1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109#include <openssl/ssl.h>
110
111#include <assert.h>
112#include <limits.h>
113#include <stdlib.h>
114#include <string.h>
115
116#include <utility>
117
118#include <openssl/bytestring.h>
119#include <openssl/chacha.h>
120#include <openssl/digest.h>
121#include <openssl/err.h>
122#include <openssl/evp.h>
123#include <openssl/hmac.h>
124#include <openssl/mem.h>
125#include <openssl/nid.h>
126#include <openssl/rand.h>
127
128#include "internal.h"
129#include "../crypto/internal.h"
130
131
132BSSL_NAMESPACE_BEGIN
133
134static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);
135
136static int compare_uint16_t(const void *p1, const void *p2) {
137 uint16_t u1 = *((const uint16_t *)p1);
138 uint16_t u2 = *((const uint16_t *)p2);
139 if (u1 < u2) {
140 return -1;
141 } else if (u1 > u2) {
142 return 1;
143 } else {
144 return 0;
145 }
146}
147
148// Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
149// more than one extension of the same type in a ClientHello or ServerHello.
150// This function does an initial scan over the extensions block to filter those
151// out.
152static bool tls1_check_duplicate_extensions(const CBS *cbs) {
153 // First pass: count the extensions.
154 size_t num_extensions = 0;
155 CBS extensions = *cbs;
156 while (CBS_len(&extensions) > 0) {
157 uint16_t type;
158 CBS extension;
159
160 if (!CBS_get_u16(&extensions, &type) ||
161 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
162 return false;
163 }
164
165 num_extensions++;
166 }
167
168 if (num_extensions == 0) {
169 return true;
170 }
171
172 Array<uint16_t> extension_types;
173 if (!extension_types.Init(num_extensions)) {
174 return false;
175 }
176
177 // Second pass: gather the extension types.
178 extensions = *cbs;
179 for (size_t i = 0; i < extension_types.size(); i++) {
180 CBS extension;
181
182 if (!CBS_get_u16(&extensions, &extension_types[i]) ||
183 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
184 // This should not happen.
185 return false;
186 }
187 }
188 assert(CBS_len(&extensions) == 0);
189
190 // Sort the extensions and make sure there are no duplicates.
191 qsort(extension_types.data(), extension_types.size(), sizeof(uint16_t),
192 compare_uint16_t);
193 for (size_t i = 1; i < num_extensions; i++) {
194 if (extension_types[i - 1] == extension_types[i]) {
195 return false;
196 }
197 }
198
199 return true;
200}
201
202static bool is_post_quantum_group(uint16_t id) {
203 return id == SSL_CURVE_CECPQ2 || id == SSL_CURVE_CECPQ2b;
204}
205
206bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
207 const SSLMessage &msg) {
208 OPENSSL_memset(out, 0, sizeof(*out));
209 out->ssl = const_cast<SSL *>(ssl);
210 out->client_hello = CBS_data(&msg.body);
211 out->client_hello_len = CBS_len(&msg.body);
212
213 CBS client_hello, random, session_id;
214 CBS_init(&client_hello, out->client_hello, out->client_hello_len);
215 if (!CBS_get_u16(&client_hello, &out->version) ||
216 !CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) ||
217 !CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
218 CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
219 return false;
220 }
221
222 out->random = CBS_data(&random);
223 out->random_len = CBS_len(&random);
224 out->session_id = CBS_data(&session_id);
225 out->session_id_len = CBS_len(&session_id);
226
227 // Skip past DTLS cookie
228 if (SSL_is_dtls(out->ssl)) {
229 CBS cookie;
230 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
231 CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
232 return false;
233 }
234 }
235
236 CBS cipher_suites, compression_methods;
237 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
238 CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
239 !CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
240 CBS_len(&compression_methods) < 1) {
241 return false;
242 }
243
244 out->cipher_suites = CBS_data(&cipher_suites);
245 out->cipher_suites_len = CBS_len(&cipher_suites);
246 out->compression_methods = CBS_data(&compression_methods);
247 out->compression_methods_len = CBS_len(&compression_methods);
248
249 // If the ClientHello ends here then it's valid, but doesn't have any
250 // extensions.
251 if (CBS_len(&client_hello) == 0) {
252 out->extensions = NULL;
253 out->extensions_len = 0;
254 return true;
255 }
256
257 // Extract extensions and check it is valid.
258 CBS extensions;
259 if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
260 !tls1_check_duplicate_extensions(&extensions) ||
261 CBS_len(&client_hello) != 0) {
262 return false;
263 }
264
265 out->extensions = CBS_data(&extensions);
266 out->extensions_len = CBS_len(&extensions);
267
268 return true;
269}
270
271bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
272 CBS *out, uint16_t extension_type) {
273 CBS extensions;
274 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
275 while (CBS_len(&extensions) != 0) {
276 // Decode the next extension.
277 uint16_t type;
278 CBS extension;
279 if (!CBS_get_u16(&extensions, &type) ||
280 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
281 return false;
282 }
283
284 if (type == extension_type) {
285 *out = extension;
286 return true;
287 }
288 }
289
290 return false;
291}
292
293static const uint16_t kDefaultGroups[] = {
294 SSL_CURVE_X25519,
295 SSL_CURVE_SECP256R1,
296 SSL_CURVE_SECP384R1,
297};
298
299Span<const uint16_t> tls1_get_grouplist(const SSL_HANDSHAKE *hs) {
300 if (!hs->config->supported_group_list.empty()) {
301 return hs->config->supported_group_list;
302 }
303 return Span<const uint16_t>(kDefaultGroups);
304}
305
306bool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
307 SSL *const ssl = hs->ssl;
308 assert(ssl->server);
309
310 // Clients are not required to send a supported_groups extension. In this
311 // case, the server is free to pick any group it likes. See RFC 4492,
312 // section 4, paragraph 3.
313 //
314 // However, in the interests of compatibility, we will skip ECDH if the
315 // client didn't send an extension because we can't be sure that they'll
316 // support our favoured group. Thus we do not special-case an emtpy
317 // |peer_supported_group_list|.
318
319 Span<const uint16_t> groups = tls1_get_grouplist(hs);
320 Span<const uint16_t> pref, supp;
321 if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
322 pref = groups;
323 supp = hs->peer_supported_group_list;
324 } else {
325 pref = hs->peer_supported_group_list;
326 supp = groups;
327 }
328
329 for (uint16_t pref_group : pref) {
330 for (uint16_t supp_group : supp) {
331 if (pref_group == supp_group &&
332 // CECPQ2(b) doesn't fit in the u8-length-prefixed ECPoint field in
333 // TLS 1.2 and below.
334 (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
335 !is_post_quantum_group(pref_group))) {
336 *out_group_id = pref_group;
337 return true;
338 }
339 }
340 }
341
342 return false;
343}
344
345bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves) {
346 Array<uint16_t> group_ids;
347 if (!group_ids.Init(curves.size())) {
348 return false;
349 }
350
351 for (size_t i = 0; i < curves.size(); i++) {
352 if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) {
353 return false;
354 }
355 }
356
357 *out_group_ids = std::move(group_ids);
358 return true;
359}
360
361bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves) {
362 // Count the number of curves in the list.
363 size_t count = 0;
364 const char *ptr = curves, *col;
365 do {
366 col = strchr(ptr, ':');
367 count++;
368 if (col) {
369 ptr = col + 1;
370 }
371 } while (col);
372
373 Array<uint16_t> group_ids;
374 if (!group_ids.Init(count)) {
375 return false;
376 }
377
378 size_t i = 0;
379 ptr = curves;
380 do {
381 col = strchr(ptr, ':');
382 if (!ssl_name_to_group_id(&group_ids[i++], ptr,
383 col ? (size_t)(col - ptr) : strlen(ptr))) {
384 return false;
385 }
386 if (col) {
387 ptr = col + 1;
388 }
389 } while (col);
390
391 assert(i == count);
392 *out_group_ids = std::move(group_ids);
393 return true;
394}
395
396bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
397 if (is_post_quantum_group(group_id) &&
398 ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
399 // CECPQ2(b) requires TLS 1.3.
400 return false;
401 }
402
403 for (uint16_t supported : tls1_get_grouplist(hs)) {
404 if (supported == group_id) {
405 return true;
406 }
407 }
408
409 return false;
410}
411
412// kVerifySignatureAlgorithms is the default list of accepted signature
413// algorithms for verifying.
414//
415// For now, RSA-PSS signature algorithms are not enabled on Android's system
416// BoringSSL. Once the change in Chrome has stuck and the values are finalized,
417// restore them.
418static const uint16_t kVerifySignatureAlgorithms[] = {
419 // List our preferred algorithms first.
420 SSL_SIGN_ED25519,
421 SSL_SIGN_ECDSA_SECP256R1_SHA256,
422 SSL_SIGN_RSA_PSS_RSAE_SHA256,
423 SSL_SIGN_RSA_PKCS1_SHA256,
424
425 // Larger hashes are acceptable.
426 SSL_SIGN_ECDSA_SECP384R1_SHA384,
427 SSL_SIGN_RSA_PSS_RSAE_SHA384,
428 SSL_SIGN_RSA_PKCS1_SHA384,
429
430 SSL_SIGN_RSA_PSS_RSAE_SHA512,
431 SSL_SIGN_RSA_PKCS1_SHA512,
432
433 // For now, SHA-1 is still accepted but least preferable.
434 SSL_SIGN_RSA_PKCS1_SHA1,
435
436};
437
438// kSignSignatureAlgorithms is the default list of supported signature
439// algorithms for signing.
440//
441// For now, RSA-PSS signature algorithms are not enabled on Android's system
442// BoringSSL. Once the change in Chrome has stuck and the values are finalized,
443// restore them.
444static const uint16_t kSignSignatureAlgorithms[] = {
445 // List our preferred algorithms first.
446 SSL_SIGN_ED25519,
447 SSL_SIGN_ECDSA_SECP256R1_SHA256,
448 SSL_SIGN_RSA_PSS_RSAE_SHA256,
449 SSL_SIGN_RSA_PKCS1_SHA256,
450
451 // If needed, sign larger hashes.
452 //
453 // TODO(davidben): Determine which of these may be pruned.
454 SSL_SIGN_ECDSA_SECP384R1_SHA384,
455 SSL_SIGN_RSA_PSS_RSAE_SHA384,
456 SSL_SIGN_RSA_PKCS1_SHA384,
457
458 SSL_SIGN_ECDSA_SECP521R1_SHA512,
459 SSL_SIGN_RSA_PSS_RSAE_SHA512,
460 SSL_SIGN_RSA_PKCS1_SHA512,
461
462 // If the peer supports nothing else, sign with SHA-1.
463 SSL_SIGN_ECDSA_SHA1,
464 SSL_SIGN_RSA_PKCS1_SHA1,
465};
466
467struct SSLSignatureAlgorithmList {
468 bool Next(uint16_t *out) {
469 while (!list.empty()) {
470 uint16_t sigalg = list[0];
471 list = list.subspan(1);
472 if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) {
473 continue;
474 }
475 if (skip_rsa_pss_rsae && SSL_is_signature_algorithm_rsa_pss(sigalg)) {
476 continue;
477 }
478 *out = sigalg;
479 return true;
480 }
481 return false;
482 }
483
484 bool operator==(const SSLSignatureAlgorithmList &other) const {
485 SSLSignatureAlgorithmList a = *this;
486 SSLSignatureAlgorithmList b = other;
487 uint16_t a_val, b_val;
488 while (a.Next(&a_val)) {
489 if (!b.Next(&b_val) ||
490 a_val != b_val) {
491 return false;
492 }
493 }
494 return !b.Next(&b_val);
495 }
496
497 bool operator!=(const SSLSignatureAlgorithmList &other) const {
498 return !(*this == other);
499 }
500
501 Span<const uint16_t> list;
502 bool skip_ed25519 = false;
503 bool skip_rsa_pss_rsae = false;
504};
505
506static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl,
507 bool for_certs) {
508 SSLSignatureAlgorithmList ret;
509 if (!ssl->config->verify_sigalgs.empty()) {
510 ret.list = ssl->config->verify_sigalgs;
511 } else {
512 ret.list = kVerifySignatureAlgorithms;
513 ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
514 }
515 if (for_certs) {
516 ret.skip_rsa_pss_rsae = !ssl->ctx->rsa_pss_rsae_certs_enabled;
517 }
518 return ret;
519}
520
521bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs) {
522 SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, for_certs);
523 uint16_t sigalg;
524 while (list.Next(&sigalg)) {
525 if (!CBB_add_u16(out, sigalg)) {
526 return false;
527 }
528 }
529 return true;
530}
531
532bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
533 uint16_t sigalg) {
534 SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, false);
535 uint16_t verify_sigalg;
536 while (list.Next(&verify_sigalg)) {
537 if (verify_sigalg == sigalg) {
538 return true;
539 }
540 }
541
542 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
543 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
544 return false;
545}
546
547bool tls12_has_different_verify_sigalgs_for_certs(const SSL *ssl) {
548 return tls12_get_verify_sigalgs(ssl, true) !=
549 tls12_get_verify_sigalgs(ssl, false);
550}
551
552// tls_extension represents a TLS extension that is handled internally. The
553// |init| function is called for each handshake, before any other functions of
554// the extension. Then the add and parse callbacks are called as needed.
555//
556// The parse callbacks receive a |CBS| that contains the contents of the
557// extension (i.e. not including the type and length bytes). If an extension is
558// not received then the parse callbacks will be called with a NULL CBS so that
559// they can do any processing needed to handle the absence of an extension.
560//
561// The add callbacks receive a |CBB| to which the extension can be appended but
562// the function is responsible for appending the type and length bytes too.
563//
564// All callbacks return true for success and false for error. If a parse
565// function returns zero then a fatal alert with value |*out_alert| will be
566// sent. If |*out_alert| isn't set, then a |decode_error| alert will be sent.
567struct tls_extension {
568 uint16_t value;
569 void (*init)(SSL_HANDSHAKE *hs);
570
571 bool (*add_clienthello)(SSL_HANDSHAKE *hs, CBB *out);
572 bool (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
573 CBS *contents);
574
575 bool (*parse_clienthello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
576 CBS *contents);
577 bool (*add_serverhello)(SSL_HANDSHAKE *hs, CBB *out);
578};
579
580static bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
581 CBS *contents) {
582 if (contents != NULL) {
583 // Servers MUST NOT send this extension.
584 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
585 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
586 return false;
587 }
588
589 return true;
590}
591
592static bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
593 CBS *contents) {
594 // This extension from the client is handled elsewhere.
595 return true;
596}
597
598static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
599 return true;
600}
601
602// Server name indication (SNI).
603//
604// https://tools.ietf.org/html/rfc6066#section-3.
605
606static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
607 SSL *const ssl = hs->ssl;
608 if (ssl->hostname == nullptr) {
609 return true;
610 }
611
612 CBB contents, server_name_list, name;
613 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
614 !CBB_add_u16_length_prefixed(out, &contents) ||
615 !CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
616 !CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
617 !CBB_add_u16_length_prefixed(&server_name_list, &name) ||
618 !CBB_add_bytes(&name, (const uint8_t *)ssl->hostname.get(),
619 strlen(ssl->hostname.get())) ||
620 !CBB_flush(out)) {
621 return false;
622 }
623
624 return true;
625}
626
627static bool ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
628 CBS *contents) {
629 // The server may acknowledge SNI with an empty extension. We check the syntax
630 // but otherwise ignore this signal.
631 return contents == NULL || CBS_len(contents) == 0;
632}
633
634static bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
635 CBS *contents) {
636 SSL *const ssl = hs->ssl;
637 if (contents == NULL) {
638 return true;
639 }
640
641 CBS server_name_list, host_name;
642 uint8_t name_type;
643 if (!CBS_get_u16_length_prefixed(contents, &server_name_list) ||
644 !CBS_get_u8(&server_name_list, &name_type) ||
645 // Although the server_name extension was intended to be extensible to
646 // new name types and multiple names, OpenSSL 1.0.x had a bug which meant
647 // different name types will cause an error. Further, RFC 4366 originally
648 // defined syntax inextensibly. RFC 6066 corrected this mistake, but
649 // adding new name types is no longer feasible.
650 //
651 // Act as if the extensibility does not exist to simplify parsing.
652 !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
653 CBS_len(&server_name_list) != 0 ||
654 CBS_len(contents) != 0) {
655 return false;
656 }
657
658 if (name_type != TLSEXT_NAMETYPE_host_name ||
659 CBS_len(&host_name) == 0 ||
660 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
661 CBS_contains_zero_byte(&host_name)) {
662 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
663 return false;
664 }
665
666 // Copy the hostname as a string.
667 char *raw = nullptr;
668 if (!CBS_strdup(&host_name, &raw)) {
669 *out_alert = SSL_AD_INTERNAL_ERROR;
670 return false;
671 }
672 ssl->s3->hostname.reset(raw);
673
674 hs->should_ack_sni = true;
675 return true;
676}
677
678static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
679 if (hs->ssl->s3->session_reused ||
680 !hs->should_ack_sni) {
681 return true;
682 }
683
684 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
685 !CBB_add_u16(out, 0 /* length */)) {
686 return false;
687 }
688
689 return true;
690}
691
692
693// Renegotiation indication.
694//
695// https://tools.ietf.org/html/rfc5746
696
697static bool ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
698 SSL *const ssl = hs->ssl;
699 // Renegotiation indication is not necessary in TLS 1.3.
700 if (hs->min_version >= TLS1_3_VERSION) {
701 return true;
702 }
703
704 assert(ssl->s3->initial_handshake_complete ==
705 (ssl->s3->previous_client_finished_len != 0));
706
707 CBB contents, prev_finished;
708 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
709 !CBB_add_u16_length_prefixed(out, &contents) ||
710 !CBB_add_u8_length_prefixed(&contents, &prev_finished) ||
711 !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished,
712 ssl->s3->previous_client_finished_len) ||
713 !CBB_flush(out)) {
714 return false;
715 }
716
717 return true;
718}
719
720static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
721 CBS *contents) {
722 SSL *const ssl = hs->ssl;
723 if (contents != NULL && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
724 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
725 return false;
726 }
727
728 // Servers may not switch between omitting the extension and supporting it.
729 // See RFC 5746, sections 3.5 and 4.2.
730 if (ssl->s3->initial_handshake_complete &&
731 (contents != NULL) != ssl->s3->send_connection_binding) {
732 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
733 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
734 return false;
735 }
736
737 if (contents == NULL) {
738 // Strictly speaking, if we want to avoid an attack we should *always* see
739 // RI even on initial ServerHello because the client doesn't see any
740 // renegotiation during an attack. However this would mean we could not
741 // connect to any server which doesn't support RI.
742 //
743 // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in
744 // practical terms every client sets it so it's just assumed here.
745 return true;
746 }
747
748 const size_t expected_len = ssl->s3->previous_client_finished_len +
749 ssl->s3->previous_server_finished_len;
750
751 // Check for logic errors
752 assert(!expected_len || ssl->s3->previous_client_finished_len);
753 assert(!expected_len || ssl->s3->previous_server_finished_len);
754 assert(ssl->s3->initial_handshake_complete ==
755 (ssl->s3->previous_client_finished_len != 0));
756 assert(ssl->s3->initial_handshake_complete ==
757 (ssl->s3->previous_server_finished_len != 0));
758
759 // Parse out the extension contents.
760 CBS renegotiated_connection;
761 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
762 CBS_len(contents) != 0) {
763 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
764 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
765 return false;
766 }
767
768 // Check that the extension matches.
769 if (CBS_len(&renegotiated_connection) != expected_len) {
770 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
771 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
772 return false;
773 }
774
775 const uint8_t *d = CBS_data(&renegotiated_connection);
776 bool ok = CRYPTO_memcmp(d, ssl->s3->previous_client_finished,
777 ssl->s3->previous_client_finished_len) == 0;
778#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
779 ok = true;
780#endif
781 if (!ok) {
782 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
783 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
784 return false;
785 }
786 d += ssl->s3->previous_client_finished_len;
787
788 ok = CRYPTO_memcmp(d, ssl->s3->previous_server_finished,
789 ssl->s3->previous_server_finished_len) == 0;
790#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
791 ok = true;
792#endif
793 if (!ok) {
794 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
795 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
796 return false;
797 }
798 ssl->s3->send_connection_binding = true;
799
800 return true;
801}
802
803static bool ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
804 CBS *contents) {
805 SSL *const ssl = hs->ssl;
806 // Renegotiation isn't supported as a server so this function should never be
807 // called after the initial handshake.
808 assert(!ssl->s3->initial_handshake_complete);
809
810 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
811 return true;
812 }
813
814 if (contents == NULL) {
815 return true;
816 }
817
818 CBS renegotiated_connection;
819 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
820 CBS_len(contents) != 0) {
821 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
822 return false;
823 }
824
825 // Check that the extension matches. We do not support renegotiation as a
826 // server, so this must be empty.
827 if (CBS_len(&renegotiated_connection) != 0) {
828 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
829 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
830 return false;
831 }
832
833 ssl->s3->send_connection_binding = true;
834
835 return true;
836}
837
838static bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
839 SSL *const ssl = hs->ssl;
840 // Renegotiation isn't supported as a server so this function should never be
841 // called after the initial handshake.
842 assert(!ssl->s3->initial_handshake_complete);
843
844 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
845 return true;
846 }
847
848 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
849 !CBB_add_u16(out, 1 /* length */) ||
850 !CBB_add_u8(out, 0 /* empty renegotiation info */)) {
851 return false;
852 }
853
854 return true;
855}
856
857
858// Extended Master Secret.
859//
860// https://tools.ietf.org/html/rfc7627
861
862static bool ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
863 // Extended master secret is not necessary in TLS 1.3.
864 if (hs->min_version >= TLS1_3_VERSION) {
865 return true;
866 }
867
868 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
869 !CBB_add_u16(out, 0 /* length */)) {
870 return false;
871 }
872
873 return true;
874}
875
876static bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
877 CBS *contents) {
878 SSL *const ssl = hs->ssl;
879
880 if (contents != NULL) {
881 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
882 CBS_len(contents) != 0) {
883 return false;
884 }
885
886 hs->extended_master_secret = true;
887 }
888
889 // Whether EMS is negotiated may not change on renegotiation.
890 if (ssl->s3->established_session != nullptr &&
891 hs->extended_master_secret !=
892 !!ssl->s3->established_session->extended_master_secret) {
893 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH);
894 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
895 return false;
896 }
897
898 return true;
899}
900
901static bool ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
902 CBS *contents) {
903 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
904 return true;
905 }
906
907 if (contents == NULL) {
908 return true;
909 }
910
911 if (CBS_len(contents) != 0) {
912 return false;
913 }
914
915 hs->extended_master_secret = true;
916 return true;
917}
918
919static bool ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
920 if (!hs->extended_master_secret) {
921 return true;
922 }
923
924 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
925 !CBB_add_u16(out, 0 /* length */)) {
926 return false;
927 }
928
929 return true;
930}
931
932
933// Session tickets.
934//
935// https://tools.ietf.org/html/rfc5077
936
937static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
938 SSL *const ssl = hs->ssl;
939 // TLS 1.3 uses a different ticket extension.
940 if (hs->min_version >= TLS1_3_VERSION ||
941 SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
942 return true;
943 }
944
945 Span<const uint8_t> ticket;
946
947 // Renegotiation does not participate in session resumption. However, still
948 // advertise the extension to avoid potentially breaking servers which carry
949 // over the state from the previous handshake, such as OpenSSL servers
950 // without upstream's 3c3f0259238594d77264a78944d409f2127642c4.
951 if (!ssl->s3->initial_handshake_complete &&
952 ssl->session != nullptr &&
953 !ssl->session->ticket.empty() &&
954 // Don't send TLS 1.3 session tickets in the ticket extension.
955 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
956 ticket = ssl->session->ticket;
957 }
958
959 CBB ticket_cbb;
960 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
961 !CBB_add_u16_length_prefixed(out, &ticket_cbb) ||
962 !CBB_add_bytes(&ticket_cbb, ticket.data(), ticket.size()) ||
963 !CBB_flush(out)) {
964 return false;
965 }
966
967 return true;
968}
969
970static bool ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
971 CBS *contents) {
972 SSL *const ssl = hs->ssl;
973 if (contents == NULL) {
974 return true;
975 }
976
977 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
978 return false;
979 }
980
981 // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
982 // this function should never be called, even if the server tries to send the
983 // extension.
984 assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);
985
986 if (CBS_len(contents) != 0) {
987 return false;
988 }
989
990 hs->ticket_expected = true;
991 return true;
992}
993
994static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
995 if (!hs->ticket_expected) {
996 return true;
997 }
998
999 // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true.
1000 assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0);
1001
1002 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
1003 !CBB_add_u16(out, 0 /* length */)) {
1004 return false;
1005 }
1006
1007 return true;
1008}
1009
1010
1011// Signature Algorithms.
1012//
1013// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
1014
1015static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1016 SSL *const ssl = hs->ssl;
1017 if (hs->max_version < TLS1_2_VERSION) {
1018 return true;
1019 }
1020
1021 // Prior to TLS 1.3, there was no way to signal different signature algorithm
1022 // preferences between the online signature and certificates. If we do not
1023 // send the signature_algorithms_cert extension, use the potentially more
1024 // restrictive certificate list.
1025 //
1026 // TODO(davidben): When TLS 1.3 is finalized, we can likely remove the TLS 1.3
1027 // check both here and in signature_algorithms_cert. |hs->max_version| is not
1028 // the negotiated version. Rather the expectation is that any server consuming
1029 // signature algorithms added in TLS 1.3 will also know to look at
1030 // signature_algorithms_cert. For now, TLS 1.3 is not quite yet final and it
1031 // seems prudent to condition this new extension on it.
1032 bool for_certs = hs->max_version < TLS1_3_VERSION;
1033 CBB contents, sigalgs_cbb;
1034 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
1035 !CBB_add_u16_length_prefixed(out, &contents) ||
1036 !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
1037 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, for_certs) ||
1038 !CBB_flush(out)) {
1039 return false;
1040 }
1041
1042 return true;
1043}
1044
1045static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1046 CBS *contents) {
1047 hs->peer_sigalgs.Reset();
1048 if (contents == NULL) {
1049 return true;
1050 }
1051
1052 CBS supported_signature_algorithms;
1053 if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) ||
1054 CBS_len(contents) != 0 ||
1055 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
1056 return false;
1057 }
1058
1059 return true;
1060}
1061
1062
1063// Signature Algorithms for Certificates.
1064//
1065// https://tools.ietf.org/html/rfc8446#section-4.2.3
1066
1067static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1068 SSL *const ssl = hs->ssl;
1069 // If this extension is omitted, it defaults to the signature_algorithms
1070 // extension, so only emit it if the list is different.
1071 //
1072 // This extension is also new in TLS 1.3, so omit it if TLS 1.3 is disabled.
1073 // There is a corresponding version check in |ext_sigalgs_add_clienthello|.
1074 if (hs->max_version < TLS1_3_VERSION ||
1075 !tls12_has_different_verify_sigalgs_for_certs(ssl)) {
1076 return true;
1077 }
1078
1079 CBB contents, sigalgs_cbb;
1080 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms_cert) ||
1081 !CBB_add_u16_length_prefixed(out, &contents) ||
1082 !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
1083 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */) ||
1084 !CBB_flush(out)) {
1085 return false;
1086 }
1087
1088 return true;
1089}
1090
1091
1092// OCSP Stapling.
1093//
1094// https://tools.ietf.org/html/rfc6066#section-8
1095
1096static bool ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1097 if (!hs->config->ocsp_stapling_enabled) {
1098 return true;
1099 }
1100
1101 CBB contents;
1102 if (!CBB_add_u16(out, TLSEXT_TYPE_status_request) ||
1103 !CBB_add_u16_length_prefixed(out, &contents) ||
1104 !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
1105 !CBB_add_u16(&contents, 0 /* empty responder ID list */) ||
1106 !CBB_add_u16(&contents, 0 /* empty request extensions */) ||
1107 !CBB_flush(out)) {
1108 return false;
1109 }
1110
1111 return true;
1112}
1113
1114static bool ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1115 CBS *contents) {
1116 SSL *const ssl = hs->ssl;
1117 if (contents == NULL) {
1118 return true;
1119 }
1120
1121 // TLS 1.3 OCSP responses are included in the Certificate extensions.
1122 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1123 return false;
1124 }
1125
1126 // OCSP stapling is forbidden on non-certificate ciphers.
1127 if (CBS_len(contents) != 0 ||
1128 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1129 return false;
1130 }
1131
1132 // Note this does not check for resumption in TLS 1.2. Sending
1133 // status_request here does not make sense, but OpenSSL does so and the
1134 // specification does not say anything. Tolerate it but ignore it.
1135
1136 hs->certificate_status_expected = true;
1137 return true;
1138}
1139
1140static bool ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1141 CBS *contents) {
1142 if (contents == NULL) {
1143 return true;
1144 }
1145
1146 uint8_t status_type;
1147 if (!CBS_get_u8(contents, &status_type)) {
1148 return false;
1149 }
1150
1151 // We cannot decide whether OCSP stapling will occur yet because the correct
1152 // SSL_CTX might not have been selected.
1153 hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
1154
1155 return true;
1156}
1157
1158static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1159 SSL *const ssl = hs->ssl;
1160 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
1161 !hs->ocsp_stapling_requested || hs->config->cert->ocsp_response == NULL ||
1162 ssl->s3->session_reused ||
1163 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1164 return true;
1165 }
1166
1167 hs->certificate_status_expected = true;
1168
1169 return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
1170 CBB_add_u16(out, 0 /* length */);
1171}
1172
1173
1174// Next protocol negotiation.
1175//
1176// https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html
1177
1178static bool ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1179 SSL *const ssl = hs->ssl;
1180 if (ssl->s3->initial_handshake_complete ||
1181 ssl->ctx->next_proto_select_cb == NULL ||
1182 SSL_is_dtls(ssl)) {
1183 return true;
1184 }
1185
1186 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1187 !CBB_add_u16(out, 0 /* length */)) {
1188 return false;
1189 }
1190
1191 return true;
1192}
1193
1194static bool ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1195 CBS *contents) {
1196 SSL *const ssl = hs->ssl;
1197 if (contents == NULL) {
1198 return true;
1199 }
1200
1201 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1202 return false;
1203 }
1204
1205 // If any of these are false then we should never have sent the NPN
1206 // extension in the ClientHello and thus this function should never have been
1207 // called.
1208 assert(!ssl->s3->initial_handshake_complete);
1209 assert(!SSL_is_dtls(ssl));
1210 assert(ssl->ctx->next_proto_select_cb != NULL);
1211
1212 if (!ssl->s3->alpn_selected.empty()) {
1213 // NPN and ALPN may not be negotiated in the same connection.
1214 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1215 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1216 return false;
1217 }
1218
1219 const uint8_t *const orig_contents = CBS_data(contents);
1220 const size_t orig_len = CBS_len(contents);
1221
1222 while (CBS_len(contents) != 0) {
1223 CBS proto;
1224 if (!CBS_get_u8_length_prefixed(contents, &proto) ||
1225 CBS_len(&proto) == 0) {
1226 return false;
1227 }
1228 }
1229
1230 uint8_t *selected;
1231 uint8_t selected_len;
1232 if (ssl->ctx->next_proto_select_cb(
1233 ssl, &selected, &selected_len, orig_contents, orig_len,
1234 ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK ||
1235 !ssl->s3->next_proto_negotiated.CopyFrom(
1236 MakeConstSpan(selected, selected_len))) {
1237 *out_alert = SSL_AD_INTERNAL_ERROR;
1238 return false;
1239 }
1240
1241 hs->next_proto_neg_seen = true;
1242 return true;
1243}
1244
1245static bool ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1246 CBS *contents) {
1247 SSL *const ssl = hs->ssl;
1248 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1249 return true;
1250 }
1251
1252 if (contents != NULL && CBS_len(contents) != 0) {
1253 return false;
1254 }
1255
1256 if (contents == NULL ||
1257 ssl->s3->initial_handshake_complete ||
1258 ssl->ctx->next_protos_advertised_cb == NULL ||
1259 SSL_is_dtls(ssl)) {
1260 return true;
1261 }
1262
1263 hs->next_proto_neg_seen = true;
1264 return true;
1265}
1266
1267static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1268 SSL *const ssl = hs->ssl;
1269 // |next_proto_neg_seen| might have been cleared when an ALPN extension was
1270 // parsed.
1271 if (!hs->next_proto_neg_seen) {
1272 return true;
1273 }
1274
1275 const uint8_t *npa;
1276 unsigned npa_len;
1277
1278 if (ssl->ctx->next_protos_advertised_cb(
1279 ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) !=
1280 SSL_TLSEXT_ERR_OK) {
1281 hs->next_proto_neg_seen = false;
1282 return true;
1283 }
1284
1285 CBB contents;
1286 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1287 !CBB_add_u16_length_prefixed(out, &contents) ||
1288 !CBB_add_bytes(&contents, npa, npa_len) ||
1289 !CBB_flush(out)) {
1290 return false;
1291 }
1292
1293 return true;
1294}
1295
1296
1297// Signed certificate timestamps.
1298//
1299// https://tools.ietf.org/html/rfc6962#section-3.3.1
1300
1301static bool ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1302 if (!hs->config->signed_cert_timestamps_enabled) {
1303 return true;
1304 }
1305
1306 if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) ||
1307 !CBB_add_u16(out, 0 /* length */)) {
1308 return false;
1309 }
1310
1311 return true;
1312}
1313
1314static bool ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1315 CBS *contents) {
1316 SSL *const ssl = hs->ssl;
1317 if (contents == NULL) {
1318 return true;
1319 }
1320
1321 // TLS 1.3 SCTs are included in the Certificate extensions.
1322 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1323 *out_alert = SSL_AD_DECODE_ERROR;
1324 return false;
1325 }
1326
1327 // If this is false then we should never have sent the SCT extension in the
1328 // ClientHello and thus this function should never have been called.
1329 assert(hs->config->signed_cert_timestamps_enabled);
1330
1331 if (!ssl_is_sct_list_valid(contents)) {
1332 *out_alert = SSL_AD_DECODE_ERROR;
1333 return false;
1334 }
1335
1336 // Session resumption uses the original session information. The extension
1337 // should not be sent on resumption, but RFC 6962 did not make it a
1338 // requirement, so tolerate this.
1339 //
1340 // TODO(davidben): Enforce this anyway.
1341 if (!ssl->s3->session_reused) {
1342 hs->new_session->signed_cert_timestamp_list.reset(
1343 CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool));
1344 if (hs->new_session->signed_cert_timestamp_list == nullptr) {
1345 *out_alert = SSL_AD_INTERNAL_ERROR;
1346 return false;
1347 }
1348 }
1349
1350 return true;
1351}
1352
1353static bool ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1354 CBS *contents) {
1355 if (contents == NULL) {
1356 return true;
1357 }
1358
1359 if (CBS_len(contents) != 0) {
1360 return false;
1361 }
1362
1363 hs->scts_requested = true;
1364 return true;
1365}
1366
1367static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1368 SSL *const ssl = hs->ssl;
1369 // The extension shouldn't be sent when resuming sessions.
1370 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || ssl->s3->session_reused ||
1371 hs->config->cert->signed_cert_timestamp_list == NULL) {
1372 return true;
1373 }
1374
1375 CBB contents;
1376 return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) &&
1377 CBB_add_u16_length_prefixed(out, &contents) &&
1378 CBB_add_bytes(
1379 &contents,
1380 CRYPTO_BUFFER_data(
1381 hs->config->cert->signed_cert_timestamp_list.get()),
1382 CRYPTO_BUFFER_len(
1383 hs->config->cert->signed_cert_timestamp_list.get())) &&
1384 CBB_flush(out);
1385}
1386
1387
1388// Application-level Protocol Negotiation.
1389//
1390// https://tools.ietf.org/html/rfc7301
1391
1392static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1393 SSL *const ssl = hs->ssl;
1394 if (hs->config->alpn_client_proto_list.empty() ||
1395 ssl->s3->initial_handshake_complete) {
1396 return true;
1397 }
1398
1399 CBB contents, proto_list;
1400 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1401 !CBB_add_u16_length_prefixed(out, &contents) ||
1402 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1403 !CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(),
1404 hs->config->alpn_client_proto_list.size()) ||
1405 !CBB_flush(out)) {
1406 return false;
1407 }
1408
1409 return true;
1410}
1411
1412static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1413 CBS *contents) {
1414 SSL *const ssl = hs->ssl;
1415 if (contents == NULL) {
1416 return true;
1417 }
1418
1419 assert(!ssl->s3->initial_handshake_complete);
1420 assert(!hs->config->alpn_client_proto_list.empty());
1421
1422 if (hs->next_proto_neg_seen) {
1423 // NPN and ALPN may not be negotiated in the same connection.
1424 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1425 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1426 return false;
1427 }
1428
1429 // The extension data consists of a ProtocolNameList which must have
1430 // exactly one ProtocolName. Each of these is length-prefixed.
1431 CBS protocol_name_list, protocol_name;
1432 if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
1433 CBS_len(contents) != 0 ||
1434 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
1435 // Empty protocol names are forbidden.
1436 CBS_len(&protocol_name) == 0 ||
1437 CBS_len(&protocol_name_list) != 0) {
1438 return false;
1439 }
1440
1441 if (!ssl_is_alpn_protocol_allowed(hs, protocol_name)) {
1442 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1443 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1444 return false;
1445 }
1446
1447 if (!ssl->s3->alpn_selected.CopyFrom(protocol_name)) {
1448 *out_alert = SSL_AD_INTERNAL_ERROR;
1449 return false;
1450 }
1451
1452 return true;
1453}
1454
1455bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
1456 Span<const uint8_t> protocol) {
1457 if (hs->config->alpn_client_proto_list.empty()) {
1458 return false;
1459 }
1460
1461 if (hs->ssl->ctx->allow_unknown_alpn_protos) {
1462 return true;
1463 }
1464
1465 // Check that the protocol name is one of the ones we advertised.
1466 CBS client_protocol_name_list =
1467 MakeConstSpan(hs->config->alpn_client_proto_list),
1468 client_protocol_name;
1469 while (CBS_len(&client_protocol_name_list) > 0) {
1470 if (!CBS_get_u8_length_prefixed(&client_protocol_name_list,
1471 &client_protocol_name)) {
1472 return false;
1473 }
1474
1475 if (client_protocol_name == protocol) {
1476 return true;
1477 }
1478 }
1479
1480 return false;
1481}
1482
1483bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1484 const SSL_CLIENT_HELLO *client_hello) {
1485 SSL *const ssl = hs->ssl;
1486 CBS contents;
1487 if (ssl->ctx->alpn_select_cb == NULL ||
1488 !ssl_client_hello_get_extension(
1489 client_hello, &contents,
1490 TLSEXT_TYPE_application_layer_protocol_negotiation)) {
1491 // Ignore ALPN if not configured or no extension was supplied.
1492 return true;
1493 }
1494
1495 // ALPN takes precedence over NPN.
1496 hs->next_proto_neg_seen = false;
1497
1498 CBS protocol_name_list;
1499 if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
1500 CBS_len(&contents) != 0 ||
1501 CBS_len(&protocol_name_list) < 2) {
1502 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1503 *out_alert = SSL_AD_DECODE_ERROR;
1504 return false;
1505 }
1506
1507 // Validate the protocol list.
1508 CBS protocol_name_list_copy = protocol_name_list;
1509 while (CBS_len(&protocol_name_list_copy) > 0) {
1510 CBS protocol_name;
1511
1512 if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
1513 // Empty protocol names are forbidden.
1514 CBS_len(&protocol_name) == 0) {
1515 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1516 *out_alert = SSL_AD_DECODE_ERROR;
1517 return false;
1518 }
1519 }
1520
1521 const uint8_t *selected;
1522 uint8_t selected_len;
1523 if (ssl->ctx->alpn_select_cb(
1524 ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
1525 CBS_len(&protocol_name_list),
1526 ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) {
1527 if (selected_len == 0) {
1528 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1529 *out_alert = SSL_AD_INTERNAL_ERROR;
1530 return false;
1531 }
1532 if (!ssl->s3->alpn_selected.CopyFrom(
1533 MakeConstSpan(selected, selected_len))) {
1534 *out_alert = SSL_AD_INTERNAL_ERROR;
1535 return false;
1536 }
1537 }
1538
1539 return true;
1540}
1541
1542static bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1543 SSL *const ssl = hs->ssl;
1544 if (ssl->s3->alpn_selected.empty()) {
1545 return true;
1546 }
1547
1548 CBB contents, proto_list, proto;
1549 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1550 !CBB_add_u16_length_prefixed(out, &contents) ||
1551 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1552 !CBB_add_u8_length_prefixed(&proto_list, &proto) ||
1553 !CBB_add_bytes(&proto, ssl->s3->alpn_selected.data(),
1554 ssl->s3->alpn_selected.size()) ||
1555 !CBB_flush(out)) {
1556 return false;
1557 }
1558
1559 return true;
1560}
1561
1562
1563// Channel ID.
1564//
1565// https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1566
1567static void ext_channel_id_init(SSL_HANDSHAKE *hs) {
1568 hs->ssl->s3->channel_id_valid = false;
1569}
1570
1571static bool ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1572 SSL *const ssl = hs->ssl;
1573 if (!hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {
1574 return true;
1575 }
1576
1577 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1578 !CBB_add_u16(out, 0 /* length */)) {
1579 return false;
1580 }
1581
1582 return true;
1583}
1584
1585static bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,
1586 uint8_t *out_alert,
1587 CBS *contents) {
1588 SSL *const ssl = hs->ssl;
1589 if (contents == NULL) {
1590 return true;
1591 }
1592
1593 assert(!SSL_is_dtls(ssl));
1594 assert(hs->config->channel_id_enabled);
1595
1596 if (CBS_len(contents) != 0) {
1597 return false;
1598 }
1599
1600 ssl->s3->channel_id_valid = true;
1601 return true;
1602}
1603
1604static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
1605 uint8_t *out_alert,
1606 CBS *contents) {
1607 SSL *const ssl = hs->ssl;
1608 if (contents == NULL || !hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {
1609 return true;
1610 }
1611
1612 if (CBS_len(contents) != 0) {
1613 return false;
1614 }
1615
1616 ssl->s3->channel_id_valid = true;
1617 return true;
1618}
1619
1620static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1621 SSL *const ssl = hs->ssl;
1622 if (!ssl->s3->channel_id_valid) {
1623 return true;
1624 }
1625
1626 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1627 !CBB_add_u16(out, 0 /* length */)) {
1628 return false;
1629 }
1630
1631 return true;
1632}
1633
1634
1635// Secure Real-time Transport Protocol (SRTP) extension.
1636//
1637// https://tools.ietf.org/html/rfc5764
1638
1639
1640static void ext_srtp_init(SSL_HANDSHAKE *hs) {
1641 hs->ssl->s3->srtp_profile = NULL;
1642}
1643
1644static bool ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1645 SSL *const ssl = hs->ssl;
1646 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1647 if (profiles == NULL ||
1648 sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0) {
1649 return true;
1650 }
1651
1652 CBB contents, profile_ids;
1653 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1654 !CBB_add_u16_length_prefixed(out, &contents) ||
1655 !CBB_add_u16_length_prefixed(&contents, &profile_ids)) {
1656 return false;
1657 }
1658
1659 for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1660 if (!CBB_add_u16(&profile_ids, profile->id)) {
1661 return false;
1662 }
1663 }
1664
1665 if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) ||
1666 !CBB_flush(out)) {
1667 return false;
1668 }
1669
1670 return true;
1671}
1672
1673static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1674 CBS *contents) {
1675 SSL *const ssl = hs->ssl;
1676 if (contents == NULL) {
1677 return true;
1678 }
1679
1680 // The extension consists of a u16-prefixed profile ID list containing a
1681 // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
1682 //
1683 // See https://tools.ietf.org/html/rfc5764#section-4.1.1
1684 CBS profile_ids, srtp_mki;
1685 uint16_t profile_id;
1686 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1687 !CBS_get_u16(&profile_ids, &profile_id) ||
1688 CBS_len(&profile_ids) != 0 ||
1689 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1690 CBS_len(contents) != 0) {
1691 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1692 return false;
1693 }
1694
1695 if (CBS_len(&srtp_mki) != 0) {
1696 // Must be no MKI, since we never offer one.
1697 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);
1698 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1699 return false;
1700 }
1701
1702 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1703
1704 // Check to see if the server gave us something we support (and presumably
1705 // offered).
1706 for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1707 if (profile->id == profile_id) {
1708 ssl->s3->srtp_profile = profile;
1709 return true;
1710 }
1711 }
1712
1713 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1714 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1715 return false;
1716}
1717
1718static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1719 CBS *contents) {
1720 SSL *const ssl = hs->ssl;
1721 if (contents == NULL) {
1722 return true;
1723 }
1724
1725 CBS profile_ids, srtp_mki;
1726 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1727 CBS_len(&profile_ids) < 2 ||
1728 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1729 CBS_len(contents) != 0) {
1730 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1731 return false;
1732 }
1733 // Discard the MKI value for now.
1734
1735 const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =
1736 SSL_get_srtp_profiles(ssl);
1737
1738 // Pick the server's most preferred profile.
1739 for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) {
1740 CBS profile_ids_tmp;
1741 CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids));
1742
1743 while (CBS_len(&profile_ids_tmp) > 0) {
1744 uint16_t profile_id;
1745 if (!CBS_get_u16(&profile_ids_tmp, &profile_id)) {
1746 return false;
1747 }
1748
1749 if (server_profile->id == profile_id) {
1750 ssl->s3->srtp_profile = server_profile;
1751 return true;
1752 }
1753 }
1754 }
1755
1756 return true;
1757}
1758
1759static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1760 SSL *const ssl = hs->ssl;
1761 if (ssl->s3->srtp_profile == NULL) {
1762 return true;
1763 }
1764
1765 CBB contents, profile_ids;
1766 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1767 !CBB_add_u16_length_prefixed(out, &contents) ||
1768 !CBB_add_u16_length_prefixed(&contents, &profile_ids) ||
1769 !CBB_add_u16(&profile_ids, ssl->s3->srtp_profile->id) ||
1770 !CBB_add_u8(&contents, 0 /* empty MKI */) ||
1771 !CBB_flush(out)) {
1772 return false;
1773 }
1774
1775 return true;
1776}
1777
1778
1779// EC point formats.
1780//
1781// https://tools.ietf.org/html/rfc4492#section-5.1.2
1782
1783static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
1784 CBB contents, formats;
1785 if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) ||
1786 !CBB_add_u16_length_prefixed(out, &contents) ||
1787 !CBB_add_u8_length_prefixed(&contents, &formats) ||
1788 !CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) ||
1789 !CBB_flush(out)) {
1790 return false;
1791 }
1792
1793 return true;
1794}
1795
1796static bool ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1797 // The point format extension is unnecessary in TLS 1.3.
1798 if (hs->min_version >= TLS1_3_VERSION) {
1799 return true;
1800 }
1801
1802 return ext_ec_point_add_extension(hs, out);
1803}
1804
1805static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1806 CBS *contents) {
1807 if (contents == NULL) {
1808 return true;
1809 }
1810
1811 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1812 return false;
1813 }
1814
1815 CBS ec_point_format_list;
1816 if (!CBS_get_u8_length_prefixed(contents, &ec_point_format_list) ||
1817 CBS_len(contents) != 0) {
1818 return false;
1819 }
1820
1821 // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
1822 // point format.
1823 if (OPENSSL_memchr(CBS_data(&ec_point_format_list),
1824 TLSEXT_ECPOINTFORMAT_uncompressed,
1825 CBS_len(&ec_point_format_list)) == NULL) {
1826 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1827 return false;
1828 }
1829
1830 return true;
1831}
1832
1833static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1834 CBS *contents) {
1835 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1836 return true;
1837 }
1838
1839 return ext_ec_point_parse_serverhello(hs, out_alert, contents);
1840}
1841
1842static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1843 SSL *const ssl = hs->ssl;
1844 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1845 return true;
1846 }
1847
1848 const uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1849 const uint32_t alg_a = hs->new_cipher->algorithm_auth;
1850 const bool using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1851
1852 if (!using_ecc) {
1853 return true;
1854 }
1855
1856 return ext_ec_point_add_extension(hs, out);
1857}
1858
1859
1860// Pre Shared Key
1861//
1862// https://tools.ietf.org/html/rfc8446#section-4.2.11
1863
1864static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
1865 SSL *const ssl = hs->ssl;
1866 if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
1867 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
1868 return 0;
1869 }
1870
1871 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
1872 return 15 + ssl->session->ticket.size() + binder_len;
1873}
1874
1875static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1876 SSL *const ssl = hs->ssl;
1877 hs->needs_psk_binder = false;
1878 if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
1879 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
1880 return true;
1881 }
1882
1883 // Per RFC 8446 section 4.1.4, skip offering the session if the selected
1884 // cipher in HelloRetryRequest does not match. This avoids performing the
1885 // transcript hash transformation for multiple hashes.
1886 if (hs->received_hello_retry_request &&
1887 ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
1888 return true;
1889 }
1890
1891 struct OPENSSL_timeval now;
1892 ssl_get_current_time(ssl, &now);
1893 uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time);
1894 uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add;
1895
1896 // Fill in a placeholder zero binder of the appropriate length. It will be
1897 // computed and filled in later after length prefixes are computed.
1898 uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
1899 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
1900
1901 CBB contents, identity, ticket, binders, binder;
1902 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1903 !CBB_add_u16_length_prefixed(out, &contents) ||
1904 !CBB_add_u16_length_prefixed(&contents, &identity) ||
1905 !CBB_add_u16_length_prefixed(&identity, &ticket) ||
1906 !CBB_add_bytes(&ticket, ssl->session->ticket.data(),
1907 ssl->session->ticket.size()) ||
1908 !CBB_add_u32(&identity, obfuscated_ticket_age) ||
1909 !CBB_add_u16_length_prefixed(&contents, &binders) ||
1910 !CBB_add_u8_length_prefixed(&binders, &binder) ||
1911 !CBB_add_bytes(&binder, zero_binder, binder_len)) {
1912 return false;
1913 }
1914
1915 hs->needs_psk_binder = true;
1916 return CBB_flush(out);
1917}
1918
1919bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
1920 uint8_t *out_alert,
1921 CBS *contents) {
1922 uint16_t psk_id;
1923 if (!CBS_get_u16(contents, &psk_id) ||
1924 CBS_len(contents) != 0) {
1925 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1926 *out_alert = SSL_AD_DECODE_ERROR;
1927 return false;
1928 }
1929
1930 // We only advertise one PSK identity, so the only legal index is zero.
1931 if (psk_id != 0) {
1932 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1933 *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY;
1934 return false;
1935 }
1936
1937 return true;
1938}
1939
1940bool ssl_ext_pre_shared_key_parse_clienthello(
1941 SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,
1942 uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents) {
1943 // We only process the first PSK identity since we don't support pure PSK.
1944 CBS identities, binders;
1945 if (!CBS_get_u16_length_prefixed(contents, &identities) ||
1946 !CBS_get_u16_length_prefixed(&identities, out_ticket) ||
1947 !CBS_get_u32(&identities, out_obfuscated_ticket_age) ||
1948 !CBS_get_u16_length_prefixed(contents, &binders) ||
1949 CBS_len(&binders) == 0 ||
1950 CBS_len(contents) != 0) {
1951 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1952 *out_alert = SSL_AD_DECODE_ERROR;
1953 return false;
1954 }
1955
1956 *out_binders = binders;
1957
1958 // Check the syntax of the remaining identities, but do not process them.
1959 size_t num_identities = 1;
1960 while (CBS_len(&identities) != 0) {
1961 CBS unused_ticket;
1962 uint32_t unused_obfuscated_ticket_age;
1963 if (!CBS_get_u16_length_prefixed(&identities, &unused_ticket) ||
1964 !CBS_get_u32(&identities, &unused_obfuscated_ticket_age)) {
1965 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1966 *out_alert = SSL_AD_DECODE_ERROR;
1967 return false;
1968 }
1969
1970 num_identities++;
1971 }
1972
1973 // Check the syntax of the binders. The value will be checked later if
1974 // resuming.
1975 size_t num_binders = 0;
1976 while (CBS_len(&binders) != 0) {
1977 CBS binder;
1978 if (!CBS_get_u8_length_prefixed(&binders, &binder)) {
1979 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1980 *out_alert = SSL_AD_DECODE_ERROR;
1981 return false;
1982 }
1983
1984 num_binders++;
1985 }
1986
1987 if (num_identities != num_binders) {
1988 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH);
1989 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1990 return false;
1991 }
1992
1993 return true;
1994}
1995
1996bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1997 if (!hs->ssl->s3->session_reused) {
1998 return true;
1999 }
2000
2001 CBB contents;
2002 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
2003 !CBB_add_u16_length_prefixed(out, &contents) ||
2004 // We only consider the first identity for resumption
2005 !CBB_add_u16(&contents, 0) ||
2006 !CBB_flush(out)) {
2007 return false;
2008 }
2009
2010 return true;
2011}
2012
2013
2014// Pre-Shared Key Exchange Modes
2015//
2016// https://tools.ietf.org/html/rfc8446#section-4.2.9
2017
2018static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
2019 CBB *out) {
2020 if (hs->max_version < TLS1_3_VERSION) {
2021 return true;
2022 }
2023
2024 CBB contents, ke_modes;
2025 if (!CBB_add_u16(out, TLSEXT_TYPE_psk_key_exchange_modes) ||
2026 !CBB_add_u16_length_prefixed(out, &contents) ||
2027 !CBB_add_u8_length_prefixed(&contents, &ke_modes) ||
2028 !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) {
2029 return false;
2030 }
2031
2032 return CBB_flush(out);
2033}
2034
2035static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
2036 uint8_t *out_alert,
2037 CBS *contents) {
2038 if (contents == NULL) {
2039 return true;
2040 }
2041
2042 CBS ke_modes;
2043 if (!CBS_get_u8_length_prefixed(contents, &ke_modes) ||
2044 CBS_len(&ke_modes) == 0 ||
2045 CBS_len(contents) != 0) {
2046 *out_alert = SSL_AD_DECODE_ERROR;
2047 return false;
2048 }
2049
2050 // We only support tickets with PSK_DHE_KE.
2051 hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE,
2052 CBS_len(&ke_modes)) != NULL;
2053
2054 return true;
2055}
2056
2057
2058// Early Data Indication
2059//
2060// https://tools.ietf.org/html/rfc8446#section-4.2.10
2061
2062static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2063 SSL *const ssl = hs->ssl;
2064 // The second ClientHello never offers early data, and we must have already
2065 // filled in |early_data_reason| by this point.
2066 if (hs->received_hello_retry_request) {
2067 assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
2068 return true;
2069 }
2070
2071 if (!ssl->enable_early_data) {
2072 ssl->s3->early_data_reason = ssl_early_data_disabled;
2073 return true;
2074 }
2075
2076 if (hs->max_version < TLS1_3_VERSION) {
2077 // We discard inapplicable sessions, so this is redundant with the session
2078 // checks below, but we check give a more useful reason.
2079 ssl->s3->early_data_reason = ssl_early_data_protocol_version;
2080 return true;
2081 }
2082
2083 if (ssl->session == nullptr) {
2084 ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
2085 return true;
2086 }
2087
2088 if (ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
2089 ssl->session->ticket_max_early_data == 0) {
2090 ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
2091 return true;
2092 }
2093
2094 // In case ALPN preferences changed since this session was established, avoid
2095 // reporting a confusing value in |SSL_get0_alpn_selected| and sending early
2096 // data we know will be rejected.
2097 if (!ssl->session->early_alpn.empty() &&
2098 !ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn)) {
2099 ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;
2100 return true;
2101 }
2102
2103 // |early_data_reason| will be filled in later when the server responds.
2104 hs->early_data_offered = true;
2105
2106 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2107 !CBB_add_u16(out, 0) ||
2108 !CBB_flush(out)) {
2109 return false;
2110 }
2111
2112 return true;
2113}
2114
2115static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
2116 uint8_t *out_alert,
2117 CBS *contents) {
2118 SSL *const ssl = hs->ssl;
2119 if (contents == NULL) {
2120 if (hs->early_data_offered && !hs->received_hello_retry_request) {
2121 ssl->s3->early_data_reason = ssl->s3->session_reused
2122 ? ssl_early_data_peer_declined
2123 : ssl_early_data_session_not_resumed;
2124 } else {
2125 // We already filled in |early_data_reason| when declining to offer 0-RTT
2126 // or handling the implicit HelloRetryRequest reject.
2127 assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
2128 }
2129 return true;
2130 }
2131
2132 // If we received an HRR, the second ClientHello never offers early data, so
2133 // the extensions logic will automatically reject early data extensions as
2134 // unsolicited. This covered by the ServerAcceptsEarlyDataOnHRR test.
2135 assert(!hs->received_hello_retry_request);
2136
2137 if (CBS_len(contents) != 0) {
2138 *out_alert = SSL_AD_DECODE_ERROR;
2139 return false;
2140 }
2141
2142 if (!ssl->s3->session_reused) {
2143 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2144 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
2145 return false;
2146 }
2147
2148 ssl->s3->early_data_reason = ssl_early_data_accepted;
2149 ssl->s3->early_data_accepted = true;
2150 return true;
2151}
2152
2153static bool ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs,
2154 uint8_t *out_alert, CBS *contents) {
2155 SSL *const ssl = hs->ssl;
2156 if (contents == NULL ||
2157 ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2158 return true;
2159 }
2160
2161 if (CBS_len(contents) != 0) {
2162 *out_alert = SSL_AD_DECODE_ERROR;
2163 return false;
2164 }
2165
2166 hs->early_data_offered = true;
2167 return true;
2168}
2169
2170static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2171 if (!hs->ssl->s3->early_data_accepted) {
2172 return true;
2173 }
2174
2175 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2176 !CBB_add_u16(out, 0) ||
2177 !CBB_flush(out)) {
2178 return false;
2179 }
2180
2181 return true;
2182}
2183
2184
2185// Key Share
2186//
2187// https://tools.ietf.org/html/rfc8446#section-4.2.8
2188
2189static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2190 SSL *const ssl = hs->ssl;
2191 if (hs->max_version < TLS1_3_VERSION) {
2192 return true;
2193 }
2194
2195 CBB contents, kse_bytes;
2196 if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2197 !CBB_add_u16_length_prefixed(out, &contents) ||
2198 !CBB_add_u16_length_prefixed(&contents, &kse_bytes)) {
2199 return false;
2200 }
2201
2202 uint16_t group_id = hs->retry_group;
2203 uint16_t second_group_id = 0;
2204 if (hs->received_hello_retry_request) {
2205 // We received a HelloRetryRequest without a new curve, so there is no new
2206 // share to append. Leave |hs->key_share| as-is.
2207 if (group_id == 0 &&
2208 !CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(),
2209 hs->key_share_bytes.size())) {
2210 return false;
2211 }
2212 hs->key_share_bytes.Reset();
2213 if (group_id == 0) {
2214 return CBB_flush(out);
2215 }
2216 } else {
2217 // Add a fake group. See draft-davidben-tls-grease-01.
2218 if (ssl->ctx->grease_enabled &&
2219 (!CBB_add_u16(&kse_bytes,
2220 ssl_get_grease_value(hs, ssl_grease_group)) ||
2221 !CBB_add_u16(&kse_bytes, 1 /* length */) ||
2222 !CBB_add_u8(&kse_bytes, 0 /* one byte key share */))) {
2223 return false;
2224 }
2225
2226 // Predict the most preferred group.
2227 Span<const uint16_t> groups = tls1_get_grouplist(hs);
2228 if (groups.empty()) {
2229 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED);
2230 return false;
2231 }
2232
2233 group_id = groups[0];
2234
2235 if (is_post_quantum_group(group_id) && groups.size() >= 2) {
2236 // CECPQ2(b) is not sent as the only initial key share. We'll include the
2237 // 2nd preference group too to avoid round-trips.
2238 second_group_id = groups[1];
2239 assert(second_group_id != group_id);
2240 }
2241 }
2242
2243 CBB key_exchange;
2244 hs->key_shares[0] = SSLKeyShare::Create(group_id);
2245 if (!hs->key_shares[0] ||
2246 !CBB_add_u16(&kse_bytes, group_id) ||
2247 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2248 !hs->key_shares[0]->Offer(&key_exchange) ||
2249 !CBB_flush(&kse_bytes)) {
2250 return false;
2251 }
2252
2253 if (second_group_id != 0) {
2254 hs->key_shares[1] = SSLKeyShare::Create(second_group_id);
2255 if (!hs->key_shares[1] ||
2256 !CBB_add_u16(&kse_bytes, second_group_id) ||
2257 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2258 !hs->key_shares[1]->Offer(&key_exchange) ||
2259 !CBB_flush(&kse_bytes)) {
2260 return false;
2261 }
2262 }
2263
2264 // Save the contents of the extension to repeat it in the second
2265 // ClientHello.
2266 if (!hs->received_hello_retry_request &&
2267 !hs->key_share_bytes.CopyFrom(
2268 MakeConstSpan(CBB_data(&kse_bytes), CBB_len(&kse_bytes)))) {
2269 return false;
2270 }
2271
2272 return CBB_flush(out);
2273}
2274
2275bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
2276 Array<uint8_t> *out_secret,
2277 uint8_t *out_alert, CBS *contents) {
2278 CBS peer_key;
2279 uint16_t group_id;
2280 if (!CBS_get_u16(contents, &group_id) ||
2281 !CBS_get_u16_length_prefixed(contents, &peer_key) ||
2282 CBS_len(contents) != 0) {
2283 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2284 *out_alert = SSL_AD_DECODE_ERROR;
2285 return false;
2286 }
2287
2288 SSLKeyShare *key_share = hs->key_shares[0].get();
2289 if (key_share->GroupID() != group_id) {
2290 if (!hs->key_shares[1] || hs->key_shares[1]->GroupID() != group_id) {
2291 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2292 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
2293 return false;
2294 }
2295 key_share = hs->key_shares[1].get();
2296 }
2297
2298 if (!key_share->Finish(out_secret, out_alert, peer_key)) {
2299 *out_alert = SSL_AD_INTERNAL_ERROR;
2300 return false;
2301 }
2302
2303 hs->new_session->group_id = group_id;
2304 hs->key_shares[0].reset();
2305 hs->key_shares[1].reset();
2306 return true;
2307}
2308
2309bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
2310 Array<uint8_t> *out_secret,
2311 uint8_t *out_alert, CBS *contents) {
2312 uint16_t group_id;
2313 CBS key_shares;
2314 if (!tls1_get_shared_group(hs, &group_id)) {
2315 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
2316 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
2317 return false;
2318 }
2319
2320 if (!CBS_get_u16_length_prefixed(contents, &key_shares) ||
2321 CBS_len(contents) != 0) {
2322 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2323 return false;
2324 }
2325
2326 // Find the corresponding key share.
2327 CBS peer_key;
2328 CBS_init(&peer_key, NULL, 0);
2329 while (CBS_len(&key_shares) > 0) {
2330 uint16_t id;
2331 CBS peer_key_tmp;
2332 if (!CBS_get_u16(&key_shares, &id) ||
2333 !CBS_get_u16_length_prefixed(&key_shares, &peer_key_tmp) ||
2334 CBS_len(&peer_key_tmp) == 0) {
2335 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2336 return false;
2337 }
2338
2339 if (id == group_id) {
2340 if (CBS_len(&peer_key) != 0) {
2341 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_KEY_SHARE);
2342 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2343 return false;
2344 }
2345
2346 peer_key = peer_key_tmp;
2347 // Continue parsing the structure to keep peers honest.
2348 }
2349 }
2350
2351 if (CBS_len(&peer_key) == 0) {
2352 *out_found = false;
2353 out_secret->Reset();
2354 return true;
2355 }
2356
2357 // Compute the DH secret.
2358 Array<uint8_t> secret;
2359 ScopedCBB public_key;
2360 UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
2361 if (!key_share ||
2362 !CBB_init(public_key.get(), 32) ||
2363 !key_share->Accept(public_key.get(), &secret, out_alert, peer_key) ||
2364 !CBBFinishArray(public_key.get(), &hs->ecdh_public_key)) {
2365 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2366 return false;
2367 }
2368
2369 *out_secret = std::move(secret);
2370 *out_found = true;
2371 return true;
2372}
2373
2374bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2375 uint16_t group_id;
2376 CBB kse_bytes, public_key;
2377 if (!tls1_get_shared_group(hs, &group_id) ||
2378 !CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2379 !CBB_add_u16_length_prefixed(out, &kse_bytes) ||
2380 !CBB_add_u16(&kse_bytes, group_id) ||
2381 !CBB_add_u16_length_prefixed(&kse_bytes, &public_key) ||
2382 !CBB_add_bytes(&public_key, hs->ecdh_public_key.data(),
2383 hs->ecdh_public_key.size()) ||
2384 !CBB_flush(out)) {
2385 return false;
2386 }
2387
2388 hs->ecdh_public_key.Reset();
2389
2390 hs->new_session->group_id = group_id;
2391 return true;
2392}
2393
2394
2395// Supported Versions
2396//
2397// https://tools.ietf.org/html/rfc8446#section-4.2.1
2398
2399static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2400 SSL *const ssl = hs->ssl;
2401 if (hs->max_version <= TLS1_2_VERSION) {
2402 return true;
2403 }
2404
2405 CBB contents, versions;
2406 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
2407 !CBB_add_u16_length_prefixed(out, &contents) ||
2408 !CBB_add_u8_length_prefixed(&contents, &versions)) {
2409 return false;
2410 }
2411
2412 // Add a fake version. See draft-davidben-tls-grease-01.
2413 if (ssl->ctx->grease_enabled &&
2414 !CBB_add_u16(&versions, ssl_get_grease_value(hs, ssl_grease_version))) {
2415 return false;
2416 }
2417
2418 if (!ssl_add_supported_versions(hs, &versions) ||
2419 !CBB_flush(out)) {
2420 return false;
2421 }
2422
2423 return true;
2424}
2425
2426
2427// Cookie
2428//
2429// https://tools.ietf.org/html/rfc8446#section-4.2.2
2430
2431static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2432 if (hs->cookie.empty()) {
2433 return true;
2434 }
2435
2436 CBB contents, cookie;
2437 if (!CBB_add_u16(out, TLSEXT_TYPE_cookie) ||
2438 !CBB_add_u16_length_prefixed(out, &contents) ||
2439 !CBB_add_u16_length_prefixed(&contents, &cookie) ||
2440 !CBB_add_bytes(&cookie, hs->cookie.data(), hs->cookie.size()) ||
2441 !CBB_flush(out)) {
2442 return false;
2443 }
2444
2445 // The cookie is no longer needed in memory.
2446 hs->cookie.Reset();
2447 return true;
2448}
2449
2450
2451// Supported Groups
2452//
2453// https://tools.ietf.org/html/rfc4492#section-5.1.1
2454// https://tools.ietf.org/html/rfc8446#section-4.2.7
2455
2456static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2457 SSL *const ssl = hs->ssl;
2458 CBB contents, groups_bytes;
2459 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_groups) ||
2460 !CBB_add_u16_length_prefixed(out, &contents) ||
2461 !CBB_add_u16_length_prefixed(&contents, &groups_bytes)) {
2462 return false;
2463 }
2464
2465 // Add a fake group. See draft-davidben-tls-grease-01.
2466 if (ssl->ctx->grease_enabled &&
2467 !CBB_add_u16(&groups_bytes,
2468 ssl_get_grease_value(hs, ssl_grease_group))) {
2469 return false;
2470 }
2471
2472 for (uint16_t group : tls1_get_grouplist(hs)) {
2473 if (is_post_quantum_group(group) &&
2474 hs->max_version < TLS1_3_VERSION) {
2475 continue;
2476 }
2477 if (!CBB_add_u16(&groups_bytes, group)) {
2478 return false;
2479 }
2480 }
2481
2482 return CBB_flush(out);
2483}
2484
2485static bool ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
2486 uint8_t *out_alert,
2487 CBS *contents) {
2488 // This extension is not expected to be echoed by servers in TLS 1.2, but some
2489 // BigIP servers send it nonetheless, so do not enforce this.
2490 return true;
2491}
2492
2493static bool parse_u16_array(const CBS *cbs, Array<uint16_t> *out) {
2494 CBS copy = *cbs;
2495 if ((CBS_len(&copy) & 1) != 0) {
2496 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2497 return false;
2498 }
2499
2500 Array<uint16_t> ret;
2501 if (!ret.Init(CBS_len(&copy) / 2)) {
2502 return false;
2503 }
2504 for (size_t i = 0; i < ret.size(); i++) {
2505 if (!CBS_get_u16(&copy, &ret[i])) {
2506 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2507 return false;
2508 }
2509 }
2510
2511 assert(CBS_len(&copy) == 0);
2512 *out = std::move(ret);
2513 return 1;
2514}
2515
2516static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,
2517 uint8_t *out_alert,
2518 CBS *contents) {
2519 if (contents == NULL) {
2520 return true;
2521 }
2522
2523 CBS supported_group_list;
2524 if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) ||
2525 CBS_len(&supported_group_list) == 0 ||
2526 CBS_len(contents) != 0 ||
2527 !parse_u16_array(&supported_group_list, &hs->peer_supported_group_list)) {
2528 return false;
2529 }
2530
2531 return true;
2532}
2533
2534// Token Binding
2535//
2536// https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-10
2537
2538// The Token Binding version number currently matches the draft number of
2539// draft-ietf-tokbind-protocol, and when published as an RFC it will be 0x0100.
2540// Since there are no wire changes to the protocol from draft 13 through the
2541// current draft (16), this implementation supports all versions in that range.
2542static uint16_t kTokenBindingMaxVersion = 16;
2543static uint16_t kTokenBindingMinVersion = 13;
2544
2545static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2546 SSL *const ssl = hs->ssl;
2547 if (hs->config->token_binding_params.empty() || SSL_is_dtls(ssl)) {
2548 return true;
2549 }
2550
2551 CBB contents, params;
2552 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2553 !CBB_add_u16_length_prefixed(out, &contents) ||
2554 !CBB_add_u16(&contents, kTokenBindingMaxVersion) ||
2555 !CBB_add_u8_length_prefixed(&contents, &params) ||
2556 !CBB_add_bytes(&params, hs->config->token_binding_params.data(),
2557 hs->config->token_binding_params.size()) ||
2558 !CBB_flush(out)) {
2559 return false;
2560 }
2561
2562 return true;
2563}
2564
2565static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs,
2566 uint8_t *out_alert,
2567 CBS *contents) {
2568 SSL *const ssl = hs->ssl;
2569 if (contents == nullptr) {
2570 return true;
2571 }
2572
2573 CBS params_list;
2574 uint16_t version;
2575 uint8_t param;
2576 if (!CBS_get_u16(contents, &version) ||
2577 !CBS_get_u8_length_prefixed(contents, &params_list) ||
2578 !CBS_get_u8(&params_list, &param) ||
2579 CBS_len(&params_list) > 0 ||
2580 CBS_len(contents) > 0) {
2581 *out_alert = SSL_AD_DECODE_ERROR;
2582 return false;
2583 }
2584
2585 // The server-negotiated version must be less than or equal to our version.
2586 if (version > kTokenBindingMaxVersion) {
2587 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2588 return false;
2589 }
2590
2591 // If the server-selected version is less than what we support, then Token
2592 // Binding wasn't negotiated (but the extension was parsed successfully).
2593 if (version < kTokenBindingMinVersion) {
2594 return true;
2595 }
2596
2597 for (uint8_t config_param : hs->config->token_binding_params) {
2598 if (param == config_param) {
2599 ssl->s3->negotiated_token_binding_param = param;
2600 ssl->s3->token_binding_negotiated = true;
2601 return true;
2602 }
2603 }
2604
2605 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2606 return false;
2607}
2608
2609// select_tb_param looks for the first token binding param in
2610// |hs->ssl->token_binding_params| that is also in |params| and puts it in
2611// |hs->ssl->negotiated_token_binding_param|. It returns true if a token binding
2612// param is found, and false otherwise.
2613static bool select_tb_param(SSL_HANDSHAKE *hs,
2614 Span<const uint8_t> peer_params) {
2615 for (uint8_t tb_param : hs->config->token_binding_params) {
2616 for (uint8_t peer_param : peer_params) {
2617 if (tb_param == peer_param) {
2618 hs->ssl->s3->negotiated_token_binding_param = tb_param;
2619 return true;
2620 }
2621 }
2622 }
2623 return false;
2624}
2625
2626static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs,
2627 uint8_t *out_alert,
2628 CBS *contents) {
2629 SSL *const ssl = hs->ssl;
2630 if (contents == nullptr || hs->config->token_binding_params.empty()) {
2631 return true;
2632 }
2633
2634 CBS params;
2635 uint16_t version;
2636 if (!CBS_get_u16(contents, &version) ||
2637 !CBS_get_u8_length_prefixed(contents, &params) ||
2638 CBS_len(&params) == 0 ||
2639 CBS_len(contents) > 0) {
2640 *out_alert = SSL_AD_DECODE_ERROR;
2641 return false;
2642 }
2643
2644 // If the client-selected version is less than what we support, then Token
2645 // Binding wasn't negotiated (but the extension was parsed successfully).
2646 if (version < kTokenBindingMinVersion) {
2647 return true;
2648 }
2649
2650 // If the client-selected version is higher than we support, use our max
2651 // version. Otherwise, use the client's version.
2652 hs->negotiated_token_binding_version =
2653 std::min(version, kTokenBindingMaxVersion);
2654 if (!select_tb_param(hs, params)) {
2655 return true;
2656 }
2657
2658 ssl->s3->token_binding_negotiated = true;
2659 return true;
2660}
2661
2662static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2663 SSL *const ssl = hs->ssl;
2664
2665 if (!ssl->s3->token_binding_negotiated) {
2666 return true;
2667 }
2668
2669 CBB contents, params;
2670 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2671 !CBB_add_u16_length_prefixed(out, &contents) ||
2672 !CBB_add_u16(&contents, hs->negotiated_token_binding_version) ||
2673 !CBB_add_u8_length_prefixed(&contents, &params) ||
2674 !CBB_add_u8(&params, ssl->s3->negotiated_token_binding_param) ||
2675 !CBB_flush(out)) {
2676 return false;
2677 }
2678
2679 return true;
2680}
2681
2682// QUIC Transport Parameters
2683
2684static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
2685 CBB *out) {
2686 if (hs->config->quic_transport_params.empty() ||
2687 hs->max_version <= TLS1_2_VERSION) {
2688 return true;
2689 }
2690
2691 CBB contents;
2692 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2693 !CBB_add_u16_length_prefixed(out, &contents) ||
2694 !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
2695 hs->config->quic_transport_params.size()) ||
2696 !CBB_flush(out)) {
2697 return false;
2698 }
2699 return true;
2700}
2701
2702static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
2703 uint8_t *out_alert,
2704 CBS *contents) {
2705 SSL *const ssl = hs->ssl;
2706 if (contents == nullptr) {
2707 return true;
2708 }
2709 // QUIC requires TLS 1.3.
2710 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2711 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2712 return false;
2713 }
2714
2715 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2716}
2717
2718static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
2719 uint8_t *out_alert,
2720 CBS *contents) {
2721 SSL *const ssl = hs->ssl;
2722 if (!contents || hs->config->quic_transport_params.empty()) {
2723 return true;
2724 }
2725 // Ignore the extension before TLS 1.3.
2726 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2727 return true;
2728 }
2729
2730 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2731}
2732
2733static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
2734 CBB *out) {
2735 if (hs->config->quic_transport_params.empty()) {
2736 return true;
2737 }
2738
2739 CBB contents;
2740 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2741 !CBB_add_u16_length_prefixed(out, &contents) ||
2742 !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
2743 hs->config->quic_transport_params.size()) ||
2744 !CBB_flush(out)) {
2745 return false;
2746 }
2747
2748 return true;
2749}
2750
2751// Delegated credentials.
2752//
2753// https://tools.ietf.org/html/draft-ietf-tls-subcerts
2754
2755static bool ext_delegated_credential_add_clienthello(SSL_HANDSHAKE *hs,
2756 CBB *out) {
2757 return true;
2758}
2759
2760static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs,
2761 uint8_t *out_alert,
2762 CBS *contents) {
2763 assert(TLSEXT_TYPE_delegated_credential == 0xff02);
2764 // TODO: Check that the extension is empty.
2765 //
2766 // As of draft-03, the client sends an empty extension in order indicate
2767 // support for delegated credentials. This could change, however, since the
2768 // spec is not yet finalized. This assertion is here to remind us to enforce
2769 // this check once the extension ID is assigned.
2770
2771 if (contents == nullptr || ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
2772 // Don't use delegated credentials unless we're negotiating TLS 1.3 or
2773 // higher.
2774 return true;
2775 }
2776
2777 hs->delegated_credential_requested = true;
2778 return true;
2779}
2780
2781// Certificate compression
2782
2783static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2784 bool first = true;
2785 CBB contents, algs;
2786
2787 for (const auto *alg : hs->ssl->ctx->cert_compression_algs.get()) {
2788 if (alg->decompress == nullptr) {
2789 continue;
2790 }
2791
2792 if (first && (!CBB_add_u16(out, TLSEXT_TYPE_cert_compression) ||
2793 !CBB_add_u16_length_prefixed(out, &contents) ||
2794 !CBB_add_u8_length_prefixed(&contents, &algs))) {
2795 return false;
2796 }
2797 first = false;
2798 if (!CBB_add_u16(&algs, alg->alg_id)) {
2799 return false;
2800 }
2801 }
2802
2803 return first || CBB_flush(out);
2804}
2805
2806static bool cert_compression_parse_serverhello(SSL_HANDSHAKE *hs,
2807 uint8_t *out_alert,
2808 CBS *contents) {
2809 if (contents == nullptr) {
2810 return true;
2811 }
2812
2813 // The server may not echo this extension. Any server to client negotiation is
2814 // advertised in the CertificateRequest message.
2815 return false;
2816}
2817
2818static bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs,
2819 uint8_t *out_alert,
2820 CBS *contents) {
2821 if (contents == nullptr) {
2822 return true;
2823 }
2824
2825 const size_t num_algs =
2826 sk_CertCompressionAlg_num(hs->ssl->ctx->cert_compression_algs.get());
2827
2828 CBS alg_ids;
2829 if (!CBS_get_u8_length_prefixed(contents, &alg_ids) ||
2830 CBS_len(contents) != 0 ||
2831 CBS_len(&alg_ids) == 0 ||
2832 CBS_len(&alg_ids) % 2 == 1) {
2833 return false;
2834 }
2835
2836 const size_t num_given_alg_ids = CBS_len(&alg_ids) / 2;
2837 Array<uint16_t> given_alg_ids;
2838 if (!given_alg_ids.Init(num_given_alg_ids)) {
2839 return false;
2840 }
2841
2842 size_t best_index = num_algs;
2843 size_t given_alg_idx = 0;
2844
2845 while (CBS_len(&alg_ids) > 0) {
2846 uint16_t alg_id;
2847 if (!CBS_get_u16(&alg_ids, &alg_id)) {
2848 return false;
2849 }
2850
2851 given_alg_ids[given_alg_idx++] = alg_id;
2852
2853 for (size_t i = 0; i < num_algs; i++) {
2854 const auto *alg = sk_CertCompressionAlg_value(
2855 hs->ssl->ctx->cert_compression_algs.get(), i);
2856 if (alg->alg_id == alg_id && alg->compress != nullptr) {
2857 if (i < best_index) {
2858 best_index = i;
2859 }
2860 break;
2861 }
2862 }
2863 }
2864
2865 qsort(given_alg_ids.data(), given_alg_ids.size(), sizeof(uint16_t),
2866 compare_uint16_t);
2867 for (size_t i = 1; i < num_given_alg_ids; i++) {
2868 if (given_alg_ids[i - 1] == given_alg_ids[i]) {
2869 return false;
2870 }
2871 }
2872
2873 if (best_index < num_algs &&
2874 ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
2875 hs->cert_compression_negotiated = true;
2876 hs->cert_compression_alg_id =
2877 sk_CertCompressionAlg_value(hs->ssl->ctx->cert_compression_algs.get(),
2878 best_index)
2879 ->alg_id;
2880 }
2881
2882 return true;
2883}
2884
2885static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2886 return true;
2887}
2888
2889
2890// Post-quantum experiment signal
2891//
2892// This extension may be used in order to identify a control group for
2893// experimenting with post-quantum key exchange algorithms.
2894
2895static bool ext_pq_experiment_signal_add_clienthello(SSL_HANDSHAKE *hs,
2896 CBB *out) {
2897 if (hs->ssl->ctx->pq_experiment_signal &&
2898 (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
2899 !CBB_add_u16(out, 0))) {
2900 return false;
2901 }
2902
2903 return true;
2904}
2905
2906static bool ext_pq_experiment_signal_parse_serverhello(SSL_HANDSHAKE *hs,
2907 uint8_t *out_alert,
2908 CBS *contents) {
2909 if (contents == nullptr) {
2910 return true;
2911 }
2912
2913 if (!hs->ssl->ctx->pq_experiment_signal || CBS_len(contents) != 0) {
2914 return false;
2915 }
2916
2917 hs->ssl->s3->pq_experiment_signal_seen = true;
2918 return true;
2919}
2920
2921static bool ext_pq_experiment_signal_parse_clienthello(SSL_HANDSHAKE *hs,
2922 uint8_t *out_alert,
2923 CBS *contents) {
2924 if (contents == nullptr) {
2925 return true;
2926 }
2927
2928 if (CBS_len(contents) != 0) {
2929 return false;
2930 }
2931
2932 if (hs->ssl->ctx->pq_experiment_signal) {
2933 hs->ssl->s3->pq_experiment_signal_seen = true;
2934 }
2935
2936 return true;
2937}
2938
2939static bool ext_pq_experiment_signal_add_serverhello(SSL_HANDSHAKE *hs,
2940 CBB *out) {
2941 if (hs->ssl->s3->pq_experiment_signal_seen &&
2942 (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
2943 !CBB_add_u16(out, 0))) {
2944 return false;
2945 }
2946
2947 return true;
2948}
2949
2950// kExtensions contains all the supported extensions.
2951static const struct tls_extension kExtensions[] = {
2952 {
2953 TLSEXT_TYPE_server_name,
2954 NULL,
2955 ext_sni_add_clienthello,
2956 ext_sni_parse_serverhello,
2957 ext_sni_parse_clienthello,
2958 ext_sni_add_serverhello,
2959 },
2960 {
2961 TLSEXT_TYPE_extended_master_secret,
2962 NULL,
2963 ext_ems_add_clienthello,
2964 ext_ems_parse_serverhello,
2965 ext_ems_parse_clienthello,
2966 ext_ems_add_serverhello,
2967 },
2968 {
2969 TLSEXT_TYPE_renegotiate,
2970 NULL,
2971 ext_ri_add_clienthello,
2972 ext_ri_parse_serverhello,
2973 ext_ri_parse_clienthello,
2974 ext_ri_add_serverhello,
2975 },
2976 {
2977 TLSEXT_TYPE_supported_groups,
2978 NULL,
2979 ext_supported_groups_add_clienthello,
2980 ext_supported_groups_parse_serverhello,
2981 ext_supported_groups_parse_clienthello,
2982 dont_add_serverhello,
2983 },
2984 {
2985 TLSEXT_TYPE_ec_point_formats,
2986 NULL,
2987 ext_ec_point_add_clienthello,
2988 ext_ec_point_parse_serverhello,
2989 ext_ec_point_parse_clienthello,
2990 ext_ec_point_add_serverhello,
2991 },
2992 {
2993 TLSEXT_TYPE_session_ticket,
2994 NULL,
2995 ext_ticket_add_clienthello,
2996 ext_ticket_parse_serverhello,
2997 // Ticket extension client parsing is handled in ssl_session.c
2998 ignore_parse_clienthello,
2999 ext_ticket_add_serverhello,
3000 },
3001 {
3002 TLSEXT_TYPE_application_layer_protocol_negotiation,
3003 NULL,
3004 ext_alpn_add_clienthello,
3005 ext_alpn_parse_serverhello,
3006 // ALPN is negotiated late in |ssl_negotiate_alpn|.
3007 ignore_parse_clienthello,
3008 ext_alpn_add_serverhello,
3009 },
3010 {
3011 TLSEXT_TYPE_status_request,
3012 NULL,
3013 ext_ocsp_add_clienthello,
3014 ext_ocsp_parse_serverhello,
3015 ext_ocsp_parse_clienthello,
3016 ext_ocsp_add_serverhello,
3017 },
3018 {
3019 TLSEXT_TYPE_signature_algorithms,
3020 NULL,
3021 ext_sigalgs_add_clienthello,
3022 forbid_parse_serverhello,
3023 ext_sigalgs_parse_clienthello,
3024 dont_add_serverhello,
3025 },
3026 {
3027 TLSEXT_TYPE_signature_algorithms_cert,
3028 NULL,
3029 ext_sigalgs_cert_add_clienthello,
3030 forbid_parse_serverhello,
3031 ignore_parse_clienthello,
3032 dont_add_serverhello,
3033 },
3034 {
3035 TLSEXT_TYPE_next_proto_neg,
3036 NULL,
3037 ext_npn_add_clienthello,
3038 ext_npn_parse_serverhello,
3039 ext_npn_parse_clienthello,
3040 ext_npn_add_serverhello,
3041 },
3042 {
3043 TLSEXT_TYPE_certificate_timestamp,
3044 NULL,
3045 ext_sct_add_clienthello,
3046 ext_sct_parse_serverhello,
3047 ext_sct_parse_clienthello,
3048 ext_sct_add_serverhello,
3049 },
3050 {
3051 TLSEXT_TYPE_channel_id,
3052 ext_channel_id_init,
3053 ext_channel_id_add_clienthello,
3054 ext_channel_id_parse_serverhello,
3055 ext_channel_id_parse_clienthello,
3056 ext_channel_id_add_serverhello,
3057 },
3058 {
3059 TLSEXT_TYPE_srtp,
3060 ext_srtp_init,
3061 ext_srtp_add_clienthello,
3062 ext_srtp_parse_serverhello,
3063 ext_srtp_parse_clienthello,
3064 ext_srtp_add_serverhello,
3065 },
3066 {
3067 TLSEXT_TYPE_key_share,
3068 NULL,
3069 ext_key_share_add_clienthello,
3070 forbid_parse_serverhello,
3071 ignore_parse_clienthello,
3072 dont_add_serverhello,
3073 },
3074 {
3075 TLSEXT_TYPE_psk_key_exchange_modes,
3076 NULL,
3077 ext_psk_key_exchange_modes_add_clienthello,
3078 forbid_parse_serverhello,
3079 ext_psk_key_exchange_modes_parse_clienthello,
3080 dont_add_serverhello,
3081 },
3082 {
3083 TLSEXT_TYPE_early_data,
3084 NULL,
3085 ext_early_data_add_clienthello,
3086 ext_early_data_parse_serverhello,
3087 ext_early_data_parse_clienthello,
3088 ext_early_data_add_serverhello,
3089 },
3090 {
3091 TLSEXT_TYPE_supported_versions,
3092 NULL,
3093 ext_supported_versions_add_clienthello,
3094 forbid_parse_serverhello,
3095 ignore_parse_clienthello,
3096 dont_add_serverhello,
3097 },
3098 {
3099 TLSEXT_TYPE_cookie,
3100 NULL,
3101 ext_cookie_add_clienthello,
3102 forbid_parse_serverhello,
3103 ignore_parse_clienthello,
3104 dont_add_serverhello,
3105 },
3106 {
3107 TLSEXT_TYPE_quic_transport_parameters,
3108 NULL,
3109 ext_quic_transport_params_add_clienthello,
3110 ext_quic_transport_params_parse_serverhello,
3111 ext_quic_transport_params_parse_clienthello,
3112 ext_quic_transport_params_add_serverhello,
3113 },
3114 {
3115 TLSEXT_TYPE_token_binding,
3116 NULL,
3117 ext_token_binding_add_clienthello,
3118 ext_token_binding_parse_serverhello,
3119 ext_token_binding_parse_clienthello,
3120 ext_token_binding_add_serverhello,
3121 },
3122 {
3123 TLSEXT_TYPE_cert_compression,
3124 NULL,
3125 cert_compression_add_clienthello,
3126 cert_compression_parse_serverhello,
3127 cert_compression_parse_clienthello,
3128 cert_compression_add_serverhello,
3129 },
3130 {
3131 TLSEXT_TYPE_delegated_credential,
3132 NULL,
3133 ext_delegated_credential_add_clienthello,
3134 forbid_parse_serverhello,
3135 ext_delegated_credential_parse_clienthello,
3136 dont_add_serverhello,
3137 },
3138 {
3139 TLSEXT_TYPE_pq_experiment_signal,
3140 NULL,
3141 ext_pq_experiment_signal_add_clienthello,
3142 ext_pq_experiment_signal_parse_serverhello,
3143 ext_pq_experiment_signal_parse_clienthello,
3144 ext_pq_experiment_signal_add_serverhello,
3145 },
3146};
3147
3148#define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
3149
3150static_assert(kNumExtensions <=
3151 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.sent) * 8,
3152 "too many extensions for sent bitset");
3153static_assert(kNumExtensions <=
3154 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8,
3155 "too many extensions for received bitset");
3156
3157static const struct tls_extension *tls_extension_find(uint32_t *out_index,
3158 uint16_t value) {
3159 unsigned i;
3160 for (i = 0; i < kNumExtensions; i++) {
3161 if (kExtensions[i].value == value) {
3162 *out_index = i;
3163 return &kExtensions[i];
3164 }
3165 }
3166
3167 return NULL;
3168}
3169
3170bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out,
3171 size_t header_len) {
3172 SSL *const ssl = hs->ssl;
3173 CBB extensions;
3174 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
3175 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3176 return false;
3177 }
3178
3179 // Note we may send multiple ClientHellos for DTLS HelloVerifyRequest and TLS
3180 // 1.3 HelloRetryRequest. For the latter, the extensions may change, so it is
3181 // important to reset this value.
3182 hs->extensions.sent = 0;
3183
3184 for (size_t i = 0; i < kNumExtensions; i++) {
3185 if (kExtensions[i].init != NULL) {
3186 kExtensions[i].init(hs);
3187 }
3188 }
3189
3190 uint16_t grease_ext1 = 0;
3191 if (ssl->ctx->grease_enabled) {
3192 // Add a fake empty extension. See draft-davidben-tls-grease-01.
3193 grease_ext1 = ssl_get_grease_value(hs, ssl_grease_extension1);
3194 if (!CBB_add_u16(&extensions, grease_ext1) ||
3195 !CBB_add_u16(&extensions, 0 /* zero length */)) {
3196 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3197 return false;
3198 }
3199 }
3200
3201 bool last_was_empty = false;
3202 for (size_t i = 0; i < kNumExtensions; i++) {
3203 const size_t len_before = CBB_len(&extensions);
3204 if (!kExtensions[i].add_clienthello(hs, &extensions)) {
3205 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
3206 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3207 return false;
3208 }
3209
3210 const size_t bytes_written = CBB_len(&extensions) - len_before;
3211 if (bytes_written != 0) {
3212 hs->extensions.sent |= (1u << i);
3213 }
3214 // If the difference in lengths is only four bytes then the extension had
3215 // an empty body.
3216 last_was_empty = (bytes_written == 4);
3217 }
3218
3219 if (ssl->ctx->grease_enabled) {
3220 // Add a fake non-empty extension. See draft-davidben-tls-grease-01.
3221 uint16_t grease_ext2 = ssl_get_grease_value(hs, ssl_grease_extension2);
3222
3223 // The two fake extensions must not have the same value. GREASE values are
3224 // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
3225 // one.
3226 if (grease_ext1 == grease_ext2) {
3227 grease_ext2 ^= 0x1010;
3228 }
3229
3230 if (!CBB_add_u16(&extensions, grease_ext2) ||
3231 !CBB_add_u16(&extensions, 1 /* one byte length */) ||
3232 !CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) {
3233 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3234 return false;
3235 }
3236
3237 last_was_empty = false;
3238 }
3239
3240 if (!SSL_is_dtls(ssl)) {
3241 size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs);
3242 header_len += 2 + CBB_len(&extensions) + psk_extension_len;
3243 size_t padding_len = 0;
3244
3245 // The final extension must be non-empty. WebSphere Application
3246 // Server 7.0 is intolerant to the last extension being zero-length. See
3247 // https://crbug.com/363583.
3248 if (last_was_empty && psk_extension_len == 0) {
3249 padding_len = 1;
3250 // The addition of the padding extension may push us into the F5 bug.
3251 header_len += 4 + padding_len;
3252 }
3253
3254 // Add padding to workaround bugs in F5 terminators. See RFC 7685.
3255 //
3256 // NB: because this code works out the length of all existing extensions
3257 // it MUST always appear last (save for any PSK extension).
3258 if (header_len > 0xff && header_len < 0x200) {
3259 // If our calculations already included a padding extension, remove that
3260 // factor because we're about to change its length.
3261 if (padding_len != 0) {
3262 header_len -= 4 + padding_len;
3263 }
3264 padding_len = 0x200 - header_len;
3265 // Extensions take at least four bytes to encode. Always include at least
3266 // one byte of data if including the extension. WebSphere Application
3267 // Server 7.0 is intolerant to the last extension being zero-length. See
3268 // https://crbug.com/363583.
3269 if (padding_len >= 4 + 1) {
3270 padding_len -= 4;
3271 } else {
3272 padding_len = 1;
3273 }
3274 }
3275
3276 if (padding_len != 0) {
3277 uint8_t *padding_bytes;
3278 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_padding) ||
3279 !CBB_add_u16(&extensions, padding_len) ||
3280 !CBB_add_space(&extensions, &padding_bytes, padding_len)) {
3281 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3282 return false;
3283 }
3284
3285 OPENSSL_memset(padding_bytes, 0, padding_len);
3286 }
3287 }
3288
3289 // The PSK extension must be last, including after the padding.
3290 if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) {
3291 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3292 return false;
3293 }
3294
3295 // Discard empty extensions blocks.
3296 if (CBB_len(&extensions) == 0) {
3297 CBB_discard_child(out);
3298 }
3299
3300 return CBB_flush(out);
3301}
3302
3303bool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
3304 SSL *const ssl = hs->ssl;
3305 CBB extensions;
3306 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
3307 goto err;
3308 }
3309
3310 for (unsigned i = 0; i < kNumExtensions; i++) {
3311 if (!(hs->extensions.received & (1u << i))) {
3312 // Don't send extensions that were not received.
3313 continue;
3314 }
3315
3316 if (!kExtensions[i].add_serverhello(hs, &extensions)) {
3317 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
3318 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3319 goto err;
3320 }
3321 }
3322
3323 // Discard empty extensions blocks before TLS 1.3.
3324 if (ssl_protocol_version(ssl) < TLS1_3_VERSION &&
3325 CBB_len(&extensions) == 0) {
3326 CBB_discard_child(out);
3327 }
3328
3329 return CBB_flush(out);
3330
3331err:
3332 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3333 return false;
3334}
3335
3336static bool ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
3337 const SSL_CLIENT_HELLO *client_hello,
3338 int *out_alert) {
3339 for (size_t i = 0; i < kNumExtensions; i++) {
3340 if (kExtensions[i].init != NULL) {
3341 kExtensions[i].init(hs);
3342 }
3343 }
3344
3345 hs->extensions.received = 0;
3346 CBS extensions;
3347 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
3348 while (CBS_len(&extensions) != 0) {
3349 uint16_t type;
3350 CBS extension;
3351
3352 // Decode the next extension.
3353 if (!CBS_get_u16(&extensions, &type) ||
3354 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3355 *out_alert = SSL_AD_DECODE_ERROR;
3356 return false;
3357 }
3358
3359 unsigned ext_index;
3360 const struct tls_extension *const ext =
3361 tls_extension_find(&ext_index, type);
3362 if (ext == NULL) {
3363 continue;
3364 }
3365
3366 hs->extensions.received |= (1u << ext_index);
3367 uint8_t alert = SSL_AD_DECODE_ERROR;
3368 if (!ext->parse_clienthello(hs, &alert, &extension)) {
3369 *out_alert = alert;
3370 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3371 ERR_add_error_dataf("extension %u", (unsigned)type);
3372 return false;
3373 }
3374 }
3375
3376 for (size_t i = 0; i < kNumExtensions; i++) {
3377 if (hs->extensions.received & (1u << i)) {
3378 continue;
3379 }
3380
3381 CBS *contents = NULL, fake_contents;
3382 static const uint8_t kFakeRenegotiateExtension[] = {0};
3383 if (kExtensions[i].value == TLSEXT_TYPE_renegotiate &&
3384 ssl_client_cipher_list_contains_cipher(client_hello,
3385 SSL3_CK_SCSV & 0xffff)) {
3386 // The renegotiation SCSV was received so pretend that we received a
3387 // renegotiation extension.
3388 CBS_init(&fake_contents, kFakeRenegotiateExtension,
3389 sizeof(kFakeRenegotiateExtension));
3390 contents = &fake_contents;
3391 hs->extensions.received |= (1u << i);
3392 }
3393
3394 // Extension wasn't observed so call the callback with a NULL
3395 // parameter.
3396 uint8_t alert = SSL_AD_DECODE_ERROR;
3397 if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) {
3398 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3399 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3400 *out_alert = alert;
3401 return false;
3402 }
3403 }
3404
3405 return true;
3406}
3407
3408bool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
3409 const SSL_CLIENT_HELLO *client_hello) {
3410 SSL *const ssl = hs->ssl;
3411 int alert = SSL_AD_DECODE_ERROR;
3412 if (!ssl_scan_clienthello_tlsext(hs, client_hello, &alert)) {
3413 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3414 return false;
3415 }
3416
3417 if (!ssl_check_clienthello_tlsext(hs)) {
3418 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT);
3419 return false;
3420 }
3421
3422 return true;
3423}
3424
3425static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
3426 int *out_alert) {
3427 SSL *const ssl = hs->ssl;
3428 // Before TLS 1.3, ServerHello extensions blocks may be omitted if empty.
3429 if (CBS_len(cbs) == 0 && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
3430 return true;
3431 }
3432
3433 // Decode the extensions block and check it is valid.
3434 CBS extensions;
3435 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
3436 !tls1_check_duplicate_extensions(&extensions)) {
3437 *out_alert = SSL_AD_DECODE_ERROR;
3438 return false;
3439 }
3440
3441 uint32_t received = 0;
3442 while (CBS_len(&extensions) != 0) {
3443 uint16_t type;
3444 CBS extension;
3445
3446 // Decode the next extension.
3447 if (!CBS_get_u16(&extensions, &type) ||
3448 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3449 *out_alert = SSL_AD_DECODE_ERROR;
3450 return false;
3451 }
3452
3453 unsigned ext_index;
3454 const struct tls_extension *const ext =
3455 tls_extension_find(&ext_index, type);
3456
3457 if (ext == NULL) {
3458 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
3459 ERR_add_error_dataf("extension %u", (unsigned)type);
3460 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
3461 return false;
3462 }
3463
3464 static_assert(kNumExtensions <= sizeof(hs->extensions.sent) * 8,
3465 "too many bits");
3466
3467 if (!(hs->extensions.sent & (1u << ext_index))) {
3468 // If the extension was never sent then it is illegal.
3469 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
3470 ERR_add_error_dataf("extension :%u", (unsigned)type);
3471 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
3472 return false;
3473 }
3474
3475 received |= (1u << ext_index);
3476
3477 uint8_t alert = SSL_AD_DECODE_ERROR;
3478 if (!ext->parse_serverhello(hs, &alert, &extension)) {
3479 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3480 ERR_add_error_dataf("extension %u", (unsigned)type);
3481 *out_alert = alert;
3482 return false;
3483 }
3484 }
3485
3486 for (size_t i = 0; i < kNumExtensions; i++) {
3487 if (!(received & (1u << i))) {
3488 // Extension wasn't observed so call the callback with a NULL
3489 // parameter.
3490 uint8_t alert = SSL_AD_DECODE_ERROR;
3491 if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) {
3492 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3493 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3494 *out_alert = alert;
3495 return false;
3496 }
3497 }
3498 }
3499
3500 return true;
3501}
3502
3503static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
3504 SSL *const ssl = hs->ssl;
3505
3506 if (ssl->s3->token_binding_negotiated &&
3507 !(SSL_get_secure_renegotiation_support(ssl) &&
3508 SSL_get_extms_support(ssl))) {
3509 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);
3510 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
3511 return false;
3512 }
3513
3514 int ret = SSL_TLSEXT_ERR_NOACK;
3515 int al = SSL_AD_UNRECOGNIZED_NAME;
3516
3517 if (ssl->ctx->servername_callback != 0) {
3518 ret = ssl->ctx->servername_callback(ssl, &al, ssl->ctx->servername_arg);
3519 } else if (ssl->session_ctx->servername_callback != 0) {
3520 ret = ssl->session_ctx->servername_callback(
3521 ssl, &al, ssl->session_ctx->servername_arg);
3522 }
3523
3524 switch (ret) {
3525 case SSL_TLSEXT_ERR_ALERT_FATAL:
3526 ssl_send_alert(ssl, SSL3_AL_FATAL, al);
3527 return false;
3528
3529 case SSL_TLSEXT_ERR_NOACK:
3530 hs->should_ack_sni = false;
3531 return true;
3532
3533 default:
3534 return true;
3535 }
3536}
3537
3538bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
3539 SSL *const ssl = hs->ssl;
3540 int alert = SSL_AD_DECODE_ERROR;
3541 if (!ssl_scan_serverhello_tlsext(hs, cbs, &alert)) {
3542 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3543 return false;
3544 }
3545
3546 return true;
3547}
3548
3549static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(
3550 Array<uint8_t> *out, EVP_CIPHER_CTX *cipher_ctx, HMAC_CTX *hmac_ctx,
3551 Span<const uint8_t> ticket) {
3552 size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx);
3553
3554 // Check the MAC at the end of the ticket.
3555 uint8_t mac[EVP_MAX_MD_SIZE];
3556 size_t mac_len = HMAC_size(hmac_ctx);
3557 if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
3558 // The ticket must be large enough for key name, IV, data, and MAC.
3559 return ssl_ticket_aead_ignore_ticket;
3560 }
3561 // Split the ticket into the ticket and the MAC.
3562 auto ticket_mac = ticket.subspan(ticket.size() - mac_len);
3563 ticket = ticket.subspan(0, ticket.size() - mac_len);
3564 HMAC_Update(hmac_ctx, ticket.data(), ticket.size());
3565 HMAC_Final(hmac_ctx, mac, NULL);
3566 assert(mac_len == ticket_mac.size());
3567 bool mac_ok = CRYPTO_memcmp(mac, ticket_mac.data(), mac_len) == 0;
3568#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3569 mac_ok = true;
3570#endif
3571 if (!mac_ok) {
3572 return ssl_ticket_aead_ignore_ticket;
3573 }
3574
3575 // Decrypt the session data.
3576 auto ciphertext = ticket.subspan(SSL_TICKET_KEY_NAME_LEN + iv_len);
3577 Array<uint8_t> plaintext;
3578#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3579 if (!plaintext.CopyFrom(ciphertext)) {
3580 return ssl_ticket_aead_error;
3581 }
3582#else
3583 if (ciphertext.size() >= INT_MAX) {
3584 return ssl_ticket_aead_ignore_ticket;
3585 }
3586 if (!plaintext.Init(ciphertext.size())) {
3587 return ssl_ticket_aead_error;
3588 }
3589 int len1, len2;
3590 if (!EVP_DecryptUpdate(cipher_ctx, plaintext.data(), &len1, ciphertext.data(),
3591 (int)ciphertext.size()) ||
3592 !EVP_DecryptFinal_ex(cipher_ctx, plaintext.data() + len1, &len2)) {
3593 ERR_clear_error();
3594 return ssl_ticket_aead_ignore_ticket;
3595 }
3596 plaintext.Shrink(static_cast<size_t>(len1) + len2);
3597#endif
3598
3599 *out = std::move(plaintext);
3600 return ssl_ticket_aead_success;
3601}
3602
3603static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb(
3604 SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket,
3605 Span<const uint8_t> ticket) {
3606 assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3607 ScopedEVP_CIPHER_CTX cipher_ctx;
3608 ScopedHMAC_CTX hmac_ctx;
3609 auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);
3610 // The actual IV is shorter, but the length is determined by the callback's
3611 // chosen cipher. Instead we pass in |EVP_MAX_IV_LENGTH| worth of IV to ensure
3612 // the callback has enough.
3613 auto iv = ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_MAX_IV_LENGTH);
3614 int cb_ret = hs->ssl->session_ctx->ticket_key_cb(
3615 hs->ssl, const_cast<uint8_t *>(name.data()),
3616 const_cast<uint8_t *>(iv.data()), cipher_ctx.get(), hmac_ctx.get(),
3617 0 /* decrypt */);
3618 if (cb_ret < 0) {
3619 return ssl_ticket_aead_error;
3620 } else if (cb_ret == 0) {
3621 return ssl_ticket_aead_ignore_ticket;
3622 } else if (cb_ret == 2) {
3623 *out_renew_ticket = true;
3624 } else {
3625 assert(cb_ret == 1);
3626 }
3627 return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),
3628 ticket);
3629}
3630
3631static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys(
3632 SSL_HANDSHAKE *hs, Array<uint8_t> *out, Span<const uint8_t> ticket) {
3633 assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3634 SSL_CTX *ctx = hs->ssl->session_ctx.get();
3635
3636 // Rotate the ticket key if necessary.
3637 if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
3638 return ssl_ticket_aead_error;
3639 }
3640
3641 const EVP_CIPHER *cipher = EVP_aes_128_cbc();
3642 auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);
3643 auto iv =
3644 ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_CIPHER_iv_length(cipher));
3645
3646 // Pick the matching ticket key and decrypt.
3647 ScopedEVP_CIPHER_CTX cipher_ctx;
3648 ScopedHMAC_CTX hmac_ctx;
3649 {
3650 MutexReadLock lock(&ctx->lock);
3651 const TicketKey *key;
3652 if (ctx->ticket_key_current && name == ctx->ticket_key_current->name) {
3653 key = ctx->ticket_key_current.get();
3654 } else if (ctx->ticket_key_prev && name == ctx->ticket_key_prev->name) {
3655 key = ctx->ticket_key_prev.get();
3656 } else {
3657 return ssl_ticket_aead_ignore_ticket;
3658 }
3659 if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key),
3660 tlsext_tick_md(), NULL) ||
3661 !EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL,
3662 key->aes_key, iv.data())) {
3663 return ssl_ticket_aead_error;
3664 }
3665 }
3666 return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),
3667 ticket);
3668}
3669
3670static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method(
3671 SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket,
3672 Span<const uint8_t> ticket) {
3673 Array<uint8_t> plaintext;
3674 if (!plaintext.Init(ticket.size())) {
3675 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
3676 return ssl_ticket_aead_error;
3677 }
3678
3679 size_t plaintext_len;
3680 const enum ssl_ticket_aead_result_t result =
3681 hs->ssl->session_ctx->ticket_aead_method->open(
3682 hs->ssl, plaintext.data(), &plaintext_len, ticket.size(),
3683 ticket.data(), ticket.size());
3684 if (result != ssl_ticket_aead_success) {
3685 return result;
3686 }
3687
3688 plaintext.Shrink(plaintext_len);
3689 *out = std::move(plaintext);
3690 return ssl_ticket_aead_success;
3691}
3692
3693enum ssl_ticket_aead_result_t ssl_process_ticket(
3694 SSL_HANDSHAKE *hs, UniquePtr<SSL_SESSION> *out_session,
3695 bool *out_renew_ticket, Span<const uint8_t> ticket,
3696 Span<const uint8_t> session_id) {
3697 *out_renew_ticket = false;
3698 out_session->reset();
3699
3700 if ((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) ||
3701 session_id.size() > SSL_MAX_SSL_SESSION_ID_LENGTH) {
3702 return ssl_ticket_aead_ignore_ticket;
3703 }
3704
3705 Array<uint8_t> plaintext;
3706 enum ssl_ticket_aead_result_t result;
3707 if (hs->ssl->session_ctx->ticket_aead_method != NULL) {
3708 result = ssl_decrypt_ticket_with_method(hs, &plaintext, out_renew_ticket,
3709 ticket);
3710 } else {
3711 // Ensure there is room for the key name and the largest IV |ticket_key_cb|
3712 // may try to consume. The real limit may be lower, but the maximum IV
3713 // length should be well under the minimum size for the session material and
3714 // HMAC.
3715 if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
3716 return ssl_ticket_aead_ignore_ticket;
3717 }
3718 if (hs->ssl->session_ctx->ticket_key_cb != NULL) {
3719 result =
3720 ssl_decrypt_ticket_with_cb(hs, &plaintext, out_renew_ticket, ticket);
3721 } else {
3722 result = ssl_decrypt_ticket_with_ticket_keys(hs, &plaintext, ticket);
3723 }
3724 }
3725
3726 if (result != ssl_ticket_aead_success) {
3727 return result;
3728 }
3729
3730 // Decode the session.
3731 UniquePtr<SSL_SESSION> session(SSL_SESSION_from_bytes(
3732 plaintext.data(), plaintext.size(), hs->ssl->ctx.get()));
3733 if (!session) {
3734 ERR_clear_error(); // Don't leave an error on the queue.
3735 return ssl_ticket_aead_ignore_ticket;
3736 }
3737
3738 // Copy the client's session ID into the new session, to denote the ticket has
3739 // been accepted.
3740 OPENSSL_memcpy(session->session_id, session_id.data(), session_id.size());
3741 session->session_id_length = session_id.size();
3742
3743 *out_session = std::move(session);
3744 return ssl_ticket_aead_success;
3745}
3746
3747bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
3748 // Extension ignored for inappropriate versions
3749 if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) {
3750 return true;
3751 }
3752
3753 // In all contexts, the signature algorithms list may not be empty. (It may be
3754 // omitted by clients in TLS 1.2, but then the entire extension is omitted.)
3755 return CBS_len(in_sigalgs) != 0 &&
3756 parse_u16_array(in_sigalgs, &hs->peer_sigalgs);
3757}
3758
3759bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
3760 switch (EVP_PKEY_id(pkey)) {
3761 case EVP_PKEY_RSA:
3762 *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
3763 return true;
3764 case EVP_PKEY_EC:
3765 *out = SSL_SIGN_ECDSA_SHA1;
3766 return true;
3767 default:
3768 return false;
3769 }
3770}
3771
3772bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
3773 SSL *const ssl = hs->ssl;
3774 CERT *cert = hs->config->cert.get();
3775 DC *dc = cert->dc.get();
3776
3777 // Before TLS 1.2, the signature algorithm isn't negotiated as part of the
3778 // handshake.
3779 if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
3780 if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) {
3781 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3782 return false;
3783 }
3784 return true;
3785 }
3786
3787 Span<const uint16_t> sigalgs = kSignSignatureAlgorithms;
3788 if (ssl_signing_with_dc(hs)) {
3789 sigalgs = MakeConstSpan(&dc->expected_cert_verify_algorithm, 1);
3790 } else if (!cert->sigalgs.empty()) {
3791 sigalgs = cert->sigalgs;
3792 }
3793
3794 Span<const uint16_t> peer_sigalgs = tls1_get_peer_verify_algorithms(hs);
3795
3796 for (uint16_t sigalg : sigalgs) {
3797 // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
3798 // negotiated.
3799 if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
3800 !ssl_private_key_supports_signature_algorithm(hs, sigalg)) {
3801 continue;
3802 }
3803
3804 for (uint16_t peer_sigalg : peer_sigalgs) {
3805 if (sigalg == peer_sigalg) {
3806 *out = sigalg;
3807 return true;
3808 }
3809 }
3810 }
3811
3812 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3813 return false;
3814}
3815
3816Span<const uint16_t> tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE *hs) {
3817 Span<const uint16_t> peer_sigalgs = hs->peer_sigalgs;
3818 if (peer_sigalgs.empty() && ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
3819 // If the client didn't specify any signature_algorithms extension then
3820 // we can assume that it supports SHA1. See
3821 // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
3822 static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
3823 SSL_SIGN_ECDSA_SHA1};
3824 peer_sigalgs = kDefaultPeerAlgorithms;
3825 }
3826 return peer_sigalgs;
3827}
3828
3829bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
3830 SSL *const ssl = hs->ssl;
3831 // A Channel ID handshake message is structured to contain multiple
3832 // extensions, but the only one that can be present is Channel ID.
3833 uint16_t extension_type;
3834 CBS channel_id = msg.body, extension;
3835 if (!CBS_get_u16(&channel_id, &extension_type) ||
3836 !CBS_get_u16_length_prefixed(&channel_id, &extension) ||
3837 CBS_len(&channel_id) != 0 ||
3838 extension_type != TLSEXT_TYPE_channel_id ||
3839 CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
3840 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
3841 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
3842 return false;
3843 }
3844
3845 UniquePtr<EC_GROUP> p256(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
3846 if (!p256) {
3847 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
3848 return false;
3849 }
3850
3851 UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
3852 UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3853 if (!sig || !x || !y) {
3854 return false;
3855 }
3856
3857 const uint8_t *p = CBS_data(&extension);
3858 if (BN_bin2bn(p + 0, 32, x.get()) == NULL ||
3859 BN_bin2bn(p + 32, 32, y.get()) == NULL ||
3860 BN_bin2bn(p + 64, 32, sig->r) == NULL ||
3861 BN_bin2bn(p + 96, 32, sig->s) == NULL) {
3862 return false;
3863 }
3864
3865 UniquePtr<EC_KEY> key(EC_KEY_new());
3866 UniquePtr<EC_POINT> point(EC_POINT_new(p256.get()));
3867 if (!key || !point ||
3868 !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(),
3869 y.get(), nullptr) ||
3870 !EC_KEY_set_group(key.get(), p256.get()) ||
3871 !EC_KEY_set_public_key(key.get(), point.get())) {
3872 return false;
3873 }
3874
3875 uint8_t digest[EVP_MAX_MD_SIZE];
3876 size_t digest_len;
3877 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3878 return false;
3879 }
3880
3881 bool sig_ok = ECDSA_do_verify(digest, digest_len, sig.get(), key.get());
3882#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3883 sig_ok = true;
3884 ERR_clear_error();
3885#endif
3886 if (!sig_ok) {
3887 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
3888 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
3889 ssl->s3->channel_id_valid = false;
3890 return false;
3891 }
3892
3893 OPENSSL_memcpy(ssl->s3->channel_id, p, 64);
3894 return true;
3895}
3896
3897bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) {
3898 uint8_t digest[EVP_MAX_MD_SIZE];
3899 size_t digest_len;
3900 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3901 return false;
3902 }
3903
3904 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(hs->config->channel_id_private.get());
3905 if (ec_key == nullptr) {
3906 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3907 return false;
3908 }
3909
3910 UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3911 if (!x || !y ||
3912 !EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec_key),
3913 EC_KEY_get0_public_key(ec_key),
3914 x.get(), y.get(), nullptr)) {
3915 return false;
3916 }
3917
3918 UniquePtr<ECDSA_SIG> sig(ECDSA_do_sign(digest, digest_len, ec_key));
3919 if (!sig) {
3920 return false;
3921 }
3922
3923 CBB child;
3924 if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) ||
3925 !CBB_add_u16_length_prefixed(cbb, &child) ||
3926 !BN_bn2cbb_padded(&child, 32, x.get()) ||
3927 !BN_bn2cbb_padded(&child, 32, y.get()) ||
3928 !BN_bn2cbb_padded(&child, 32, sig->r) ||
3929 !BN_bn2cbb_padded(&child, 32, sig->s) ||
3930 !CBB_flush(cbb)) {
3931 return false;
3932 }
3933
3934 return true;
3935}
3936
3937bool tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {
3938 SSL *const ssl = hs->ssl;
3939 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
3940 Array<uint8_t> msg;
3941 if (!tls13_get_cert_verify_signature_input(hs, &msg,
3942 ssl_cert_verify_channel_id)) {
3943 return false;
3944 }
3945 SHA256(msg.data(), msg.size(), out);
3946 *out_len = SHA256_DIGEST_LENGTH;
3947 return true;
3948 }
3949
3950 SHA256_CTX ctx;
3951
3952 SHA256_Init(&ctx);
3953 static const char kClientIDMagic[] = "TLS Channel ID signature";
3954 SHA256_Update(&ctx, kClientIDMagic, sizeof(kClientIDMagic));
3955
3956 if (ssl->session != NULL) {
3957 static const char kResumptionMagic[] = "Resumption";
3958 SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic));
3959 if (ssl->session->original_handshake_hash_len == 0) {
3960 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3961 return false;
3962 }
3963 SHA256_Update(&ctx, ssl->session->original_handshake_hash,
3964 ssl->session->original_handshake_hash_len);
3965 }
3966
3967 uint8_t hs_hash[EVP_MAX_MD_SIZE];
3968 size_t hs_hash_len;
3969 if (!hs->transcript.GetHash(hs_hash, &hs_hash_len)) {
3970 return false;
3971 }
3972 SHA256_Update(&ctx, hs_hash, (size_t)hs_hash_len);
3973 SHA256_Final(out, &ctx);
3974 *out_len = SHA256_DIGEST_LENGTH;
3975 return true;
3976}
3977
3978bool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
3979 SSL *const ssl = hs->ssl;
3980 // This function should never be called for a resumed session because the
3981 // handshake hashes that we wish to record are for the original, full
3982 // handshake.
3983 if (ssl->session != NULL) {
3984 return false;
3985 }
3986
3987 static_assert(
3988 sizeof(hs->new_session->original_handshake_hash) == EVP_MAX_MD_SIZE,
3989 "original_handshake_hash is too small");
3990
3991 size_t digest_len;
3992 if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash,
3993 &digest_len)) {
3994 return false;
3995 }
3996
3997 static_assert(EVP_MAX_MD_SIZE <= 0xff,
3998 "EVP_MAX_MD_SIZE does not fit in uint8_t");
3999 hs->new_session->original_handshake_hash_len = (uint8_t)digest_len;
4000
4001 return true;
4002}
4003
4004bool ssl_do_channel_id_callback(SSL_HANDSHAKE *hs) {
4005 if (hs->config->channel_id_private != NULL ||
4006 hs->ssl->ctx->channel_id_cb == NULL) {
4007 return true;
4008 }
4009
4010 EVP_PKEY *key = NULL;
4011 hs->ssl->ctx->channel_id_cb(hs->ssl, &key);
4012 if (key == NULL) {
4013 // The caller should try again later.
4014 return true;
4015 }
4016
4017 UniquePtr<EVP_PKEY> free_key(key);
4018 return SSL_set1_tls_channel_id(hs->ssl, key);
4019}
4020
4021bool ssl_is_sct_list_valid(const CBS *contents) {
4022 // Shallow parse the SCT list for sanity. By the RFC
4023 // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
4024 // of the SCTs may be empty.
4025 CBS copy = *contents;
4026 CBS sct_list;
4027 if (!CBS_get_u16_length_prefixed(&copy, &sct_list) ||
4028 CBS_len(&copy) != 0 ||
4029 CBS_len(&sct_list) == 0) {
4030 return false;
4031 }
4032
4033 while (CBS_len(&sct_list) > 0) {
4034 CBS sct;
4035 if (!CBS_get_u16_length_prefixed(&sct_list, &sct) ||
4036 CBS_len(&sct) == 0) {
4037 return false;
4038 }
4039 }
4040
4041 return true;
4042}
4043
4044BSSL_NAMESPACE_END
4045
4046using namespace bssl;
4047
4048int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
4049 uint16_t extension_type,
4050 const uint8_t **out_data,
4051 size_t *out_len) {
4052 CBS cbs;
4053 if (!ssl_client_hello_get_extension(client_hello, &cbs, extension_type)) {
4054 return 0;
4055 }
4056
4057 *out_data = CBS_data(&cbs);
4058 *out_len = CBS_len(&cbs);
4059 return 1;
4060}
4061
4062void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
4063 ctx->ed25519_enabled = !!enabled;
4064}
4065
4066void SSL_CTX_set_rsa_pss_rsae_certs_enabled(SSL_CTX *ctx, int enabled) {
4067 ctx->rsa_pss_rsae_certs_enabled = !!enabled;
4068}
4069