1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). */ 108 109 #include <openssl/ssl.h> 110 111 #include <assert.h> 112 #include <limits.h> 113 #include <stdlib.h> 114 #include <string.h> 115 116 #include <utility> 117 118 #include <openssl/bytestring.h> 119 #include <openssl/chacha.h> 120 #include <openssl/digest.h> 121 #include <openssl/err.h> 122 #include <openssl/evp.h> 123 #include <openssl/hmac.h> 124 #include <openssl/mem.h> 125 #include <openssl/nid.h> 126 #include <openssl/rand.h> 127 128 #include "internal.h" 129 #include "../crypto/internal.h" 130 131 132 BSSL_NAMESPACE_BEGIN 133 134 static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs); 135 136 static int compare_uint16_t(const void *p1, const void *p2) { 137 uint16_t u1 = *((const uint16_t *)p1); 138 uint16_t u2 = *((const uint16_t *)p2); 139 if (u1 < u2) { 140 return -1; 141 } else if (u1 > u2) { 142 return 1; 143 } else { 144 return 0; 145 } 146 } 147 148 // Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be 149 // more than one extension of the same type in a ClientHello or ServerHello. 150 // This function does an initial scan over the extensions block to filter those 151 // out. 152 static bool tls1_check_duplicate_extensions(const CBS *cbs) { 153 // First pass: count the extensions. 154 size_t num_extensions = 0; 155 CBS extensions = *cbs; 156 while (CBS_len(&extensions) > 0) { 157 uint16_t type; 158 CBS extension; 159 160 if (!CBS_get_u16(&extensions, &type) || 161 !CBS_get_u16_length_prefixed(&extensions, &extension)) { 162 return false; 163 } 164 165 num_extensions++; 166 } 167 168 if (num_extensions == 0) { 169 return true; 170 } 171 172 Array<uint16_t> extension_types; 173 if (!extension_types.Init(num_extensions)) { 174 return false; 175 } 176 177 // Second pass: gather the extension types. 178 extensions = *cbs; 179 for (size_t i = 0; i < extension_types.size(); i++) { 180 CBS extension; 181 182 if (!CBS_get_u16(&extensions, &extension_types[i]) || 183 !CBS_get_u16_length_prefixed(&extensions, &extension)) { 184 // This should not happen. 185 return false; 186 } 187 } 188 assert(CBS_len(&extensions) == 0); 189 190 // Sort the extensions and make sure there are no duplicates. 191 qsort(extension_types.data(), extension_types.size(), sizeof(uint16_t), 192 compare_uint16_t); 193 for (size_t i = 1; i < num_extensions; i++) { 194 if (extension_types[i - 1] == extension_types[i]) { 195 return false; 196 } 197 } 198 199 return true; 200 } 201 202 bool ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out, 203 const SSLMessage &msg) { 204 OPENSSL_memset(out, 0, sizeof(*out)); 205 out->ssl = ssl; 206 out->client_hello = CBS_data(&msg.body); 207 out->client_hello_len = CBS_len(&msg.body); 208 209 CBS client_hello, random, session_id; 210 CBS_init(&client_hello, out->client_hello, out->client_hello_len); 211 if (!CBS_get_u16(&client_hello, &out->version) || 212 !CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) || 213 !CBS_get_u8_length_prefixed(&client_hello, &session_id) || 214 CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) { 215 return false; 216 } 217 218 out->random = CBS_data(&random); 219 out->random_len = CBS_len(&random); 220 out->session_id = CBS_data(&session_id); 221 out->session_id_len = CBS_len(&session_id); 222 223 // Skip past DTLS cookie 224 if (SSL_is_dtls(out->ssl)) { 225 CBS cookie; 226 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) || 227 CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) { 228 return false; 229 } 230 } 231 232 CBS cipher_suites, compression_methods; 233 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) || 234 CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 || 235 !CBS_get_u8_length_prefixed(&client_hello, &compression_methods) || 236 CBS_len(&compression_methods) < 1) { 237 return false; 238 } 239 240 out->cipher_suites = CBS_data(&cipher_suites); 241 out->cipher_suites_len = CBS_len(&cipher_suites); 242 out->compression_methods = CBS_data(&compression_methods); 243 out->compression_methods_len = CBS_len(&compression_methods); 244 245 // If the ClientHello ends here then it's valid, but doesn't have any 246 // extensions. 247 if (CBS_len(&client_hello) == 0) { 248 out->extensions = NULL; 249 out->extensions_len = 0; 250 return true; 251 } 252 253 // Extract extensions and check it is valid. 254 CBS extensions; 255 if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) || 256 !tls1_check_duplicate_extensions(&extensions) || 257 CBS_len(&client_hello) != 0) { 258 return false; 259 } 260 261 out->extensions = CBS_data(&extensions); 262 out->extensions_len = CBS_len(&extensions); 263 264 return true; 265 } 266 267 bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello, 268 CBS *out, uint16_t extension_type) { 269 CBS extensions; 270 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len); 271 while (CBS_len(&extensions) != 0) { 272 // Decode the next extension. 273 uint16_t type; 274 CBS extension; 275 if (!CBS_get_u16(&extensions, &type) || 276 !CBS_get_u16_length_prefixed(&extensions, &extension)) { 277 return false; 278 } 279 280 if (type == extension_type) { 281 *out = extension; 282 return true; 283 } 284 } 285 286 return false; 287 } 288 289 static const uint16_t kDefaultGroups[] = { 290 SSL_CURVE_X25519, 291 SSL_CURVE_SECP256R1, 292 SSL_CURVE_SECP384R1, 293 }; 294 295 Span<const uint16_t> tls1_get_grouplist(const SSL_HANDSHAKE *hs) { 296 if (!hs->config->supported_group_list.empty()) { 297 return hs->config->supported_group_list; 298 } 299 return Span<const uint16_t>(kDefaultGroups); 300 } 301 302 bool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) { 303 SSL *const ssl = hs->ssl; 304 assert(ssl->server); 305 306 // Clients are not required to send a supported_groups extension. In this 307 // case, the server is free to pick any group it likes. See RFC 4492, 308 // section 4, paragraph 3. 309 // 310 // However, in the interests of compatibility, we will skip ECDH if the 311 // client didn't send an extension because we can't be sure that they'll 312 // support our favoured group. Thus we do not special-case an emtpy 313 // |peer_supported_group_list|. 314 315 Span<const uint16_t> groups = tls1_get_grouplist(hs); 316 Span<const uint16_t> pref, supp; 317 if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 318 pref = groups; 319 supp = hs->peer_supported_group_list; 320 } else { 321 pref = hs->peer_supported_group_list; 322 supp = groups; 323 } 324 325 for (uint16_t pref_group : pref) { 326 for (uint16_t supp_group : supp) { 327 if (pref_group == supp_group && 328 // CECPQ2 doesn't fit in the u8-length-prefixed ECPoint field in TLS 329 // 1.2 and below. 330 (ssl_protocol_version(ssl) >= TLS1_3_VERSION || 331 pref_group != SSL_CURVE_CECPQ2)) { 332 *out_group_id = pref_group; 333 return true; 334 } 335 } 336 } 337 338 return false; 339 } 340 341 bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves) { 342 Array<uint16_t> group_ids; 343 if (!group_ids.Init(curves.size())) { 344 return false; 345 } 346 347 for (size_t i = 0; i < curves.size(); i++) { 348 if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) { 349 return false; 350 } 351 } 352 353 *out_group_ids = std::move(group_ids); 354 return true; 355 } 356 357 bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves) { 358 // Count the number of curves in the list. 359 size_t count = 0; 360 const char *ptr = curves, *col; 361 do { 362 col = strchr(ptr, ':'); 363 count++; 364 if (col) { 365 ptr = col + 1; 366 } 367 } while (col); 368 369 Array<uint16_t> group_ids; 370 if (!group_ids.Init(count)) { 371 return false; 372 } 373 374 size_t i = 0; 375 ptr = curves; 376 do { 377 col = strchr(ptr, ':'); 378 if (!ssl_name_to_group_id(&group_ids[i++], ptr, 379 col ? (size_t)(col - ptr) : strlen(ptr))) { 380 return false; 381 } 382 if (col) { 383 ptr = col + 1; 384 } 385 } while (col); 386 387 assert(i == count); 388 *out_group_ids = std::move(group_ids); 389 return true; 390 } 391 392 bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) { 393 if (group_id == SSL_CURVE_CECPQ2 && 394 ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) { 395 // CECPQ2 requires TLS 1.3. 396 return false; 397 } 398 399 for (uint16_t supported : tls1_get_grouplist(hs)) { 400 if (supported == group_id) { 401 return true; 402 } 403 } 404 405 return false; 406 } 407 408 // kVerifySignatureAlgorithms is the default list of accepted signature 409 // algorithms for verifying. 410 // 411 // For now, RSA-PSS signature algorithms are not enabled on Android's system 412 // BoringSSL. Once the change in Chrome has stuck and the values are finalized, 413 // restore them. 414 static const uint16_t kVerifySignatureAlgorithms[] = { 415 // List our preferred algorithms first. 416 SSL_SIGN_ED25519, 417 SSL_SIGN_ECDSA_SECP256R1_SHA256, 418 SSL_SIGN_RSA_PSS_RSAE_SHA256, 419 SSL_SIGN_RSA_PKCS1_SHA256, 420 421 // Larger hashes are acceptable. 422 SSL_SIGN_ECDSA_SECP384R1_SHA384, 423 SSL_SIGN_RSA_PSS_RSAE_SHA384, 424 SSL_SIGN_RSA_PKCS1_SHA384, 425 426 SSL_SIGN_RSA_PSS_RSAE_SHA512, 427 SSL_SIGN_RSA_PKCS1_SHA512, 428 429 // For now, SHA-1 is still accepted but least preferable. 430 SSL_SIGN_RSA_PKCS1_SHA1, 431 432 }; 433 434 // kSignSignatureAlgorithms is the default list of supported signature 435 // algorithms for signing. 436 // 437 // For now, RSA-PSS signature algorithms are not enabled on Android's system 438 // BoringSSL. Once the change in Chrome has stuck and the values are finalized, 439 // restore them. 440 static const uint16_t kSignSignatureAlgorithms[] = { 441 // List our preferred algorithms first. 442 SSL_SIGN_ED25519, 443 SSL_SIGN_ECDSA_SECP256R1_SHA256, 444 SSL_SIGN_RSA_PSS_RSAE_SHA256, 445 SSL_SIGN_RSA_PKCS1_SHA256, 446 447 // If needed, sign larger hashes. 448 // 449 // TODO(davidben): Determine which of these may be pruned. 450 SSL_SIGN_ECDSA_SECP384R1_SHA384, 451 SSL_SIGN_RSA_PSS_RSAE_SHA384, 452 SSL_SIGN_RSA_PKCS1_SHA384, 453 454 SSL_SIGN_ECDSA_SECP521R1_SHA512, 455 SSL_SIGN_RSA_PSS_RSAE_SHA512, 456 SSL_SIGN_RSA_PKCS1_SHA512, 457 458 // If the peer supports nothing else, sign with SHA-1. 459 SSL_SIGN_ECDSA_SHA1, 460 SSL_SIGN_RSA_PKCS1_SHA1, 461 }; 462 463 struct SSLSignatureAlgorithmList { 464 bool Next(uint16_t *out) { 465 while (!list.empty()) { 466 uint16_t sigalg = list[0]; 467 list = list.subspan(1); 468 if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) { 469 continue; 470 } 471 if (skip_rsa_pss_rsae && SSL_is_signature_algorithm_rsa_pss(sigalg)) { 472 continue; 473 } 474 *out = sigalg; 475 return true; 476 } 477 return false; 478 } 479 480 bool operator==(const SSLSignatureAlgorithmList &other) const { 481 SSLSignatureAlgorithmList a = *this; 482 SSLSignatureAlgorithmList b = other; 483 uint16_t a_val, b_val; 484 while (a.Next(&a_val)) { 485 if (!b.Next(&b_val) || 486 a_val != b_val) { 487 return false; 488 } 489 } 490 return !b.Next(&b_val); 491 } 492 493 bool operator!=(const SSLSignatureAlgorithmList &other) const { 494 return !(*this == other); 495 } 496 497 Span<const uint16_t> list; 498 bool skip_ed25519 = false; 499 bool skip_rsa_pss_rsae = false; 500 }; 501 502 static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl, 503 bool for_certs) { 504 SSLSignatureAlgorithmList ret; 505 if (!ssl->config->verify_sigalgs.empty()) { 506 ret.list = ssl->config->verify_sigalgs; 507 } else { 508 ret.list = kVerifySignatureAlgorithms; 509 ret.skip_ed25519 = !ssl->ctx->ed25519_enabled; 510 } 511 if (for_certs) { 512 ret.skip_rsa_pss_rsae = !ssl->ctx->rsa_pss_rsae_certs_enabled; 513 } 514 return ret; 515 } 516 517 bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs) { 518 SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, for_certs); 519 uint16_t sigalg; 520 while (list.Next(&sigalg)) { 521 if (!CBB_add_u16(out, sigalg)) { 522 return false; 523 } 524 } 525 return true; 526 } 527 528 bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert, 529 uint16_t sigalg) { 530 SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, false); 531 uint16_t verify_sigalg; 532 while (list.Next(&verify_sigalg)) { 533 if (verify_sigalg == sigalg) { 534 return true; 535 } 536 } 537 538 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); 539 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 540 return false; 541 } 542 543 bool tls12_has_different_verify_sigalgs_for_certs(const SSL *ssl) { 544 return tls12_get_verify_sigalgs(ssl, true) != 545 tls12_get_verify_sigalgs(ssl, false); 546 } 547 548 // tls_extension represents a TLS extension that is handled internally. The 549 // |init| function is called for each handshake, before any other functions of 550 // the extension. Then the add and parse callbacks are called as needed. 551 // 552 // The parse callbacks receive a |CBS| that contains the contents of the 553 // extension (i.e. not including the type and length bytes). If an extension is 554 // not received then the parse callbacks will be called with a NULL CBS so that 555 // they can do any processing needed to handle the absence of an extension. 556 // 557 // The add callbacks receive a |CBB| to which the extension can be appended but 558 // the function is responsible for appending the type and length bytes too. 559 // 560 // All callbacks return true for success and false for error. If a parse 561 // function returns zero then a fatal alert with value |*out_alert| will be 562 // sent. If |*out_alert| isn't set, then a |decode_error| alert will be sent. 563 struct tls_extension { 564 uint16_t value; 565 void (*init)(SSL_HANDSHAKE *hs); 566 567 bool (*add_clienthello)(SSL_HANDSHAKE *hs, CBB *out); 568 bool (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert, 569 CBS *contents); 570 571 bool (*parse_clienthello)(SSL_HANDSHAKE *hs, uint8_t *out_alert, 572 CBS *contents); 573 bool (*add_serverhello)(SSL_HANDSHAKE *hs, CBB *out); 574 }; 575 576 static bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 577 CBS *contents) { 578 if (contents != NULL) { 579 // Servers MUST NOT send this extension. 580 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 581 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 582 return false; 583 } 584 585 return true; 586 } 587 588 static bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 589 CBS *contents) { 590 // This extension from the client is handled elsewhere. 591 return true; 592 } 593 594 static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 595 return true; 596 } 597 598 // Server name indication (SNI). 599 // 600 // https://tools.ietf.org/html/rfc6066#section-3. 601 602 static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 603 SSL *const ssl = hs->ssl; 604 if (ssl->hostname == nullptr) { 605 return true; 606 } 607 608 CBB contents, server_name_list, name; 609 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) || 610 !CBB_add_u16_length_prefixed(out, &contents) || 611 !CBB_add_u16_length_prefixed(&contents, &server_name_list) || 612 !CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) || 613 !CBB_add_u16_length_prefixed(&server_name_list, &name) || 614 !CBB_add_bytes(&name, (const uint8_t *)ssl->hostname.get(), 615 strlen(ssl->hostname.get())) || 616 !CBB_flush(out)) { 617 return false; 618 } 619 620 return true; 621 } 622 623 static bool ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 624 CBS *contents) { 625 // The server may acknowledge SNI with an empty extension. We check the syntax 626 // but otherwise ignore this signal. 627 return contents == NULL || CBS_len(contents) == 0; 628 } 629 630 static bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 631 CBS *contents) { 632 SSL *const ssl = hs->ssl; 633 if (contents == NULL) { 634 return true; 635 } 636 637 CBS server_name_list, host_name; 638 uint8_t name_type; 639 if (!CBS_get_u16_length_prefixed(contents, &server_name_list) || 640 !CBS_get_u8(&server_name_list, &name_type) || 641 // Although the server_name extension was intended to be extensible to 642 // new name types and multiple names, OpenSSL 1.0.x had a bug which meant 643 // different name types will cause an error. Further, RFC 4366 originally 644 // defined syntax inextensibly. RFC 6066 corrected this mistake, but 645 // adding new name types is no longer feasible. 646 // 647 // Act as if the extensibility does not exist to simplify parsing. 648 !CBS_get_u16_length_prefixed(&server_name_list, &host_name) || 649 CBS_len(&server_name_list) != 0 || 650 CBS_len(contents) != 0) { 651 return false; 652 } 653 654 if (name_type != TLSEXT_NAMETYPE_host_name || 655 CBS_len(&host_name) == 0 || 656 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || 657 CBS_contains_zero_byte(&host_name)) { 658 *out_alert = SSL_AD_UNRECOGNIZED_NAME; 659 return false; 660 } 661 662 // Copy the hostname as a string. 663 char *raw = nullptr; 664 if (!CBS_strdup(&host_name, &raw)) { 665 *out_alert = SSL_AD_INTERNAL_ERROR; 666 return false; 667 } 668 ssl->s3->hostname.reset(raw); 669 670 hs->should_ack_sni = true; 671 return true; 672 } 673 674 static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 675 if (hs->ssl->s3->session_reused || 676 !hs->should_ack_sni) { 677 return true; 678 } 679 680 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) || 681 !CBB_add_u16(out, 0 /* length */)) { 682 return false; 683 } 684 685 return true; 686 } 687 688 689 // Renegotiation indication. 690 // 691 // https://tools.ietf.org/html/rfc5746 692 693 static bool ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 694 SSL *const ssl = hs->ssl; 695 // Renegotiation indication is not necessary in TLS 1.3. 696 if (hs->min_version >= TLS1_3_VERSION) { 697 return true; 698 } 699 700 assert(ssl->s3->initial_handshake_complete == 701 (ssl->s3->previous_client_finished_len != 0)); 702 703 CBB contents, prev_finished; 704 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) || 705 !CBB_add_u16_length_prefixed(out, &contents) || 706 !CBB_add_u8_length_prefixed(&contents, &prev_finished) || 707 !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished, 708 ssl->s3->previous_client_finished_len) || 709 !CBB_flush(out)) { 710 return false; 711 } 712 713 return true; 714 } 715 716 static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 717 CBS *contents) { 718 SSL *const ssl = hs->ssl; 719 if (contents != NULL && ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 720 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 721 return false; 722 } 723 724 // Servers may not switch between omitting the extension and supporting it. 725 // See RFC 5746, sections 3.5 and 4.2. 726 if (ssl->s3->initial_handshake_complete && 727 (contents != NULL) != ssl->s3->send_connection_binding) { 728 *out_alert = SSL_AD_HANDSHAKE_FAILURE; 729 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); 730 return false; 731 } 732 733 if (contents == NULL) { 734 // Strictly speaking, if we want to avoid an attack we should *always* see 735 // RI even on initial ServerHello because the client doesn't see any 736 // renegotiation during an attack. However this would mean we could not 737 // connect to any server which doesn't support RI. 738 // 739 // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in 740 // practical terms every client sets it so it's just assumed here. 741 return true; 742 } 743 744 const size_t expected_len = ssl->s3->previous_client_finished_len + 745 ssl->s3->previous_server_finished_len; 746 747 // Check for logic errors 748 assert(!expected_len || ssl->s3->previous_client_finished_len); 749 assert(!expected_len || ssl->s3->previous_server_finished_len); 750 assert(ssl->s3->initial_handshake_complete == 751 (ssl->s3->previous_client_finished_len != 0)); 752 assert(ssl->s3->initial_handshake_complete == 753 (ssl->s3->previous_server_finished_len != 0)); 754 755 // Parse out the extension contents. 756 CBS renegotiated_connection; 757 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) || 758 CBS_len(contents) != 0) { 759 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR); 760 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 761 return false; 762 } 763 764 // Check that the extension matches. 765 if (CBS_len(&renegotiated_connection) != expected_len) { 766 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); 767 *out_alert = SSL_AD_HANDSHAKE_FAILURE; 768 return false; 769 } 770 771 const uint8_t *d = CBS_data(&renegotiated_connection); 772 bool ok = CRYPTO_memcmp(d, ssl->s3->previous_client_finished, 773 ssl->s3->previous_client_finished_len) == 0; 774 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 775 ok = true; 776 #endif 777 if (!ok) { 778 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); 779 *out_alert = SSL_AD_HANDSHAKE_FAILURE; 780 return false; 781 } 782 d += ssl->s3->previous_client_finished_len; 783 784 ok = CRYPTO_memcmp(d, ssl->s3->previous_server_finished, 785 ssl->s3->previous_server_finished_len) == 0; 786 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 787 ok = true; 788 #endif 789 if (!ok) { 790 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); 791 *out_alert = SSL_AD_HANDSHAKE_FAILURE; 792 return false; 793 } 794 ssl->s3->send_connection_binding = true; 795 796 return true; 797 } 798 799 static bool ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 800 CBS *contents) { 801 SSL *const ssl = hs->ssl; 802 // Renegotiation isn't supported as a server so this function should never be 803 // called after the initial handshake. 804 assert(!ssl->s3->initial_handshake_complete); 805 806 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 807 return true; 808 } 809 810 if (contents == NULL) { 811 return true; 812 } 813 814 CBS renegotiated_connection; 815 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) || 816 CBS_len(contents) != 0) { 817 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR); 818 return false; 819 } 820 821 // Check that the extension matches. We do not support renegotiation as a 822 // server, so this must be empty. 823 if (CBS_len(&renegotiated_connection) != 0) { 824 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); 825 *out_alert = SSL_AD_HANDSHAKE_FAILURE; 826 return false; 827 } 828 829 ssl->s3->send_connection_binding = true; 830 831 return true; 832 } 833 834 static bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 835 SSL *const ssl = hs->ssl; 836 // Renegotiation isn't supported as a server so this function should never be 837 // called after the initial handshake. 838 assert(!ssl->s3->initial_handshake_complete); 839 840 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 841 return true; 842 } 843 844 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) || 845 !CBB_add_u16(out, 1 /* length */) || 846 !CBB_add_u8(out, 0 /* empty renegotiation info */)) { 847 return false; 848 } 849 850 return true; 851 } 852 853 854 // Extended Master Secret. 855 // 856 // https://tools.ietf.org/html/rfc7627 857 858 static bool ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 859 // Extended master secret is not necessary in TLS 1.3. 860 if (hs->min_version >= TLS1_3_VERSION) { 861 return true; 862 } 863 864 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) || 865 !CBB_add_u16(out, 0 /* length */)) { 866 return false; 867 } 868 869 return true; 870 } 871 872 static bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 873 CBS *contents) { 874 SSL *const ssl = hs->ssl; 875 876 if (contents != NULL) { 877 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || 878 CBS_len(contents) != 0) { 879 return false; 880 } 881 882 hs->extended_master_secret = true; 883 } 884 885 // Whether EMS is negotiated may not change on renegotiation. 886 if (ssl->s3->established_session != nullptr && 887 hs->extended_master_secret != 888 !!ssl->s3->established_session->extended_master_secret) { 889 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH); 890 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 891 return false; 892 } 893 894 return true; 895 } 896 897 static bool ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 898 CBS *contents) { 899 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) { 900 return true; 901 } 902 903 if (contents == NULL) { 904 return true; 905 } 906 907 if (CBS_len(contents) != 0) { 908 return false; 909 } 910 911 hs->extended_master_secret = true; 912 return true; 913 } 914 915 static bool ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 916 if (!hs->extended_master_secret) { 917 return true; 918 } 919 920 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) || 921 !CBB_add_u16(out, 0 /* length */)) { 922 return false; 923 } 924 925 return true; 926 } 927 928 929 // Session tickets. 930 // 931 // https://tools.ietf.org/html/rfc5077 932 933 static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 934 SSL *const ssl = hs->ssl; 935 // TLS 1.3 uses a different ticket extension. 936 if (hs->min_version >= TLS1_3_VERSION || 937 SSL_get_options(ssl) & SSL_OP_NO_TICKET) { 938 return true; 939 } 940 941 Span<const uint8_t> ticket; 942 943 // Renegotiation does not participate in session resumption. However, still 944 // advertise the extension to avoid potentially breaking servers which carry 945 // over the state from the previous handshake, such as OpenSSL servers 946 // without upstream's 3c3f0259238594d77264a78944d409f2127642c4. 947 if (!ssl->s3->initial_handshake_complete && 948 ssl->session != nullptr && 949 !ssl->session->ticket.empty() && 950 // Don't send TLS 1.3 session tickets in the ticket extension. 951 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) { 952 ticket = ssl->session->ticket; 953 } 954 955 CBB ticket_cbb; 956 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) || 957 !CBB_add_u16_length_prefixed(out, &ticket_cbb) || 958 !CBB_add_bytes(&ticket_cbb, ticket.data(), ticket.size()) || 959 !CBB_flush(out)) { 960 return false; 961 } 962 963 return true; 964 } 965 966 static bool ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 967 CBS *contents) { 968 SSL *const ssl = hs->ssl; 969 if (contents == NULL) { 970 return true; 971 } 972 973 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 974 return false; 975 } 976 977 // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and 978 // this function should never be called, even if the server tries to send the 979 // extension. 980 assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0); 981 982 if (CBS_len(contents) != 0) { 983 return false; 984 } 985 986 hs->ticket_expected = true; 987 return true; 988 } 989 990 static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 991 if (!hs->ticket_expected) { 992 return true; 993 } 994 995 // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true. 996 assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0); 997 998 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) || 999 !CBB_add_u16(out, 0 /* length */)) { 1000 return false; 1001 } 1002 1003 return true; 1004 } 1005 1006 1007 // Signature Algorithms. 1008 // 1009 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 1010 1011 static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 1012 SSL *const ssl = hs->ssl; 1013 if (hs->max_version < TLS1_2_VERSION) { 1014 return true; 1015 } 1016 1017 // Prior to TLS 1.3, there was no way to signal different signature algorithm 1018 // preferences between the online signature and certificates. If we do not 1019 // send the signature_algorithms_cert extension, use the potentially more 1020 // restrictive certificate list. 1021 // 1022 // TODO(davidben): When TLS 1.3 is finalized, we can likely remove the TLS 1.3 1023 // check both here and in signature_algorithms_cert. |hs->max_version| is not 1024 // the negotiated version. Rather the expectation is that any server consuming 1025 // signature algorithms added in TLS 1.3 will also know to look at 1026 // signature_algorithms_cert. For now, TLS 1.3 is not quite yet final and it 1027 // seems prudent to condition this new extension on it. 1028 bool for_certs = hs->max_version < TLS1_3_VERSION; 1029 CBB contents, sigalgs_cbb; 1030 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) || 1031 !CBB_add_u16_length_prefixed(out, &contents) || 1032 !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) || 1033 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, for_certs) || 1034 !CBB_flush(out)) { 1035 return false; 1036 } 1037 1038 return true; 1039 } 1040 1041 static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1042 CBS *contents) { 1043 hs->peer_sigalgs.Reset(); 1044 if (contents == NULL) { 1045 return true; 1046 } 1047 1048 CBS supported_signature_algorithms; 1049 if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) || 1050 CBS_len(contents) != 0 || 1051 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) { 1052 return false; 1053 } 1054 1055 return true; 1056 } 1057 1058 1059 // Signature Algorithms for Certificates. 1060 // 1061 // https://tools.ietf.org/html/rfc8446#section-4.2.3 1062 1063 static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 1064 SSL *const ssl = hs->ssl; 1065 // If this extension is omitted, it defaults to the signature_algorithms 1066 // extension, so only emit it if the list is different. 1067 // 1068 // This extension is also new in TLS 1.3, so omit it if TLS 1.3 is disabled. 1069 // There is a corresponding version check in |ext_sigalgs_add_clienthello|. 1070 if (hs->max_version < TLS1_3_VERSION || 1071 !tls12_has_different_verify_sigalgs_for_certs(ssl)) { 1072 return true; 1073 } 1074 1075 CBB contents, sigalgs_cbb; 1076 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms_cert) || 1077 !CBB_add_u16_length_prefixed(out, &contents) || 1078 !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) || 1079 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */) || 1080 !CBB_flush(out)) { 1081 return false; 1082 } 1083 1084 return true; 1085 } 1086 1087 1088 // OCSP Stapling. 1089 // 1090 // https://tools.ietf.org/html/rfc6066#section-8 1091 1092 static bool ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 1093 if (!hs->config->ocsp_stapling_enabled) { 1094 return true; 1095 } 1096 1097 CBB contents; 1098 if (!CBB_add_u16(out, TLSEXT_TYPE_status_request) || 1099 !CBB_add_u16_length_prefixed(out, &contents) || 1100 !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) || 1101 !CBB_add_u16(&contents, 0 /* empty responder ID list */) || 1102 !CBB_add_u16(&contents, 0 /* empty request extensions */) || 1103 !CBB_flush(out)) { 1104 return false; 1105 } 1106 1107 return true; 1108 } 1109 1110 static bool ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1111 CBS *contents) { 1112 SSL *const ssl = hs->ssl; 1113 if (contents == NULL) { 1114 return true; 1115 } 1116 1117 // TLS 1.3 OCSP responses are included in the Certificate extensions. 1118 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1119 return false; 1120 } 1121 1122 // OCSP stapling is forbidden on non-certificate ciphers. 1123 if (CBS_len(contents) != 0 || 1124 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) { 1125 return false; 1126 } 1127 1128 // Note this does not check for resumption in TLS 1.2. Sending 1129 // status_request here does not make sense, but OpenSSL does so and the 1130 // specification does not say anything. Tolerate it but ignore it. 1131 1132 hs->certificate_status_expected = true; 1133 return true; 1134 } 1135 1136 static bool ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1137 CBS *contents) { 1138 if (contents == NULL) { 1139 return true; 1140 } 1141 1142 uint8_t status_type; 1143 if (!CBS_get_u8(contents, &status_type)) { 1144 return false; 1145 } 1146 1147 // We cannot decide whether OCSP stapling will occur yet because the correct 1148 // SSL_CTX might not have been selected. 1149 hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp; 1150 1151 return true; 1152 } 1153 1154 static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 1155 SSL *const ssl = hs->ssl; 1156 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || 1157 !hs->ocsp_stapling_requested || hs->config->cert->ocsp_response == NULL || 1158 ssl->s3->session_reused || 1159 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) { 1160 return true; 1161 } 1162 1163 hs->certificate_status_expected = true; 1164 1165 return CBB_add_u16(out, TLSEXT_TYPE_status_request) && 1166 CBB_add_u16(out, 0 /* length */); 1167 } 1168 1169 1170 // Next protocol negotiation. 1171 // 1172 // https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html 1173 1174 static bool ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 1175 SSL *const ssl = hs->ssl; 1176 if (ssl->s3->initial_handshake_complete || 1177 ssl->ctx->next_proto_select_cb == NULL || 1178 SSL_is_dtls(ssl)) { 1179 return true; 1180 } 1181 1182 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) || 1183 !CBB_add_u16(out, 0 /* length */)) { 1184 return false; 1185 } 1186 1187 return true; 1188 } 1189 1190 static bool ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1191 CBS *contents) { 1192 SSL *const ssl = hs->ssl; 1193 if (contents == NULL) { 1194 return true; 1195 } 1196 1197 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1198 return false; 1199 } 1200 1201 // If any of these are false then we should never have sent the NPN 1202 // extension in the ClientHello and thus this function should never have been 1203 // called. 1204 assert(!ssl->s3->initial_handshake_complete); 1205 assert(!SSL_is_dtls(ssl)); 1206 assert(ssl->ctx->next_proto_select_cb != NULL); 1207 1208 if (!ssl->s3->alpn_selected.empty()) { 1209 // NPN and ALPN may not be negotiated in the same connection. 1210 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 1211 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN); 1212 return false; 1213 } 1214 1215 const uint8_t *const orig_contents = CBS_data(contents); 1216 const size_t orig_len = CBS_len(contents); 1217 1218 while (CBS_len(contents) != 0) { 1219 CBS proto; 1220 if (!CBS_get_u8_length_prefixed(contents, &proto) || 1221 CBS_len(&proto) == 0) { 1222 return false; 1223 } 1224 } 1225 1226 uint8_t *selected; 1227 uint8_t selected_len; 1228 if (ssl->ctx->next_proto_select_cb( 1229 ssl, &selected, &selected_len, orig_contents, orig_len, 1230 ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK || 1231 !ssl->s3->next_proto_negotiated.CopyFrom( 1232 MakeConstSpan(selected, selected_len))) { 1233 *out_alert = SSL_AD_INTERNAL_ERROR; 1234 return false; 1235 } 1236 1237 hs->next_proto_neg_seen = true; 1238 return true; 1239 } 1240 1241 static bool ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1242 CBS *contents) { 1243 SSL *const ssl = hs->ssl; 1244 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1245 return true; 1246 } 1247 1248 if (contents != NULL && CBS_len(contents) != 0) { 1249 return false; 1250 } 1251 1252 if (contents == NULL || 1253 ssl->s3->initial_handshake_complete || 1254 ssl->ctx->next_protos_advertised_cb == NULL || 1255 SSL_is_dtls(ssl)) { 1256 return true; 1257 } 1258 1259 hs->next_proto_neg_seen = true; 1260 return true; 1261 } 1262 1263 static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 1264 SSL *const ssl = hs->ssl; 1265 // |next_proto_neg_seen| might have been cleared when an ALPN extension was 1266 // parsed. 1267 if (!hs->next_proto_neg_seen) { 1268 return true; 1269 } 1270 1271 const uint8_t *npa; 1272 unsigned npa_len; 1273 1274 if (ssl->ctx->next_protos_advertised_cb( 1275 ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) != 1276 SSL_TLSEXT_ERR_OK) { 1277 hs->next_proto_neg_seen = false; 1278 return true; 1279 } 1280 1281 CBB contents; 1282 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) || 1283 !CBB_add_u16_length_prefixed(out, &contents) || 1284 !CBB_add_bytes(&contents, npa, npa_len) || 1285 !CBB_flush(out)) { 1286 return false; 1287 } 1288 1289 return true; 1290 } 1291 1292 1293 // Signed certificate timestamps. 1294 // 1295 // https://tools.ietf.org/html/rfc6962#section-3.3.1 1296 1297 static bool ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 1298 if (!hs->config->signed_cert_timestamps_enabled) { 1299 return true; 1300 } 1301 1302 if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) || 1303 !CBB_add_u16(out, 0 /* length */)) { 1304 return false; 1305 } 1306 1307 return true; 1308 } 1309 1310 static bool ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1311 CBS *contents) { 1312 SSL *const ssl = hs->ssl; 1313 if (contents == NULL) { 1314 return true; 1315 } 1316 1317 // TLS 1.3 SCTs are included in the Certificate extensions. 1318 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1319 *out_alert = SSL_AD_DECODE_ERROR; 1320 return false; 1321 } 1322 1323 // If this is false then we should never have sent the SCT extension in the 1324 // ClientHello and thus this function should never have been called. 1325 assert(hs->config->signed_cert_timestamps_enabled); 1326 1327 if (!ssl_is_sct_list_valid(contents)) { 1328 *out_alert = SSL_AD_DECODE_ERROR; 1329 return false; 1330 } 1331 1332 // Session resumption uses the original session information. The extension 1333 // should not be sent on resumption, but RFC 6962 did not make it a 1334 // requirement, so tolerate this. 1335 // 1336 // TODO(davidben): Enforce this anyway. 1337 if (!ssl->s3->session_reused) { 1338 hs->new_session->signed_cert_timestamp_list.reset( 1339 CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool)); 1340 if (hs->new_session->signed_cert_timestamp_list == nullptr) { 1341 *out_alert = SSL_AD_INTERNAL_ERROR; 1342 return false; 1343 } 1344 } 1345 1346 return true; 1347 } 1348 1349 static bool ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1350 CBS *contents) { 1351 if (contents == NULL) { 1352 return true; 1353 } 1354 1355 if (CBS_len(contents) != 0) { 1356 return false; 1357 } 1358 1359 hs->scts_requested = true; 1360 return true; 1361 } 1362 1363 static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 1364 SSL *const ssl = hs->ssl; 1365 // The extension shouldn't be sent when resuming sessions. 1366 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || ssl->s3->session_reused || 1367 hs->config->cert->signed_cert_timestamp_list == NULL) { 1368 return true; 1369 } 1370 1371 CBB contents; 1372 return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) && 1373 CBB_add_u16_length_prefixed(out, &contents) && 1374 CBB_add_bytes( 1375 &contents, 1376 CRYPTO_BUFFER_data( 1377 hs->config->cert->signed_cert_timestamp_list.get()), 1378 CRYPTO_BUFFER_len( 1379 hs->config->cert->signed_cert_timestamp_list.get())) && 1380 CBB_flush(out); 1381 } 1382 1383 1384 // Application-level Protocol Negotiation. 1385 // 1386 // https://tools.ietf.org/html/rfc7301 1387 1388 static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 1389 SSL *const ssl = hs->ssl; 1390 if (hs->config->alpn_client_proto_list.empty() || 1391 ssl->s3->initial_handshake_complete) { 1392 return true; 1393 } 1394 1395 CBB contents, proto_list; 1396 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) || 1397 !CBB_add_u16_length_prefixed(out, &contents) || 1398 !CBB_add_u16_length_prefixed(&contents, &proto_list) || 1399 !CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(), 1400 hs->config->alpn_client_proto_list.size()) || 1401 !CBB_flush(out)) { 1402 return false; 1403 } 1404 1405 return true; 1406 } 1407 1408 static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1409 CBS *contents) { 1410 SSL *const ssl = hs->ssl; 1411 if (contents == NULL) { 1412 return true; 1413 } 1414 1415 assert(!ssl->s3->initial_handshake_complete); 1416 assert(!hs->config->alpn_client_proto_list.empty()); 1417 1418 if (hs->next_proto_neg_seen) { 1419 // NPN and ALPN may not be negotiated in the same connection. 1420 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 1421 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN); 1422 return false; 1423 } 1424 1425 // The extension data consists of a ProtocolNameList which must have 1426 // exactly one ProtocolName. Each of these is length-prefixed. 1427 CBS protocol_name_list, protocol_name; 1428 if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) || 1429 CBS_len(contents) != 0 || 1430 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) || 1431 // Empty protocol names are forbidden. 1432 CBS_len(&protocol_name) == 0 || 1433 CBS_len(&protocol_name_list) != 0) { 1434 return false; 1435 } 1436 1437 if (!ssl_is_alpn_protocol_allowed(hs, protocol_name)) { 1438 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL); 1439 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 1440 return false; 1441 } 1442 1443 if (!ssl->s3->alpn_selected.CopyFrom(protocol_name)) { 1444 *out_alert = SSL_AD_INTERNAL_ERROR; 1445 return false; 1446 } 1447 1448 return true; 1449 } 1450 1451 bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs, 1452 Span<const uint8_t> protocol) { 1453 if (hs->config->alpn_client_proto_list.empty()) { 1454 return false; 1455 } 1456 1457 if (hs->ssl->ctx->allow_unknown_alpn_protos) { 1458 return true; 1459 } 1460 1461 // Check that the protocol name is one of the ones we advertised. 1462 CBS client_protocol_name_list = 1463 MakeConstSpan(hs->config->alpn_client_proto_list), 1464 client_protocol_name; 1465 while (CBS_len(&client_protocol_name_list) > 0) { 1466 if (!CBS_get_u8_length_prefixed(&client_protocol_name_list, 1467 &client_protocol_name)) { 1468 return false; 1469 } 1470 1471 if (client_protocol_name == protocol) { 1472 return true; 1473 } 1474 } 1475 1476 return false; 1477 } 1478 1479 bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1480 const SSL_CLIENT_HELLO *client_hello) { 1481 SSL *const ssl = hs->ssl; 1482 CBS contents; 1483 if (ssl->ctx->alpn_select_cb == NULL || 1484 !ssl_client_hello_get_extension( 1485 client_hello, &contents, 1486 TLSEXT_TYPE_application_layer_protocol_negotiation)) { 1487 // Ignore ALPN if not configured or no extension was supplied. 1488 return true; 1489 } 1490 1491 // ALPN takes precedence over NPN. 1492 hs->next_proto_neg_seen = false; 1493 1494 CBS protocol_name_list; 1495 if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) || 1496 CBS_len(&contents) != 0 || 1497 CBS_len(&protocol_name_list) < 2) { 1498 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); 1499 *out_alert = SSL_AD_DECODE_ERROR; 1500 return false; 1501 } 1502 1503 // Validate the protocol list. 1504 CBS protocol_name_list_copy = protocol_name_list; 1505 while (CBS_len(&protocol_name_list_copy) > 0) { 1506 CBS protocol_name; 1507 1508 if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) || 1509 // Empty protocol names are forbidden. 1510 CBS_len(&protocol_name) == 0) { 1511 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); 1512 *out_alert = SSL_AD_DECODE_ERROR; 1513 return false; 1514 } 1515 } 1516 1517 const uint8_t *selected; 1518 uint8_t selected_len; 1519 if (ssl->ctx->alpn_select_cb( 1520 ssl, &selected, &selected_len, CBS_data(&protocol_name_list), 1521 CBS_len(&protocol_name_list), 1522 ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) { 1523 if (selected_len == 0) { 1524 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL); 1525 *out_alert = SSL_AD_INTERNAL_ERROR; 1526 return false; 1527 } 1528 if (!ssl->s3->alpn_selected.CopyFrom( 1529 MakeConstSpan(selected, selected_len))) { 1530 *out_alert = SSL_AD_INTERNAL_ERROR; 1531 return false; 1532 } 1533 } 1534 1535 return true; 1536 } 1537 1538 static bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 1539 SSL *const ssl = hs->ssl; 1540 if (ssl->s3->alpn_selected.empty()) { 1541 return true; 1542 } 1543 1544 CBB contents, proto_list, proto; 1545 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) || 1546 !CBB_add_u16_length_prefixed(out, &contents) || 1547 !CBB_add_u16_length_prefixed(&contents, &proto_list) || 1548 !CBB_add_u8_length_prefixed(&proto_list, &proto) || 1549 !CBB_add_bytes(&proto, ssl->s3->alpn_selected.data(), 1550 ssl->s3->alpn_selected.size()) || 1551 !CBB_flush(out)) { 1552 return false; 1553 } 1554 1555 return true; 1556 } 1557 1558 1559 // Channel ID. 1560 // 1561 // https://tools.ietf.org/html/draft-balfanz-tls-channelid-01 1562 1563 static void ext_channel_id_init(SSL_HANDSHAKE *hs) { 1564 hs->ssl->s3->channel_id_valid = false; 1565 } 1566 1567 static bool ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 1568 SSL *const ssl = hs->ssl; 1569 if (!hs->config->channel_id_enabled || SSL_is_dtls(ssl)) { 1570 return true; 1571 } 1572 1573 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) || 1574 !CBB_add_u16(out, 0 /* length */)) { 1575 return false; 1576 } 1577 1578 return true; 1579 } 1580 1581 static bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs, 1582 uint8_t *out_alert, 1583 CBS *contents) { 1584 SSL *const ssl = hs->ssl; 1585 if (contents == NULL) { 1586 return true; 1587 } 1588 1589 assert(!SSL_is_dtls(ssl)); 1590 assert(hs->config->channel_id_enabled); 1591 1592 if (CBS_len(contents) != 0) { 1593 return false; 1594 } 1595 1596 ssl->s3->channel_id_valid = true; 1597 return true; 1598 } 1599 1600 static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs, 1601 uint8_t *out_alert, 1602 CBS *contents) { 1603 SSL *const ssl = hs->ssl; 1604 if (contents == NULL || !hs->config->channel_id_enabled || SSL_is_dtls(ssl)) { 1605 return true; 1606 } 1607 1608 if (CBS_len(contents) != 0) { 1609 return false; 1610 } 1611 1612 ssl->s3->channel_id_valid = true; 1613 return true; 1614 } 1615 1616 static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 1617 SSL *const ssl = hs->ssl; 1618 if (!ssl->s3->channel_id_valid) { 1619 return true; 1620 } 1621 1622 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) || 1623 !CBB_add_u16(out, 0 /* length */)) { 1624 return false; 1625 } 1626 1627 return true; 1628 } 1629 1630 1631 // Secure Real-time Transport Protocol (SRTP) extension. 1632 // 1633 // https://tools.ietf.org/html/rfc5764 1634 1635 1636 static void ext_srtp_init(SSL_HANDSHAKE *hs) { 1637 hs->ssl->s3->srtp_profile = NULL; 1638 } 1639 1640 static bool ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 1641 SSL *const ssl = hs->ssl; 1642 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl); 1643 if (profiles == NULL || 1644 sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0) { 1645 return true; 1646 } 1647 1648 CBB contents, profile_ids; 1649 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) || 1650 !CBB_add_u16_length_prefixed(out, &contents) || 1651 !CBB_add_u16_length_prefixed(&contents, &profile_ids)) { 1652 return false; 1653 } 1654 1655 for (const SRTP_PROTECTION_PROFILE *profile : profiles) { 1656 if (!CBB_add_u16(&profile_ids, profile->id)) { 1657 return false; 1658 } 1659 } 1660 1661 if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) || 1662 !CBB_flush(out)) { 1663 return false; 1664 } 1665 1666 return true; 1667 } 1668 1669 static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1670 CBS *contents) { 1671 SSL *const ssl = hs->ssl; 1672 if (contents == NULL) { 1673 return true; 1674 } 1675 1676 // The extension consists of a u16-prefixed profile ID list containing a 1677 // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field. 1678 // 1679 // See https://tools.ietf.org/html/rfc5764#section-4.1.1 1680 CBS profile_ids, srtp_mki; 1681 uint16_t profile_id; 1682 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) || 1683 !CBS_get_u16(&profile_ids, &profile_id) || 1684 CBS_len(&profile_ids) != 0 || 1685 !CBS_get_u8_length_prefixed(contents, &srtp_mki) || 1686 CBS_len(contents) != 0) { 1687 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1688 return false; 1689 } 1690 1691 if (CBS_len(&srtp_mki) != 0) { 1692 // Must be no MKI, since we never offer one. 1693 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE); 1694 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 1695 return false; 1696 } 1697 1698 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl); 1699 1700 // Check to see if the server gave us something we support (and presumably 1701 // offered). 1702 for (const SRTP_PROTECTION_PROFILE *profile : profiles) { 1703 if (profile->id == profile_id) { 1704 ssl->s3->srtp_profile = profile; 1705 return true; 1706 } 1707 } 1708 1709 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1710 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 1711 return false; 1712 } 1713 1714 static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1715 CBS *contents) { 1716 SSL *const ssl = hs->ssl; 1717 if (contents == NULL) { 1718 return true; 1719 } 1720 1721 CBS profile_ids, srtp_mki; 1722 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) || 1723 CBS_len(&profile_ids) < 2 || 1724 !CBS_get_u8_length_prefixed(contents, &srtp_mki) || 1725 CBS_len(contents) != 0) { 1726 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1727 return false; 1728 } 1729 // Discard the MKI value for now. 1730 1731 const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles = 1732 SSL_get_srtp_profiles(ssl); 1733 1734 // Pick the server's most preferred profile. 1735 for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) { 1736 CBS profile_ids_tmp; 1737 CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids)); 1738 1739 while (CBS_len(&profile_ids_tmp) > 0) { 1740 uint16_t profile_id; 1741 if (!CBS_get_u16(&profile_ids_tmp, &profile_id)) { 1742 return false; 1743 } 1744 1745 if (server_profile->id == profile_id) { 1746 ssl->s3->srtp_profile = server_profile; 1747 return true; 1748 } 1749 } 1750 } 1751 1752 return true; 1753 } 1754 1755 static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 1756 SSL *const ssl = hs->ssl; 1757 if (ssl->s3->srtp_profile == NULL) { 1758 return true; 1759 } 1760 1761 CBB contents, profile_ids; 1762 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) || 1763 !CBB_add_u16_length_prefixed(out, &contents) || 1764 !CBB_add_u16_length_prefixed(&contents, &profile_ids) || 1765 !CBB_add_u16(&profile_ids, ssl->s3->srtp_profile->id) || 1766 !CBB_add_u8(&contents, 0 /* empty MKI */) || 1767 !CBB_flush(out)) { 1768 return false; 1769 } 1770 1771 return true; 1772 } 1773 1774 1775 // EC point formats. 1776 // 1777 // https://tools.ietf.org/html/rfc4492#section-5.1.2 1778 1779 static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) { 1780 CBB contents, formats; 1781 if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) || 1782 !CBB_add_u16_length_prefixed(out, &contents) || 1783 !CBB_add_u8_length_prefixed(&contents, &formats) || 1784 !CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) || 1785 !CBB_flush(out)) { 1786 return false; 1787 } 1788 1789 return true; 1790 } 1791 1792 static bool ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 1793 // The point format extension is unneccessary in TLS 1.3. 1794 if (hs->min_version >= TLS1_3_VERSION) { 1795 return true; 1796 } 1797 1798 return ext_ec_point_add_extension(hs, out); 1799 } 1800 1801 static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1802 CBS *contents) { 1803 if (contents == NULL) { 1804 return true; 1805 } 1806 1807 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) { 1808 return false; 1809 } 1810 1811 CBS ec_point_format_list; 1812 if (!CBS_get_u8_length_prefixed(contents, &ec_point_format_list) || 1813 CBS_len(contents) != 0) { 1814 return false; 1815 } 1816 1817 // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed 1818 // point format. 1819 if (OPENSSL_memchr(CBS_data(&ec_point_format_list), 1820 TLSEXT_ECPOINTFORMAT_uncompressed, 1821 CBS_len(&ec_point_format_list)) == NULL) { 1822 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 1823 return false; 1824 } 1825 1826 return true; 1827 } 1828 1829 static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, 1830 CBS *contents) { 1831 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) { 1832 return true; 1833 } 1834 1835 return ext_ec_point_parse_serverhello(hs, out_alert, contents); 1836 } 1837 1838 static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 1839 SSL *const ssl = hs->ssl; 1840 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 1841 return true; 1842 } 1843 1844 const uint32_t alg_k = hs->new_cipher->algorithm_mkey; 1845 const uint32_t alg_a = hs->new_cipher->algorithm_auth; 1846 const bool using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA); 1847 1848 if (!using_ecc) { 1849 return true; 1850 } 1851 1852 return ext_ec_point_add_extension(hs, out); 1853 } 1854 1855 1856 // Pre Shared Key 1857 // 1858 // https://tools.ietf.org/html/rfc8446#section-4.2.11 1859 1860 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) { 1861 SSL *const ssl = hs->ssl; 1862 if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr || 1863 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) { 1864 return 0; 1865 } 1866 1867 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get())); 1868 return 15 + ssl->session->ticket.size() + binder_len; 1869 } 1870 1871 static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 1872 SSL *const ssl = hs->ssl; 1873 hs->needs_psk_binder = false; 1874 if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr || 1875 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) { 1876 return true; 1877 } 1878 1879 // Per RFC 8446 section 4.1.4, skip offering the session if the selected 1880 // cipher in HelloRetryRequest does not match. This avoids performing the 1881 // transcript hash transformation for multiple hashes. 1882 if (hs->received_hello_retry_request && 1883 ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) { 1884 return true; 1885 } 1886 1887 struct OPENSSL_timeval now; 1888 ssl_get_current_time(ssl, &now); 1889 uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time); 1890 uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add; 1891 1892 // Fill in a placeholder zero binder of the appropriate length. It will be 1893 // computed and filled in later after length prefixes are computed. 1894 uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0}; 1895 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get())); 1896 1897 CBB contents, identity, ticket, binders, binder; 1898 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) || 1899 !CBB_add_u16_length_prefixed(out, &contents) || 1900 !CBB_add_u16_length_prefixed(&contents, &identity) || 1901 !CBB_add_u16_length_prefixed(&identity, &ticket) || 1902 !CBB_add_bytes(&ticket, ssl->session->ticket.data(), 1903 ssl->session->ticket.size()) || 1904 !CBB_add_u32(&identity, obfuscated_ticket_age) || 1905 !CBB_add_u16_length_prefixed(&contents, &binders) || 1906 !CBB_add_u8_length_prefixed(&binders, &binder) || 1907 !CBB_add_bytes(&binder, zero_binder, binder_len)) { 1908 return false; 1909 } 1910 1911 hs->needs_psk_binder = true; 1912 return CBB_flush(out); 1913 } 1914 1915 bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs, 1916 uint8_t *out_alert, 1917 CBS *contents) { 1918 uint16_t psk_id; 1919 if (!CBS_get_u16(contents, &psk_id) || 1920 CBS_len(contents) != 0) { 1921 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 1922 *out_alert = SSL_AD_DECODE_ERROR; 1923 return false; 1924 } 1925 1926 // We only advertise one PSK identity, so the only legal index is zero. 1927 if (psk_id != 0) { 1928 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND); 1929 *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY; 1930 return false; 1931 } 1932 1933 return true; 1934 } 1935 1936 bool ssl_ext_pre_shared_key_parse_clienthello( 1937 SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders, 1938 uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents) { 1939 // We only process the first PSK identity since we don't support pure PSK. 1940 CBS identities, binders; 1941 if (!CBS_get_u16_length_prefixed(contents, &identities) || 1942 !CBS_get_u16_length_prefixed(&identities, out_ticket) || 1943 !CBS_get_u32(&identities, out_obfuscated_ticket_age) || 1944 !CBS_get_u16_length_prefixed(contents, &binders) || 1945 CBS_len(&binders) == 0 || 1946 CBS_len(contents) != 0) { 1947 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 1948 *out_alert = SSL_AD_DECODE_ERROR; 1949 return false; 1950 } 1951 1952 *out_binders = binders; 1953 1954 // Check the syntax of the remaining identities, but do not process them. 1955 size_t num_identities = 1; 1956 while (CBS_len(&identities) != 0) { 1957 CBS unused_ticket; 1958 uint32_t unused_obfuscated_ticket_age; 1959 if (!CBS_get_u16_length_prefixed(&identities, &unused_ticket) || 1960 !CBS_get_u32(&identities, &unused_obfuscated_ticket_age)) { 1961 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 1962 *out_alert = SSL_AD_DECODE_ERROR; 1963 return false; 1964 } 1965 1966 num_identities++; 1967 } 1968 1969 // Check the syntax of the binders. The value will be checked later if 1970 // resuming. 1971 size_t num_binders = 0; 1972 while (CBS_len(&binders) != 0) { 1973 CBS binder; 1974 if (!CBS_get_u8_length_prefixed(&binders, &binder)) { 1975 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 1976 *out_alert = SSL_AD_DECODE_ERROR; 1977 return false; 1978 } 1979 1980 num_binders++; 1981 } 1982 1983 if (num_identities != num_binders) { 1984 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH); 1985 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 1986 return false; 1987 } 1988 1989 return true; 1990 } 1991 1992 bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 1993 if (!hs->ssl->s3->session_reused) { 1994 return true; 1995 } 1996 1997 CBB contents; 1998 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) || 1999 !CBB_add_u16_length_prefixed(out, &contents) || 2000 // We only consider the first identity for resumption 2001 !CBB_add_u16(&contents, 0) || 2002 !CBB_flush(out)) { 2003 return false; 2004 } 2005 2006 return true; 2007 } 2008 2009 2010 // Pre-Shared Key Exchange Modes 2011 // 2012 // https://tools.ietf.org/html/rfc8446#section-4.2.9 2013 2014 static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs, 2015 CBB *out) { 2016 if (hs->max_version < TLS1_3_VERSION) { 2017 return true; 2018 } 2019 2020 CBB contents, ke_modes; 2021 if (!CBB_add_u16(out, TLSEXT_TYPE_psk_key_exchange_modes) || 2022 !CBB_add_u16_length_prefixed(out, &contents) || 2023 !CBB_add_u8_length_prefixed(&contents, &ke_modes) || 2024 !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) { 2025 return false; 2026 } 2027 2028 return CBB_flush(out); 2029 } 2030 2031 static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs, 2032 uint8_t *out_alert, 2033 CBS *contents) { 2034 if (contents == NULL) { 2035 return true; 2036 } 2037 2038 CBS ke_modes; 2039 if (!CBS_get_u8_length_prefixed(contents, &ke_modes) || 2040 CBS_len(&ke_modes) == 0 || 2041 CBS_len(contents) != 0) { 2042 *out_alert = SSL_AD_DECODE_ERROR; 2043 return false; 2044 } 2045 2046 // We only support tickets with PSK_DHE_KE. 2047 hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE, 2048 CBS_len(&ke_modes)) != NULL; 2049 2050 return true; 2051 } 2052 2053 2054 // Early Data Indication 2055 // 2056 // https://tools.ietf.org/html/rfc8446#section-4.2.10 2057 2058 static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 2059 SSL *const ssl = hs->ssl; 2060 if (!ssl->enable_early_data || 2061 // Session must be 0-RTT capable. 2062 ssl->session == nullptr || 2063 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION || 2064 ssl->session->ticket_max_early_data == 0 || 2065 // The second ClientHello never offers early data. 2066 hs->received_hello_retry_request || 2067 // In case ALPN preferences changed since this session was established, 2068 // avoid reporting a confusing value in |SSL_get0_alpn_selected|. 2069 (!ssl->session->early_alpn.empty() && 2070 !ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn))) { 2071 return true; 2072 } 2073 2074 hs->early_data_offered = true; 2075 2076 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) || 2077 !CBB_add_u16(out, 0) || 2078 !CBB_flush(out)) { 2079 return false; 2080 } 2081 2082 return true; 2083 } 2084 2085 static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs, 2086 uint8_t *out_alert, CBS *contents) { 2087 SSL *const ssl = hs->ssl; 2088 if (contents == NULL) { 2089 return true; 2090 } 2091 2092 if (CBS_len(contents) != 0) { 2093 *out_alert = SSL_AD_DECODE_ERROR; 2094 return false; 2095 } 2096 2097 if (!ssl->s3->session_reused) { 2098 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 2099 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 2100 return false; 2101 } 2102 2103 ssl->s3->early_data_accepted = true; 2104 return true; 2105 } 2106 2107 static bool ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs, 2108 uint8_t *out_alert, CBS *contents) { 2109 SSL *const ssl = hs->ssl; 2110 if (contents == NULL || 2111 ssl_protocol_version(ssl) < TLS1_3_VERSION) { 2112 return true; 2113 } 2114 2115 if (CBS_len(contents) != 0) { 2116 *out_alert = SSL_AD_DECODE_ERROR; 2117 return false; 2118 } 2119 2120 hs->early_data_offered = true; 2121 return true; 2122 } 2123 2124 static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 2125 if (!hs->ssl->s3->early_data_accepted) { 2126 return true; 2127 } 2128 2129 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) || 2130 !CBB_add_u16(out, 0) || 2131 !CBB_flush(out)) { 2132 return false; 2133 } 2134 2135 return true; 2136 } 2137 2138 2139 // Key Share 2140 // 2141 // https://tools.ietf.org/html/rfc8446#section-4.2.8 2142 2143 static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 2144 SSL *const ssl = hs->ssl; 2145 if (hs->max_version < TLS1_3_VERSION) { 2146 return true; 2147 } 2148 2149 CBB contents, kse_bytes; 2150 if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) || 2151 !CBB_add_u16_length_prefixed(out, &contents) || 2152 !CBB_add_u16_length_prefixed(&contents, &kse_bytes)) { 2153 return false; 2154 } 2155 2156 uint16_t group_id = hs->retry_group; 2157 uint16_t second_group_id = 0; 2158 if (hs->received_hello_retry_request) { 2159 // We received a HelloRetryRequest without a new curve, so there is no new 2160 // share to append. Leave |hs->key_share| as-is. 2161 if (group_id == 0 && 2162 !CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(), 2163 hs->key_share_bytes.size())) { 2164 return false; 2165 } 2166 hs->key_share_bytes.Reset(); 2167 if (group_id == 0) { 2168 return CBB_flush(out); 2169 } 2170 } else { 2171 // Add a fake group. See draft-davidben-tls-grease-01. 2172 if (ssl->ctx->grease_enabled && 2173 (!CBB_add_u16(&kse_bytes, 2174 ssl_get_grease_value(hs, ssl_grease_group)) || 2175 !CBB_add_u16(&kse_bytes, 1 /* length */) || 2176 !CBB_add_u8(&kse_bytes, 0 /* one byte key share */))) { 2177 return false; 2178 } 2179 2180 // Predict the most preferred group. 2181 Span<const uint16_t> groups = tls1_get_grouplist(hs); 2182 if (groups.empty()) { 2183 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED); 2184 return false; 2185 } 2186 2187 group_id = groups[0]; 2188 2189 if (group_id == SSL_CURVE_CECPQ2 && groups.size() >= 2) { 2190 // CECPQ2 is not sent as the only initial key share. We'll include the 2191 // 2nd preference group too to avoid round-trips. 2192 second_group_id = groups[1]; 2193 assert(second_group_id != group_id); 2194 } 2195 } 2196 2197 CBB key_exchange; 2198 hs->key_shares[0] = SSLKeyShare::Create(group_id); 2199 if (!hs->key_shares[0] || 2200 !CBB_add_u16(&kse_bytes, group_id) || 2201 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) || 2202 !hs->key_shares[0]->Offer(&key_exchange) || 2203 !CBB_flush(&kse_bytes)) { 2204 return false; 2205 } 2206 2207 if (second_group_id != 0) { 2208 hs->key_shares[1] = SSLKeyShare::Create(second_group_id); 2209 if (!hs->key_shares[1] || 2210 !CBB_add_u16(&kse_bytes, second_group_id) || 2211 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) || 2212 !hs->key_shares[1]->Offer(&key_exchange) || 2213 !CBB_flush(&kse_bytes)) { 2214 return false; 2215 } 2216 } 2217 2218 // Save the contents of the extension to repeat it in the second 2219 // ClientHello. 2220 if (!hs->received_hello_retry_request && 2221 !hs->key_share_bytes.CopyFrom( 2222 MakeConstSpan(CBB_data(&kse_bytes), CBB_len(&kse_bytes)))) { 2223 return false; 2224 } 2225 2226 return CBB_flush(out); 2227 } 2228 2229 bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs, 2230 Array<uint8_t> *out_secret, 2231 uint8_t *out_alert, CBS *contents) { 2232 CBS peer_key; 2233 uint16_t group_id; 2234 if (!CBS_get_u16(contents, &group_id) || 2235 !CBS_get_u16_length_prefixed(contents, &peer_key) || 2236 CBS_len(contents) != 0) { 2237 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 2238 *out_alert = SSL_AD_DECODE_ERROR; 2239 return false; 2240 } 2241 2242 SSLKeyShare *key_share = hs->key_shares[0].get(); 2243 if (key_share->GroupID() != group_id) { 2244 if (!hs->key_shares[1] || hs->key_shares[1]->GroupID() != group_id) { 2245 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 2246 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); 2247 return false; 2248 } 2249 key_share = hs->key_shares[1].get(); 2250 } 2251 2252 if (!key_share->Finish(out_secret, out_alert, peer_key)) { 2253 *out_alert = SSL_AD_INTERNAL_ERROR; 2254 return false; 2255 } 2256 2257 hs->new_session->group_id = group_id; 2258 hs->key_shares[0].reset(); 2259 hs->key_shares[1].reset(); 2260 return true; 2261 } 2262 2263 bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found, 2264 Array<uint8_t> *out_secret, 2265 uint8_t *out_alert, CBS *contents) { 2266 uint16_t group_id; 2267 CBS key_shares; 2268 if (!tls1_get_shared_group(hs, &group_id)) { 2269 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP); 2270 *out_alert = SSL_AD_HANDSHAKE_FAILURE; 2271 return false; 2272 } 2273 2274 if (!CBS_get_u16_length_prefixed(contents, &key_shares) || 2275 CBS_len(contents) != 0) { 2276 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 2277 return false; 2278 } 2279 2280 // Find the corresponding key share. 2281 CBS peer_key; 2282 CBS_init(&peer_key, NULL, 0); 2283 while (CBS_len(&key_shares) > 0) { 2284 uint16_t id; 2285 CBS peer_key_tmp; 2286 if (!CBS_get_u16(&key_shares, &id) || 2287 !CBS_get_u16_length_prefixed(&key_shares, &peer_key_tmp) || 2288 CBS_len(&peer_key_tmp) == 0) { 2289 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 2290 return false; 2291 } 2292 2293 if (id == group_id) { 2294 if (CBS_len(&peer_key) != 0) { 2295 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_KEY_SHARE); 2296 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 2297 return false; 2298 } 2299 2300 peer_key = peer_key_tmp; 2301 // Continue parsing the structure to keep peers honest. 2302 } 2303 } 2304 2305 if (CBS_len(&peer_key) == 0) { 2306 *out_found = false; 2307 out_secret->Reset(); 2308 return true; 2309 } 2310 2311 // Compute the DH secret. 2312 Array<uint8_t> secret; 2313 ScopedCBB public_key; 2314 UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id); 2315 if (!key_share || 2316 !CBB_init(public_key.get(), 32) || 2317 !key_share->Accept(public_key.get(), &secret, out_alert, peer_key) || 2318 !CBBFinishArray(public_key.get(), &hs->ecdh_public_key)) { 2319 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 2320 return false; 2321 } 2322 2323 *out_secret = std::move(secret); 2324 *out_found = true; 2325 return true; 2326 } 2327 2328 bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 2329 uint16_t group_id; 2330 CBB kse_bytes, public_key; 2331 if (!tls1_get_shared_group(hs, &group_id) || 2332 !CBB_add_u16(out, TLSEXT_TYPE_key_share) || 2333 !CBB_add_u16_length_prefixed(out, &kse_bytes) || 2334 !CBB_add_u16(&kse_bytes, group_id) || 2335 !CBB_add_u16_length_prefixed(&kse_bytes, &public_key) || 2336 !CBB_add_bytes(&public_key, hs->ecdh_public_key.data(), 2337 hs->ecdh_public_key.size()) || 2338 !CBB_flush(out)) { 2339 return false; 2340 } 2341 2342 hs->ecdh_public_key.Reset(); 2343 2344 hs->new_session->group_id = group_id; 2345 return true; 2346 } 2347 2348 2349 // Supported Versions 2350 // 2351 // https://tools.ietf.org/html/rfc8446#section-4.2.1 2352 2353 static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 2354 SSL *const ssl = hs->ssl; 2355 if (hs->max_version <= TLS1_2_VERSION) { 2356 return true; 2357 } 2358 2359 CBB contents, versions; 2360 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) || 2361 !CBB_add_u16_length_prefixed(out, &contents) || 2362 !CBB_add_u8_length_prefixed(&contents, &versions)) { 2363 return false; 2364 } 2365 2366 // Add a fake version. See draft-davidben-tls-grease-01. 2367 if (ssl->ctx->grease_enabled && 2368 !CBB_add_u16(&versions, ssl_get_grease_value(hs, ssl_grease_version))) { 2369 return false; 2370 } 2371 2372 if (!ssl_add_supported_versions(hs, &versions) || 2373 !CBB_flush(out)) { 2374 return false; 2375 } 2376 2377 return true; 2378 } 2379 2380 2381 // Cookie 2382 // 2383 // https://tools.ietf.org/html/rfc8446#section-4.2.2 2384 2385 static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 2386 if (hs->cookie.empty()) { 2387 return true; 2388 } 2389 2390 CBB contents, cookie; 2391 if (!CBB_add_u16(out, TLSEXT_TYPE_cookie) || 2392 !CBB_add_u16_length_prefixed(out, &contents) || 2393 !CBB_add_u16_length_prefixed(&contents, &cookie) || 2394 !CBB_add_bytes(&cookie, hs->cookie.data(), hs->cookie.size()) || 2395 !CBB_flush(out)) { 2396 return false; 2397 } 2398 2399 // The cookie is no longer needed in memory. 2400 hs->cookie.Reset(); 2401 return true; 2402 } 2403 2404 2405 // Supported Groups 2406 // 2407 // https://tools.ietf.org/html/rfc4492#section-5.1.1 2408 // https://tools.ietf.org/html/rfc8446#section-4.2.7 2409 2410 static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 2411 SSL *const ssl = hs->ssl; 2412 CBB contents, groups_bytes; 2413 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_groups) || 2414 !CBB_add_u16_length_prefixed(out, &contents) || 2415 !CBB_add_u16_length_prefixed(&contents, &groups_bytes)) { 2416 return false; 2417 } 2418 2419 // Add a fake group. See draft-davidben-tls-grease-01. 2420 if (ssl->ctx->grease_enabled && 2421 !CBB_add_u16(&groups_bytes, 2422 ssl_get_grease_value(hs, ssl_grease_group))) { 2423 return false; 2424 } 2425 2426 for (uint16_t group : tls1_get_grouplist(hs)) { 2427 if (group == SSL_CURVE_CECPQ2 && 2428 hs->max_version < TLS1_3_VERSION) { 2429 continue; 2430 } 2431 if (!CBB_add_u16(&groups_bytes, group)) { 2432 return false; 2433 } 2434 } 2435 2436 return CBB_flush(out); 2437 } 2438 2439 static bool ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs, 2440 uint8_t *out_alert, 2441 CBS *contents) { 2442 // This extension is not expected to be echoed by servers in TLS 1.2, but some 2443 // BigIP servers send it nonetheless, so do not enforce this. 2444 return true; 2445 } 2446 2447 static bool parse_u16_array(const CBS *cbs, Array<uint16_t> *out) { 2448 CBS copy = *cbs; 2449 if ((CBS_len(©) & 1) != 0) { 2450 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 2451 return false; 2452 } 2453 2454 Array<uint16_t> ret; 2455 if (!ret.Init(CBS_len(©) / 2)) { 2456 return false; 2457 } 2458 for (size_t i = 0; i < ret.size(); i++) { 2459 if (!CBS_get_u16(©, &ret[i])) { 2460 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 2461 return false; 2462 } 2463 } 2464 2465 assert(CBS_len(©) == 0); 2466 *out = std::move(ret); 2467 return 1; 2468 } 2469 2470 static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs, 2471 uint8_t *out_alert, 2472 CBS *contents) { 2473 if (contents == NULL) { 2474 return true; 2475 } 2476 2477 CBS supported_group_list; 2478 if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) || 2479 CBS_len(&supported_group_list) == 0 || 2480 CBS_len(contents) != 0 || 2481 !parse_u16_array(&supported_group_list, &hs->peer_supported_group_list)) { 2482 return false; 2483 } 2484 2485 return true; 2486 } 2487 2488 // Token Binding 2489 // 2490 // https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-10 2491 2492 // The Token Binding version number currently matches the draft number of 2493 // draft-ietf-tokbind-protocol, and when published as an RFC it will be 0x0100. 2494 // Since there are no wire changes to the protocol from draft 13 through the 2495 // current draft (16), this implementation supports all versions in that range. 2496 static uint16_t kTokenBindingMaxVersion = 16; 2497 static uint16_t kTokenBindingMinVersion = 13; 2498 2499 static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 2500 SSL *const ssl = hs->ssl; 2501 if (hs->config->token_binding_params.empty() || SSL_is_dtls(ssl)) { 2502 return true; 2503 } 2504 2505 CBB contents, params; 2506 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) || 2507 !CBB_add_u16_length_prefixed(out, &contents) || 2508 !CBB_add_u16(&contents, kTokenBindingMaxVersion) || 2509 !CBB_add_u8_length_prefixed(&contents, ¶ms) || 2510 !CBB_add_bytes(¶ms, hs->config->token_binding_params.data(), 2511 hs->config->token_binding_params.size()) || 2512 !CBB_flush(out)) { 2513 return false; 2514 } 2515 2516 return true; 2517 } 2518 2519 static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs, 2520 uint8_t *out_alert, 2521 CBS *contents) { 2522 SSL *const ssl = hs->ssl; 2523 if (contents == nullptr) { 2524 return true; 2525 } 2526 2527 CBS params_list; 2528 uint16_t version; 2529 uint8_t param; 2530 if (!CBS_get_u16(contents, &version) || 2531 !CBS_get_u8_length_prefixed(contents, ¶ms_list) || 2532 !CBS_get_u8(¶ms_list, ¶m) || 2533 CBS_len(¶ms_list) > 0 || 2534 CBS_len(contents) > 0) { 2535 *out_alert = SSL_AD_DECODE_ERROR; 2536 return false; 2537 } 2538 2539 // The server-negotiated version must be less than or equal to our version. 2540 if (version > kTokenBindingMaxVersion) { 2541 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 2542 return false; 2543 } 2544 2545 // If the server-selected version is less than what we support, then Token 2546 // Binding wasn't negotiated (but the extension was parsed successfully). 2547 if (version < kTokenBindingMinVersion) { 2548 return true; 2549 } 2550 2551 for (uint8_t config_param : hs->config->token_binding_params) { 2552 if (param == config_param) { 2553 ssl->s3->negotiated_token_binding_param = param; 2554 ssl->s3->token_binding_negotiated = true; 2555 return true; 2556 } 2557 } 2558 2559 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 2560 return false; 2561 } 2562 2563 // select_tb_param looks for the first token binding param in 2564 // |hs->ssl->token_binding_params| that is also in |params| and puts it in 2565 // |hs->ssl->negotiated_token_binding_param|. It returns true if a token binding 2566 // param is found, and false otherwise. 2567 static bool select_tb_param(SSL_HANDSHAKE *hs, 2568 Span<const uint8_t> peer_params) { 2569 for (uint8_t tb_param : hs->config->token_binding_params) { 2570 for (uint8_t peer_param : peer_params) { 2571 if (tb_param == peer_param) { 2572 hs->ssl->s3->negotiated_token_binding_param = tb_param; 2573 return true; 2574 } 2575 } 2576 } 2577 return false; 2578 } 2579 2580 static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs, 2581 uint8_t *out_alert, 2582 CBS *contents) { 2583 SSL *const ssl = hs->ssl; 2584 if (contents == nullptr || hs->config->token_binding_params.empty()) { 2585 return true; 2586 } 2587 2588 CBS params; 2589 uint16_t version; 2590 if (!CBS_get_u16(contents, &version) || 2591 !CBS_get_u8_length_prefixed(contents, ¶ms) || 2592 CBS_len(¶ms) == 0 || 2593 CBS_len(contents) > 0) { 2594 *out_alert = SSL_AD_DECODE_ERROR; 2595 return false; 2596 } 2597 2598 // If the client-selected version is less than what we support, then Token 2599 // Binding wasn't negotiated (but the extension was parsed successfully). 2600 if (version < kTokenBindingMinVersion) { 2601 return true; 2602 } 2603 2604 // If the client-selected version is higher than we support, use our max 2605 // version. Otherwise, use the client's version. 2606 hs->negotiated_token_binding_version = 2607 std::min(version, kTokenBindingMaxVersion); 2608 if (!select_tb_param(hs, params)) { 2609 return true; 2610 } 2611 2612 ssl->s3->token_binding_negotiated = true; 2613 return true; 2614 } 2615 2616 static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 2617 SSL *const ssl = hs->ssl; 2618 2619 if (!ssl->s3->token_binding_negotiated) { 2620 return true; 2621 } 2622 2623 CBB contents, params; 2624 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) || 2625 !CBB_add_u16_length_prefixed(out, &contents) || 2626 !CBB_add_u16(&contents, hs->negotiated_token_binding_version) || 2627 !CBB_add_u8_length_prefixed(&contents, ¶ms) || 2628 !CBB_add_u8(¶ms, ssl->s3->negotiated_token_binding_param) || 2629 !CBB_flush(out)) { 2630 return false; 2631 } 2632 2633 return true; 2634 } 2635 2636 // QUIC Transport Parameters 2637 2638 static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs, 2639 CBB *out) { 2640 if (hs->config->quic_transport_params.empty() || 2641 hs->max_version <= TLS1_2_VERSION) { 2642 return true; 2643 } 2644 2645 CBB contents; 2646 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) || 2647 !CBB_add_u16_length_prefixed(out, &contents) || 2648 !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(), 2649 hs->config->quic_transport_params.size()) || 2650 !CBB_flush(out)) { 2651 return false; 2652 } 2653 return true; 2654 } 2655 2656 static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs, 2657 uint8_t *out_alert, 2658 CBS *contents) { 2659 SSL *const ssl = hs->ssl; 2660 if (contents == nullptr) { 2661 return true; 2662 } 2663 // QUIC requires TLS 1.3. 2664 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) { 2665 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 2666 return false; 2667 } 2668 2669 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents); 2670 } 2671 2672 static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs, 2673 uint8_t *out_alert, 2674 CBS *contents) { 2675 SSL *const ssl = hs->ssl; 2676 if (!contents || hs->config->quic_transport_params.empty()) { 2677 return true; 2678 } 2679 // Ignore the extension before TLS 1.3. 2680 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) { 2681 return true; 2682 } 2683 2684 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents); 2685 } 2686 2687 static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs, 2688 CBB *out) { 2689 if (hs->config->quic_transport_params.empty()) { 2690 return true; 2691 } 2692 2693 CBB contents; 2694 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) || 2695 !CBB_add_u16_length_prefixed(out, &contents) || 2696 !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(), 2697 hs->config->quic_transport_params.size()) || 2698 !CBB_flush(out)) { 2699 return false; 2700 } 2701 2702 return true; 2703 } 2704 2705 // Delegated credentials. 2706 // 2707 // https://tools.ietf.org/html/draft-ietf-tls-subcerts 2708 2709 static bool ext_delegated_credential_add_clienthello(SSL_HANDSHAKE *hs, 2710 CBB *out) { 2711 return true; 2712 } 2713 2714 static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs, 2715 uint8_t *out_alert, 2716 CBS *contents) { 2717 assert(TLSEXT_TYPE_delegated_credential == 0xff02); 2718 // TODO: Check that the extension is empty. 2719 // 2720 // As of draft-02, the client sends an empty extension in order indicate 2721 // support for delegated credentials. This could change, however, since the 2722 // spec is not yet finalized. This assertion is here to remind us to enforce 2723 // this check once the extension ID is assigned. 2724 2725 if (contents == nullptr || ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) { 2726 // Don't use delegated credentials unless we're negotiating TLS 1.3 or 2727 // higher. 2728 return true; 2729 } 2730 2731 hs->delegated_credential_requested = true; 2732 return true; 2733 } 2734 2735 // Certificate compression 2736 2737 static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { 2738 bool first = true; 2739 CBB contents, algs; 2740 2741 for (const auto *alg : hs->ssl->ctx->cert_compression_algs.get()) { 2742 if (alg->decompress == nullptr) { 2743 continue; 2744 } 2745 2746 if (first && (!CBB_add_u16(out, TLSEXT_TYPE_cert_compression) || 2747 !CBB_add_u16_length_prefixed(out, &contents) || 2748 !CBB_add_u8_length_prefixed(&contents, &algs))) { 2749 return false; 2750 } 2751 first = false; 2752 if (!CBB_add_u16(&algs, alg->alg_id)) { 2753 return false; 2754 } 2755 } 2756 2757 return first || CBB_flush(out); 2758 } 2759 2760 static bool cert_compression_parse_serverhello(SSL_HANDSHAKE *hs, 2761 uint8_t *out_alert, 2762 CBS *contents) { 2763 if (contents == nullptr) { 2764 return true; 2765 } 2766 2767 // The server may not echo this extension. Any server to client negotiation is 2768 // advertised in the CertificateRequest message. 2769 return false; 2770 } 2771 2772 static bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs, 2773 uint8_t *out_alert, 2774 CBS *contents) { 2775 if (contents == nullptr) { 2776 return true; 2777 } 2778 2779 const size_t num_algs = 2780 sk_CertCompressionAlg_num(hs->ssl->ctx->cert_compression_algs.get()); 2781 2782 CBS alg_ids; 2783 if (!CBS_get_u8_length_prefixed(contents, &alg_ids) || 2784 CBS_len(contents) != 0 || 2785 CBS_len(&alg_ids) == 0 || 2786 CBS_len(&alg_ids) % 2 == 1) { 2787 return false; 2788 } 2789 2790 const size_t num_given_alg_ids = CBS_len(&alg_ids) / 2; 2791 Array<uint16_t> given_alg_ids; 2792 if (!given_alg_ids.Init(num_given_alg_ids)) { 2793 return false; 2794 } 2795 2796 size_t best_index = num_algs; 2797 size_t given_alg_idx = 0; 2798 2799 while (CBS_len(&alg_ids) > 0) { 2800 uint16_t alg_id; 2801 if (!CBS_get_u16(&alg_ids, &alg_id)) { 2802 return false; 2803 } 2804 2805 given_alg_ids[given_alg_idx++] = alg_id; 2806 2807 for (size_t i = 0; i < num_algs; i++) { 2808 const auto *alg = sk_CertCompressionAlg_value( 2809 hs->ssl->ctx->cert_compression_algs.get(), i); 2810 if (alg->alg_id == alg_id && alg->compress != nullptr) { 2811 if (i < best_index) { 2812 best_index = i; 2813 } 2814 break; 2815 } 2816 } 2817 } 2818 2819 qsort(given_alg_ids.data(), given_alg_ids.size(), sizeof(uint16_t), 2820 compare_uint16_t); 2821 for (size_t i = 1; i < num_given_alg_ids; i++) { 2822 if (given_alg_ids[i - 1] == given_alg_ids[i]) { 2823 return false; 2824 } 2825 } 2826 2827 if (best_index < num_algs && 2828 ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) { 2829 hs->cert_compression_negotiated = true; 2830 hs->cert_compression_alg_id = 2831 sk_CertCompressionAlg_value(hs->ssl->ctx->cert_compression_algs.get(), 2832 best_index) 2833 ->alg_id; 2834 } 2835 2836 return true; 2837 } 2838 2839 static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { 2840 return true; 2841 } 2842 2843 // kExtensions contains all the supported extensions. 2844 static const struct tls_extension kExtensions[] = { 2845 { 2846 TLSEXT_TYPE_server_name, 2847 NULL, 2848 ext_sni_add_clienthello, 2849 ext_sni_parse_serverhello, 2850 ext_sni_parse_clienthello, 2851 ext_sni_add_serverhello, 2852 }, 2853 { 2854 TLSEXT_TYPE_extended_master_secret, 2855 NULL, 2856 ext_ems_add_clienthello, 2857 ext_ems_parse_serverhello, 2858 ext_ems_parse_clienthello, 2859 ext_ems_add_serverhello, 2860 }, 2861 { 2862 TLSEXT_TYPE_renegotiate, 2863 NULL, 2864 ext_ri_add_clienthello, 2865 ext_ri_parse_serverhello, 2866 ext_ri_parse_clienthello, 2867 ext_ri_add_serverhello, 2868 }, 2869 { 2870 TLSEXT_TYPE_supported_groups, 2871 NULL, 2872 ext_supported_groups_add_clienthello, 2873 ext_supported_groups_parse_serverhello, 2874 ext_supported_groups_parse_clienthello, 2875 dont_add_serverhello, 2876 }, 2877 { 2878 TLSEXT_TYPE_ec_point_formats, 2879 NULL, 2880 ext_ec_point_add_clienthello, 2881 ext_ec_point_parse_serverhello, 2882 ext_ec_point_parse_clienthello, 2883 ext_ec_point_add_serverhello, 2884 }, 2885 { 2886 TLSEXT_TYPE_session_ticket, 2887 NULL, 2888 ext_ticket_add_clienthello, 2889 ext_ticket_parse_serverhello, 2890 // Ticket extension client parsing is handled in ssl_session.c 2891 ignore_parse_clienthello, 2892 ext_ticket_add_serverhello, 2893 }, 2894 { 2895 TLSEXT_TYPE_application_layer_protocol_negotiation, 2896 NULL, 2897 ext_alpn_add_clienthello, 2898 ext_alpn_parse_serverhello, 2899 // ALPN is negotiated late in |ssl_negotiate_alpn|. 2900 ignore_parse_clienthello, 2901 ext_alpn_add_serverhello, 2902 }, 2903 { 2904 TLSEXT_TYPE_status_request, 2905 NULL, 2906 ext_ocsp_add_clienthello, 2907 ext_ocsp_parse_serverhello, 2908 ext_ocsp_parse_clienthello, 2909 ext_ocsp_add_serverhello, 2910 }, 2911 { 2912 TLSEXT_TYPE_signature_algorithms, 2913 NULL, 2914 ext_sigalgs_add_clienthello, 2915 forbid_parse_serverhello, 2916 ext_sigalgs_parse_clienthello, 2917 dont_add_serverhello, 2918 }, 2919 { 2920 TLSEXT_TYPE_signature_algorithms_cert, 2921 NULL, 2922 ext_sigalgs_cert_add_clienthello, 2923 forbid_parse_serverhello, 2924 ignore_parse_clienthello, 2925 dont_add_serverhello, 2926 }, 2927 { 2928 TLSEXT_TYPE_next_proto_neg, 2929 NULL, 2930 ext_npn_add_clienthello, 2931 ext_npn_parse_serverhello, 2932 ext_npn_parse_clienthello, 2933 ext_npn_add_serverhello, 2934 }, 2935 { 2936 TLSEXT_TYPE_certificate_timestamp, 2937 NULL, 2938 ext_sct_add_clienthello, 2939 ext_sct_parse_serverhello, 2940 ext_sct_parse_clienthello, 2941 ext_sct_add_serverhello, 2942 }, 2943 { 2944 TLSEXT_TYPE_channel_id, 2945 ext_channel_id_init, 2946 ext_channel_id_add_clienthello, 2947 ext_channel_id_parse_serverhello, 2948 ext_channel_id_parse_clienthello, 2949 ext_channel_id_add_serverhello, 2950 }, 2951 { 2952 TLSEXT_TYPE_srtp, 2953 ext_srtp_init, 2954 ext_srtp_add_clienthello, 2955 ext_srtp_parse_serverhello, 2956 ext_srtp_parse_clienthello, 2957 ext_srtp_add_serverhello, 2958 }, 2959 { 2960 TLSEXT_TYPE_key_share, 2961 NULL, 2962 ext_key_share_add_clienthello, 2963 forbid_parse_serverhello, 2964 ignore_parse_clienthello, 2965 dont_add_serverhello, 2966 }, 2967 { 2968 TLSEXT_TYPE_psk_key_exchange_modes, 2969 NULL, 2970 ext_psk_key_exchange_modes_add_clienthello, 2971 forbid_parse_serverhello, 2972 ext_psk_key_exchange_modes_parse_clienthello, 2973 dont_add_serverhello, 2974 }, 2975 { 2976 TLSEXT_TYPE_early_data, 2977 NULL, 2978 ext_early_data_add_clienthello, 2979 ext_early_data_parse_serverhello, 2980 ext_early_data_parse_clienthello, 2981 ext_early_data_add_serverhello, 2982 }, 2983 { 2984 TLSEXT_TYPE_supported_versions, 2985 NULL, 2986 ext_supported_versions_add_clienthello, 2987 forbid_parse_serverhello, 2988 ignore_parse_clienthello, 2989 dont_add_serverhello, 2990 }, 2991 { 2992 TLSEXT_TYPE_cookie, 2993 NULL, 2994 ext_cookie_add_clienthello, 2995 forbid_parse_serverhello, 2996 ignore_parse_clienthello, 2997 dont_add_serverhello, 2998 }, 2999 { 3000 TLSEXT_TYPE_quic_transport_parameters, 3001 NULL, 3002 ext_quic_transport_params_add_clienthello, 3003 ext_quic_transport_params_parse_serverhello, 3004 ext_quic_transport_params_parse_clienthello, 3005 ext_quic_transport_params_add_serverhello, 3006 }, 3007 { 3008 TLSEXT_TYPE_token_binding, 3009 NULL, 3010 ext_token_binding_add_clienthello, 3011 ext_token_binding_parse_serverhello, 3012 ext_token_binding_parse_clienthello, 3013 ext_token_binding_add_serverhello, 3014 }, 3015 { 3016 TLSEXT_TYPE_cert_compression, 3017 NULL, 3018 cert_compression_add_clienthello, 3019 cert_compression_parse_serverhello, 3020 cert_compression_parse_clienthello, 3021 cert_compression_add_serverhello, 3022 }, 3023 { 3024 TLSEXT_TYPE_delegated_credential, 3025 NULL, 3026 ext_delegated_credential_add_clienthello, 3027 forbid_parse_serverhello, 3028 ext_delegated_credential_parse_clienthello, 3029 dont_add_serverhello, 3030 }, 3031 }; 3032 3033 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension)) 3034 3035 static_assert(kNumExtensions <= 3036 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.sent) * 8, 3037 "too many extensions for sent bitset"); 3038 static_assert(kNumExtensions <= 3039 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8, 3040 "too many extensions for received bitset"); 3041 3042 static const struct tls_extension *tls_extension_find(uint32_t *out_index, 3043 uint16_t value) { 3044 unsigned i; 3045 for (i = 0; i < kNumExtensions; i++) { 3046 if (kExtensions[i].value == value) { 3047 *out_index = i; 3048 return &kExtensions[i]; 3049 } 3050 } 3051 3052 return NULL; 3053 } 3054 3055 bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, 3056 size_t header_len) { 3057 SSL *const ssl = hs->ssl; 3058 CBB extensions; 3059 if (!CBB_add_u16_length_prefixed(out, &extensions)) { 3060 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 3061 return false; 3062 } 3063 3064 hs->extensions.sent = 0; 3065 3066 for (size_t i = 0; i < kNumExtensions; i++) { 3067 if (kExtensions[i].init != NULL) { 3068 kExtensions[i].init(hs); 3069 } 3070 } 3071 3072 uint16_t grease_ext1 = 0; 3073 if (ssl->ctx->grease_enabled) { 3074 // Add a fake empty extension. See draft-davidben-tls-grease-01. 3075 grease_ext1 = ssl_get_grease_value(hs, ssl_grease_extension1); 3076 if (!CBB_add_u16(&extensions, grease_ext1) || 3077 !CBB_add_u16(&extensions, 0 /* zero length */)) { 3078 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 3079 return false; 3080 } 3081 } 3082 3083 bool last_was_empty = false; 3084 for (size_t i = 0; i < kNumExtensions; i++) { 3085 const size_t len_before = CBB_len(&extensions); 3086 if (!kExtensions[i].add_clienthello(hs, &extensions)) { 3087 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION); 3088 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value); 3089 return false; 3090 } 3091 3092 const size_t bytes_written = CBB_len(&extensions) - len_before; 3093 if (bytes_written != 0) { 3094 hs->extensions.sent |= (1u << i); 3095 } 3096 // If the difference in lengths is only four bytes then the extension had 3097 // an empty body. 3098 last_was_empty = (bytes_written == 4); 3099 } 3100 3101 if (ssl->ctx->grease_enabled) { 3102 // Add a fake non-empty extension. See draft-davidben-tls-grease-01. 3103 uint16_t grease_ext2 = ssl_get_grease_value(hs, ssl_grease_extension2); 3104 3105 // The two fake extensions must not have the same value. GREASE values are 3106 // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different 3107 // one. 3108 if (grease_ext1 == grease_ext2) { 3109 grease_ext2 ^= 0x1010; 3110 } 3111 3112 if (!CBB_add_u16(&extensions, grease_ext2) || 3113 !CBB_add_u16(&extensions, 1 /* one byte length */) || 3114 !CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) { 3115 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 3116 return false; 3117 } 3118 3119 last_was_empty = false; 3120 } 3121 3122 if (!SSL_is_dtls(ssl)) { 3123 size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs); 3124 header_len += 2 + CBB_len(&extensions) + psk_extension_len; 3125 size_t padding_len = 0; 3126 3127 // The final extension must be non-empty. WebSphere Application 3128 // Server 7.0 is intolerant to the last extension being zero-length. See 3129 // https://crbug.com/363583. 3130 if (last_was_empty && psk_extension_len == 0) { 3131 padding_len = 1; 3132 // The addition of the padding extension may push us into the F5 bug. 3133 header_len += 4 + padding_len; 3134 } 3135 3136 // Add padding to workaround bugs in F5 terminators. See RFC 7685. 3137 // 3138 // NB: because this code works out the length of all existing extensions 3139 // it MUST always appear last (save for any PSK extension). 3140 if (header_len > 0xff && header_len < 0x200) { 3141 // If our calculations already included a padding extension, remove that 3142 // factor because we're about to change its length. 3143 if (padding_len != 0) { 3144 header_len -= 4 + padding_len; 3145 } 3146 padding_len = 0x200 - header_len; 3147 // Extensions take at least four bytes to encode. Always include at least 3148 // one byte of data if including the extension. WebSphere Application 3149 // Server 7.0 is intolerant to the last extension being zero-length. See 3150 // https://crbug.com/363583. 3151 if (padding_len >= 4 + 1) { 3152 padding_len -= 4; 3153 } else { 3154 padding_len = 1; 3155 } 3156 } 3157 3158 if (padding_len != 0) { 3159 uint8_t *padding_bytes; 3160 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_padding) || 3161 !CBB_add_u16(&extensions, padding_len) || 3162 !CBB_add_space(&extensions, &padding_bytes, padding_len)) { 3163 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 3164 return false; 3165 } 3166 3167 OPENSSL_memset(padding_bytes, 0, padding_len); 3168 } 3169 } 3170 3171 // The PSK extension must be last, including after the padding. 3172 if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) { 3173 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 3174 return false; 3175 } 3176 3177 // Discard empty extensions blocks. 3178 if (CBB_len(&extensions) == 0) { 3179 CBB_discard_child(out); 3180 } 3181 3182 return CBB_flush(out); 3183 } 3184 3185 bool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) { 3186 SSL *const ssl = hs->ssl; 3187 CBB extensions; 3188 if (!CBB_add_u16_length_prefixed(out, &extensions)) { 3189 goto err; 3190 } 3191 3192 for (unsigned i = 0; i < kNumExtensions; i++) { 3193 if (!(hs->extensions.received & (1u << i))) { 3194 // Don't send extensions that were not received. 3195 continue; 3196 } 3197 3198 if (!kExtensions[i].add_serverhello(hs, &extensions)) { 3199 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION); 3200 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value); 3201 goto err; 3202 } 3203 } 3204 3205 // Discard empty extensions blocks before TLS 1.3. 3206 if (ssl_protocol_version(ssl) < TLS1_3_VERSION && 3207 CBB_len(&extensions) == 0) { 3208 CBB_discard_child(out); 3209 } 3210 3211 return CBB_flush(out); 3212 3213 err: 3214 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 3215 return false; 3216 } 3217 3218 static bool ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs, 3219 const SSL_CLIENT_HELLO *client_hello, 3220 int *out_alert) { 3221 for (size_t i = 0; i < kNumExtensions; i++) { 3222 if (kExtensions[i].init != NULL) { 3223 kExtensions[i].init(hs); 3224 } 3225 } 3226 3227 hs->extensions.received = 0; 3228 CBS extensions; 3229 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len); 3230 while (CBS_len(&extensions) != 0) { 3231 uint16_t type; 3232 CBS extension; 3233 3234 // Decode the next extension. 3235 if (!CBS_get_u16(&extensions, &type) || 3236 !CBS_get_u16_length_prefixed(&extensions, &extension)) { 3237 *out_alert = SSL_AD_DECODE_ERROR; 3238 return false; 3239 } 3240 3241 unsigned ext_index; 3242 const struct tls_extension *const ext = 3243 tls_extension_find(&ext_index, type); 3244 if (ext == NULL) { 3245 continue; 3246 } 3247 3248 hs->extensions.received |= (1u << ext_index); 3249 uint8_t alert = SSL_AD_DECODE_ERROR; 3250 if (!ext->parse_clienthello(hs, &alert, &extension)) { 3251 *out_alert = alert; 3252 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION); 3253 ERR_add_error_dataf("extension %u", (unsigned)type); 3254 return false; 3255 } 3256 } 3257 3258 for (size_t i = 0; i < kNumExtensions; i++) { 3259 if (hs->extensions.received & (1u << i)) { 3260 continue; 3261 } 3262 3263 CBS *contents = NULL, fake_contents; 3264 static const uint8_t kFakeRenegotiateExtension[] = {0}; 3265 if (kExtensions[i].value == TLSEXT_TYPE_renegotiate && 3266 ssl_client_cipher_list_contains_cipher(client_hello, 3267 SSL3_CK_SCSV & 0xffff)) { 3268 // The renegotiation SCSV was received so pretend that we received a 3269 // renegotiation extension. 3270 CBS_init(&fake_contents, kFakeRenegotiateExtension, 3271 sizeof(kFakeRenegotiateExtension)); 3272 contents = &fake_contents; 3273 hs->extensions.received |= (1u << i); 3274 } 3275 3276 // Extension wasn't observed so call the callback with a NULL 3277 // parameter. 3278 uint8_t alert = SSL_AD_DECODE_ERROR; 3279 if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) { 3280 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION); 3281 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value); 3282 *out_alert = alert; 3283 return false; 3284 } 3285 } 3286 3287 return true; 3288 } 3289 3290 bool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs, 3291 const SSL_CLIENT_HELLO *client_hello) { 3292 SSL *const ssl = hs->ssl; 3293 int alert = SSL_AD_DECODE_ERROR; 3294 if (!ssl_scan_clienthello_tlsext(hs, client_hello, &alert)) { 3295 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 3296 return false; 3297 } 3298 3299 if (!ssl_check_clienthello_tlsext(hs)) { 3300 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT); 3301 return false; 3302 } 3303 3304 return true; 3305 } 3306 3307 static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs, 3308 int *out_alert) { 3309 SSL *const ssl = hs->ssl; 3310 // Before TLS 1.3, ServerHello extensions blocks may be omitted if empty. 3311 if (CBS_len(cbs) == 0 && ssl_protocol_version(ssl) < TLS1_3_VERSION) { 3312 return true; 3313 } 3314 3315 // Decode the extensions block and check it is valid. 3316 CBS extensions; 3317 if (!CBS_get_u16_length_prefixed(cbs, &extensions) || 3318 !tls1_check_duplicate_extensions(&extensions)) { 3319 *out_alert = SSL_AD_DECODE_ERROR; 3320 return false; 3321 } 3322 3323 uint32_t received = 0; 3324 while (CBS_len(&extensions) != 0) { 3325 uint16_t type; 3326 CBS extension; 3327 3328 // Decode the next extension. 3329 if (!CBS_get_u16(&extensions, &type) || 3330 !CBS_get_u16_length_prefixed(&extensions, &extension)) { 3331 *out_alert = SSL_AD_DECODE_ERROR; 3332 return false; 3333 } 3334 3335 unsigned ext_index; 3336 const struct tls_extension *const ext = 3337 tls_extension_find(&ext_index, type); 3338 3339 if (ext == NULL) { 3340 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 3341 ERR_add_error_dataf("extension %u", (unsigned)type); 3342 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 3343 return false; 3344 } 3345 3346 static_assert(kNumExtensions <= sizeof(hs->extensions.sent) * 8, 3347 "too many bits"); 3348 3349 if (!(hs->extensions.sent & (1u << ext_index))) { 3350 // If the extension was never sent then it is illegal. 3351 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 3352 ERR_add_error_dataf("extension :%u", (unsigned)type); 3353 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; 3354 return false; 3355 } 3356 3357 received |= (1u << ext_index); 3358 3359 uint8_t alert = SSL_AD_DECODE_ERROR; 3360 if (!ext->parse_serverhello(hs, &alert, &extension)) { 3361 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION); 3362 ERR_add_error_dataf("extension %u", (unsigned)type); 3363 *out_alert = alert; 3364 return false; 3365 } 3366 } 3367 3368 for (size_t i = 0; i < kNumExtensions; i++) { 3369 if (!(received & (1u << i))) { 3370 // Extension wasn't observed so call the callback with a NULL 3371 // parameter. 3372 uint8_t alert = SSL_AD_DECODE_ERROR; 3373 if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) { 3374 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION); 3375 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value); 3376 *out_alert = alert; 3377 return false; 3378 } 3379 } 3380 } 3381 3382 return true; 3383 } 3384 3385 static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) { 3386 SSL *const ssl = hs->ssl; 3387 3388 if (ssl->s3->token_binding_negotiated && 3389 !(SSL_get_secure_renegotiation_support(ssl) && 3390 SSL_get_extms_support(ssl))) { 3391 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI); 3392 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); 3393 return false; 3394 } 3395 3396 int ret = SSL_TLSEXT_ERR_NOACK; 3397 int al = SSL_AD_UNRECOGNIZED_NAME; 3398 3399 if (ssl->ctx->servername_callback != 0) { 3400 ret = ssl->ctx->servername_callback(ssl, &al, ssl->ctx->servername_arg); 3401 } else if (ssl->session_ctx->servername_callback != 0) { 3402 ret = ssl->session_ctx->servername_callback( 3403 ssl, &al, ssl->session_ctx->servername_arg); 3404 } 3405 3406 switch (ret) { 3407 case SSL_TLSEXT_ERR_ALERT_FATAL: 3408 ssl_send_alert(ssl, SSL3_AL_FATAL, al); 3409 return false; 3410 3411 case SSL_TLSEXT_ERR_NOACK: 3412 hs->should_ack_sni = false; 3413 return true; 3414 3415 default: 3416 return true; 3417 } 3418 } 3419 3420 bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) { 3421 SSL *const ssl = hs->ssl; 3422 int alert = SSL_AD_DECODE_ERROR; 3423 if (!ssl_scan_serverhello_tlsext(hs, cbs, &alert)) { 3424 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 3425 return false; 3426 } 3427 3428 return true; 3429 } 3430 3431 static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx( 3432 Array<uint8_t> *out, EVP_CIPHER_CTX *cipher_ctx, HMAC_CTX *hmac_ctx, 3433 Span<const uint8_t> ticket) { 3434 size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx); 3435 3436 // Check the MAC at the end of the ticket. 3437 uint8_t mac[EVP_MAX_MD_SIZE]; 3438 size_t mac_len = HMAC_size(hmac_ctx); 3439 if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) { 3440 // The ticket must be large enough for key name, IV, data, and MAC. 3441 return ssl_ticket_aead_ignore_ticket; 3442 } 3443 // Split the ticket into the ticket and the MAC. 3444 auto ticket_mac = ticket.subspan(ticket.size() - mac_len); 3445 ticket = ticket.subspan(0, ticket.size() - mac_len); 3446 HMAC_Update(hmac_ctx, ticket.data(), ticket.size()); 3447 HMAC_Final(hmac_ctx, mac, NULL); 3448 assert(mac_len == ticket_mac.size()); 3449 bool mac_ok = CRYPTO_memcmp(mac, ticket_mac.data(), mac_len) == 0; 3450 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 3451 mac_ok = true; 3452 #endif 3453 if (!mac_ok) { 3454 return ssl_ticket_aead_ignore_ticket; 3455 } 3456 3457 // Decrypt the session data. 3458 auto ciphertext = ticket.subspan(SSL_TICKET_KEY_NAME_LEN + iv_len); 3459 Array<uint8_t> plaintext; 3460 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 3461 if (!plaintext.CopyFrom(ciphertext)) { 3462 return ssl_ticket_aead_error; 3463 } 3464 #else 3465 if (ciphertext.size() >= INT_MAX) { 3466 return ssl_ticket_aead_ignore_ticket; 3467 } 3468 if (!plaintext.Init(ciphertext.size())) { 3469 return ssl_ticket_aead_error; 3470 } 3471 int len1, len2; 3472 if (!EVP_DecryptUpdate(cipher_ctx, plaintext.data(), &len1, ciphertext.data(), 3473 (int)ciphertext.size()) || 3474 !EVP_DecryptFinal_ex(cipher_ctx, plaintext.data() + len1, &len2)) { 3475 ERR_clear_error(); 3476 return ssl_ticket_aead_ignore_ticket; 3477 } 3478 plaintext.Shrink(static_cast<size_t>(len1) + len2); 3479 #endif 3480 3481 *out = std::move(plaintext); 3482 return ssl_ticket_aead_success; 3483 } 3484 3485 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb( 3486 SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket, 3487 Span<const uint8_t> ticket) { 3488 assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH); 3489 ScopedEVP_CIPHER_CTX cipher_ctx; 3490 ScopedHMAC_CTX hmac_ctx; 3491 auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN); 3492 // The actual IV is shorter, but the length is determined by the callback's 3493 // chosen cipher. Instead we pass in |EVP_MAX_IV_LENGTH| worth of IV to ensure 3494 // the callback has enough. 3495 auto iv = ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_MAX_IV_LENGTH); 3496 int cb_ret = hs->ssl->session_ctx->ticket_key_cb( 3497 hs->ssl, const_cast<uint8_t *>(name.data()), 3498 const_cast<uint8_t *>(iv.data()), cipher_ctx.get(), hmac_ctx.get(), 3499 0 /* decrypt */); 3500 if (cb_ret < 0) { 3501 return ssl_ticket_aead_error; 3502 } else if (cb_ret == 0) { 3503 return ssl_ticket_aead_ignore_ticket; 3504 } else if (cb_ret == 2) { 3505 *out_renew_ticket = true; 3506 } else { 3507 assert(cb_ret == 1); 3508 } 3509 return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(), 3510 ticket); 3511 } 3512 3513 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys( 3514 SSL_HANDSHAKE *hs, Array<uint8_t> *out, Span<const uint8_t> ticket) { 3515 assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH); 3516 SSL_CTX *ctx = hs->ssl->session_ctx.get(); 3517 3518 // Rotate the ticket key if necessary. 3519 if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) { 3520 return ssl_ticket_aead_error; 3521 } 3522 3523 const EVP_CIPHER *cipher = EVP_aes_128_cbc(); 3524 auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN); 3525 auto iv = 3526 ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_CIPHER_iv_length(cipher)); 3527 3528 // Pick the matching ticket key and decrypt. 3529 ScopedEVP_CIPHER_CTX cipher_ctx; 3530 ScopedHMAC_CTX hmac_ctx; 3531 { 3532 MutexReadLock lock(&ctx->lock); 3533 const TicketKey *key; 3534 if (ctx->ticket_key_current && name == ctx->ticket_key_current->name) { 3535 key = ctx->ticket_key_current.get(); 3536 } else if (ctx->ticket_key_prev && name == ctx->ticket_key_prev->name) { 3537 key = ctx->ticket_key_prev.get(); 3538 } else { 3539 return ssl_ticket_aead_ignore_ticket; 3540 } 3541 if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key), 3542 tlsext_tick_md(), NULL) || 3543 !EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL, 3544 key->aes_key, iv.data())) { 3545 return ssl_ticket_aead_error; 3546 } 3547 } 3548 return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(), 3549 ticket); 3550 } 3551 3552 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method( 3553 SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket, 3554 Span<const uint8_t> ticket) { 3555 Array<uint8_t> plaintext; 3556 if (!plaintext.Init(ticket.size())) { 3557 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 3558 return ssl_ticket_aead_error; 3559 } 3560 3561 size_t plaintext_len; 3562 const enum ssl_ticket_aead_result_t result = 3563 hs->ssl->session_ctx->ticket_aead_method->open( 3564 hs->ssl, plaintext.data(), &plaintext_len, ticket.size(), 3565 ticket.data(), ticket.size()); 3566 if (result != ssl_ticket_aead_success) { 3567 return result; 3568 } 3569 3570 plaintext.Shrink(plaintext_len); 3571 *out = std::move(plaintext); 3572 return ssl_ticket_aead_success; 3573 } 3574 3575 enum ssl_ticket_aead_result_t ssl_process_ticket( 3576 SSL_HANDSHAKE *hs, UniquePtr<SSL_SESSION> *out_session, 3577 bool *out_renew_ticket, Span<const uint8_t> ticket, 3578 Span<const uint8_t> session_id) { 3579 *out_renew_ticket = false; 3580 out_session->reset(); 3581 3582 if ((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) || 3583 session_id.size() > SSL_MAX_SSL_SESSION_ID_LENGTH) { 3584 return ssl_ticket_aead_ignore_ticket; 3585 } 3586 3587 Array<uint8_t> plaintext; 3588 enum ssl_ticket_aead_result_t result; 3589 if (hs->ssl->session_ctx->ticket_aead_method != NULL) { 3590 result = ssl_decrypt_ticket_with_method(hs, &plaintext, out_renew_ticket, 3591 ticket); 3592 } else { 3593 // Ensure there is room for the key name and the largest IV |ticket_key_cb| 3594 // may try to consume. The real limit may be lower, but the maximum IV 3595 // length should be well under the minimum size for the session material and 3596 // HMAC. 3597 if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) { 3598 return ssl_ticket_aead_ignore_ticket; 3599 } 3600 if (hs->ssl->session_ctx->ticket_key_cb != NULL) { 3601 result = 3602 ssl_decrypt_ticket_with_cb(hs, &plaintext, out_renew_ticket, ticket); 3603 } else { 3604 result = ssl_decrypt_ticket_with_ticket_keys(hs, &plaintext, ticket); 3605 } 3606 } 3607 3608 if (result != ssl_ticket_aead_success) { 3609 return result; 3610 } 3611 3612 // Decode the session. 3613 UniquePtr<SSL_SESSION> session(SSL_SESSION_from_bytes( 3614 plaintext.data(), plaintext.size(), hs->ssl->ctx.get())); 3615 if (!session) { 3616 ERR_clear_error(); // Don't leave an error on the queue. 3617 return ssl_ticket_aead_ignore_ticket; 3618 } 3619 3620 // Copy the client's session ID into the new session, to denote the ticket has 3621 // been accepted. 3622 OPENSSL_memcpy(session->session_id, session_id.data(), session_id.size()); 3623 session->session_id_length = session_id.size(); 3624 3625 *out_session = std::move(session); 3626 return ssl_ticket_aead_success; 3627 } 3628 3629 bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) { 3630 // Extension ignored for inappropriate versions 3631 if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) { 3632 return true; 3633 } 3634 3635 // In all contexts, the signature algorithms list may not be empty. (It may be 3636 // omitted by clients in TLS 1.2, but then the entire extension is omitted.) 3637 return CBS_len(in_sigalgs) != 0 && 3638 parse_u16_array(in_sigalgs, &hs->peer_sigalgs); 3639 } 3640 3641 bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) { 3642 switch (EVP_PKEY_id(pkey)) { 3643 case EVP_PKEY_RSA: 3644 *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1; 3645 return true; 3646 case EVP_PKEY_EC: 3647 *out = SSL_SIGN_ECDSA_SHA1; 3648 return true; 3649 default: 3650 return false; 3651 } 3652 } 3653 3654 bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) { 3655 SSL *const ssl = hs->ssl; 3656 CERT *cert = hs->config->cert.get(); 3657 DC *dc = cert->dc.get(); 3658 3659 // Before TLS 1.2, the signature algorithm isn't negotiated as part of the 3660 // handshake. 3661 if (ssl_protocol_version(ssl) < TLS1_2_VERSION) { 3662 if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) { 3663 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS); 3664 return false; 3665 } 3666 return true; 3667 } 3668 3669 Span<const uint16_t> sigalgs = kSignSignatureAlgorithms; 3670 if (ssl_signing_with_dc(hs)) { 3671 sigalgs = MakeConstSpan(&dc->expected_cert_verify_algorithm, 1); 3672 } else if (!cert->sigalgs.empty()) { 3673 sigalgs = cert->sigalgs; 3674 } 3675 3676 Span<const uint16_t> peer_sigalgs = tls1_get_peer_verify_algorithms(hs); 3677 3678 for (uint16_t sigalg : sigalgs) { 3679 // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be 3680 // negotiated. 3681 if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 || 3682 !ssl_private_key_supports_signature_algorithm(hs, sigalg)) { 3683 continue; 3684 } 3685 3686 for (uint16_t peer_sigalg : peer_sigalgs) { 3687 if (sigalg == peer_sigalg) { 3688 *out = sigalg; 3689 return true; 3690 } 3691 } 3692 } 3693 3694 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS); 3695 return false; 3696 } 3697 3698 Span<const uint16_t> tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE *hs) { 3699 Span<const uint16_t> peer_sigalgs = hs->peer_sigalgs; 3700 if (peer_sigalgs.empty() && ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) { 3701 // If the client didn't specify any signature_algorithms extension then 3702 // we can assume that it supports SHA1. See 3703 // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 3704 static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1, 3705 SSL_SIGN_ECDSA_SHA1}; 3706 peer_sigalgs = kDefaultPeerAlgorithms; 3707 } 3708 return peer_sigalgs; 3709 } 3710 3711 bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) { 3712 SSL *const ssl = hs->ssl; 3713 // A Channel ID handshake message is structured to contain multiple 3714 // extensions, but the only one that can be present is Channel ID. 3715 uint16_t extension_type; 3716 CBS channel_id = msg.body, extension; 3717 if (!CBS_get_u16(&channel_id, &extension_type) || 3718 !CBS_get_u16_length_prefixed(&channel_id, &extension) || 3719 CBS_len(&channel_id) != 0 || 3720 extension_type != TLSEXT_TYPE_channel_id || 3721 CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) { 3722 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 3723 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 3724 return false; 3725 } 3726 3727 UniquePtr<EC_GROUP> p256(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); 3728 if (!p256) { 3729 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT); 3730 return false; 3731 } 3732 3733 UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new()); 3734 UniquePtr<BIGNUM> x(BN_new()), y(BN_new()); 3735 if (!sig || !x || !y) { 3736 return false; 3737 } 3738 3739 const uint8_t *p = CBS_data(&extension); 3740 if (BN_bin2bn(p + 0, 32, x.get()) == NULL || 3741 BN_bin2bn(p + 32, 32, y.get()) == NULL || 3742 BN_bin2bn(p + 64, 32, sig->r) == NULL || 3743 BN_bin2bn(p + 96, 32, sig->s) == NULL) { 3744 return false; 3745 } 3746 3747 UniquePtr<EC_KEY> key(EC_KEY_new()); 3748 UniquePtr<EC_POINT> point(EC_POINT_new(p256.get())); 3749 if (!key || !point || 3750 !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(), 3751 y.get(), nullptr) || 3752 !EC_KEY_set_group(key.get(), p256.get()) || 3753 !EC_KEY_set_public_key(key.get(), point.get())) { 3754 return false; 3755 } 3756 3757 uint8_t digest[EVP_MAX_MD_SIZE]; 3758 size_t digest_len; 3759 if (!tls1_channel_id_hash(hs, digest, &digest_len)) { 3760 return false; 3761 } 3762 3763 bool sig_ok = ECDSA_do_verify(digest, digest_len, sig.get(), key.get()); 3764 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 3765 sig_ok = true; 3766 ERR_clear_error(); 3767 #endif 3768 if (!sig_ok) { 3769 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID); 3770 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); 3771 ssl->s3->channel_id_valid = false; 3772 return false; 3773 } 3774 3775 OPENSSL_memcpy(ssl->s3->channel_id, p, 64); 3776 return true; 3777 } 3778 3779 bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) { 3780 uint8_t digest[EVP_MAX_MD_SIZE]; 3781 size_t digest_len; 3782 if (!tls1_channel_id_hash(hs, digest, &digest_len)) { 3783 return false; 3784 } 3785 3786 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(hs->config->channel_id_private.get()); 3787 if (ec_key == nullptr) { 3788 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 3789 return false; 3790 } 3791 3792 UniquePtr<BIGNUM> x(BN_new()), y(BN_new()); 3793 if (!x || !y || 3794 !EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec_key), 3795 EC_KEY_get0_public_key(ec_key), 3796 x.get(), y.get(), nullptr)) { 3797 return false; 3798 } 3799 3800 UniquePtr<ECDSA_SIG> sig(ECDSA_do_sign(digest, digest_len, ec_key)); 3801 if (!sig) { 3802 return false; 3803 } 3804 3805 CBB child; 3806 if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) || 3807 !CBB_add_u16_length_prefixed(cbb, &child) || 3808 !BN_bn2cbb_padded(&child, 32, x.get()) || 3809 !BN_bn2cbb_padded(&child, 32, y.get()) || 3810 !BN_bn2cbb_padded(&child, 32, sig->r) || 3811 !BN_bn2cbb_padded(&child, 32, sig->s) || 3812 !CBB_flush(cbb)) { 3813 return false; 3814 } 3815 3816 return true; 3817 } 3818 3819 bool tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) { 3820 SSL *const ssl = hs->ssl; 3821 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { 3822 Array<uint8_t> msg; 3823 if (!tls13_get_cert_verify_signature_input(hs, &msg, 3824 ssl_cert_verify_channel_id)) { 3825 return false; 3826 } 3827 SHA256(msg.data(), msg.size(), out); 3828 *out_len = SHA256_DIGEST_LENGTH; 3829 return true; 3830 } 3831 3832 SHA256_CTX ctx; 3833 3834 SHA256_Init(&ctx); 3835 static const char kClientIDMagic[] = "TLS Channel ID signature"; 3836 SHA256_Update(&ctx, kClientIDMagic, sizeof(kClientIDMagic)); 3837 3838 if (ssl->session != NULL) { 3839 static const char kResumptionMagic[] = "Resumption"; 3840 SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic)); 3841 if (ssl->session->original_handshake_hash_len == 0) { 3842 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 3843 return false; 3844 } 3845 SHA256_Update(&ctx, ssl->session->original_handshake_hash, 3846 ssl->session->original_handshake_hash_len); 3847 } 3848 3849 uint8_t hs_hash[EVP_MAX_MD_SIZE]; 3850 size_t hs_hash_len; 3851 if (!hs->transcript.GetHash(hs_hash, &hs_hash_len)) { 3852 return false; 3853 } 3854 SHA256_Update(&ctx, hs_hash, (size_t)hs_hash_len); 3855 SHA256_Final(out, &ctx); 3856 *out_len = SHA256_DIGEST_LENGTH; 3857 return true; 3858 } 3859 3860 bool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) { 3861 SSL *const ssl = hs->ssl; 3862 // This function should never be called for a resumed session because the 3863 // handshake hashes that we wish to record are for the original, full 3864 // handshake. 3865 if (ssl->session != NULL) { 3866 return false; 3867 } 3868 3869 static_assert( 3870 sizeof(hs->new_session->original_handshake_hash) == EVP_MAX_MD_SIZE, 3871 "original_handshake_hash is too small"); 3872 3873 size_t digest_len; 3874 if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash, 3875 &digest_len)) { 3876 return false; 3877 } 3878 3879 static_assert(EVP_MAX_MD_SIZE <= 0xff, 3880 "EVP_MAX_MD_SIZE does not fit in uint8_t"); 3881 hs->new_session->original_handshake_hash_len = (uint8_t)digest_len; 3882 3883 return true; 3884 } 3885 3886 bool ssl_do_channel_id_callback(SSL_HANDSHAKE *hs) { 3887 if (hs->config->channel_id_private != NULL || 3888 hs->ssl->ctx->channel_id_cb == NULL) { 3889 return true; 3890 } 3891 3892 EVP_PKEY *key = NULL; 3893 hs->ssl->ctx->channel_id_cb(hs->ssl, &key); 3894 if (key == NULL) { 3895 // The caller should try again later. 3896 return true; 3897 } 3898 3899 UniquePtr<EVP_PKEY> free_key(key); 3900 return SSL_set1_tls_channel_id(hs->ssl, key); 3901 } 3902 3903 bool ssl_is_sct_list_valid(const CBS *contents) { 3904 // Shallow parse the SCT list for sanity. By the RFC 3905 // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any 3906 // of the SCTs may be empty. 3907 CBS copy = *contents; 3908 CBS sct_list; 3909 if (!CBS_get_u16_length_prefixed(©, &sct_list) || 3910 CBS_len(©) != 0 || 3911 CBS_len(&sct_list) == 0) { 3912 return false; 3913 } 3914 3915 while (CBS_len(&sct_list) > 0) { 3916 CBS sct; 3917 if (!CBS_get_u16_length_prefixed(&sct_list, &sct) || 3918 CBS_len(&sct) == 0) { 3919 return false; 3920 } 3921 } 3922 3923 return true; 3924 } 3925 3926 BSSL_NAMESPACE_END 3927 3928 using namespace bssl; 3929 3930 int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello, 3931 uint16_t extension_type, 3932 const uint8_t **out_data, 3933 size_t *out_len) { 3934 CBS cbs; 3935 if (!ssl_client_hello_get_extension(client_hello, &cbs, extension_type)) { 3936 return 0; 3937 } 3938 3939 *out_data = CBS_data(&cbs); 3940 *out_len = CBS_len(&cbs); 3941 return 1; 3942 } 3943 3944 void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) { 3945 ctx->ed25519_enabled = !!enabled; 3946 } 3947 3948 void SSL_CTX_set_rsa_pss_rsae_certs_enabled(SSL_CTX *ctx, int enabled) { 3949 ctx->rsa_pss_rsae_certs_enabled = !!enabled; 3950 } 3951