ||
873 version == SSL3_VERSION) {
874 return true;
875 }
876
877 if (contents == NULL) {
878 return true;
879 }
880
881 if (CBS_len(contents) != 0) {
882 return false;
883 }
884
885 hs->extended_master_secret = true;
886 return true;
887 }
888
ext_ems_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)889 static bool ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
890 if (!hs->extended_master_secret) {
891 return true;
892 }
893
894 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
895 !CBB_add_u16(out, 0 /* length */)) {
896 return false;
897 }
898
899 return true;
900 }
901
902
903 // Session tickets.
904 //
905 // https://tools.ietf.org/html/rfc5077
906
ext_ticket_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)907 static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
908 SSL *const ssl = hs->ssl;
909 // TLS 1.3 uses a different ticket extension.
910 if (hs->min_version >= TLS1_3_VERSION ||
911 SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
912 return true;
913 }
914
915 const uint8_t *ticket_data = NULL;
916 int ticket_len = 0;
917
918 // Renegotiation does not participate in session resumption. However, still
919 // advertise the extension to avoid potentially breaking servers which carry
920 // over the state from the previous handshake, such as OpenSSL servers
921 // without upstream's 3c3f0259238594d77264a78944d409f2127642c4.
922 if (!ssl->s3->initial_handshake_complete &&
923 ssl->session != NULL &&
924 ssl->session->tlsext_tick != NULL &&
925 // Don't send TLS 1.3 session tickets in the ticket extension.
926 ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) {
927 ticket_data = ssl->session->tlsext_tick;
928 ticket_len = ssl->session->tlsext_ticklen;
929 }
930
931 CBB ticket;
932 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
933 !CBB_add_u16_length_prefixed(out, &ticket) ||
934 !CBB_add_bytes(&ticket, ticket_data, ticket_len) ||
935 !CBB_flush(out)) {
936 return false;
937 }
938
939 return true;
940 }
941
ext_ticket_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)942 static bool ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
943 CBS *contents) {
944 SSL *const ssl = hs->ssl;
945 if (contents == NULL) {
946 return true;
947 }
948
949 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
950 return false;
951 }
952
953 // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
954 // this function should never be called, even if the server tries to send the
955 // extension.
956 assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);
957
958 if (CBS_len(contents) != 0) {
959 return false;
960 }
961
962 hs->ticket_expected = true;
963 return true;
964 }
965
ext_ticket_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)966 static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
967 if (!hs->ticket_expected) {
968 return true;
969 }
970
971 // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true.
972 assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0);
973
974 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
975 !CBB_add_u16(out, 0 /* length */)) {
976 return false;
977 }
978
979 return true;
980 }
981
982
983 // Signature Algorithms.
984 //
985 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
986
ext_sigalgs_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)987 static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
988 SSL *const ssl = hs->ssl;
989 if (hs->max_version < TLS1_2_VERSION) {
990 return true;
991 }
992
993 CBB contents, sigalgs_cbb;
994 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
995 !CBB_add_u16_length_prefixed(out, &contents) ||
996 !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
997 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb) ||
998 !CBB_flush(out)) {
999 return false;
1000 }
1001
1002 return true;
1003 }
1004
ext_sigalgs_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1005 static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1006 CBS *contents) {
1007 hs->peer_sigalgs.Reset();
1008 if (contents == NULL) {
1009 return true;
1010 }
1011
1012 CBS supported_signature_algorithms;
1013 if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) ||
1014 CBS_len(contents) != 0 ||
1015 CBS_len(&supported_signature_algorithms) == 0 ||
1016 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
1017 return false;
1018 }
1019
1020 return true;
1021 }
1022
1023
1024 // OCSP Stapling.
1025 //
1026 // https://tools.ietf.org/html/rfc6066#section-8
1027
ext_ocsp_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1028 static bool ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1029 SSL *const ssl = hs->ssl;
1030 if (!ssl->ocsp_stapling_enabled) {
1031 return true;
1032 }
1033
1034 CBB contents;
1035 if (!CBB_add_u16(out, TLSEXT_TYPE_status_request) ||
1036 !CBB_add_u16_length_prefixed(out, &contents) ||
1037 !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
1038 !CBB_add_u16(&contents, 0 /* empty responder ID list */) ||
1039 !CBB_add_u16(&contents, 0 /* empty request extensions */) ||
1040 !CBB_flush(out)) {
1041 return false;
1042 }
1043
1044 return true;
1045 }
1046
ext_ocsp_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1047 static bool ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1048 CBS *contents) {
1049 SSL *const ssl = hs->ssl;
1050 if (contents == NULL) {
1051 return true;
1052 }
1053
1054 // TLS 1.3 OCSP responses are included in the Certificate extensions.
1055 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1056 return false;
1057 }
1058
1059 // OCSP stapling is forbidden on non-certificate ciphers.
1060 if (CBS_len(contents) != 0 ||
1061 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1062 return false;
1063 }
1064
1065 // Note this does not check for resumption in TLS 1.2. Sending
1066 // status_request here does not make sense, but OpenSSL does so and the
1067 // specification does not say anything. Tolerate it but ignore it.
1068
1069 hs->certificate_status_expected = true;
1070 return true;
1071 }
1072
ext_ocsp_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1073 static bool ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1074 CBS *contents) {
1075 if (contents == NULL) {
1076 return true;
1077 }
1078
1079 uint8_t status_type;
1080 if (!CBS_get_u8(contents, &status_type)) {
1081 return false;
1082 }
1083
1084 // We cannot decide whether OCSP stapling will occur yet because the correct
1085 // SSL_CTX might not have been selected.
1086 hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
1087
1088 return true;
1089 }
1090
ext_ocsp_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1091 static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1092 SSL *const ssl = hs->ssl;
1093 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
1094 !hs->ocsp_stapling_requested ||
1095 ssl->cert->ocsp_response == NULL ||
1096 ssl->s3->session_reused ||
1097 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1098 return true;
1099 }
1100
1101 hs->certificate_status_expected = true;
1102
1103 return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
1104 CBB_add_u16(out, 0 /* length */);
1105 }
1106
1107
1108 // Next protocol negotiation.
1109 //
1110 // https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html
1111
ext_npn_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1112 static bool ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1113 SSL *const ssl = hs->ssl;
1114 if (ssl->s3->initial_handshake_complete ||
1115 ssl->ctx->next_proto_select_cb == NULL ||
1116 SSL_is_dtls(ssl)) {
1117 return true;
1118 }
1119
1120 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1121 !CBB_add_u16(out, 0 /* length */)) {
1122 return false;
1123 }
1124
1125 return true;
1126 }
1127
ext_npn_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1128 static bool ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1129 CBS *contents) {
1130 SSL *const ssl = hs->ssl;
1131 if (contents == NULL) {
1132 return true;
1133 }
1134
1135 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1136 return false;
1137 }
1138
1139 // If any of these are false then we should never have sent the NPN
1140 // extension in the ClientHello and thus this function should never have been
1141 // called.
1142 assert(!ssl->s3->initial_handshake_complete);
1143 assert(!SSL_is_dtls(ssl));
1144 assert(ssl->ctx->next_proto_select_cb != NULL);
1145
1146 if (!ssl->s3->alpn_selected.empty()) {
1147 // NPN and ALPN may not be negotiated in the same connection.
1148 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1149 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1150 return false;
1151 }
1152
1153 const uint8_t *const orig_contents = CBS_data(contents);
1154 const size_t orig_len = CBS_len(contents);
1155
1156 while (CBS_len(contents) != 0) {
1157 CBS proto;
1158 if (!CBS_get_u8_length_prefixed(contents, &proto) ||
1159 CBS_len(&proto) == 0) {
1160 return false;
1161 }
1162 }
1163
1164 uint8_t *selected;
1165 uint8_t selected_len;
1166 if (ssl->ctx->next_proto_select_cb(
1167 ssl, &selected, &selected_len, orig_contents, orig_len,
1168 ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK ||
1169 !ssl->s3->next_proto_negotiated.CopyFrom(
1170 MakeConstSpan(selected, selected_len))) {
1171 *out_alert = SSL_AD_INTERNAL_ERROR;
1172 return false;
1173 }
1174
1175 hs->next_proto_neg_seen = true;
1176 return true;
1177 }
1178
ext_npn_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1179 static bool ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1180 CBS *contents) {
1181 SSL *const ssl = hs->ssl;
1182 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1183 return true;
1184 }
1185
1186 if (contents != NULL && CBS_len(contents) != 0) {
1187 return false;
1188 }
1189
1190 if (contents == NULL ||
1191 ssl->s3->initial_handshake_complete ||
1192 ssl->ctx->next_protos_advertised_cb == NULL ||
1193 SSL_is_dtls(ssl)) {
1194 return true;
1195 }
1196
1197 hs->next_proto_neg_seen = true;
1198 return true;
1199 }
1200
ext_npn_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1201 static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1202 SSL *const ssl = hs->ssl;
1203 // |next_proto_neg_seen| might have been cleared when an ALPN extension was
1204 // parsed.
1205 if (!hs->next_proto_neg_seen) {
1206 return true;
1207 }
1208
1209 const uint8_t *npa;
1210 unsigned npa_len;
1211
1212 if (ssl->ctx->next_protos_advertised_cb(
1213 ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) !=
1214 SSL_TLSEXT_ERR_OK) {
1215 hs->next_proto_neg_seen = false;
1216 return true;
1217 }
1218
1219 CBB contents;
1220 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1221 !CBB_add_u16_length_prefixed(out, &contents) ||
1222 !CBB_add_bytes(&contents, npa, npa_len) ||
1223 !CBB_flush(out)) {
1224 return false;
1225 }
1226
1227 return true;
1228 }
1229
1230
1231 // Signed certificate timestamps.
1232 //
1233 // https://tools.ietf.org/html/rfc6962#section-3.3.1
1234
ext_sct_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1235 static bool ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1236 SSL *const ssl = hs->ssl;
1237 if (!ssl->signed_cert_timestamps_enabled) {
1238 return true;
1239 }
1240
1241 if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) ||
1242 !CBB_add_u16(out, 0 /* length */)) {
1243 return false;
1244 }
1245
1246 return true;
1247 }
1248
ext_sct_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1249 static bool ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1250 CBS *contents) {
1251 SSL *const ssl = hs->ssl;
1252 if (contents == NULL) {
1253 return true;
1254 }
1255
1256 // TLS 1.3 SCTs are included in the Certificate extensions.
1257 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1258 *out_alert = SSL_AD_DECODE_ERROR;
1259 return false;
1260 }
1261
1262 // If this is false then we should never have sent the SCT extension in the
1263 // ClientHello and thus this function should never have been called.
1264 assert(ssl->signed_cert_timestamps_enabled);
1265
1266 if (!ssl_is_sct_list_valid(contents)) {
1267 *out_alert = SSL_AD_DECODE_ERROR;
1268 return false;
1269 }
1270
1271 // Session resumption uses the original session information. The extension
1272 // should not be sent on resumption, but RFC 6962 did not make it a
1273 // requirement, so tolerate this.
1274 //
1275 // TODO(davidben): Enforce this anyway.
1276 if (!ssl->s3->session_reused) {
1277 CRYPTO_BUFFER_free(hs->new_session->signed_cert_timestamp_list);
1278 hs->new_session->signed_cert_timestamp_list =
1279 CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool);
1280 if (hs->new_session->signed_cert_timestamp_list == nullptr) {
1281 *out_alert = SSL_AD_INTERNAL_ERROR;
1282 return false;
1283 }
1284 }
1285
1286 return true;
1287 }
1288
ext_sct_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1289 static bool ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1290 CBS *contents) {
1291 if (contents == NULL) {
1292 return true;
1293 }
1294
1295 if (CBS_len(contents) != 0) {
1296 return false;
1297 }
1298
1299 hs->scts_requested = true;
1300 return true;
1301 }
1302
ext_sct_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1303 static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1304 SSL *const ssl = hs->ssl;
1305 // The extension shouldn't be sent when resuming sessions.
1306 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
1307 ssl->s3->session_reused ||
1308 ssl->cert->signed_cert_timestamp_list == NULL) {
1309 return true;
1310 }
1311
1312 CBB contents;
1313 return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) &&
1314 CBB_add_u16_length_prefixed(out, &contents) &&
1315 CBB_add_bytes(
1316 &contents,
1317 CRYPTO_BUFFER_data(ssl->cert->signed_cert_timestamp_list),
1318 CRYPTO_BUFFER_len(ssl->cert->signed_cert_timestamp_list)) &&
1319 CBB_flush(out);
1320 }
1321
1322
1323 // Application-level Protocol Negotiation.
1324 //
1325 // https://tools.ietf.org/html/rfc7301
1326
ext_alpn_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1327 static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1328 SSL *const ssl = hs->ssl;
1329 if (ssl->alpn_client_proto_list == NULL ||
1330 ssl->s3->initial_handshake_complete) {
1331 return true;
1332 }
1333
1334 CBB contents, proto_list;
1335 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1336 !CBB_add_u16_length_prefixed(out, &contents) ||
1337 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1338 !CBB_add_bytes(&proto_list, ssl->alpn_client_proto_list,
1339 ssl->alpn_client_proto_list_len) ||
1340 !CBB_flush(out)) {
1341 return false;
1342 }
1343
1344 return true;
1345 }
1346
ext_alpn_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1347 static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1348 CBS *contents) {
1349 SSL *const ssl = hs->ssl;
1350 if (contents == NULL) {
1351 return true;
1352 }
1353
1354 assert(!ssl->s3->initial_handshake_complete);
1355 assert(ssl->alpn_client_proto_list != NULL);
1356
1357 if (hs->next_proto_neg_seen) {
1358 // NPN and ALPN may not be negotiated in the same connection.
1359 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1360 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1361 return false;
1362 }
1363
1364 // The extension data consists of a ProtocolNameList which must have
1365 // exactly one ProtocolName. Each of these is length-prefixed.
1366 CBS protocol_name_list, protocol_name;
1367 if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
1368 CBS_len(contents) != 0 ||
1369 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
1370 // Empty protocol names are forbidden.
1371 CBS_len(&protocol_name) == 0 ||
1372 CBS_len(&protocol_name_list) != 0) {
1373 return false;
1374 }
1375
1376 if (!ssl_is_alpn_protocol_allowed(ssl, protocol_name)) {
1377 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1378 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1379 return false;
1380 }
1381
1382 if (!ssl->s3->alpn_selected.CopyFrom(protocol_name)) {
1383 *out_alert = SSL_AD_INTERNAL_ERROR;
1384 return false;
1385 }
1386
1387 return true;
1388 }
1389
ssl_is_alpn_protocol_allowed(const SSL * ssl,Span<const uint8_t> protocol)1390 bool ssl_is_alpn_protocol_allowed(const SSL *ssl,
1391 Span<const uint8_t> protocol) {
1392 if (ssl->alpn_client_proto_list == nullptr) {
1393 return false;
1394 }
1395
1396 if (ssl->ctx->allow_unknown_alpn_protos) {
1397 return true;
1398 }
1399
1400 // Check that the protocol name is one of the ones we advertised.
1401 CBS client_protocol_name_list, client_protocol_name;
1402 CBS_init(&client_protocol_name_list, ssl->alpn_client_proto_list,
1403 ssl->alpn_client_proto_list_len);
1404 while (CBS_len(&client_protocol_name_list) > 0) {
1405 if (!CBS_get_u8_length_prefixed(&client_protocol_name_list,
1406 &client_protocol_name)) {
1407 return false;
1408 }
1409
1410 if (client_protocol_name == protocol) {
1411 return true;
1412 }
1413 }
1414
1415 return false;
1416 }
1417
ssl_negotiate_alpn(SSL_HANDSHAKE * hs,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello)1418 bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1419 const SSL_CLIENT_HELLO *client_hello) {
1420 SSL *const ssl = hs->ssl;
1421 CBS contents;
1422 if (ssl->ctx->alpn_select_cb == NULL ||
1423 !ssl_client_hello_get_extension(
1424 client_hello, &contents,
1425 TLSEXT_TYPE_application_layer_protocol_negotiation)) {
1426 // Ignore ALPN if not configured or no extension was supplied.
1427 return true;
1428 }
1429
1430 // ALPN takes precedence over NPN.
1431 hs->next_proto_neg_seen = false;
1432
1433 CBS protocol_name_list;
1434 if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
1435 CBS_len(&contents) != 0 ||
1436 CBS_len(&protocol_name_list) < 2) {
1437 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1438 *out_alert = SSL_AD_DECODE_ERROR;
1439 return false;
1440 }
1441
1442 // Validate the protocol list.
1443 CBS protocol_name_list_copy = protocol_name_list;
1444 while (CBS_len(&protocol_name_list_copy) > 0) {
1445 CBS protocol_name;
1446
1447 if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
1448 // Empty protocol names are forbidden.
1449 CBS_len(&protocol_name) == 0) {
1450 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1451 *out_alert = SSL_AD_DECODE_ERROR;
1452 return false;
1453 }
1454 }
1455
1456 const uint8_t *selected;
1457 uint8_t selected_len;
1458 if (ssl->ctx->alpn_select_cb(
1459 ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
1460 CBS_len(&protocol_name_list),
1461 ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) {
1462 if (!ssl->s3->alpn_selected.CopyFrom(
1463 MakeConstSpan(selected, selected_len))) {
1464 *out_alert = SSL_AD_INTERNAL_ERROR;
1465 return false;
1466 }
1467 }
1468
1469 return true;
1470 }
1471
ext_alpn_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1472 static bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1473 SSL *const ssl = hs->ssl;
1474 if (ssl->s3->alpn_selected.empty()) {
1475 return true;
1476 }
1477
1478 CBB contents, proto_list, proto;
1479 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1480 !CBB_add_u16_length_prefixed(out, &contents) ||
1481 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1482 !CBB_add_u8_length_prefixed(&proto_list, &proto) ||
1483 !CBB_add_bytes(&proto, ssl->s3->alpn_selected.data(),
1484 ssl->s3->alpn_selected.size()) ||
1485 !CBB_flush(out)) {
1486 return false;
1487 }
1488
1489 return true;
1490 }
1491
1492
1493 // Channel ID.
1494 //
1495 // https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1496
ext_channel_id_init(SSL_HANDSHAKE * hs)1497 static void ext_channel_id_init(SSL_HANDSHAKE *hs) {
1498 hs->ssl->s3->tlsext_channel_id_valid = false;
1499 }
1500
ext_channel_id_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1501 static bool ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1502 SSL *const ssl = hs->ssl;
1503 if (!ssl->tlsext_channel_id_enabled ||
1504 SSL_is_dtls(ssl)) {
1505 return true;
1506 }
1507
1508 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1509 !CBB_add_u16(out, 0 /* length */)) {
1510 return false;
1511 }
1512
1513 return true;
1514 }
1515
ext_channel_id_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1516 static bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,
1517 uint8_t *out_alert,
1518 CBS *contents) {
1519 SSL *const ssl = hs->ssl;
1520 if (contents == NULL) {
1521 return true;
1522 }
1523
1524 assert(!SSL_is_dtls(ssl));
1525 assert(ssl->tlsext_channel_id_enabled);
1526
1527 if (CBS_len(contents) != 0) {
1528 return false;
1529 }
1530
1531 ssl->s3->tlsext_channel_id_valid = true;
1532 return true;
1533 }
1534
ext_channel_id_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1535 static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
1536 uint8_t *out_alert,
1537 CBS *contents) {
1538 SSL *const ssl = hs->ssl;
1539 if (contents == NULL ||
1540 !ssl->tlsext_channel_id_enabled ||
1541 SSL_is_dtls(ssl)) {
1542 return true;
1543 }
1544
1545 if (CBS_len(contents) != 0) {
1546 return false;
1547 }
1548
1549 ssl->s3->tlsext_channel_id_valid = true;
1550 return true;
1551 }
1552
ext_channel_id_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1553 static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1554 SSL *const ssl = hs->ssl;
1555 if (!ssl->s3->tlsext_channel_id_valid) {
1556 return true;
1557 }
1558
1559 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1560 !CBB_add_u16(out, 0 /* length */)) {
1561 return false;
1562 }
1563
1564 return true;
1565 }
1566
1567
1568 // Secure Real-time Transport Protocol (SRTP) extension.
1569 //
1570 // https://tools.ietf.org/html/rfc5764
1571
1572
ext_srtp_init(SSL_HANDSHAKE * hs)1573 static void ext_srtp_init(SSL_HANDSHAKE *hs) {
1574 hs->ssl->srtp_profile = NULL;
1575 }
1576
ext_srtp_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1577 static bool ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1578 SSL *const ssl = hs->ssl;
1579 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1580 if (profiles == NULL ||
1581 sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0) {
1582 return true;
1583 }
1584
1585 CBB contents, profile_ids;
1586 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1587 !CBB_add_u16_length_prefixed(out, &contents) ||
1588 !CBB_add_u16_length_prefixed(&contents, &profile_ids)) {
1589 return false;
1590 }
1591
1592 for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1593 if (!CBB_add_u16(&profile_ids, profile->id)) {
1594 return false;
1595 }
1596 }
1597
1598 if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) ||
1599 !CBB_flush(out)) {
1600 return false;
1601 }
1602
1603 return true;
1604 }
1605
ext_srtp_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1606 static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1607 CBS *contents) {
1608 SSL *const ssl = hs->ssl;
1609 if (contents == NULL) {
1610 return true;
1611 }
1612
1613 // The extension consists of a u16-prefixed profile ID list containing a
1614 // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
1615 //
1616 // See https://tools.ietf.org/html/rfc5764#section-4.1.1
1617 CBS profile_ids, srtp_mki;
1618 uint16_t profile_id;
1619 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1620 !CBS_get_u16(&profile_ids, &profile_id) ||
1621 CBS_len(&profile_ids) != 0 ||
1622 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1623 CBS_len(contents) != 0) {
1624 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1625 return false;
1626 }
1627
1628 if (CBS_len(&srtp_mki) != 0) {
1629 // Must be no MKI, since we never offer one.
1630 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);
1631 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1632 return false;
1633 }
1634
1635 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1636
1637 // Check to see if the server gave us something we support (and presumably
1638 // offered).
1639 for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1640 if (profile->id == profile_id) {
1641 ssl->srtp_profile = profile;
1642 return true;
1643 }
1644 }
1645
1646 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1647 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1648 return false;
1649 }
1650
ext_srtp_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1651 static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1652 CBS *contents) {
1653 SSL *const ssl = hs->ssl;
1654 if (contents == NULL) {
1655 return true;
1656 }
1657
1658 CBS profile_ids, srtp_mki;
1659 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1660 CBS_len(&profile_ids) < 2 ||
1661 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1662 CBS_len(contents) != 0) {
1663 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1664 return false;
1665 }
1666 // Discard the MKI value for now.
1667
1668 const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =
1669 SSL_get_srtp_profiles(ssl);
1670
1671 // Pick the server's most preferred profile.
1672 for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) {
1673 CBS profile_ids_tmp;
1674 CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids));
1675
1676 while (CBS_len(&profile_ids_tmp) > 0) {
1677 uint16_t profile_id;
1678 if (!CBS_get_u16(&profile_ids_tmp, &profile_id)) {
1679 return false;
1680 }
1681
1682 if (server_profile->id == profile_id) {
1683 ssl->srtp_profile = server_profile;
1684 return true;
1685 }
1686 }
1687 }
1688
1689 return true;
1690 }
1691
ext_srtp_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1692 static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1693 SSL *const ssl = hs->ssl;
1694 if (ssl->srtp_profile == NULL) {
1695 return true;
1696 }
1697
1698 CBB contents, profile_ids;
1699 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1700 !CBB_add_u16_length_prefixed(out, &contents) ||
1701 !CBB_add_u16_length_prefixed(&contents, &profile_ids) ||
1702 !CBB_add_u16(&profile_ids, ssl->srtp_profile->id) ||
1703 !CBB_add_u8(&contents, 0 /* empty MKI */) ||
1704 !CBB_flush(out)) {
1705 return false;
1706 }
1707
1708 return true;
1709 }
1710
1711
1712 // EC point formats.
1713 //
1714 // https://tools.ietf.org/html/rfc4492#section-5.1.2
1715
ext_ec_point_add_extension(SSL_HANDSHAKE * hs,CBB * out)1716 static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
1717 CBB contents, formats;
1718 if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) ||
1719 !CBB_add_u16_length_prefixed(out, &contents) ||
1720 !CBB_add_u8_length_prefixed(&contents, &formats) ||
1721 !CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) ||
1722 !CBB_flush(out)) {
1723 return false;
1724 }
1725
1726 return true;
1727 }
1728
ext_ec_point_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1729 static bool ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1730 // The point format extension is unneccessary in TLS 1.3.
1731 if (hs->min_version >= TLS1_3_VERSION) {
1732 return true;
1733 }
1734
1735 return ext_ec_point_add_extension(hs, out);
1736 }
1737
ext_ec_point_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1738 static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1739 CBS *contents) {
1740 if (contents == NULL) {
1741 return true;
1742 }
1743
1744 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1745 return false;
1746 }
1747
1748 CBS ec_point_format_list;
1749 if (!CBS_get_u8_length_prefixed(contents, &ec_point_format_list) ||
1750 CBS_len(contents) != 0) {
1751 return false;
1752 }
1753
1754 // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
1755 // point format.
1756 if (OPENSSL_memchr(CBS_data(&ec_point_format_list),
1757 TLSEXT_ECPOINTFORMAT_uncompressed,
1758 CBS_len(&ec_point_format_list)) == NULL) {
1759 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1760 return false;
1761 }
1762
1763 return true;
1764 }
1765
ext_ec_point_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1766 static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1767 CBS *contents) {
1768 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1769 return true;
1770 }
1771
1772 return ext_ec_point_parse_serverhello(hs, out_alert, contents);
1773 }
1774
ext_ec_point_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1775 static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1776 SSL *const ssl = hs->ssl;
1777 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1778 return true;
1779 }
1780
1781 const uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1782 const uint32_t alg_a = hs->new_cipher->algorithm_auth;
1783 const bool using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1784
1785 if (!using_ecc) {
1786 return true;
1787 }
1788
1789 return ext_ec_point_add_extension(hs, out);
1790 }
1791
1792
1793 // Pre Shared Key
1794 //
1795 // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6
1796
ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE * hs)1797 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
1798 SSL *const ssl = hs->ssl;
1799 if (hs->max_version < TLS1_3_VERSION || ssl->session == NULL ||
1800 ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) {
1801 return 0;
1802 }
1803
1804 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session));
1805 return 15 + ssl->session->tlsext_ticklen + binder_len;
1806 }
1807
ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1808 static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1809 SSL *const ssl = hs->ssl;
1810 hs->needs_psk_binder = false;
1811 if (hs->max_version < TLS1_3_VERSION || ssl->session == NULL ||
1812 ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) {
1813 return true;
1814 }
1815
1816 // Per draft-ietf-tls-tls13-21 section 4.1.4, skip offering the session if the
1817 // selected cipher in HelloRetryRequest does not match. This avoids performing
1818 // the transcript hash transformation for multiple hashes.
1819 if (hs->received_hello_retry_request &&
1820 ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
1821 return true;
1822 }
1823
1824 struct OPENSSL_timeval now;
1825 ssl_get_current_time(ssl, &now);
1826 uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time);
1827 uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add;
1828
1829 // Fill in a placeholder zero binder of the appropriate length. It will be
1830 // computed and filled in later after length prefixes are computed.
1831 uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
1832 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session));
1833
1834 CBB contents, identity, ticket, binders, binder;
1835 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1836 !CBB_add_u16_length_prefixed(out, &contents) ||
1837 !CBB_add_u16_length_prefixed(&contents, &identity) ||
1838 !CBB_add_u16_length_prefixed(&identity, &ticket) ||
1839 !CBB_add_bytes(&ticket, ssl->session->tlsext_tick,
1840 ssl->session->tlsext_ticklen) ||
1841 !CBB_add_u32(&identity, obfuscated_ticket_age) ||
1842 !CBB_add_u16_length_prefixed(&contents, &binders) ||
1843 !CBB_add_u8_length_prefixed(&binders, &binder) ||
1844 !CBB_add_bytes(&binder, zero_binder, binder_len)) {
1845 return false;
1846 }
1847
1848 hs->needs_psk_binder = true;
1849 return CBB_flush(out);
1850 }
1851
ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1852 bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
1853 uint8_t *out_alert,
1854 CBS *contents) {
1855 uint16_t psk_id;
1856 if (!CBS_get_u16(contents, &psk_id) ||
1857 CBS_len(contents) != 0) {
1858 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1859 *out_alert = SSL_AD_DECODE_ERROR;
1860 return false;
1861 }
1862
1863 // We only advertise one PSK identity, so the only legal index is zero.
1864 if (psk_id != 0) {
1865 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1866 *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY;
1867 return false;
1868 }
1869
1870 return true;
1871 }
1872
ssl_ext_pre_shared_key_parse_clienthello(SSL_HANDSHAKE * hs,CBS * out_ticket,CBS * out_binders,uint32_t * out_obfuscated_ticket_age,uint8_t * out_alert,CBS * contents)1873 bool ssl_ext_pre_shared_key_parse_clienthello(
1874 SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,
1875 uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents) {
1876 // We only process the first PSK identity since we don't support pure PSK.
1877 CBS identities, binders;
1878 if (!CBS_get_u16_length_prefixed(contents, &identities) ||
1879 !CBS_get_u16_length_prefixed(&identities, out_ticket) ||
1880 !CBS_get_u32(&identities, out_obfuscated_ticket_age) ||
1881 !CBS_get_u16_length_prefixed(contents, &binders) ||
1882 CBS_len(&binders) == 0 ||
1883 CBS_len(contents) != 0) {
1884 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1885 *out_alert = SSL_AD_DECODE_ERROR;
1886 return false;
1887 }
1888
1889 *out_binders = binders;
1890
1891 // Check the syntax of the remaining identities, but do not process them.
1892 size_t num_identities = 1;
1893 while (CBS_len(&identities) != 0) {
1894 CBS unused_ticket;
1895 uint32_t unused_obfuscated_ticket_age;
1896 if (!CBS_get_u16_length_prefixed(&identities, &unused_ticket) ||
1897 !CBS_get_u32(&identities, &unused_obfuscated_ticket_age)) {
1898 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1899 *out_alert = SSL_AD_DECODE_ERROR;
1900 return false;
1901 }
1902
1903 num_identities++;
1904 }
1905
1906 // Check the syntax of the binders. The value will be checked later if
1907 // resuming.
1908 size_t num_binders = 0;
1909 while (CBS_len(&binders) != 0) {
1910 CBS binder;
1911 if (!CBS_get_u8_length_prefixed(&binders, &binder)) {
1912 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1913 *out_alert = SSL_AD_DECODE_ERROR;
1914 return false;
1915 }
1916
1917 num_binders++;
1918 }
1919
1920 if (num_identities != num_binders) {
1921 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH);
1922 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1923 return false;
1924 }
1925
1926 return true;
1927 }
1928
ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)1929 bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1930 if (!hs->ssl->s3->session_reused) {
1931 return true;
1932 }
1933
1934 CBB contents;
1935 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1936 !CBB_add_u16_length_prefixed(out, &contents) ||
1937 // We only consider the first identity for resumption
1938 !CBB_add_u16(&contents, 0) ||
1939 !CBB_flush(out)) {
1940 return false;
1941 }
1942
1943 return true;
1944 }
1945
1946
1947 // Pre-Shared Key Exchange Modes
1948 //
1949 // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7
1950
ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1951 static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
1952 CBB *out) {
1953 if (hs->max_version < TLS1_3_VERSION) {
1954 return true;
1955 }
1956
1957 CBB contents, ke_modes;
1958 if (!CBB_add_u16(out, TLSEXT_TYPE_psk_key_exchange_modes) ||
1959 !CBB_add_u16_length_prefixed(out, &contents) ||
1960 !CBB_add_u8_length_prefixed(&contents, &ke_modes) ||
1961 !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) {
1962 return false;
1963 }
1964
1965 return CBB_flush(out);
1966 }
1967
ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)1968 static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
1969 uint8_t *out_alert,
1970 CBS *contents) {
1971 if (contents == NULL) {
1972 return true;
1973 }
1974
1975 CBS ke_modes;
1976 if (!CBS_get_u8_length_prefixed(contents, &ke_modes) ||
1977 CBS_len(&ke_modes) == 0 ||
1978 CBS_len(contents) != 0) {
1979 *out_alert = SSL_AD_DECODE_ERROR;
1980 return false;
1981 }
1982
1983 // We only support tickets with PSK_DHE_KE.
1984 hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE,
1985 CBS_len(&ke_modes)) != NULL;
1986
1987 return true;
1988 }
1989
1990
1991 // Early Data Indication
1992 //
1993 // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8
1994
ext_early_data_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)1995 static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1996 SSL *const ssl = hs->ssl;
1997 if (!ssl->cert->enable_early_data ||
1998 // Session must be 0-RTT capable.
1999 ssl->session == NULL ||
2000 ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION ||
2001 ssl->session->ticket_max_early_data == 0 ||
2002 // The second ClientHello never offers early data.
2003 hs->received_hello_retry_request ||
2004 // In case ALPN preferences changed since this session was established,
2005 // avoid reporting a confusing value in |SSL_get0_alpn_selected|.
2006 (ssl->session->early_alpn_len != 0 &&
2007 !ssl_is_alpn_protocol_allowed(
2008 ssl, MakeConstSpan(ssl->session->early_alpn,
2009 ssl->session->early_alpn_len)))) {
2010 return true;
2011 }
2012
2013 hs->early_data_offered = true;
2014
2015 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2016 !CBB_add_u16(out, 0) ||
2017 !CBB_flush(out)) {
2018 return false;
2019 }
2020
2021 return true;
2022 }
2023
ext_early_data_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2024 static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
2025 uint8_t *out_alert, CBS *contents) {
2026 SSL *const ssl = hs->ssl;
2027 if (contents == NULL) {
2028 return true;
2029 }
2030
2031 if (CBS_len(contents) != 0) {
2032 *out_alert = SSL_AD_DECODE_ERROR;
2033 return false;
2034 }
2035
2036 if (!ssl->s3->session_reused) {
2037 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2038 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
2039 return false;
2040 }
2041
2042 ssl->s3->early_data_accepted = true;
2043 return true;
2044 }
2045
ext_early_data_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2046 static bool ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs,
2047 uint8_t *out_alert, CBS *contents) {
2048 SSL *const ssl = hs->ssl;
2049 if (contents == NULL ||
2050 ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2051 return true;
2052 }
2053
2054 if (CBS_len(contents) != 0) {
2055 *out_alert = SSL_AD_DECODE_ERROR;
2056 return false;
2057 }
2058
2059 hs->early_data_offered = true;
2060 return true;
2061 }
2062
ext_early_data_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2063 static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2064 if (!hs->ssl->s3->early_data_accepted) {
2065 return true;
2066 }
2067
2068 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2069 !CBB_add_u16(out, 0) ||
2070 !CBB_flush(out)) {
2071 return false;
2072 }
2073
2074 return true;
2075 }
2076
2077
2078 // Key Share
2079 //
2080 // https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5
2081
ext_key_share_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2082 static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2083 SSL *const ssl = hs->ssl;
2084 if (hs->max_version < TLS1_3_VERSION) {
2085 return true;
2086 }
2087
2088 CBB contents, kse_bytes;
2089 if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2090 !CBB_add_u16_length_prefixed(out, &contents) ||
2091 !CBB_add_u16_length_prefixed(&contents, &kse_bytes)) {
2092 return false;
2093 }
2094
2095 uint16_t group_id = hs->retry_group;
2096 if (hs->received_hello_retry_request) {
2097 // We received a HelloRetryRequest without a new curve, so there is no new
2098 // share to append. Leave |hs->key_share| as-is.
2099 if (group_id == 0 &&
2100 !CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(),
2101 hs->key_share_bytes.size())) {
2102 return false;
2103 }
2104 hs->key_share_bytes.Reset();
2105 if (group_id == 0) {
2106 return CBB_flush(out);
2107 }
2108 } else {
2109 // Add a fake group. See draft-davidben-tls-grease-01.
2110 if (ssl->ctx->grease_enabled &&
2111 (!CBB_add_u16(&kse_bytes,
2112 ssl_get_grease_value(hs, ssl_grease_group)) ||
2113 !CBB_add_u16(&kse_bytes, 1 /* length */) ||
2114 !CBB_add_u8(&kse_bytes, 0 /* one byte key share */))) {
2115 return false;
2116 }
2117
2118 // Predict the most preferred group.
2119 Span<const uint16_t> groups = tls1_get_grouplist(ssl);
2120 if (groups.empty()) {
2121 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED);
2122 return false;
2123 }
2124
2125 group_id = groups[0];
2126 }
2127
2128 hs->key_share = SSLKeyShare::Create(group_id);
2129 CBB key_exchange;
2130 if (!hs->key_share ||
2131 !CBB_add_u16(&kse_bytes, group_id) ||
2132 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2133 !hs->key_share->Offer(&key_exchange) ||
2134 !CBB_flush(&kse_bytes)) {
2135 return false;
2136 }
2137
2138 // Save the contents of the extension to repeat it in the second ClientHello.
2139 if (!hs->received_hello_retry_request &&
2140 !hs->key_share_bytes.CopyFrom(
2141 MakeConstSpan(CBB_data(&kse_bytes), CBB_len(&kse_bytes)))) {
2142 return false;
2143 }
2144
2145 return CBB_flush(out);
2146 }
2147
ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE * hs,Array<uint8_t> * out_secret,uint8_t * out_alert,CBS * contents)2148 bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
2149 Array<uint8_t> *out_secret,
2150 uint8_t *out_alert, CBS *contents) {
2151 CBS peer_key;
2152 uint16_t group_id;
2153 if (!CBS_get_u16(contents, &group_id) ||
2154 !CBS_get_u16_length_prefixed(contents, &peer_key) ||
2155 CBS_len(contents) != 0) {
2156 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2157 *out_alert = SSL_AD_DECODE_ERROR;
2158 return false;
2159 }
2160
2161 if (hs->key_share->GroupID() != group_id) {
2162 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2163 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
2164 return false;
2165 }
2166
2167 if (!hs->key_share->Finish(out_secret, out_alert, peer_key)) {
2168 *out_alert = SSL_AD_INTERNAL_ERROR;
2169 return false;
2170 }
2171
2172 hs->new_session->group_id = group_id;
2173 hs->key_share.reset();
2174 return true;
2175 }
2176
ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE * hs,bool * out_found,Array<uint8_t> * out_secret,uint8_t * out_alert,CBS * contents)2177 bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
2178 Array<uint8_t> *out_secret,
2179 uint8_t *out_alert, CBS *contents) {
2180 uint16_t group_id;
2181 CBS key_shares;
2182 if (!tls1_get_shared_group(hs, &group_id)) {
2183 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
2184 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
2185 return false;
2186 }
2187
2188 if (!CBS_get_u16_length_prefixed(contents, &key_shares) ||
2189 CBS_len(contents) != 0) {
2190 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2191 return false;
2192 }
2193
2194 // Find the corresponding key share.
2195 CBS peer_key;
2196 CBS_init(&peer_key, NULL, 0);
2197 while (CBS_len(&key_shares) > 0) {
2198 uint16_t id;
2199 CBS peer_key_tmp;
2200 if (!CBS_get_u16(&key_shares, &id) ||
2201 !CBS_get_u16_length_prefixed(&key_shares, &peer_key_tmp) ||
2202 CBS_len(&peer_key_tmp) == 0) {
2203 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2204 return false;
2205 }
2206
2207 if (id == group_id) {
2208 if (CBS_len(&peer_key) != 0) {
2209 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_KEY_SHARE);
2210 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2211 return false;
2212 }
2213
2214 peer_key = peer_key_tmp;
2215 // Continue parsing the structure to keep peers honest.
2216 }
2217 }
2218
2219 if (CBS_len(&peer_key) == 0) {
2220 *out_found = false;
2221 out_secret->Reset();
2222 return true;
2223 }
2224
2225 // Compute the DH secret.
2226 Array<uint8_t> secret;
2227 ScopedCBB public_key;
2228 UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
2229 if (!key_share ||
2230 !CBB_init(public_key.get(), 32) ||
2231 !key_share->Accept(public_key.get(), &secret, out_alert, peer_key) ||
2232 !CBBFinishArray(public_key.get(), &hs->ecdh_public_key)) {
2233 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2234 return false;
2235 }
2236
2237 *out_secret = std::move(secret);
2238 *out_found = true;
2239 return true;
2240 }
2241
ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2242 bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2243 uint16_t group_id;
2244 CBB kse_bytes, public_key;
2245 if (!tls1_get_shared_group(hs, &group_id) ||
2246 !CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2247 !CBB_add_u16_length_prefixed(out, &kse_bytes) ||
2248 !CBB_add_u16(&kse_bytes, group_id) ||
2249 !CBB_add_u16_length_prefixed(&kse_bytes, &public_key) ||
2250 !CBB_add_bytes(&public_key, hs->ecdh_public_key.data(),
2251 hs->ecdh_public_key.size()) ||
2252 !CBB_flush(out)) {
2253 return false;
2254 }
2255
2256 hs->ecdh_public_key.Reset();
2257
2258 hs->new_session->group_id = group_id;
2259 return true;
2260 }
2261
2262
2263 // Supported Versions
2264 //
2265 // https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1
2266
ext_supported_versions_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2267 static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2268 SSL *const ssl = hs->ssl;
2269 if (hs->max_version <= TLS1_2_VERSION) {
2270 return true;
2271 }
2272
2273 CBB contents, versions;
2274 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
2275 !CBB_add_u16_length_prefixed(out, &contents) ||
2276 !CBB_add_u8_length_prefixed(&contents, &versions)) {
2277 return false;
2278 }
2279
2280 // Add a fake version. See draft-davidben-tls-grease-01.
2281 if (ssl->ctx->grease_enabled &&
2282 !CBB_add_u16(&versions, ssl_get_grease_value(hs, ssl_grease_version))) {
2283 return false;
2284 }
2285
2286 if (!ssl_add_supported_versions(hs, &versions) ||
2287 !CBB_flush(out)) {
2288 return false;
2289 }
2290
2291 return true;
2292 }
2293
2294
2295 // Cookie
2296 //
2297 // https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2
2298
ext_cookie_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2299 static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2300 if (hs->cookie.empty()) {
2301 return true;
2302 }
2303
2304 CBB contents, cookie;
2305 if (!CBB_add_u16(out, TLSEXT_TYPE_cookie) ||
2306 !CBB_add_u16_length_prefixed(out, &contents) ||
2307 !CBB_add_u16_length_prefixed(&contents, &cookie) ||
2308 !CBB_add_bytes(&cookie, hs->cookie.data(), hs->cookie.size()) ||
2309 !CBB_flush(out)) {
2310 return false;
2311 }
2312
2313 // The cookie is no longer needed in memory.
2314 hs->cookie.Reset();
2315 return true;
2316 }
2317
2318
2319 // Dummy PQ Padding extension
2320 //
2321 // Dummy post-quantum padding invovles the client (and later server) sending
2322 // useless, random-looking bytes in an extension in their ClientHello or
2323 // ServerHello. These extensions are sized to simulate a post-quantum
2324 // key-exchange and so enable measurement of the latency impact of the
2325 // additional bandwidth.
2326
ext_dummy_pq_padding_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2327 static bool ext_dummy_pq_padding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2328 const size_t len = hs->ssl->dummy_pq_padding_len;
2329 if (len == 0) {
2330 return true;
2331 }
2332
2333 CBB contents;
2334 uint8_t *buffer;
2335 if (!CBB_add_u16(out, TLSEXT_TYPE_dummy_pq_padding) ||
2336 !CBB_add_u16_length_prefixed(out, &contents) ||
2337 !CBB_add_space(&contents, &buffer, len)) {
2338 return false;
2339 }
2340
2341 // The length is used as the nonce so that different length extensions have
2342 // different contents. There's no reason this has to be the case, it just
2343 // makes things a little more obvious in a packet dump.
2344 uint8_t nonce[12] = {0};
2345 memcpy(nonce, &len, sizeof(len));
2346
2347 memset(buffer, 0, len);
2348 static const uint8_t kZeroKey[32] = {0};
2349 CRYPTO_chacha_20(buffer, buffer, len, kZeroKey, nonce, 0);
2350
2351 return CBB_flush(out);
2352 }
2353
2354
2355 // Negotiated Groups
2356 //
2357 // https://tools.ietf.org/html/rfc4492#section-5.1.2
2358 // https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4
2359
ext_supported_groups_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2360 static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2361 SSL *const ssl = hs->ssl;
2362 CBB contents, groups_bytes;
2363 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_groups) ||
2364 !CBB_add_u16_length_prefixed(out, &contents) ||
2365 !CBB_add_u16_length_prefixed(&contents, &groups_bytes)) {
2366 return false;
2367 }
2368
2369 // Add a fake group. See draft-davidben-tls-grease-01.
2370 if (ssl->ctx->grease_enabled &&
2371 !CBB_add_u16(&groups_bytes,
2372 ssl_get_grease_value(hs, ssl_grease_group))) {
2373 return false;
2374 }
2375
2376 for (uint16_t group : tls1_get_grouplist(ssl)) {
2377 if (!CBB_add_u16(&groups_bytes, group)) {
2378 return false;
2379 }
2380 }
2381
2382 return CBB_flush(out);
2383 }
2384
ext_supported_groups_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2385 static bool ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
2386 uint8_t *out_alert,
2387 CBS *contents) {
2388 // This extension is not expected to be echoed by servers in TLS 1.2, but some
2389 // BigIP servers send it nonetheless, so do not enforce this.
2390 return true;
2391 }
2392
parse_u16_array(const CBS * cbs,Array<uint16_t> * out)2393 static bool parse_u16_array(const CBS *cbs, Array<uint16_t> *out) {
2394 CBS copy = *cbs;
2395 if ((CBS_len(©) & 1) != 0) {
2396 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2397 return false;
2398 }
2399
2400 Array<uint16_t> ret;
2401 if (!ret.Init(CBS_len(©) / 2)) {
2402 return false;
2403 }
2404 for (size_t i = 0; i < ret.size(); i++) {
2405 if (!CBS_get_u16(©, &ret[i])) {
2406 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2407 return false;
2408 }
2409 }
2410
2411 assert(CBS_len(©) == 0);
2412 *out = std::move(ret);
2413 return 1;
2414 }
2415
ext_supported_groups_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2416 static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,
2417 uint8_t *out_alert,
2418 CBS *contents) {
2419 if (contents == NULL) {
2420 return true;
2421 }
2422
2423 CBS supported_group_list;
2424 if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) ||
2425 CBS_len(&supported_group_list) == 0 ||
2426 CBS_len(contents) != 0 ||
2427 !parse_u16_array(&supported_group_list, &hs->peer_supported_group_list)) {
2428 return false;
2429 }
2430
2431 return true;
2432 }
2433
2434 // Token Binding
2435 //
2436 // https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-10
2437
2438 // The Token Binding version number currently matches the draft number of
2439 // draft-ietf-tokbind-protocol, and when published as an RFC it will be 0x0100.
2440 // Since there are no wire changes to the protocol from draft 13 through the
2441 // current draft (16), this implementation supports all versions in that range.
2442 static uint16_t kTokenBindingMaxVersion = 16;
2443 static uint16_t kTokenBindingMinVersion = 13;
2444
ext_token_binding_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2445 static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2446 SSL *const ssl = hs->ssl;
2447 if (ssl->token_binding_params == nullptr || SSL_is_dtls(ssl)) {
2448 return true;
2449 }
2450
2451 CBB contents, params;
2452 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2453 !CBB_add_u16_length_prefixed(out, &contents) ||
2454 !CBB_add_u16(&contents, kTokenBindingMaxVersion) ||
2455 !CBB_add_u8_length_prefixed(&contents, ¶ms) ||
2456 !CBB_add_bytes(¶ms, ssl->token_binding_params,
2457 ssl->token_binding_params_len) ||
2458 !CBB_flush(out)) {
2459 return false;
2460 }
2461
2462 return true;
2463 }
2464
ext_token_binding_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2465 static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs,
2466 uint8_t *out_alert,
2467 CBS *contents) {
2468 SSL *const ssl = hs->ssl;
2469 if (contents == nullptr) {
2470 return true;
2471 }
2472
2473 CBS params_list;
2474 uint16_t version;
2475 uint8_t param;
2476 if (!CBS_get_u16(contents, &version) ||
2477 !CBS_get_u8_length_prefixed(contents, ¶ms_list) ||
2478 !CBS_get_u8(¶ms_list, ¶m) ||
2479 CBS_len(¶ms_list) > 0 ||
2480 CBS_len(contents) > 0) {
2481 *out_alert = SSL_AD_DECODE_ERROR;
2482 return false;
2483 }
2484
2485 // The server-negotiated version must be less than or equal to our version.
2486 if (version > kTokenBindingMaxVersion) {
2487 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2488 return false;
2489 }
2490
2491 // If the server-selected version is less than what we support, then Token
2492 // Binding wasn't negotiated (but the extension was parsed successfully).
2493 if (version < kTokenBindingMinVersion) {
2494 return true;
2495 }
2496
2497 for (size_t i = 0; i < ssl->token_binding_params_len; ++i) {
2498 if (param == ssl->token_binding_params[i]) {
2499 ssl->negotiated_token_binding_param = param;
2500 ssl->token_binding_negotiated = true;
2501 return true;
2502 }
2503 }
2504
2505 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2506 return false;
2507 }
2508
2509 // select_tb_param looks for the first token binding param in
2510 // |ssl->token_binding_params| that is also in |params| and puts it in
2511 // |ssl->negotiated_token_binding_param|. It returns true if a token binding
2512 // param is found, and false otherwise.
select_tb_param(SSL * ssl,Span<const uint8_t> peer_params)2513 static bool select_tb_param(SSL *ssl, Span<const uint8_t> peer_params) {
2514 for (size_t i = 0; i < ssl->token_binding_params_len; ++i) {
2515 uint8_t tb_param = ssl->token_binding_params[i];
2516 for (uint8_t peer_param : peer_params) {
2517 if (tb_param == peer_param) {
2518 ssl->negotiated_token_binding_param = tb_param;
2519 return true;
2520 }
2521 }
2522 }
2523 return false;
2524 }
2525
ext_token_binding_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2526 static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs,
2527 uint8_t *out_alert,
2528 CBS *contents) {
2529 SSL *const ssl = hs->ssl;
2530 if (contents == nullptr || ssl->token_binding_params == nullptr) {
2531 return true;
2532 }
2533
2534 CBS params;
2535 uint16_t version;
2536 if (!CBS_get_u16(contents, &version) ||
2537 !CBS_get_u8_length_prefixed(contents, ¶ms) ||
2538 CBS_len(¶ms) == 0 ||
2539 CBS_len(contents) > 0) {
2540 *out_alert = SSL_AD_DECODE_ERROR;
2541 return false;
2542 }
2543
2544 // If the client-selected version is less than what we support, then Token
2545 // Binding wasn't negotiated (but the extension was parsed successfully).
2546 if (version < kTokenBindingMinVersion) {
2547 return true;
2548 }
2549
2550 // If the client-selected version is higher than we support, use our max
2551 // version. Otherwise, use the client's version.
2552 hs->negotiated_token_binding_version =
2553 std::min(version, kTokenBindingMaxVersion);
2554 if (!select_tb_param(ssl, params)) {
2555 return true;
2556 }
2557
2558 ssl->token_binding_negotiated = true;
2559 return true;
2560 }
2561
ext_token_binding_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2562 static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2563 SSL *const ssl = hs->ssl;
2564
2565 if (!ssl->token_binding_negotiated) {
2566 return true;
2567 }
2568
2569 CBB contents, params;
2570 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2571 !CBB_add_u16_length_prefixed(out, &contents) ||
2572 !CBB_add_u16(&contents, hs->negotiated_token_binding_version) ||
2573 !CBB_add_u8_length_prefixed(&contents, ¶ms) ||
2574 !CBB_add_u8(¶ms, ssl->negotiated_token_binding_param) ||
2575 !CBB_flush(out)) {
2576 return false;
2577 }
2578
2579 return true;
2580 }
2581
2582 // QUIC Transport Parameters
2583
ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE * hs,CBB * out)2584 static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
2585 CBB *out) {
2586 SSL *const ssl = hs->ssl;
2587 if (!ssl->quic_transport_params || hs->max_version <= TLS1_2_VERSION) {
2588 return true;
2589 }
2590
2591 CBB contents;
2592 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2593 !CBB_add_u16_length_prefixed(out, &contents) ||
2594 !CBB_add_bytes(&contents, ssl->quic_transport_params,
2595 ssl->quic_transport_params_len) ||
2596 !CBB_flush(out)) {
2597 return false;
2598 }
2599 return true;
2600 }
2601
ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2602 static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
2603 uint8_t *out_alert,
2604 CBS *contents) {
2605 SSL *const ssl = hs->ssl;
2606 if (contents == nullptr) {
2607 return true;
2608 }
2609 // QUIC requires TLS 1.3.
2610 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2611 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2612 return false;
2613 }
2614
2615 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2616 }
2617
ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE * hs,uint8_t * out_alert,CBS * contents)2618 static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
2619 uint8_t *out_alert,
2620 CBS *contents) {
2621 SSL *const ssl = hs->ssl;
2622 if (!contents || !ssl->quic_transport_params) {
2623 return true;
2624 }
2625 // Ignore the extension before TLS 1.3.
2626 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2627 return true;
2628 }
2629
2630 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2631 }
2632
ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)2633 static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
2634 CBB *out) {
2635 SSL *const ssl = hs->ssl;
2636 if (!ssl->quic_transport_params) {
2637 return true;
2638 }
2639
2640 CBB contents;
2641 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2642 !CBB_add_u16_length_prefixed(out, &contents) ||
2643 !CBB_add_bytes(&contents, ssl->quic_transport_params,
2644 ssl->quic_transport_params_len) ||
2645 !CBB_flush(out)) {
2646 return false;
2647 }
2648
2649 return true;
2650 }
2651
2652
2653 // kExtensions contains all the supported extensions.
2654 static const struct tls_extension kExtensions[] = {
2655 {
2656 TLSEXT_TYPE_renegotiate,
2657 NULL,
2658 ext_ri_add_clienthello,
2659 ext_ri_parse_serverhello,
2660 ext_ri_parse_clienthello,
2661 ext_ri_add_serverhello,
2662 },
2663 {
2664 TLSEXT_TYPE_server_name,
2665 NULL,
2666 ext_sni_add_clienthello,
2667 ext_sni_parse_serverhello,
2668 ext_sni_parse_clienthello,
2669 ext_sni_add_serverhello,
2670 },
2671 {
2672 TLSEXT_TYPE_extended_master_secret,
2673 NULL,
2674 ext_ems_add_clienthello,
2675 ext_ems_parse_serverhello,
2676 ext_ems_parse_clienthello,
2677 ext_ems_add_serverhello,
2678 },
2679 {
2680 TLSEXT_TYPE_session_ticket,
2681 NULL,
2682 ext_ticket_add_clienthello,
2683 ext_ticket_parse_serverhello,
2684 // Ticket extension client parsing is handled in ssl_session.c
2685 ignore_parse_clienthello,
2686 ext_ticket_add_serverhello,
2687 },
2688 {
2689 TLSEXT_TYPE_signature_algorithms,
2690 NULL,
2691 ext_sigalgs_add_clienthello,
2692 forbid_parse_serverhello,
2693 ext_sigalgs_parse_clienthello,
2694 dont_add_serverhello,
2695 },
2696 {
2697 TLSEXT_TYPE_status_request,
2698 NULL,
2699 ext_ocsp_add_clienthello,
2700 ext_ocsp_parse_serverhello,
2701 ext_ocsp_parse_clienthello,
2702 ext_ocsp_add_serverhello,
2703 },
2704 {
2705 TLSEXT_TYPE_next_proto_neg,
2706 NULL,
2707 ext_npn_add_clienthello,
2708 ext_npn_parse_serverhello,
2709 ext_npn_parse_clienthello,
2710 ext_npn_add_serverhello,
2711 },
2712 {
2713 TLSEXT_TYPE_certificate_timestamp,
2714 NULL,
2715 ext_sct_add_clienthello,
2716 ext_sct_parse_serverhello,
2717 ext_sct_parse_clienthello,
2718 ext_sct_add_serverhello,
2719 },
2720 {
2721 TLSEXT_TYPE_application_layer_protocol_negotiation,
2722 NULL,
2723 ext_alpn_add_clienthello,
2724 ext_alpn_parse_serverhello,
2725 // ALPN is negotiated late in |ssl_negotiate_alpn|.
2726 ignore_parse_clienthello,
2727 ext_alpn_add_serverhello,
2728 },
2729 {
2730 TLSEXT_TYPE_channel_id,
2731 ext_channel_id_init,
2732 ext_channel_id_add_clienthello,
2733 ext_channel_id_parse_serverhello,
2734 ext_channel_id_parse_clienthello,
2735 ext_channel_id_add_serverhello,
2736 },
2737 {
2738 TLSEXT_TYPE_srtp,
2739 ext_srtp_init,
2740 ext_srtp_add_clienthello,
2741 ext_srtp_parse_serverhello,
2742 ext_srtp_parse_clienthello,
2743 ext_srtp_add_serverhello,
2744 },
2745 {
2746 TLSEXT_TYPE_ec_point_formats,
2747 NULL,
2748 ext_ec_point_add_clienthello,
2749 ext_ec_point_parse_serverhello,
2750 ext_ec_point_parse_clienthello,
2751 ext_ec_point_add_serverhello,
2752 },
2753 {
2754 TLSEXT_TYPE_key_share,
2755 NULL,
2756 ext_key_share_add_clienthello,
2757 forbid_parse_serverhello,
2758 ignore_parse_clienthello,
2759 dont_add_serverhello,
2760 },
2761 {
2762 TLSEXT_TYPE_psk_key_exchange_modes,
2763 NULL,
2764 ext_psk_key_exchange_modes_add_clienthello,
2765 forbid_parse_serverhello,
2766 ext_psk_key_exchange_modes_parse_clienthello,
2767 dont_add_serverhello,
2768 },
2769 {
2770 TLSEXT_TYPE_early_data,
2771 NULL,
2772 ext_early_data_add_clienthello,
2773 ext_early_data_parse_serverhello,
2774 ext_early_data_parse_clienthello,
2775 ext_early_data_add_serverhello,
2776 },
2777 {
2778 TLSEXT_TYPE_supported_versions,
2779 NULL,
2780 ext_supported_versions_add_clienthello,
2781 forbid_parse_serverhello,
2782 ignore_parse_clienthello,
2783 dont_add_serverhello,
2784 },
2785 {
2786 TLSEXT_TYPE_cookie,
2787 NULL,
2788 ext_cookie_add_clienthello,
2789 forbid_parse_serverhello,
2790 ignore_parse_clienthello,
2791 dont_add_serverhello,
2792 },
2793 {
2794 TLSEXT_TYPE_dummy_pq_padding,
2795 NULL,
2796 ext_dummy_pq_padding_add_clienthello,
2797 ignore_parse_serverhello,
2798 ignore_parse_clienthello,
2799 dont_add_serverhello,
2800 },
2801 {
2802 TLSEXT_TYPE_quic_transport_parameters,
2803 NULL,
2804 ext_quic_transport_params_add_clienthello,
2805 ext_quic_transport_params_parse_serverhello,
2806 ext_quic_transport_params_parse_clienthello,
2807 ext_quic_transport_params_add_serverhello,
2808 },
2809 // The final extension must be non-empty. WebSphere Application Server 7.0 is
2810 // intolerant to the last extension being zero-length. See
2811 // https://crbug.com/363583.
2812 {
2813 TLSEXT_TYPE_supported_groups,
2814 NULL,
2815 ext_supported_groups_add_clienthello,
2816 ext_supported_groups_parse_serverhello,
2817 ext_supported_groups_parse_clienthello,
2818 dont_add_serverhello,
2819 },
2820 {
2821 TLSEXT_TYPE_token_binding,
2822 NULL,
2823 ext_token_binding_add_clienthello,
2824 ext_token_binding_parse_serverhello,
2825 ext_token_binding_parse_clienthello,
2826 ext_token_binding_add_serverhello,
2827 },
2828 };
2829
2830 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
2831
2832 static_assert(kNumExtensions <=
2833 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.sent) * 8,
2834 "too many extensions for sent bitset");
2835 static_assert(kNumExtensions <=
2836 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8,
2837 "too many extensions for received bitset");
2838
tls_extension_find(uint32_t * out_index,uint16_t value)2839 static const struct tls_extension *tls_extension_find(uint32_t *out_index,
2840 uint16_t value) {
2841 unsigned i;
2842 for (i = 0; i < kNumExtensions; i++) {
2843 if (kExtensions[i].value == value) {
2844 *out_index = i;
2845 return &kExtensions[i];
2846 }
2847 }
2848
2849 return NULL;
2850 }
2851
ssl_add_clienthello_tlsext(SSL_HANDSHAKE * hs,CBB * out,size_t header_len)2852 int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) {
2853 SSL *const ssl = hs->ssl;
2854 // Don't add extensions for SSLv3 unless doing secure renegotiation.
2855 if (hs->client_version == SSL3_VERSION &&
2856 !ssl->s3->send_connection_binding) {
2857 return 1;
2858 }
2859
2860 CBB extensions;
2861 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
2862 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2863 return 0;
2864 }
2865
2866 hs->extensions.sent = 0;
2867 hs->custom_extensions.sent = 0;
2868
2869 for (size_t i = 0; i < kNumExtensions; i++) {
2870 if (kExtensions[i].init != NULL) {
2871 kExtensions[i].init(hs);
2872 }
2873 }
2874
2875 uint16_t grease_ext1 = 0;
2876 if (ssl->ctx->grease_enabled) {
2877 // Add a fake empty extension. See draft-davidben-tls-grease-01.
2878 grease_ext1 = ssl_get_grease_value(hs, ssl_grease_extension1);
2879 if (!CBB_add_u16(&extensions, grease_ext1) ||
2880 !CBB_add_u16(&extensions, 0 /* zero length */)) {
2881 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2882 return 0;
2883 }
2884 }
2885
2886 for (size_t i = 0; i < kNumExtensions; i++) {
2887 const size_t len_before = CBB_len(&extensions);
2888 if (!kExtensions[i].add_clienthello(hs, &extensions)) {
2889 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
2890 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
2891 return 0;
2892 }
2893
2894 if (CBB_len(&extensions) != len_before) {
2895 hs->extensions.sent |= (1u << i);
2896 }
2897 }
2898
2899 if (!custom_ext_add_clienthello(hs, &extensions)) {
2900 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2901 return 0;
2902 }
2903
2904 if (ssl->ctx->grease_enabled) {
2905 // Add a fake non-empty extension. See draft-davidben-tls-grease-01.
2906 uint16_t grease_ext2 = ssl_get_grease_value(hs, ssl_grease_extension2);
2907
2908 // The two fake extensions must not have the same value. GREASE values are
2909 // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
2910 // one.
2911 if (grease_ext1 == grease_ext2) {
2912 grease_ext2 ^= 0x1010;
2913 }
2914
2915 if (!CBB_add_u16(&extensions, grease_ext2) ||
2916 !CBB_add_u16(&extensions, 1 /* one byte length */) ||
2917 !CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) {
2918 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2919 return 0;
2920 }
2921 }
2922
2923 if (!SSL_is_dtls(ssl)) {
2924 size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs);
2925 header_len += 2 + CBB_len(&extensions) + psk_extension_len;
2926 if (header_len > 0xff && header_len < 0x200) {
2927 // Add padding to workaround bugs in F5 terminators. See RFC 7685.
2928 //
2929 // NB: because this code works out the length of all existing extensions
2930 // it MUST always appear last.
2931 size_t padding_len = 0x200 - header_len;
2932 // Extensions take at least four bytes to encode. Always include at least
2933 // one byte of data if including the extension. WebSphere Application
2934 // Server 7.0 is intolerant to the last extension being zero-length. See
2935 // https://crbug.com/363583.
2936 if (padding_len >= 4 + 1) {
2937 padding_len -= 4;
2938 } else {
2939 padding_len = 1;
2940 }
2941
2942 uint8_t *padding_bytes;
2943 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_padding) ||
2944 !CBB_add_u16(&extensions, padding_len) ||
2945 !CBB_add_space(&extensions, &padding_bytes, padding_len)) {
2946 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2947 return 0;
2948 }
2949
2950 OPENSSL_memset(padding_bytes, 0, padding_len);
2951 }
2952 }
2953
2954 // The PSK extension must be last, including after the padding.
2955 if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) {
2956 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2957 return 0;
2958 }
2959
2960 // Discard empty extensions blocks.
2961 if (CBB_len(&extensions) == 0) {
2962 CBB_discard_child(out);
2963 }
2964
2965 return CBB_flush(out);
2966 }
2967
ssl_add_serverhello_tlsext(SSL_HANDSHAKE * hs,CBB * out)2968 int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
2969 SSL *const ssl = hs->ssl;
2970 CBB extensions;
2971 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
2972 goto err;
2973 }
2974
2975 for (unsigned i = 0; i < kNumExtensions; i++) {
2976 if (!(hs->extensions.received & (1u << i))) {
2977 // Don't send extensions that were not received.
2978 continue;
2979 }
2980
2981 if (!kExtensions[i].add_serverhello(hs, &extensions)) {
2982 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
2983 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
2984 goto err;
2985 }
2986 }
2987
2988 if (!custom_ext_add_serverhello(hs, &extensions)) {
2989 goto err;
2990 }
2991
2992 // Discard empty extensions blocks before TLS 1.3.
2993 if (ssl_protocol_version(ssl) < TLS1_3_VERSION &&
2994 CBB_len(&extensions) == 0) {
2995 CBB_discard_child(out);
2996 }
2997
2998 return CBB_flush(out);
2999
3000 err:
3001 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3002 return 0;
3003 }
3004
ssl_scan_clienthello_tlsext(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello,int * out_alert)3005 static int ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
3006 const SSL_CLIENT_HELLO *client_hello,
3007 int *out_alert) {
3008 SSL *const ssl = hs->ssl;
3009 for (size_t i = 0; i < kNumExtensions; i++) {
3010 if (kExtensions[i].init != NULL) {
3011 kExtensions[i].init(hs);
3012 }
3013 }
3014
3015 hs->extensions.received = 0;
3016 hs->custom_extensions.received = 0;
3017 CBS extensions;
3018 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
3019 while (CBS_len(&extensions) != 0) {
3020 uint16_t type;
3021 CBS extension;
3022
3023 // Decode the next extension.
3024 if (!CBS_get_u16(&extensions, &type) ||
3025 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3026 *out_alert = SSL_AD_DECODE_ERROR;
3027 return 0;
3028 }
3029
3030 // RFC 5746 made the existence of extensions in SSL 3.0 somewhat
3031 // ambiguous. Ignore all but the renegotiation_info extension.
3032 if (ssl->version == SSL3_VERSION && type != TLSEXT_TYPE_renegotiate) {
3033 continue;
3034 }
3035
3036 unsigned ext_index;
3037 const struct tls_extension *const ext =
3038 tls_extension_find(&ext_index, type);
3039
3040 if (ext == NULL) {
3041 if (!custom_ext_parse_clienthello(hs, out_alert, type, &extension)) {
3042 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3043 return 0;
3044 }
3045 continue;
3046 }
3047
3048 hs->extensions.received |= (1u << ext_index);
3049 uint8_t alert = SSL_AD_DECODE_ERROR;
3050 if (!ext->parse_clienthello(hs, &alert, &extension)) {
3051 *out_alert = alert;
3052 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3053 ERR_add_error_dataf("extension %u", (unsigned)type);
3054 return 0;
3055 }
3056 }
3057
3058 for (size_t i = 0; i < kNumExtensions; i++) {
3059 if (hs->extensions.received & (1u << i)) {
3060 continue;
3061 }
3062
3063 CBS *contents = NULL, fake_contents;
3064 static const uint8_t kFakeRenegotiateExtension[] = {0};
3065 if (kExtensions[i].value == TLSEXT_TYPE_renegotiate &&
3066 ssl_client_cipher_list_contains_cipher(client_hello,
3067 SSL3_CK_SCSV & 0xffff)) {
3068 // The renegotiation SCSV was received so pretend that we received a
3069 // renegotiation extension.
3070 CBS_init(&fake_contents, kFakeRenegotiateExtension,
3071 sizeof(kFakeRenegotiateExtension));
3072 contents = &fake_contents;
3073 hs->extensions.received |= (1u << i);
3074 }
3075
3076 // Extension wasn't observed so call the callback with a NULL
3077 // parameter.
3078 uint8_t alert = SSL_AD_DECODE_ERROR;
3079 if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) {
3080 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3081 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3082 *out_alert = alert;
3083 return 0;
3084 }
3085 }
3086
3087 return 1;
3088 }
3089
ssl_parse_clienthello_tlsext(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello)3090 int ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
3091 const SSL_CLIENT_HELLO *client_hello) {
3092 SSL *const ssl = hs->ssl;
3093 int alert = SSL_AD_DECODE_ERROR;
3094 if (ssl_scan_clienthello_tlsext(hs, client_hello, &alert) <= 0) {
3095 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3096 return 0;
3097 }
3098
3099 if (ssl_check_clienthello_tlsext(hs) <= 0) {
3100 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT);
3101 return 0;
3102 }
3103
3104 return 1;
3105 }
3106
ssl_scan_serverhello_tlsext(SSL_HANDSHAKE * hs,CBS * cbs,int * out_alert)3107 static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
3108 int *out_alert) {
3109 SSL *const ssl = hs->ssl;
3110 // Before TLS 1.3, ServerHello extensions blocks may be omitted if empty.
3111 if (CBS_len(cbs) == 0 && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
3112 return 1;
3113 }
3114
3115 // Decode the extensions block and check it is valid.
3116 CBS extensions;
3117 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
3118 !tls1_check_duplicate_extensions(&extensions)) {
3119 *out_alert = SSL_AD_DECODE_ERROR;
3120 return 0;
3121 }
3122
3123 uint32_t received = 0;
3124 while (CBS_len(&extensions) != 0) {
3125 uint16_t type;
3126 CBS extension;
3127
3128 // Decode the next extension.
3129 if (!CBS_get_u16(&extensions, &type) ||
3130 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3131 *out_alert = SSL_AD_DECODE_ERROR;
3132 return 0;
3133 }
3134
3135 unsigned ext_index;
3136 const struct tls_extension *const ext =
3137 tls_extension_find(&ext_index, type);
3138
3139 if (ext == NULL) {
3140 hs->received_custom_extension = true;
3141 if (!custom_ext_parse_serverhello(hs, out_alert, type, &extension)) {
3142 return 0;
3143 }
3144 continue;
3145 }
3146
3147 static_assert(kNumExtensions <= sizeof(hs->extensions.sent) * 8,
3148 "too many bits");
3149
3150 if (!(hs->extensions.sent & (1u << ext_index)) &&
3151 type != TLSEXT_TYPE_renegotiate) {
3152 // If the extension was never sent then it is illegal, except for the
3153 // renegotiation extension which, in SSL 3.0, is signaled via SCSV.
3154 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
3155 ERR_add_error_dataf("extension :%u", (unsigned)type);
3156 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
3157 return 0;
3158 }
3159
3160 received |= (1u << ext_index);
3161
3162 uint8_t alert = SSL_AD_DECODE_ERROR;
3163 if (!ext->parse_serverhello(hs, &alert, &extension)) {
3164 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3165 ERR_add_error_dataf("extension %u", (unsigned)type);
3166 *out_alert = alert;
3167 return 0;
3168 }
3169 }
3170
3171 for (size_t i = 0; i < kNumExtensions; i++) {
3172 if (!(received & (1u << i))) {
3173 // Extension wasn't observed so call the callback with a NULL
3174 // parameter.
3175 uint8_t alert = SSL_AD_DECODE_ERROR;
3176 if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) {
3177 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3178 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3179 *out_alert = alert;
3180 return 0;
3181 }
3182 }
3183 }
3184
3185 return 1;
3186 }
3187
ssl_check_clienthello_tlsext(SSL_HANDSHAKE * hs)3188 static int ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
3189 SSL *const ssl = hs->ssl;
3190
3191 if (ssl->token_binding_negotiated &&
3192 !(SSL_get_secure_renegotiation_support(ssl) &&
3193 SSL_get_extms_support(ssl))) {
3194 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);
3195 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
3196 return -1;
3197 }
3198
3199 int ret = SSL_TLSEXT_ERR_NOACK;
3200 int al = SSL_AD_UNRECOGNIZED_NAME;
3201
3202 if (ssl->ctx->tlsext_servername_callback != 0) {
3203 ret = ssl->ctx->tlsext_servername_callback(ssl, &al,
3204 ssl->ctx->tlsext_servername_arg);
3205 } else if (ssl->session_ctx->tlsext_servername_callback != 0) {
3206 ret = ssl->session_ctx->tlsext_servername_callback(
3207 ssl, &al, ssl->session_ctx->tlsext_servername_arg);
3208 }
3209
3210 switch (ret) {
3211 case SSL_TLSEXT_ERR_ALERT_FATAL:
3212 ssl_send_alert(ssl, SSL3_AL_FATAL, al);
3213 return -1;
3214
3215 case SSL_TLSEXT_ERR_NOACK:
3216 hs->should_ack_sni = false;
3217 return 1;
3218
3219 default:
3220 return 1;
3221 }
3222 }
3223
ssl_parse_serverhello_tlsext(SSL_HANDSHAKE * hs,CBS * cbs)3224 int ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
3225 SSL *const ssl = hs->ssl;
3226 int alert = SSL_AD_DECODE_ERROR;
3227 if (ssl_scan_serverhello_tlsext(hs, cbs, &alert) <= 0) {
3228 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3229 return 0;
3230 }
3231
3232 return 1;
3233 }
3234
decrypt_ticket_with_cipher_ctx(uint8_t ** out,size_t * out_len,EVP_CIPHER_CTX * cipher_ctx,HMAC_CTX * hmac_ctx,const uint8_t * ticket,size_t ticket_len)3235 static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(
3236 uint8_t **out, size_t *out_len, EVP_CIPHER_CTX *cipher_ctx,
3237 HMAC_CTX *hmac_ctx, const uint8_t *ticket, size_t ticket_len) {
3238 size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx);
3239
3240 // Check the MAC at the end of the ticket.
3241 uint8_t mac[EVP_MAX_MD_SIZE];
3242 size_t mac_len = HMAC_size(hmac_ctx);
3243 if (ticket_len < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
3244 // The ticket must be large enough for key name, IV, data, and MAC.
3245 return ssl_ticket_aead_ignore_ticket;
3246 }
3247 HMAC_Update(hmac_ctx, ticket, ticket_len - mac_len);
3248 HMAC_Final(hmac_ctx, mac, NULL);
3249 int mac_ok =
3250 CRYPTO_memcmp(mac, ticket + (ticket_len - mac_len), mac_len) == 0;
3251 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3252 mac_ok = 1;
3253 #endif
3254 if (!mac_ok) {
3255 return ssl_ticket_aead_ignore_ticket;
3256 }
3257
3258 // Decrypt the session data.
3259 const uint8_t *ciphertext = ticket + SSL_TICKET_KEY_NAME_LEN + iv_len;
3260 size_t ciphertext_len = ticket_len - SSL_TICKET_KEY_NAME_LEN - iv_len -
3261 mac_len;
3262 UniquePtr<uint8_t> plaintext((uint8_t *)OPENSSL_malloc(ciphertext_len));
3263 if (!plaintext) {
3264 return ssl_ticket_aead_error;
3265 }
3266 size_t plaintext_len;
3267 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3268 OPENSSL_memcpy(plaintext.get(), ciphertext, ciphertext_len);
3269 plaintext_len = ciphertext_len;
3270 #else
3271 if (ciphertext_len >= INT_MAX) {
3272 return ssl_ticket_aead_ignore_ticket;
3273 }
3274 int len1, len2;
3275 if (!EVP_DecryptUpdate(cipher_ctx, plaintext.get(), &len1, ciphertext,
3276 (int)ciphertext_len) ||
3277 !EVP_DecryptFinal_ex(cipher_ctx, plaintext.get() + len1, &len2)) {
3278 ERR_clear_error();
3279 return ssl_ticket_aead_ignore_ticket;
3280 }
3281 plaintext_len = (size_t)(len1) + len2;
3282 #endif
3283
3284 *out = plaintext.release();
3285 *out_len = plaintext_len;
3286 return ssl_ticket_aead_success;
3287 }
3288
ssl_decrypt_ticket_with_cb(SSL * ssl,uint8_t ** out,size_t * out_len,bool * out_renew_ticket,const uint8_t * ticket,size_t ticket_len)3289 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb(
3290 SSL *ssl, uint8_t **out, size_t *out_len, bool *out_renew_ticket,
3291 const uint8_t *ticket, size_t ticket_len) {
3292 assert(ticket_len >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3293 ScopedEVP_CIPHER_CTX cipher_ctx;
3294 ScopedHMAC_CTX hmac_ctx;
3295 const uint8_t *iv = ticket + SSL_TICKET_KEY_NAME_LEN;
3296 int cb_ret = ssl->session_ctx->tlsext_ticket_key_cb(
3297 ssl, (uint8_t *)ticket /* name */, (uint8_t *)iv, cipher_ctx.get(),
3298 hmac_ctx.get(), 0 /* decrypt */);
3299 if (cb_ret < 0) {
3300 return ssl_ticket_aead_error;
3301 } else if (cb_ret == 0) {
3302 return ssl_ticket_aead_ignore_ticket;
3303 } else if (cb_ret == 2) {
3304 *out_renew_ticket = true;
3305 } else {
3306 assert(cb_ret == 1);
3307 }
3308 return decrypt_ticket_with_cipher_ctx(out, out_len, cipher_ctx.get(),
3309 hmac_ctx.get(), ticket, ticket_len);
3310 }
3311
ssl_decrypt_ticket_with_ticket_keys(SSL * ssl,uint8_t ** out,size_t * out_len,const uint8_t * ticket,size_t ticket_len)3312 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys(
3313 SSL *ssl, uint8_t **out, size_t *out_len, const uint8_t *ticket,
3314 size_t ticket_len) {
3315 assert(ticket_len >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3316 SSL_CTX *ctx = ssl->session_ctx;
3317
3318 // Rotate the ticket key if necessary.
3319 if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
3320 return ssl_ticket_aead_error;
3321 }
3322
3323 // Pick the matching ticket key and decrypt.
3324 ScopedEVP_CIPHER_CTX cipher_ctx;
3325 ScopedHMAC_CTX hmac_ctx;
3326 {
3327 MutexReadLock lock(&ctx->lock);
3328 const tlsext_ticket_key *key;
3329 if (ctx->tlsext_ticket_key_current &&
3330 !OPENSSL_memcmp(ctx->tlsext_ticket_key_current->name, ticket,
3331 SSL_TICKET_KEY_NAME_LEN)) {
3332 key = ctx->tlsext_ticket_key_current;
3333 } else if (ctx->tlsext_ticket_key_prev &&
3334 !OPENSSL_memcmp(ctx->tlsext_ticket_key_prev->name, ticket,
3335 SSL_TICKET_KEY_NAME_LEN)) {
3336 key = ctx->tlsext_ticket_key_prev;
3337 } else {
3338 return ssl_ticket_aead_ignore_ticket;
3339 }
3340 const uint8_t *iv = ticket + SSL_TICKET_KEY_NAME_LEN;
3341 if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key),
3342 tlsext_tick_md(), NULL) ||
3343 !EVP_DecryptInit_ex(cipher_ctx.get(), EVP_aes_128_cbc(), NULL,
3344 key->aes_key, iv)) {
3345 return ssl_ticket_aead_error;
3346 }
3347 }
3348 return decrypt_ticket_with_cipher_ctx(out, out_len, cipher_ctx.get(),
3349 hmac_ctx.get(), ticket, ticket_len);
3350 }
3351
ssl_decrypt_ticket_with_method(SSL * ssl,uint8_t ** out,size_t * out_len,bool * out_renew_ticket,const uint8_t * ticket,size_t ticket_len)3352 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method(
3353 SSL *ssl, uint8_t **out, size_t *out_len, bool *out_renew_ticket,
3354 const uint8_t *ticket, size_t ticket_len) {
3355 uint8_t *plaintext = (uint8_t *)OPENSSL_malloc(ticket_len);
3356 if (plaintext == NULL) {
3357 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
3358 return ssl_ticket_aead_error;
3359 }
3360
3361 size_t plaintext_len;
3362 const enum ssl_ticket_aead_result_t result =
3363 ssl->session_ctx->ticket_aead_method->open(
3364 ssl, plaintext, &plaintext_len, ticket_len, ticket, ticket_len);
3365
3366 if (result == ssl_ticket_aead_success) {
3367 *out = plaintext;
3368 plaintext = NULL;
3369 *out_len = plaintext_len;
3370 }
3371
3372 OPENSSL_free(plaintext);
3373 return result;
3374 }
3375
ssl_process_ticket(SSL * ssl,UniquePtr<SSL_SESSION> * out_session,bool * out_renew_ticket,const uint8_t * ticket,size_t ticket_len,const uint8_t * session_id,size_t session_id_len)3376 enum ssl_ticket_aead_result_t ssl_process_ticket(
3377 SSL *ssl, UniquePtr<SSL_SESSION> *out_session, bool *out_renew_ticket,
3378 const uint8_t *ticket, size_t ticket_len, const uint8_t *session_id,
3379 size_t session_id_len) {
3380 *out_renew_ticket = false;
3381 out_session->reset();
3382
3383 if ((SSL_get_options(ssl) & SSL_OP_NO_TICKET) ||
3384 session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
3385 return ssl_ticket_aead_ignore_ticket;
3386 }
3387
3388 uint8_t *plaintext = NULL;
3389 size_t plaintext_len;
3390 enum ssl_ticket_aead_result_t result;
3391 if (ssl->session_ctx->ticket_aead_method != NULL) {
3392 result = ssl_decrypt_ticket_with_method(
3393 ssl, &plaintext, &plaintext_len, out_renew_ticket, ticket, ticket_len);
3394 } else {
3395 // Ensure there is room for the key name and the largest IV
3396 // |tlsext_ticket_key_cb| may try to consume. The real limit may be lower,
3397 // but the maximum IV length should be well under the minimum size for the
3398 // session material and HMAC.
3399 if (ticket_len < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
3400 return ssl_ticket_aead_ignore_ticket;
3401 }
3402 if (ssl->session_ctx->tlsext_ticket_key_cb != NULL) {
3403 result = ssl_decrypt_ticket_with_cb(ssl, &plaintext, &plaintext_len,
3404 out_renew_ticket, ticket, ticket_len);
3405 } else {
3406 result = ssl_decrypt_ticket_with_ticket_keys(
3407 ssl, &plaintext, &plaintext_len, ticket, ticket_len);
3408 }
3409 }
3410
3411 if (result != ssl_ticket_aead_success) {
3412 return result;
3413 }
3414
3415 // Decode the session.
3416 UniquePtr<SSL_SESSION> session(
3417 SSL_SESSION_from_bytes(plaintext, plaintext_len, ssl->ctx));
3418 OPENSSL_free(plaintext);
3419
3420 if (!session) {
3421 ERR_clear_error(); // Don't leave an error on the queue.
3422 return ssl_ticket_aead_ignore_ticket;
3423 }
3424
3425 // Copy the client's session ID into the new session, to denote the ticket has
3426 // been accepted.
3427 OPENSSL_memcpy(session->session_id, session_id, session_id_len);
3428 session->session_id_length = session_id_len;
3429
3430 *out_session = std::move(session);
3431 return ssl_ticket_aead_success;
3432 }
3433
tls1_parse_peer_sigalgs(SSL_HANDSHAKE * hs,const CBS * in_sigalgs)3434 bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
3435 // Extension ignored for inappropriate versions
3436 if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) {
3437 return true;
3438 }
3439
3440 return parse_u16_array(in_sigalgs, &hs->peer_sigalgs);
3441 }
3442
tls1_get_legacy_signature_algorithm(uint16_t * out,const EVP_PKEY * pkey)3443 bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
3444 switch (EVP_PKEY_id(pkey)) {
3445 case EVP_PKEY_RSA:
3446 *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
3447 return true;
3448 case EVP_PKEY_EC:
3449 *out = SSL_SIGN_ECDSA_SHA1;
3450 return true;
3451 default:
3452 return false;
3453 }
3454 }
3455
tls1_choose_signature_algorithm(SSL_HANDSHAKE * hs,uint16_t * out)3456 bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
3457 SSL *const ssl = hs->ssl;
3458 CERT *cert = ssl->cert;
3459
3460 // Before TLS 1.2, the signature algorithm isn't negotiated as part of the
3461 // handshake.
3462 if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
3463 if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) {
3464 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3465 return false;
3466 }
3467 return true;
3468 }
3469
3470 Span<const uint16_t> sigalgs = kSignSignatureAlgorithms;
3471 if (cert->sigalgs != nullptr) {
3472 sigalgs = MakeConstSpan(cert->sigalgs, cert->num_sigalgs);
3473 }
3474
3475 Span<const uint16_t> peer_sigalgs = hs->peer_sigalgs;
3476 if (peer_sigalgs.empty() && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
3477 // If the client didn't specify any signature_algorithms extension then
3478 // we can assume that it supports SHA1. See
3479 // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
3480 static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
3481 SSL_SIGN_ECDSA_SHA1};
3482 peer_sigalgs = kDefaultPeerAlgorithms;
3483 }
3484
3485 for (uint16_t sigalg : sigalgs) {
3486 // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
3487 // negotiated.
3488 if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
3489 !ssl_private_key_supports_signature_algorithm(hs, sigalg)) {
3490 continue;
3491 }
3492
3493 for (uint16_t peer_sigalg : peer_sigalgs) {
3494 if (sigalg == peer_sigalg) {
3495 *out = sigalg;
3496 return true;
3497 }
3498 }
3499 }
3500
3501 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3502 return false;
3503 }
3504
tls1_verify_channel_id(SSL_HANDSHAKE * hs,const SSLMessage & msg)3505 int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
3506 SSL *const ssl = hs->ssl;
3507 // A Channel ID handshake message is structured to contain multiple
3508 // extensions, but the only one that can be present is Channel ID.
3509 uint16_t extension_type;
3510 CBS channel_id = msg.body, extension;
3511 if (!CBS_get_u16(&channel_id, &extension_type) ||
3512 !CBS_get_u16_length_prefixed(&channel_id, &extension) ||
3513 CBS_len(&channel_id) != 0 ||
3514 extension_type != TLSEXT_TYPE_channel_id ||
3515 CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
3516 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
3517 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
3518 return 0;
3519 }
3520
3521 UniquePtr<EC_GROUP> p256(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
3522 if (!p256) {
3523 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
3524 return 0;
3525 }
3526
3527 UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
3528 UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3529 if (!sig || !x || !y) {
3530 return 0;
3531 }
3532
3533 const uint8_t *p = CBS_data(&extension);
3534 if (BN_bin2bn(p + 0, 32, x.get()) == NULL ||
3535 BN_bin2bn(p + 32, 32, y.get()) == NULL ||
3536 BN_bin2bn(p + 64, 32, sig->r) == NULL ||
3537 BN_bin2bn(p + 96, 32, sig->s) == NULL) {
3538 return 0;
3539 }
3540
3541 UniquePtr<EC_KEY> key(EC_KEY_new());
3542 UniquePtr<EC_POINT> point(EC_POINT_new(p256.get()));
3543 if (!key || !point ||
3544 !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(),
3545 y.get(), nullptr) ||
3546 !EC_KEY_set_group(key.get(), p256.get()) ||
3547 !EC_KEY_set_public_key(key.get(), point.get())) {
3548 return 0;
3549 }
3550
3551 uint8_t digest[EVP_MAX_MD_SIZE];
3552 size_t digest_len;
3553 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3554 return 0;
3555 }
3556
3557 int sig_ok = ECDSA_do_verify(digest, digest_len, sig.get(), key.get());
3558 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3559 sig_ok = 1;
3560 ERR_clear_error();
3561 #endif
3562 if (!sig_ok) {
3563 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
3564 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
3565 ssl->s3->tlsext_channel_id_valid = false;
3566 return 0;
3567 }
3568
3569 OPENSSL_memcpy(ssl->s3->tlsext_channel_id, p, 64);
3570 return 1;
3571 }
3572
tls1_write_channel_id(SSL_HANDSHAKE * hs,CBB * cbb)3573 bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) {
3574 SSL *const ssl = hs->ssl;
3575 uint8_t digest[EVP_MAX_MD_SIZE];
3576 size_t digest_len;
3577 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3578 return false;
3579 }
3580
3581 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ssl->tlsext_channel_id_private);
3582 if (ec_key == nullptr) {
3583 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3584 return false;
3585 }
3586
3587 UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3588 if (!x || !y ||
3589 !EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec_key),
3590 EC_KEY_get0_public_key(ec_key),
3591 x.get(), y.get(), nullptr)) {
3592 return false;
3593 }
3594
3595 UniquePtr<ECDSA_SIG> sig(ECDSA_do_sign(digest, digest_len, ec_key));
3596 if (!sig) {
3597 return false;
3598 }
3599
3600 CBB child;
3601 if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) ||
3602 !CBB_add_u16_length_prefixed(cbb, &child) ||
3603 !BN_bn2cbb_padded(&child, 32, x.get()) ||
3604 !BN_bn2cbb_padded(&child, 32, y.get()) ||
3605 !BN_bn2cbb_padded(&child, 32, sig->r) ||
3606 !BN_bn2cbb_padded(&child, 32, sig->s) ||
3607 !CBB_flush(cbb)) {
3608 return false;
3609 }
3610
3611 return true;
3612 }
3613
tls1_channel_id_hash(SSL_HANDSHAKE * hs,uint8_t * out,size_t * out_len)3614 int tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {
3615 SSL *const ssl = hs->ssl;
3616 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
3617 Array<uint8_t> msg;
3618 if (!tls13_get_cert_verify_signature_input(hs, &msg,
3619 ssl_cert_verify_channel_id)) {
3620 return 0;
3621 }
3622 SHA256(msg.data(), msg.size(), out);
3623 *out_len = SHA256_DIGEST_LENGTH;
3624 return 1;
3625 }
3626
3627 SHA256_CTX ctx;
3628
3629 SHA256_Init(&ctx);
3630 static const char kClientIDMagic[] = "TLS Channel ID signature";
3631 SHA256_Update(&ctx, kClientIDMagic, sizeof(kClientIDMagic));
3632
3633 if (ssl->session != NULL) {
3634 static const char kResumptionMagic[] = "Resumption";
3635 SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic));
3636 if (ssl->session->original_handshake_hash_len == 0) {
3637 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3638 return 0;
3639 }
3640 SHA256_Update(&ctx, ssl->session->original_handshake_hash,
3641 ssl->session->original_handshake_hash_len);
3642 }
3643
3644 uint8_t hs_hash[EVP_MAX_MD_SIZE];
3645 size_t hs_hash_len;
3646 if (!hs->transcript.GetHash(hs_hash, &hs_hash_len)) {
3647 return 0;
3648 }
3649 SHA256_Update(&ctx, hs_hash, (size_t)hs_hash_len);
3650 SHA256_Final(out, &ctx);
3651 *out_len = SHA256_DIGEST_LENGTH;
3652 return 1;
3653 }
3654
3655 // tls1_record_handshake_hashes_for_channel_id records the current handshake
3656 // hashes in |hs->new_session| so that Channel ID resumptions can sign that
3657 // data.
tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE * hs)3658 int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
3659 SSL *const ssl = hs->ssl;
3660 // This function should never be called for a resumed session because the
3661 // handshake hashes that we wish to record are for the original, full
3662 // handshake.
3663 if (ssl->session != NULL) {
3664 return 0;
3665 }
3666
3667 static_assert(
3668 sizeof(hs->new_session->original_handshake_hash) == EVP_MAX_MD_SIZE,
3669 "original_handshake_hash is too small");
3670
3671 size_t digest_len;
3672 if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash,
3673 &digest_len)) {
3674 return 0;
3675 }
3676
3677 static_assert(EVP_MAX_MD_SIZE <= 0xff,
3678 "EVP_MAX_MD_SIZE does not fit in uint8_t");
3679 hs->new_session->original_handshake_hash_len = (uint8_t)digest_len;
3680
3681 return 1;
3682 }
3683
ssl_do_channel_id_callback(SSL * ssl)3684 int ssl_do_channel_id_callback(SSL *ssl) {
3685 if (ssl->tlsext_channel_id_private != NULL ||
3686 ssl->ctx->channel_id_cb == NULL) {
3687 return 1;
3688 }
3689
3690 EVP_PKEY *key = NULL;
3691 ssl->ctx->channel_id_cb(ssl, &key);
3692 if (key == NULL) {
3693 // The caller should try again later.
3694 return 1;
3695 }
3696
3697 int ret = SSL_set1_tls_channel_id(ssl, key);
3698 EVP_PKEY_free(key);
3699 return ret;
3700 }
3701
ssl_is_sct_list_valid(const CBS * contents)3702 int ssl_is_sct_list_valid(const CBS *contents) {
3703 // Shallow parse the SCT list for sanity. By the RFC
3704 // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
3705 // of the SCTs may be empty.
3706 CBS copy = *contents;
3707 CBS sct_list;
3708 if (!CBS_get_u16_length_prefixed(©, &sct_list) ||
3709 CBS_len(©) != 0 ||
3710 CBS_len(&sct_list) == 0) {
3711 return 0;
3712 }
3713
3714 while (CBS_len(&sct_list) > 0) {
3715 CBS sct;
3716 if (!CBS_get_u16_length_prefixed(&sct_list, &sct) ||
3717 CBS_len(&sct) == 0) {
3718 return 0;
3719 }
3720 }
3721
3722 return 1;
3723 }
3724
3725 } // namespace bssl
3726
3727 using namespace bssl;
3728
SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO * client_hello,uint16_t extension_type,const uint8_t ** out_data,size_t * out_len)3729 int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
3730 uint16_t extension_type,
3731 const uint8_t **out_data,
3732 size_t *out_len) {
3733 CBS cbs;
3734 if (!ssl_client_hello_get_extension(client_hello, &cbs, extension_type)) {
3735 return 0;
3736 }
3737
3738 *out_data = CBS_data(&cbs);
3739 *out_len = CBS_len(&cbs);
3740 return 1;
3741 }
3742
SSL_CTX_set_ed25519_enabled(SSL_CTX * ctx,int enabled)3743 void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
3744 ctx->ed25519_enabled = !!enabled;
3745 }
3746
SSL_extension_supported(unsigned extension_value)3747 int SSL_extension_supported(unsigned extension_value) {
3748 uint32_t index;
3749 return extension_value == TLSEXT_TYPE_padding ||
3750 tls_extension_find(&index, extension_value) != NULL;
3751 }
3752