Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 2 | * All rights reserved. |
| 3 | * |
| 4 | * This package is an SSL implementation written |
| 5 | * by Eric Young (eay@cryptsoft.com). |
| 6 | * The implementation was written so as to conform with Netscapes SSL. |
Adam Langley | e745b25 | 2018-02-26 14:02:17 -0800 | [diff] [blame] | 7 | * |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 8 | * This library is free for commercial and non-commercial use as long as |
| 9 | * the following conditions are aheared to. The following conditions |
| 10 | * apply to all code found in this distribution, be it the RC4, RSA, |
| 11 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
| 12 | * included with this distribution is covered by the same copyright terms |
| 13 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
Adam Langley | e745b25 | 2018-02-26 14:02:17 -0800 | [diff] [blame] | 14 | * |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 15 | * Copyright remains Eric Young's, and as such any Copyright notices in |
| 16 | * the code are not to be removed. |
| 17 | * If this package is used in a product, Eric Young should be given attribution |
| 18 | * as the author of the parts of the library used. |
| 19 | * This can be in the form of a textual message at program startup or |
| 20 | * in documentation (online or textual) provided with the package. |
Adam Langley | e745b25 | 2018-02-26 14:02:17 -0800 | [diff] [blame] | 21 | * |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 22 | * Redistribution and use in source and binary forms, with or without |
| 23 | * modification, are permitted provided that the following conditions |
| 24 | * are met: |
| 25 | * 1. Redistributions of source code must retain the copyright |
| 26 | * notice, this list of conditions and the following disclaimer. |
| 27 | * 2. Redistributions in binary form must reproduce the above copyright |
| 28 | * notice, this list of conditions and the following disclaimer in the |
| 29 | * documentation and/or other materials provided with the distribution. |
| 30 | * 3. All advertising materials mentioning features or use of this software |
| 31 | * must display the following acknowledgement: |
| 32 | * "This product includes cryptographic software written by |
| 33 | * Eric Young (eay@cryptsoft.com)" |
| 34 | * The word 'cryptographic' can be left out if the rouines from the library |
| 35 | * being used are not cryptographic related :-). |
Adam Langley | e745b25 | 2018-02-26 14:02:17 -0800 | [diff] [blame] | 36 | * 4. If you include any Windows specific code (or a derivative thereof) from |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 37 | * the apps directory (application code) you must include an acknowledgement: |
| 38 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
Adam Langley | e745b25 | 2018-02-26 14:02:17 -0800 | [diff] [blame] | 39 | * |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 40 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
| 41 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 43 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 44 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 45 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 46 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 48 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 49 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 50 | * SUCH DAMAGE. |
Adam Langley | e745b25 | 2018-02-26 14:02:17 -0800 | [diff] [blame] | 51 | * |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 52 | * The licence and distribution terms for any publically available version or |
| 53 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
| 54 | * copied and put under another distribution licence |
| 55 | * [including the GNU Public Licence.] |
| 56 | */ |
| 57 | /* ==================================================================== |
| 58 | * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. |
| 59 | * |
| 60 | * Redistribution and use in source and binary forms, with or without |
| 61 | * modification, are permitted provided that the following conditions |
| 62 | * are met: |
| 63 | * |
| 64 | * 1. Redistributions of source code must retain the above copyright |
Adam Langley | e745b25 | 2018-02-26 14:02:17 -0800 | [diff] [blame] | 65 | * notice, this list of conditions and the following disclaimer. |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 66 | * |
| 67 | * 2. Redistributions in binary form must reproduce the above copyright |
| 68 | * notice, this list of conditions and the following disclaimer in |
| 69 | * the documentation and/or other materials provided with the |
| 70 | * distribution. |
| 71 | * |
| 72 | * 3. All advertising materials mentioning features or use of this |
| 73 | * software must display the following acknowledgment: |
| 74 | * "This product includes software developed by the OpenSSL Project |
| 75 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
| 76 | * |
| 77 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
| 78 | * endorse or promote products derived from this software without |
| 79 | * prior written permission. For written permission, please contact |
| 80 | * openssl-core@openssl.org. |
| 81 | * |
| 82 | * 5. Products derived from this software may not be called "OpenSSL" |
| 83 | * nor may "OpenSSL" appear in their names without prior written |
| 84 | * permission of the OpenSSL Project. |
| 85 | * |
| 86 | * 6. Redistributions of any form whatsoever must retain the following |
| 87 | * acknowledgment: |
| 88 | * "This product includes software developed by the OpenSSL Project |
| 89 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
| 90 | * |
| 91 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
| 92 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 93 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 94 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
| 95 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 96 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 97 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 98 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 99 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 100 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 101 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 102 | * OF THE POSSIBILITY OF SUCH DAMAGE. |
| 103 | * ==================================================================== |
| 104 | * |
| 105 | * This product includes cryptographic software written by Eric Young |
| 106 | * (eay@cryptsoft.com). This product includes software written by Tim |
| 107 | * Hudson (tjh@cryptsoft.com). */ |
| 108 | |
David Benjamin | 9e4e01e | 2015-09-15 01:48:04 -0400 | [diff] [blame] | 109 | #include <openssl/ssl.h> |
| 110 | |
David Benjamin | f0ae170 | 2015-04-07 23:05:04 -0400 | [diff] [blame] | 111 | #include <assert.h> |
David Benjamin | e3aa1d9 | 2015-06-16 15:34:50 -0400 | [diff] [blame] | 112 | #include <limits.h> |
David Benjamin | 35a7a44 | 2014-07-05 00:23:20 -0400 | [diff] [blame] | 113 | #include <stdlib.h> |
David Benjamin | f0ae170 | 2015-04-07 23:05:04 -0400 | [diff] [blame] | 114 | #include <string.h> |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 115 | |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 116 | #include <algorithm> |
David Benjamin | 499742c | 2017-07-22 12:45:38 -0400 | [diff] [blame] | 117 | #include <utility> |
| 118 | |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 119 | #include <openssl/aead.h> |
David Benjamin | 0397309 | 2014-06-24 23:27:17 -0400 | [diff] [blame] | 120 | #include <openssl/bytestring.h> |
Adam Langley | 512a289 | 2017-12-30 08:04:39 -0800 | [diff] [blame] | 121 | #include <openssl/chacha.h> |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 122 | #include <openssl/curve25519.h> |
David Benjamin | d6a4ae9 | 2015-08-06 11:10:51 -0400 | [diff] [blame] | 123 | #include <openssl/digest.h> |
David Benjamin | f0ae170 | 2015-04-07 23:05:04 -0400 | [diff] [blame] | 124 | #include <openssl/err.h> |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 125 | #include <openssl/evp.h> |
| 126 | #include <openssl/hmac.h> |
David Benjamin | 070a6c3 | 2021-05-05 15:39:27 -0400 | [diff] [blame] | 127 | #include <openssl/hpke.h> |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 128 | #include <openssl/mem.h> |
David Benjamin | 9819367 | 2016-03-25 18:07:11 -0400 | [diff] [blame] | 129 | #include <openssl/nid.h> |
David Benjamin | e9c5d72 | 2021-06-09 17:43:16 -0400 | [diff] [blame] | 130 | #include <openssl/rand.h> |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 131 | |
Steven Valdez | cb96654 | 2016-08-17 16:56:14 -0400 | [diff] [blame] | 132 | #include "../crypto/internal.h" |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 133 | #include "internal.h" |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 134 | |
| 135 | |
Joshua Liebow-Feeser | 8c7c635 | 2018-08-26 18:53:36 -0700 | [diff] [blame] | 136 | BSSL_NAMESPACE_BEGIN |
David Benjamin | 86e95b8 | 2017-07-18 16:34:25 -0400 | [diff] [blame] | 137 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 138 | static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs); |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 139 | static bool ssl_check_serverhello_tlsext(SSL_HANDSHAKE *hs); |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 140 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 141 | static int compare_uint16_t(const void *p1, const void *p2) { |
| 142 | uint16_t u1 = *((const uint16_t *)p1); |
| 143 | uint16_t u2 = *((const uint16_t *)p2); |
| 144 | if (u1 < u2) { |
| 145 | return -1; |
| 146 | } else if (u1 > u2) { |
| 147 | return 1; |
| 148 | } else { |
| 149 | return 0; |
| 150 | } |
| 151 | } |
David Benjamin | 35a7a44 | 2014-07-05 00:23:20 -0400 | [diff] [blame] | 152 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 153 | // Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be |
| 154 | // more than one extension of the same type in a ClientHello or ServerHello. |
| 155 | // This function does an initial scan over the extensions block to filter those |
| 156 | // out. |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 157 | static bool tls1_check_duplicate_extensions(const CBS *cbs) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 158 | // First pass: count the extensions. |
David Benjamin | 08f5c76 | 2017-09-21 02:43:05 -0400 | [diff] [blame] | 159 | size_t num_extensions = 0; |
| 160 | CBS extensions = *cbs; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 161 | while (CBS_len(&extensions) > 0) { |
| 162 | uint16_t type; |
| 163 | CBS extension; |
David Benjamin | 35a7a44 | 2014-07-05 00:23:20 -0400 | [diff] [blame] | 164 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 165 | if (!CBS_get_u16(&extensions, &type) || |
| 166 | !CBS_get_u16_length_prefixed(&extensions, &extension)) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 167 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 168 | } |
David Benjamin | 35a7a44 | 2014-07-05 00:23:20 -0400 | [diff] [blame] | 169 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 170 | num_extensions++; |
| 171 | } |
David Benjamin | 35a7a44 | 2014-07-05 00:23:20 -0400 | [diff] [blame] | 172 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 173 | if (num_extensions == 0) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 174 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 175 | } |
David Benjamin | 9a37359 | 2014-07-25 04:27:53 -0400 | [diff] [blame] | 176 | |
David Benjamin | 08f5c76 | 2017-09-21 02:43:05 -0400 | [diff] [blame] | 177 | Array<uint16_t> extension_types; |
David Benjamin | ce572d6 | 2024-10-22 12:35:44 -0400 | [diff] [blame] | 178 | if (!extension_types.InitForOverwrite(num_extensions)) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 179 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 180 | } |
David Benjamin | 35a7a44 | 2014-07-05 00:23:20 -0400 | [diff] [blame] | 181 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 182 | // Second pass: gather the extension types. |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 183 | extensions = *cbs; |
David Benjamin | 08f5c76 | 2017-09-21 02:43:05 -0400 | [diff] [blame] | 184 | for (size_t i = 0; i < extension_types.size(); i++) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 185 | CBS extension; |
David Benjamin | 35a7a44 | 2014-07-05 00:23:20 -0400 | [diff] [blame] | 186 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 187 | if (!CBS_get_u16(&extensions, &extension_types[i]) || |
| 188 | !CBS_get_u16_length_prefixed(&extensions, &extension)) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 189 | // This should not happen. |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 190 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 191 | } |
| 192 | } |
| 193 | assert(CBS_len(&extensions) == 0); |
David Benjamin | 35a7a44 | 2014-07-05 00:23:20 -0400 | [diff] [blame] | 194 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 195 | // Sort the extensions and make sure there are no duplicates. |
David Benjamin | 08f5c76 | 2017-09-21 02:43:05 -0400 | [diff] [blame] | 196 | qsort(extension_types.data(), extension_types.size(), sizeof(uint16_t), |
| 197 | compare_uint16_t); |
| 198 | for (size_t i = 1; i < num_extensions; i++) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 199 | if (extension_types[i - 1] == extension_types[i]) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 200 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 201 | } |
| 202 | } |
David Benjamin | 35a7a44 | 2014-07-05 00:23:20 -0400 | [diff] [blame] | 203 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 204 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 205 | } |
David Benjamin | 35a7a44 | 2014-07-05 00:23:20 -0400 | [diff] [blame] | 206 | |
Kris Kwiatkowski | 78c88c9 | 2019-03-11 14:40:59 +0000 | [diff] [blame] | 207 | static bool is_post_quantum_group(uint16_t id) { |
Adam Langley | fc07738 | 2023-01-08 16:22:31 -0800 | [diff] [blame] | 208 | switch (id) { |
David Benjamin | 335523a | 2023-05-26 21:55:56 -0400 | [diff] [blame] | 209 | case SSL_GROUP_X25519_KYBER768_DRAFT00: |
David Benjamin | 7fb4d3d | 2024-08-23 15:27:03 -0400 | [diff] [blame] | 210 | case SSL_GROUP_X25519_MLKEM768: |
Adam Langley | fc07738 | 2023-01-08 16:22:31 -0800 | [diff] [blame] | 211 | return true; |
| 212 | default: |
| 213 | return false; |
| 214 | } |
Kris Kwiatkowski | 78c88c9 | 2019-03-11 14:40:59 +0000 | [diff] [blame] | 215 | } |
| 216 | |
Adam Langley | c9827e0 | 2019-04-12 14:46:50 -0700 | [diff] [blame] | 217 | bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out, |
Daniel McArdle | 00e434d | 2021-02-18 11:47:18 -0500 | [diff] [blame] | 218 | Span<const uint8_t> body) { |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 219 | CBS cbs = body; |
| 220 | if (!ssl_parse_client_hello_with_trailing_data(ssl, &cbs, out) || |
| 221 | CBS_len(&cbs) != 0) { |
| 222 | return false; |
| 223 | } |
| 224 | return true; |
| 225 | } |
| 226 | |
| 227 | bool ssl_parse_client_hello_with_trailing_data(const SSL *ssl, CBS *cbs, |
| 228 | SSL_CLIENT_HELLO *out) { |
David Benjamin | 17cf2cb | 2016-12-13 01:07:13 -0500 | [diff] [blame] | 229 | OPENSSL_memset(out, 0, sizeof(*out)); |
Adam Langley | c9827e0 | 2019-04-12 14:46:50 -0700 | [diff] [blame] | 230 | out->ssl = const_cast<SSL *>(ssl); |
David Benjamin | 8f2c20e | 2014-07-09 09:30:38 -0400 | [diff] [blame] | 231 | |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 232 | CBS copy = *cbs; |
| 233 | CBS random, session_id; |
| 234 | if (!CBS_get_u16(cbs, &out->version) || |
| 235 | !CBS_get_bytes(cbs, &random, SSL3_RANDOM_SIZE) || |
| 236 | !CBS_get_u8_length_prefixed(cbs, &session_id) || |
David Benjamin | e14ff06 | 2016-08-09 16:21:24 -0400 | [diff] [blame] | 237 | CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 238 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 239 | } |
Adam Langley | dc9b141 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 240 | |
David Benjamin | 731058e | 2016-12-03 23:15:13 -0500 | [diff] [blame] | 241 | out->random = CBS_data(&random); |
| 242 | out->random_len = CBS_len(&random); |
| 243 | out->session_id = CBS_data(&session_id); |
| 244 | out->session_id_len = CBS_len(&session_id); |
Adam Langley | dc9b141 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 245 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 246 | // Skip past DTLS cookie |
David Benjamin | 731058e | 2016-12-03 23:15:13 -0500 | [diff] [blame] | 247 | if (SSL_is_dtls(out->ssl)) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 248 | CBS cookie; |
David Benjamin | 361e3e0 | 2022-09-11 13:58:38 -0400 | [diff] [blame] | 249 | if (!CBS_get_u8_length_prefixed(cbs, &cookie)) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 250 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 251 | } |
| 252 | } |
Adam Langley | dc9b141 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 253 | |
David Benjamin | e14ff06 | 2016-08-09 16:21:24 -0400 | [diff] [blame] | 254 | CBS cipher_suites, compression_methods; |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 255 | if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites) || |
David Benjamin | e14ff06 | 2016-08-09 16:21:24 -0400 | [diff] [blame] | 256 | CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 || |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 257 | !CBS_get_u8_length_prefixed(cbs, &compression_methods) || |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 258 | CBS_len(&compression_methods) < 1) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 259 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 260 | } |
David Benjamin | e14ff06 | 2016-08-09 16:21:24 -0400 | [diff] [blame] | 261 | |
David Benjamin | 731058e | 2016-12-03 23:15:13 -0500 | [diff] [blame] | 262 | out->cipher_suites = CBS_data(&cipher_suites); |
| 263 | out->cipher_suites_len = CBS_len(&cipher_suites); |
| 264 | out->compression_methods = CBS_data(&compression_methods); |
| 265 | out->compression_methods_len = CBS_len(&compression_methods); |
Adam Langley | dc9b141 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 266 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 267 | // If the ClientHello ends here then it's valid, but doesn't have any |
David Benjamin | 9bb15f5 | 2018-06-26 00:07:40 -0400 | [diff] [blame] | 268 | // extensions. |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 269 | if (CBS_len(cbs) == 0) { |
| 270 | out->extensions = nullptr; |
David Benjamin | 731058e | 2016-12-03 23:15:13 -0500 | [diff] [blame] | 271 | out->extensions_len = 0; |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 272 | } else { |
| 273 | // Extract extensions and check it is valid. |
| 274 | CBS extensions; |
| 275 | if (!CBS_get_u16_length_prefixed(cbs, &extensions) || |
| 276 | !tls1_check_duplicate_extensions(&extensions)) { |
| 277 | return false; |
| 278 | } |
| 279 | out->extensions = CBS_data(&extensions); |
| 280 | out->extensions_len = CBS_len(&extensions); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 281 | } |
Adam Langley | dc9b141 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 282 | |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 283 | out->client_hello = CBS_data(©); |
| 284 | out->client_hello_len = CBS_len(©) - CBS_len(cbs); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 285 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 286 | } |
Adam Langley | dc9b141 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 287 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 288 | bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello, |
| 289 | CBS *out, uint16_t extension_type) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 290 | CBS extensions; |
David Benjamin | 731058e | 2016-12-03 23:15:13 -0500 | [diff] [blame] | 291 | CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 292 | while (CBS_len(&extensions) != 0) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 293 | // Decode the next extension. |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 294 | uint16_t type; |
| 295 | CBS extension; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 296 | if (!CBS_get_u16(&extensions, &type) || |
| 297 | !CBS_get_u16_length_prefixed(&extensions, &extension)) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 298 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 299 | } |
Adam Langley | dc9b141 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 300 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 301 | if (type == extension_type) { |
David Benjamin | cec7344 | 2016-08-02 17:41:33 -0400 | [diff] [blame] | 302 | *out = extension; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 303 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 304 | } |
| 305 | } |
Adam Langley | dc9b141 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 306 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 307 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 308 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 309 | |
Steven Valdez | ce902a9 | 2016-05-17 11:47:53 -0400 | [diff] [blame] | 310 | static const uint16_t kDefaultGroups[] = { |
David Benjamin | 335523a | 2023-05-26 21:55:56 -0400 | [diff] [blame] | 311 | SSL_GROUP_X25519, |
| 312 | SSL_GROUP_SECP256R1, |
| 313 | SSL_GROUP_SECP384R1, |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 314 | }; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 315 | |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 316 | Span<const uint16_t> tls1_get_grouplist(const SSL_HANDSHAKE *hs) { |
David Benjamin | 0ce090a | 2018-07-02 20:24:40 -0400 | [diff] [blame] | 317 | if (!hs->config->supported_group_list.empty()) { |
| 318 | return hs->config->supported_group_list; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 319 | } |
David Benjamin | cf0ce67 | 2017-09-21 02:25:59 -0400 | [diff] [blame] | 320 | return Span<const uint16_t>(kDefaultGroups); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 321 | } |
David Benjamin | ed43958 | 2014-07-14 19:13:02 -0400 | [diff] [blame] | 322 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 323 | bool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) { |
David Benjamin | f3c8f8d | 2016-11-17 17:20:47 +0900 | [diff] [blame] | 324 | SSL *const ssl = hs->ssl; |
David Benjamin | f04976b | 2016-10-07 00:37:55 -0400 | [diff] [blame] | 325 | assert(ssl->server); |
David Benjamin | 072334d | 2014-07-13 16:24:27 -0400 | [diff] [blame] | 326 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 327 | // Clients are not required to send a supported_groups extension. In this |
| 328 | // case, the server is free to pick any group it likes. See RFC 4492, |
| 329 | // section 4, paragraph 3. |
| 330 | // |
| 331 | // However, in the interests of compatibility, we will skip ECDH if the |
| 332 | // client didn't send an extension because we can't be sure that they'll |
| 333 | // support our favoured group. Thus we do not special-case an emtpy |
| 334 | // |peer_supported_group_list|. |
David Benjamin | 55a4364 | 2015-04-20 14:45:55 -0400 | [diff] [blame] | 335 | |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 336 | Span<const uint16_t> groups = tls1_get_grouplist(hs); |
David Benjamin | cf0ce67 | 2017-09-21 02:25:59 -0400 | [diff] [blame] | 337 | Span<const uint16_t> pref, supp; |
David Benjamin | 4298d77 | 2015-12-19 00:18:25 -0500 | [diff] [blame] | 338 | if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { |
Steven Valdez | ce902a9 | 2016-05-17 11:47:53 -0400 | [diff] [blame] | 339 | pref = groups; |
David Benjamin | f3c8f8d | 2016-11-17 17:20:47 +0900 | [diff] [blame] | 340 | supp = hs->peer_supported_group_list; |
David Benjamin | 55a4364 | 2015-04-20 14:45:55 -0400 | [diff] [blame] | 341 | } else { |
David Benjamin | f3c8f8d | 2016-11-17 17:20:47 +0900 | [diff] [blame] | 342 | pref = hs->peer_supported_group_list; |
Steven Valdez | ce902a9 | 2016-05-17 11:47:53 -0400 | [diff] [blame] | 343 | supp = groups; |
David Benjamin | 55a4364 | 2015-04-20 14:45:55 -0400 | [diff] [blame] | 344 | } |
| 345 | |
David Benjamin | cf0ce67 | 2017-09-21 02:25:59 -0400 | [diff] [blame] | 346 | for (uint16_t pref_group : pref) { |
| 347 | for (uint16_t supp_group : supp) { |
Adam Langley | 7b93593 | 2018-11-12 13:53:42 -0800 | [diff] [blame] | 348 | if (pref_group == supp_group && |
Adam Langley | fc07738 | 2023-01-08 16:22:31 -0800 | [diff] [blame] | 349 | // Post-quantum key agreements don't fit in the u8-length-prefixed |
| 350 | // ECPoint field in TLS 1.2 and below. |
Adam Langley | 7b93593 | 2018-11-12 13:53:42 -0800 | [diff] [blame] | 351 | (ssl_protocol_version(ssl) >= TLS1_3_VERSION || |
Kris Kwiatkowski | 78c88c9 | 2019-03-11 14:40:59 +0000 | [diff] [blame] | 352 | !is_post_quantum_group(pref_group))) { |
David Benjamin | cf0ce67 | 2017-09-21 02:25:59 -0400 | [diff] [blame] | 353 | *out_group_id = pref_group; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 354 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 355 | } |
| 356 | } |
| 357 | } |
| 358 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 359 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 360 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 361 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 362 | bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) { |
Kris Kwiatkowski | 78c88c9 | 2019-03-11 14:40:59 +0000 | [diff] [blame] | 363 | if (is_post_quantum_group(group_id) && |
Adam Langley | 7b93593 | 2018-11-12 13:53:42 -0800 | [diff] [blame] | 364 | ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) { |
Adam Langley | 4ae4fb7 | 2023-04-11 18:25:37 +0000 | [diff] [blame] | 365 | // Post-quantum "groups" require TLS 1.3. |
Adam Langley | 7b93593 | 2018-11-12 13:53:42 -0800 | [diff] [blame] | 366 | return false; |
| 367 | } |
| 368 | |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 369 | // We internally assume zero is never allocated as a group ID. |
| 370 | if (group_id == 0) { |
| 371 | return false; |
| 372 | } |
| 373 | |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 374 | for (uint16_t supported : tls1_get_grouplist(hs)) { |
David Benjamin | cf0ce67 | 2017-09-21 02:25:59 -0400 | [diff] [blame] | 375 | if (supported == group_id) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 376 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 377 | } |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 378 | } |
David Benjamin | 033e5f4 | 2014-11-13 18:47:41 -0500 | [diff] [blame] | 379 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 380 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 381 | } |
David Benjamin | 033e5f4 | 2014-11-13 18:47:41 -0500 | [diff] [blame] | 382 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 383 | // kVerifySignatureAlgorithms is the default list of accepted signature |
| 384 | // algorithms for verifying. |
David Benjamin | 3ef7697 | 2016-10-17 17:59:54 -0400 | [diff] [blame] | 385 | static const uint16_t kVerifySignatureAlgorithms[] = { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 386 | // List our preferred algorithms first. |
David Benjamin | 3a322f5 | 2016-10-26 12:45:35 -0400 | [diff] [blame] | 387 | SSL_SIGN_ECDSA_SECP256R1_SHA256, |
David Benjamin | 6879e19 | 2018-04-13 16:01:02 -0400 | [diff] [blame] | 388 | SSL_SIGN_RSA_PSS_RSAE_SHA256, |
David Benjamin | 3a322f5 | 2016-10-26 12:45:35 -0400 | [diff] [blame] | 389 | SSL_SIGN_RSA_PKCS1_SHA256, |
| 390 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 391 | // Larger hashes are acceptable. |
David Benjamin | 3a322f5 | 2016-10-26 12:45:35 -0400 | [diff] [blame] | 392 | SSL_SIGN_ECDSA_SECP384R1_SHA384, |
David Benjamin | 6879e19 | 2018-04-13 16:01:02 -0400 | [diff] [blame] | 393 | SSL_SIGN_RSA_PSS_RSAE_SHA384, |
David Benjamin | 3a322f5 | 2016-10-26 12:45:35 -0400 | [diff] [blame] | 394 | SSL_SIGN_RSA_PKCS1_SHA384, |
| 395 | |
David Benjamin | 6879e19 | 2018-04-13 16:01:02 -0400 | [diff] [blame] | 396 | SSL_SIGN_RSA_PSS_RSAE_SHA512, |
Steven Valdez | eff1e8d | 2016-07-06 14:24:47 -0400 | [diff] [blame] | 397 | SSL_SIGN_RSA_PKCS1_SHA512, |
Steven Valdez | eff1e8d | 2016-07-06 14:24:47 -0400 | [diff] [blame] | 398 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 399 | // For now, SHA-1 is still accepted but least preferable. |
David Benjamin | 3a322f5 | 2016-10-26 12:45:35 -0400 | [diff] [blame] | 400 | SSL_SIGN_RSA_PKCS1_SHA1, |
David Benjamin | 3a322f5 | 2016-10-26 12:45:35 -0400 | [diff] [blame] | 401 | }; |
| 402 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 403 | // kSignSignatureAlgorithms is the default list of supported signature |
| 404 | // algorithms for signing. |
David Benjamin | 3a322f5 | 2016-10-26 12:45:35 -0400 | [diff] [blame] | 405 | static const uint16_t kSignSignatureAlgorithms[] = { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 406 | // List our preferred algorithms first. |
David Benjamin | 6952211 | 2017-03-28 15:38:29 -0500 | [diff] [blame] | 407 | SSL_SIGN_ED25519, |
David Benjamin | 3a322f5 | 2016-10-26 12:45:35 -0400 | [diff] [blame] | 408 | SSL_SIGN_ECDSA_SECP256R1_SHA256, |
David Benjamin | 6879e19 | 2018-04-13 16:01:02 -0400 | [diff] [blame] | 409 | SSL_SIGN_RSA_PSS_RSAE_SHA256, |
Steven Valdez | eff1e8d | 2016-07-06 14:24:47 -0400 | [diff] [blame] | 410 | SSL_SIGN_RSA_PKCS1_SHA256, |
Steven Valdez | eff1e8d | 2016-07-06 14:24:47 -0400 | [diff] [blame] | 411 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 412 | // If needed, sign larger hashes. |
| 413 | // |
| 414 | // TODO(davidben): Determine which of these may be pruned. |
David Benjamin | 3a322f5 | 2016-10-26 12:45:35 -0400 | [diff] [blame] | 415 | SSL_SIGN_ECDSA_SECP384R1_SHA384, |
David Benjamin | 6879e19 | 2018-04-13 16:01:02 -0400 | [diff] [blame] | 416 | SSL_SIGN_RSA_PSS_RSAE_SHA384, |
David Benjamin | 3a322f5 | 2016-10-26 12:45:35 -0400 | [diff] [blame] | 417 | SSL_SIGN_RSA_PKCS1_SHA384, |
| 418 | |
| 419 | SSL_SIGN_ECDSA_SECP521R1_SHA512, |
David Benjamin | 6879e19 | 2018-04-13 16:01:02 -0400 | [diff] [blame] | 420 | SSL_SIGN_RSA_PSS_RSAE_SHA512, |
David Benjamin | 3a322f5 | 2016-10-26 12:45:35 -0400 | [diff] [blame] | 421 | SSL_SIGN_RSA_PKCS1_SHA512, |
| 422 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 423 | // If the peer supports nothing else, sign with SHA-1. |
Steven Valdez | eff1e8d | 2016-07-06 14:24:47 -0400 | [diff] [blame] | 424 | SSL_SIGN_ECDSA_SHA1, |
David Benjamin | 3a322f5 | 2016-10-26 12:45:35 -0400 | [diff] [blame] | 425 | SSL_SIGN_RSA_PKCS1_SHA1, |
Steven Valdez | eff1e8d | 2016-07-06 14:24:47 -0400 | [diff] [blame] | 426 | }; |
| 427 | |
David Benjamin | 1766935 | 2020-02-05 17:33:36 -0500 | [diff] [blame] | 428 | static Span<const uint16_t> tls12_get_verify_sigalgs(const SSL_HANDSHAKE *hs) { |
| 429 | if (hs->config->verify_sigalgs.empty()) { |
| 430 | return Span<const uint16_t>(kVerifySignatureAlgorithms); |
David Benjamin | 71c21b4 | 2017-04-14 17:05:40 -0400 | [diff] [blame] | 431 | } |
David Benjamin | 1766935 | 2020-02-05 17:33:36 -0500 | [diff] [blame] | 432 | return hs->config->verify_sigalgs; |
David Benjamin | e28552d | 2018-04-08 13:59:25 -0400 | [diff] [blame] | 433 | } |
| 434 | |
David Benjamin | ebad508 | 2020-02-03 19:32:19 -0500 | [diff] [blame] | 435 | bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 1766935 | 2020-02-05 17:33:36 -0500 | [diff] [blame] | 436 | for (uint16_t sigalg : tls12_get_verify_sigalgs(hs)) { |
David Benjamin | 610cdbb | 2018-01-22 19:08:38 -0500 | [diff] [blame] | 437 | if (!CBB_add_u16(out, sigalg)) { |
| 438 | return false; |
David Benjamin | 6952211 | 2017-03-28 15:38:29 -0500 | [diff] [blame] | 439 | } |
| 440 | } |
David Benjamin | 610cdbb | 2018-01-22 19:08:38 -0500 | [diff] [blame] | 441 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 442 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 443 | |
David Benjamin | ebad508 | 2020-02-03 19:32:19 -0500 | [diff] [blame] | 444 | bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert, |
David Benjamin | e1d209d | 2024-04-17 11:57:44 -0400 | [diff] [blame] | 445 | uint16_t sigalg, EVP_PKEY *pkey) { |
| 446 | // The peer must have selected an algorithm that is consistent with its public |
| 447 | // key, the TLS version, and what we advertised. |
| 448 | Span<const uint16_t> sigalgs = tls12_get_verify_sigalgs(hs); |
| 449 | if (std::find(sigalgs.begin(), sigalgs.end(), sigalg) == sigalgs.end() || |
David Benjamin | 66d274d | 2021-02-25 01:37:16 -0500 | [diff] [blame] | 450 | !ssl_pkey_supports_algorithm(hs->ssl, pkey, sigalg, /*is_verify=*/true)) { |
David Benjamin | e1d209d | 2024-04-17 11:57:44 -0400 | [diff] [blame] | 451 | OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); |
| 452 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
| 453 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 454 | } |
| 455 | |
David Benjamin | e1d209d | 2024-04-17 11:57:44 -0400 | [diff] [blame] | 456 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 457 | } |
| 458 | |
David Benjamin | 52b3638 | 2021-05-19 13:26:19 -0400 | [diff] [blame] | 459 | // tls_extension represents a TLS extension that is handled internally. |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 460 | // |
| 461 | // The parse callbacks receive a |CBS| that contains the contents of the |
| 462 | // extension (i.e. not including the type and length bytes). If an extension is |
| 463 | // not received then the parse callbacks will be called with a NULL CBS so that |
| 464 | // they can do any processing needed to handle the absence of an extension. |
| 465 | // |
| 466 | // The add callbacks receive a |CBB| to which the extension can be appended but |
| 467 | // the function is responsible for appending the type and length bytes too. |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 468 | // |
| 469 | // |add_clienthello| may be called multiple times and must not mutate |hs|. It |
| 470 | // is additionally passed two output |CBB|s. If the extension is the same |
| 471 | // independent of the value of |type|, the callback may write to |
| 472 | // |out_compressible| instead of |out|. When serializing the ClientHelloInner, |
| 473 | // all compressible extensions will be made continguous and replaced with |
| 474 | // ech_outer_extensions when encrypted. When serializing the ClientHelloOuter |
| 475 | // or not offering ECH, |out| will be equal to |out_compressible|, so writing to |
| 476 | // |out_compressible| still works. |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 477 | // |
David Benjamin | 9052286 | 2021-05-27 14:50:31 -0400 | [diff] [blame] | 478 | // Note the |parse_serverhello| and |add_serverhello| callbacks refer to the |
| 479 | // TLS 1.2 ServerHello. In TLS 1.3, these callbacks act on EncryptedExtensions, |
| 480 | // with ServerHello extensions handled elsewhere in the handshake. |
| 481 | // |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 482 | // All callbacks return true for success and false for error. If a parse |
| 483 | // function returns zero then a fatal alert with value |*out_alert| will be |
| 484 | // sent. If |*out_alert| isn't set, then a |decode_error| alert will be sent. |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 485 | struct tls_extension { |
| 486 | uint16_t value; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 487 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 488 | bool (*add_clienthello)(const SSL_HANDSHAKE *hs, CBB *out, |
| 489 | CBB *out_compressible, ssl_client_hello_type_t type); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 490 | bool (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 491 | CBS *contents); |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 492 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 493 | bool (*parse_clienthello)(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 494 | CBS *contents); |
| 495 | bool (*add_serverhello)(SSL_HANDSHAKE *hs, CBB *out); |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 496 | }; |
| 497 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 498 | static bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 499 | CBS *contents) { |
Steven Valdez | 6b8509a | 2016-07-12 13:38:32 -0400 | [diff] [blame] | 500 | if (contents != NULL) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 501 | // Servers MUST NOT send this extension. |
Steven Valdez | 6b8509a | 2016-07-12 13:38:32 -0400 | [diff] [blame] | 502 | *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; |
| 503 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 504 | return false; |
Steven Valdez | 6b8509a | 2016-07-12 13:38:32 -0400 | [diff] [blame] | 505 | } |
| 506 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 507 | return true; |
Steven Valdez | 6b8509a | 2016-07-12 13:38:32 -0400 | [diff] [blame] | 508 | } |
| 509 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 510 | static bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 511 | CBS *contents) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 512 | // This extension from the client is handled elsewhere. |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 513 | return true; |
Steven Valdez | 6b8509a | 2016-07-12 13:38:32 -0400 | [diff] [blame] | 514 | } |
| 515 | |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 516 | static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { return true; } |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 517 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 518 | // Server name indication (SNI). |
| 519 | // |
| 520 | // https://tools.ietf.org/html/rfc6066#section-3. |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 521 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 522 | static bool ext_sni_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 523 | CBB *out_compressible, |
| 524 | ssl_client_hello_type_t type) { |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 525 | const SSL *const ssl = hs->ssl; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 526 | // If offering ECH, send the public name instead of the configured name. |
| 527 | Span<const uint8_t> hostname; |
| 528 | if (type == ssl_client_hello_outer) { |
| 529 | hostname = hs->selected_ech_config->public_name; |
| 530 | } else { |
| 531 | if (ssl->hostname == nullptr) { |
| 532 | return true; |
| 533 | } |
| 534 | hostname = |
| 535 | MakeConstSpan(reinterpret_cast<const uint8_t *>(ssl->hostname.get()), |
| 536 | strlen(ssl->hostname.get())); |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 537 | } |
| 538 | |
| 539 | CBB contents, server_name_list, name; |
| 540 | if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) || |
| 541 | !CBB_add_u16_length_prefixed(out, &contents) || |
| 542 | !CBB_add_u16_length_prefixed(&contents, &server_name_list) || |
| 543 | !CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) || |
| 544 | !CBB_add_u16_length_prefixed(&server_name_list, &name) || |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 545 | !CBB_add_bytes(&name, hostname.data(), hostname.size()) || |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 546 | !CBB_flush(out)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 547 | return false; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 548 | } |
| 549 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 550 | return true; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 551 | } |
| 552 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 553 | static bool ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 554 | CBS *contents) { |
David Benjamin | a861460 | 2017-09-06 15:40:19 -0400 | [diff] [blame] | 555 | // The server may acknowledge SNI with an empty extension. We check the syntax |
| 556 | // but otherwise ignore this signal. |
| 557 | return contents == NULL || CBS_len(contents) == 0; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 558 | } |
| 559 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 560 | static bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 561 | CBS *contents) { |
David Benjamin | ef0183c | 2019-07-20 09:11:05 -0400 | [diff] [blame] | 562 | // SNI has already been parsed earlier in the handshake. See |extract_sni|. |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 563 | return true; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 564 | } |
| 565 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 566 | static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 567 | if (hs->ssl->s3->session_reused || // |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 568 | !hs->should_ack_sni) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 569 | return true; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 570 | } |
| 571 | |
| 572 | if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) || |
| 573 | !CBB_add_u16(out, 0 /* length */)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 574 | return false; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 575 | } |
| 576 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 577 | return true; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 578 | } |
| 579 | |
| 580 | |
Daniel McArdle | 00e434d | 2021-02-18 11:47:18 -0500 | [diff] [blame] | 581 | // Encrypted ClientHello (ECH) |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 582 | // |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 583 | // https://tools.ietf.org/html/draft-ietf-tls-esni-13 |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 584 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 585 | static bool ext_ech_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 586 | CBB *out_compressible, |
| 587 | ssl_client_hello_type_t type) { |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 588 | if (type == ssl_client_hello_inner) { |
| 589 | if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) || |
| 590 | !CBB_add_u16(out, /* length */ 1) || |
| 591 | !CBB_add_u8(out, ECH_CLIENT_INNER)) { |
| 592 | return false; |
| 593 | } |
| 594 | return true; |
| 595 | } |
| 596 | |
| 597 | if (hs->ech_client_outer.empty()) { |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 598 | return true; |
| 599 | } |
| 600 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 601 | CBB ech_body; |
| 602 | if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) || |
| 603 | !CBB_add_u16_length_prefixed(out, &ech_body) || |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 604 | !CBB_add_u8(&ech_body, ECH_CLIENT_OUTER) || |
| 605 | !CBB_add_bytes(&ech_body, hs->ech_client_outer.data(), |
| 606 | hs->ech_client_outer.size()) || |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 607 | !CBB_flush(out)) { |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 608 | return false; |
| 609 | } |
David Benjamin | 246c556 | 2021-05-20 13:42:25 -0400 | [diff] [blame] | 610 | return true; |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 611 | } |
| 612 | |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 613 | static bool ext_ech_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 614 | CBS *contents) { |
David Benjamin | 5b7ec83 | 2021-06-02 11:12:13 -0400 | [diff] [blame] | 615 | SSL *const ssl = hs->ssl; |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 616 | if (contents == NULL) { |
| 617 | return true; |
| 618 | } |
| 619 | |
David Benjamin | 5b7ec83 | 2021-06-02 11:12:13 -0400 | [diff] [blame] | 620 | // The ECH extension may not be sent in TLS 1.2 ServerHello, only TLS 1.3 |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 621 | // EncryptedExtensions. It also may not be sent in response to an inner ECH |
| 622 | // extension. |
| 623 | if (ssl_protocol_version(ssl) < TLS1_3_VERSION || |
| 624 | ssl->s3->ech_status == ssl_ech_accepted) { |
David Benjamin | 5b7ec83 | 2021-06-02 11:12:13 -0400 | [diff] [blame] | 625 | *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; |
| 626 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); |
| 627 | return false; |
| 628 | } |
| 629 | |
David Benjamin | ba423c9 | 2021-06-15 16:26:58 -0400 | [diff] [blame] | 630 | if (!ssl_is_valid_ech_config_list(*contents)) { |
| 631 | *out_alert = SSL_AD_DECODE_ERROR; |
| 632 | return false; |
| 633 | } |
| 634 | |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 635 | if (ssl->s3->ech_status == ssl_ech_rejected && |
David Benjamin | ba423c9 | 2021-06-15 16:26:58 -0400 | [diff] [blame] | 636 | !hs->ech_retry_configs.CopyFrom(*contents)) { |
| 637 | *out_alert = SSL_AD_INTERNAL_ERROR; |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 638 | return false; |
| 639 | } |
David Benjamin | ba423c9 | 2021-06-15 16:26:58 -0400 | [diff] [blame] | 640 | |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 641 | return true; |
| 642 | } |
| 643 | |
Dan McArdle | c295935 | 2020-10-29 14:31:31 -0400 | [diff] [blame] | 644 | static bool ext_ech_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 645 | CBS *contents) { |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 646 | if (contents == nullptr) { |
Dan McArdle | c295935 | 2020-10-29 14:31:31 -0400 | [diff] [blame] | 647 | return true; |
| 648 | } |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 649 | |
| 650 | uint8_t type; |
| 651 | if (!CBS_get_u8(contents, &type)) { |
| 652 | return false; |
| 653 | } |
| 654 | if (type == ECH_CLIENT_OUTER) { |
| 655 | // Outer ECH extensions are handled outside the callback. |
| 656 | return true; |
| 657 | } |
| 658 | if (type != ECH_CLIENT_INNER || CBS_len(contents) != 0) { |
| 659 | return false; |
| 660 | } |
| 661 | |
| 662 | hs->ech_is_inner = true; |
Dan McArdle | c295935 | 2020-10-29 14:31:31 -0400 | [diff] [blame] | 663 | return true; |
| 664 | } |
| 665 | |
Daniel McArdle | 00e434d | 2021-02-18 11:47:18 -0500 | [diff] [blame] | 666 | static bool ext_ech_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
| 667 | SSL *const ssl = hs->ssl; |
David Benjamin | ba423c9 | 2021-06-15 16:26:58 -0400 | [diff] [blame] | 668 | if (ssl_protocol_version(ssl) < TLS1_3_VERSION || |
| 669 | ssl->s3->ech_status == ssl_ech_accepted || // |
David Benjamin | c3b373b | 2021-06-06 13:04:26 -0400 | [diff] [blame] | 670 | hs->ech_keys == nullptr) { |
Daniel McArdle | 00e434d | 2021-02-18 11:47:18 -0500 | [diff] [blame] | 671 | return true; |
| 672 | } |
| 673 | |
David Benjamin | c3b373b | 2021-06-06 13:04:26 -0400 | [diff] [blame] | 674 | // Write the list of retry configs to |out|. Note |SSL_CTX_set1_ech_keys| |
| 675 | // ensures |ech_keys| contains at least one retry config. |
Daniel McArdle | 00e434d | 2021-02-18 11:47:18 -0500 | [diff] [blame] | 676 | CBB body, retry_configs; |
| 677 | if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) || |
| 678 | !CBB_add_u16_length_prefixed(out, &body) || |
| 679 | !CBB_add_u16_length_prefixed(&body, &retry_configs)) { |
| 680 | return false; |
| 681 | } |
David Benjamin | c3b373b | 2021-06-06 13:04:26 -0400 | [diff] [blame] | 682 | for (const auto &config : hs->ech_keys->configs) { |
David Benjamin | 1d58cd1 | 2021-05-04 15:24:24 -0400 | [diff] [blame] | 683 | if (!config->is_retry_config()) { |
Daniel McArdle | 00e434d | 2021-02-18 11:47:18 -0500 | [diff] [blame] | 684 | continue; |
| 685 | } |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 686 | if (!CBB_add_bytes(&retry_configs, config->ech_config().raw.data(), |
| 687 | config->ech_config().raw.size())) { |
Daniel McArdle | 00e434d | 2021-02-18 11:47:18 -0500 | [diff] [blame] | 688 | return false; |
| 689 | } |
| 690 | } |
| 691 | return CBB_flush(out); |
| 692 | } |
| 693 | |
Dan McArdle | 1920c6f | 2020-03-11 17:29:40 -0400 | [diff] [blame] | 694 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 695 | // Renegotiation indication. |
| 696 | // |
| 697 | // https://tools.ietf.org/html/rfc5746 |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 698 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 699 | static bool ext_ri_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 700 | CBB *out_compressible, |
| 701 | ssl_client_hello_type_t type) { |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 702 | const SSL *const ssl = hs->ssl; |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 703 | // Renegotiation indication is not necessary in TLS 1.3. |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 704 | if (hs->min_version >= TLS1_3_VERSION || // |
| 705 | type == ssl_client_hello_inner) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 706 | return true; |
David Benjamin | 7c7d831 | 2016-08-20 13:39:03 -0400 | [diff] [blame] | 707 | } |
| 708 | |
David Benjamin | 52bf690 | 2016-10-08 12:05:03 -0400 | [diff] [blame] | 709 | assert(ssl->s3->initial_handshake_complete == |
David Benjamin | 87d0c17 | 2024-09-20 16:45:42 -0400 | [diff] [blame] | 710 | !ssl->s3->previous_client_finished.empty()); |
David Benjamin | 52bf690 | 2016-10-08 12:05:03 -0400 | [diff] [blame] | 711 | |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 712 | CBB contents, prev_finished; |
| 713 | if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) || |
| 714 | !CBB_add_u16_length_prefixed(out, &contents) || |
| 715 | !CBB_add_u8_length_prefixed(&contents, &prev_finished) || |
David Benjamin | 87d0c17 | 2024-09-20 16:45:42 -0400 | [diff] [blame] | 716 | !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished.data(), |
| 717 | ssl->s3->previous_client_finished.size()) || |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 718 | !CBB_flush(out)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 719 | return false; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 720 | } |
| 721 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 722 | return true; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 723 | } |
| 724 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 725 | static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 726 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 727 | SSL *const ssl = hs->ssl; |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 728 | if (contents != NULL && ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
Steven Valdez | 246eeee | 2017-03-26 12:49:17 -0500 | [diff] [blame] | 729 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 730 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 731 | } |
| 732 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 733 | // Servers may not switch between omitting the extension and supporting it. |
| 734 | // See RFC 5746, sections 3.5 and 4.2. |
David Benjamin | 3e052de | 2015-11-25 20:10:31 -0500 | [diff] [blame] | 735 | if (ssl->s3->initial_handshake_complete && |
| 736 | (contents != NULL) != ssl->s3->send_connection_binding) { |
| 737 | *out_alert = SSL_AD_HANDSHAKE_FAILURE; |
| 738 | OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 739 | return false; |
David Benjamin | 3e052de | 2015-11-25 20:10:31 -0500 | [diff] [blame] | 740 | } |
| 741 | |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 742 | if (contents == NULL) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 743 | // Strictly speaking, if we want to avoid an attack we should *always* see |
| 744 | // RI even on initial ServerHello because the client doesn't see any |
| 745 | // renegotiation during an attack. However this would mean we could not |
| 746 | // connect to any server which doesn't support RI. |
| 747 | // |
| 748 | // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in |
| 749 | // practical terms every client sets it so it's just assumed here. |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 750 | return true; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 751 | } |
| 752 | |
David Benjamin | 87d0c17 | 2024-09-20 16:45:42 -0400 | [diff] [blame] | 753 | // Check for logic errors. |
| 754 | assert(ssl->s3->previous_client_finished.size() == |
| 755 | ssl->s3->previous_server_finished.size()); |
David Benjamin | 52bf690 | 2016-10-08 12:05:03 -0400 | [diff] [blame] | 756 | assert(ssl->s3->initial_handshake_complete == |
David Benjamin | 87d0c17 | 2024-09-20 16:45:42 -0400 | [diff] [blame] | 757 | !ssl->s3->previous_client_finished.empty()); |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 758 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 759 | // Parse out the extension contents. |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 760 | CBS renegotiated_connection; |
| 761 | if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) || |
| 762 | CBS_len(contents) != 0) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 763 | OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR); |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 764 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 765 | return false; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 766 | } |
| 767 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 768 | // Check that the extension matches. |
David Benjamin | 87d0c17 | 2024-09-20 16:45:42 -0400 | [diff] [blame] | 769 | CBS client_verify, server_verify; |
| 770 | if (!CBS_get_bytes(&renegotiated_connection, &client_verify, |
| 771 | ssl->s3->previous_client_finished.size()) || |
| 772 | !CBS_get_bytes(&renegotiated_connection, &server_verify, |
| 773 | ssl->s3->previous_server_finished.size()) || |
| 774 | CBS_len(&renegotiated_connection) != 0) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 775 | OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 776 | *out_alert = SSL_AD_HANDSHAKE_FAILURE; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 777 | return false; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 778 | } |
| 779 | |
David Benjamin | 87d0c17 | 2024-09-20 16:45:42 -0400 | [diff] [blame] | 780 | bool ok = |
| 781 | CBS_mem_equal(&client_verify, ssl->s3->previous_client_finished.data(), |
| 782 | ssl->s3->previous_client_finished.size()) && |
| 783 | CBS_mem_equal(&server_verify, ssl->s3->previous_server_finished.data(), |
| 784 | ssl->s3->previous_server_finished.size()); |
David Benjamin | 9343b0b | 2017-07-01 00:31:27 -0400 | [diff] [blame] | 785 | #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 786 | ok = true; |
David Benjamin | 9343b0b | 2017-07-01 00:31:27 -0400 | [diff] [blame] | 787 | #endif |
| 788 | if (!ok) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 789 | OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 790 | *out_alert = SSL_AD_HANDSHAKE_FAILURE; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 791 | return false; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 792 | } |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 793 | |
David Benjamin | 046bc1f | 2017-08-31 15:06:42 -0400 | [diff] [blame] | 794 | ssl->s3->send_connection_binding = true; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 795 | return true; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 796 | } |
| 797 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 798 | static bool ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 799 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 800 | SSL *const ssl = hs->ssl; |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 801 | // Renegotiation isn't supported as a server so this function should never be |
| 802 | // called after the initial handshake. |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 803 | assert(!ssl->s3->initial_handshake_complete); |
| 804 | |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 805 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 806 | return true; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 807 | } |
| 808 | |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 809 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 810 | return true; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 811 | } |
| 812 | |
| 813 | CBS renegotiated_connection; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 814 | if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) || |
| 815 | CBS_len(contents) != 0) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 816 | OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 817 | return false; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 818 | } |
| 819 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 820 | // Check that the extension matches. We do not support renegotiation as a |
| 821 | // server, so this must be empty. |
David Benjamin | 52bf690 | 2016-10-08 12:05:03 -0400 | [diff] [blame] | 822 | if (CBS_len(&renegotiated_connection) != 0) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 823 | OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 824 | *out_alert = SSL_AD_HANDSHAKE_FAILURE; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 825 | return false; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 826 | } |
| 827 | |
David Benjamin | 046bc1f | 2017-08-31 15:06:42 -0400 | [diff] [blame] | 828 | ssl->s3->send_connection_binding = true; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 829 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 830 | return true; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 831 | } |
| 832 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 833 | static bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 834 | SSL *const ssl = hs->ssl; |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 835 | // Renegotiation isn't supported as a server so this function should never be |
| 836 | // called after the initial handshake. |
David Benjamin | 52bf690 | 2016-10-08 12:05:03 -0400 | [diff] [blame] | 837 | assert(!ssl->s3->initial_handshake_complete); |
| 838 | |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 839 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 840 | return true; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 841 | } |
| 842 | |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 843 | if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) || |
David Benjamin | 52bf690 | 2016-10-08 12:05:03 -0400 | [diff] [blame] | 844 | !CBB_add_u16(out, 1 /* length */) || |
| 845 | !CBB_add_u8(out, 0 /* empty renegotiation info */)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 846 | return false; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 847 | } |
| 848 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 849 | return true; |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 850 | } |
| 851 | |
Adam Langley | 0a05671 | 2015-07-01 15:03:33 -0700 | [diff] [blame] | 852 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 853 | // Extended Master Secret. |
| 854 | // |
| 855 | // https://tools.ietf.org/html/rfc7627 |
Adam Langley | 0a05671 | 2015-07-01 15:03:33 -0700 | [diff] [blame] | 856 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 857 | static bool ext_ems_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 858 | CBB *out_compressible, |
| 859 | ssl_client_hello_type_t type) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 860 | // Extended master secret is not necessary in TLS 1.3. |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 861 | if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 862 | return true; |
Adam Langley | 0a05671 | 2015-07-01 15:03:33 -0700 | [diff] [blame] | 863 | } |
| 864 | |
| 865 | if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) || |
| 866 | !CBB_add_u16(out, 0 /* length */)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 867 | return false; |
Adam Langley | 0a05671 | 2015-07-01 15:03:33 -0700 | [diff] [blame] | 868 | } |
| 869 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 870 | return true; |
Adam Langley | 0a05671 | 2015-07-01 15:03:33 -0700 | [diff] [blame] | 871 | } |
| 872 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 873 | static bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 874 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 875 | SSL *const ssl = hs->ssl; |
David Benjamin | fc02b59 | 2017-02-17 16:26:01 -0500 | [diff] [blame] | 876 | |
| 877 | if (contents != NULL) { |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 878 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || // |
David Benjamin | fc02b59 | 2017-02-17 16:26:01 -0500 | [diff] [blame] | 879 | CBS_len(contents) != 0) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 880 | return false; |
David Benjamin | 163c956 | 2016-08-29 23:14:17 -0400 | [diff] [blame] | 881 | } |
| 882 | |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 883 | hs->extended_master_secret = true; |
David Benjamin | 163c956 | 2016-08-29 23:14:17 -0400 | [diff] [blame] | 884 | } |
| 885 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 886 | // Whether EMS is negotiated may not change on renegotiation. |
David Benjamin | 8e7bbba | 2017-10-13 17:18:35 -0400 | [diff] [blame] | 887 | if (ssl->s3->established_session != nullptr && |
David Benjamin | fc02b59 | 2017-02-17 16:26:01 -0500 | [diff] [blame] | 888 | hs->extended_master_secret != |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 889 | !!ssl->s3->established_session->extended_master_secret) { |
David Benjamin | fc02b59 | 2017-02-17 16:26:01 -0500 | [diff] [blame] | 890 | OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH); |
| 891 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 892 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 893 | } |
| 894 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 895 | return true; |
Adam Langley | 0a05671 | 2015-07-01 15:03:33 -0700 | [diff] [blame] | 896 | } |
| 897 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 898 | static bool ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 899 | CBS *contents) { |
David Benjamin | 9bb15f5 | 2018-06-26 00:07:40 -0400 | [diff] [blame] | 900 | if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 901 | return true; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 902 | } |
| 903 | |
| 904 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 905 | return true; |
Adam Langley | 0a05671 | 2015-07-01 15:03:33 -0700 | [diff] [blame] | 906 | } |
| 907 | |
| 908 | if (CBS_len(contents) != 0) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 909 | return false; |
Adam Langley | 0a05671 | 2015-07-01 15:03:33 -0700 | [diff] [blame] | 910 | } |
| 911 | |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 912 | hs->extended_master_secret = true; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 913 | return true; |
Adam Langley | 0a05671 | 2015-07-01 15:03:33 -0700 | [diff] [blame] | 914 | } |
| 915 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 916 | static bool ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | fc02b59 | 2017-02-17 16:26:01 -0500 | [diff] [blame] | 917 | if (!hs->extended_master_secret) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 918 | return true; |
Adam Langley | 0a05671 | 2015-07-01 15:03:33 -0700 | [diff] [blame] | 919 | } |
| 920 | |
| 921 | if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) || |
| 922 | !CBB_add_u16(out, 0 /* length */)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 923 | return false; |
Adam Langley | 0a05671 | 2015-07-01 15:03:33 -0700 | [diff] [blame] | 924 | } |
| 925 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 926 | return true; |
Adam Langley | 0a05671 | 2015-07-01 15:03:33 -0700 | [diff] [blame] | 927 | } |
| 928 | |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 929 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 930 | // Session tickets. |
| 931 | // |
| 932 | // https://tools.ietf.org/html/rfc5077 |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 933 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 934 | static bool ext_ticket_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 935 | CBB *out_compressible, |
| 936 | ssl_client_hello_type_t type) { |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 937 | const SSL *const ssl = hs->ssl; |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 938 | // TLS 1.3 uses a different ticket extension. |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 939 | if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner || |
David Benjamin | 7c7d831 | 2016-08-20 13:39:03 -0400 | [diff] [blame] | 940 | SSL_get_options(ssl) & SSL_OP_NO_TICKET) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 941 | return true; |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 942 | } |
| 943 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 944 | // Renegotiation does not participate in session resumption. However, still |
| 945 | // advertise the extension to avoid potentially breaking servers which carry |
| 946 | // over the state from the previous handshake, such as OpenSSL servers |
| 947 | // without upstream's 3c3f0259238594d77264a78944d409f2127642c4. |
David Benjamin | e6b800f | 2024-11-11 17:31:41 -0500 | [diff] [blame] | 948 | Span<const uint8_t> ticket; |
| 949 | if (!ssl->s3->initial_handshake_complete && // |
David Benjamin | 50596f8 | 2018-07-02 19:47:27 -0400 | [diff] [blame] | 950 | ssl->session != nullptr && |
David Benjamin | e6b800f | 2024-11-11 17:31:41 -0500 | [diff] [blame] | 951 | ssl_session_get_type(ssl->session.get()) == SSLSessionType::kTicket) { |
David Benjamin | bfdd1a9 | 2018-06-29 16:26:38 -0400 | [diff] [blame] | 952 | ticket = ssl->session->ticket; |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 953 | } |
| 954 | |
David Benjamin | bfdd1a9 | 2018-06-29 16:26:38 -0400 | [diff] [blame] | 955 | CBB ticket_cbb; |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 956 | if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) || |
David Benjamin | bfdd1a9 | 2018-06-29 16:26:38 -0400 | [diff] [blame] | 957 | !CBB_add_u16_length_prefixed(out, &ticket_cbb) || |
| 958 | !CBB_add_bytes(&ticket_cbb, ticket.data(), ticket.size()) || |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 959 | !CBB_flush(out)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 960 | return false; |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 961 | } |
| 962 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 963 | return true; |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 964 | } |
| 965 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 966 | static bool ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 967 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 968 | SSL *const ssl = hs->ssl; |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 969 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 970 | return true; |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 971 | } |
| 972 | |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 973 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 974 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 975 | } |
| 976 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 977 | // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and |
| 978 | // this function should never be called, even if the server tries to send the |
| 979 | // extension. |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 980 | assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0); |
| 981 | |
| 982 | if (CBS_len(contents) != 0) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 983 | return false; |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 984 | } |
| 985 | |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 986 | hs->ticket_expected = true; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 987 | return true; |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 988 | } |
| 989 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 990 | static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 991 | if (!hs->ticket_expected) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 992 | return true; |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 993 | } |
| 994 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 995 | // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true. |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 996 | assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0); |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 997 | |
| 998 | if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) || |
| 999 | !CBB_add_u16(out, 0 /* length */)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1000 | return false; |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 1001 | } |
| 1002 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1003 | return true; |
Adam Langley | 9b05bc5 | 2015-07-01 15:25:33 -0700 | [diff] [blame] | 1004 | } |
| 1005 | |
| 1006 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1007 | // Signature Algorithms. |
| 1008 | // |
| 1009 | // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 |
Adam Langley | 2e857bd | 2015-07-01 16:09:19 -0700 | [diff] [blame] | 1010 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1011 | static bool ext_sigalgs_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 1012 | CBB *out_compressible, |
| 1013 | ssl_client_hello_type_t type) { |
David Benjamin | 68161cb | 2017-06-20 14:49:43 -0400 | [diff] [blame] | 1014 | if (hs->max_version < TLS1_2_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1015 | return true; |
Adam Langley | 2e857bd | 2015-07-01 16:09:19 -0700 | [diff] [blame] | 1016 | } |
| 1017 | |
David Benjamin | 0fc37ef | 2016-08-17 15:29:46 -0400 | [diff] [blame] | 1018 | CBB contents, sigalgs_cbb; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1019 | if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_signature_algorithms) || |
| 1020 | !CBB_add_u16_length_prefixed(out_compressible, &contents) || |
David Benjamin | 6952211 | 2017-03-28 15:38:29 -0500 | [diff] [blame] | 1021 | !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) || |
David Benjamin | ebad508 | 2020-02-03 19:32:19 -0500 | [diff] [blame] | 1022 | !tls12_add_verify_sigalgs(hs, &sigalgs_cbb) || |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1023 | !CBB_flush(out_compressible)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1024 | return false; |
Adam Langley | 2e857bd | 2015-07-01 16:09:19 -0700 | [diff] [blame] | 1025 | } |
| 1026 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1027 | return true; |
Adam Langley | 2e857bd | 2015-07-01 16:09:19 -0700 | [diff] [blame] | 1028 | } |
| 1029 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1030 | static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 1031 | CBS *contents) { |
David Benjamin | b1cf48e | 2017-09-21 11:37:46 -0400 | [diff] [blame] | 1032 | hs->peer_sigalgs.Reset(); |
Adam Langley | 2e857bd | 2015-07-01 16:09:19 -0700 | [diff] [blame] | 1033 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1034 | return true; |
Adam Langley | 2e857bd | 2015-07-01 16:09:19 -0700 | [diff] [blame] | 1035 | } |
| 1036 | |
| 1037 | CBS supported_signature_algorithms; |
| 1038 | if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) || |
Steven Valdez | 0d62f26 | 2015-09-04 12:41:04 -0400 | [diff] [blame] | 1039 | CBS_len(contents) != 0 || |
David Benjamin | f3c8f8d | 2016-11-17 17:20:47 +0900 | [diff] [blame] | 1040 | !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1041 | return false; |
Adam Langley | 2e857bd | 2015-07-01 16:09:19 -0700 | [diff] [blame] | 1042 | } |
| 1043 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1044 | return true; |
Adam Langley | 2e857bd | 2015-07-01 16:09:19 -0700 | [diff] [blame] | 1045 | } |
| 1046 | |
Adam Langley | 2e857bd | 2015-07-01 16:09:19 -0700 | [diff] [blame] | 1047 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1048 | // OCSP Stapling. |
| 1049 | // |
| 1050 | // https://tools.ietf.org/html/rfc6066#section-8 |
Adam Langley | bb0bd04 | 2015-07-01 16:21:03 -0700 | [diff] [blame] | 1051 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1052 | static bool ext_ocsp_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 1053 | CBB *out_compressible, |
| 1054 | ssl_client_hello_type_t type) { |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 1055 | if (!hs->config->ocsp_stapling_enabled) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1056 | return true; |
Adam Langley | bb0bd04 | 2015-07-01 16:21:03 -0700 | [diff] [blame] | 1057 | } |
| 1058 | |
| 1059 | CBB contents; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1060 | if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_status_request) || |
| 1061 | !CBB_add_u16_length_prefixed(out_compressible, &contents) || |
Adam Langley | bb0bd04 | 2015-07-01 16:21:03 -0700 | [diff] [blame] | 1062 | !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) || |
| 1063 | !CBB_add_u16(&contents, 0 /* empty responder ID list */) || |
| 1064 | !CBB_add_u16(&contents, 0 /* empty request extensions */) || |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1065 | !CBB_flush(out_compressible)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1066 | return false; |
Adam Langley | bb0bd04 | 2015-07-01 16:21:03 -0700 | [diff] [blame] | 1067 | } |
| 1068 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1069 | return true; |
Adam Langley | bb0bd04 | 2015-07-01 16:21:03 -0700 | [diff] [blame] | 1070 | } |
| 1071 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1072 | static bool ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 1073 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1074 | SSL *const ssl = hs->ssl; |
Adam Langley | bb0bd04 | 2015-07-01 16:21:03 -0700 | [diff] [blame] | 1075 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1076 | return true; |
Adam Langley | bb0bd04 | 2015-07-01 16:21:03 -0700 | [diff] [blame] | 1077 | } |
| 1078 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1079 | // TLS 1.3 OCSP responses are included in the Certificate extensions. |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 1080 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1081 | return false; |
Steven Valdez | 803c77a | 2016-09-06 14:13:43 -0400 | [diff] [blame] | 1082 | } |
| 1083 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1084 | // OCSP stapling is forbidden on non-certificate ciphers. |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1085 | if (CBS_len(contents) != 0 || |
David Benjamin | 45738dd | 2017-02-09 20:01:26 -0500 | [diff] [blame] | 1086 | !ssl_cipher_uses_certificate_auth(hs->new_cipher)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1087 | return false; |
David Benjamin | 942f4ed | 2016-07-16 19:03:49 +0300 | [diff] [blame] | 1088 | } |
| 1089 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1090 | // Note this does not check for resumption in TLS 1.2. Sending |
| 1091 | // status_request here does not make sense, but OpenSSL does so and the |
| 1092 | // specification does not say anything. Tolerate it but ignore it. |
David Benjamin | 942f4ed | 2016-07-16 19:03:49 +0300 | [diff] [blame] | 1093 | |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 1094 | hs->certificate_status_expected = true; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1095 | return true; |
Adam Langley | bb0bd04 | 2015-07-01 16:21:03 -0700 | [diff] [blame] | 1096 | } |
| 1097 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1098 | static bool ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 1099 | CBS *contents) { |
Paul Lietar | aeeff2c | 2015-08-12 11:47:11 +0100 | [diff] [blame] | 1100 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1101 | return true; |
Paul Lietar | aeeff2c | 2015-08-12 11:47:11 +0100 | [diff] [blame] | 1102 | } |
| 1103 | |
| 1104 | uint8_t status_type; |
| 1105 | if (!CBS_get_u8(contents, &status_type)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1106 | return false; |
Paul Lietar | aeeff2c | 2015-08-12 11:47:11 +0100 | [diff] [blame] | 1107 | } |
| 1108 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1109 | // We cannot decide whether OCSP stapling will occur yet because the correct |
| 1110 | // SSL_CTX might not have been selected. |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1111 | hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp; |
Paul Lietar | aeeff2c | 2015-08-12 11:47:11 +0100 | [diff] [blame] | 1112 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1113 | return true; |
Adam Langley | bb0bd04 | 2015-07-01 16:21:03 -0700 | [diff] [blame] | 1114 | } |
| 1115 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1116 | static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1117 | SSL *const ssl = hs->ssl; |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 1118 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || |
David Benjamin | 4fa4804 | 2024-03-12 09:48:29 -0400 | [diff] [blame] | 1119 | !hs->ocsp_stapling_requested || ssl->s3->session_reused || |
| 1120 | !ssl_cipher_uses_certificate_auth(hs->new_cipher) || |
| 1121 | hs->credential->ocsp_response == nullptr) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1122 | return true; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 1123 | } |
| 1124 | |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 1125 | hs->certificate_status_expected = true; |
David Benjamin | 942f4ed | 2016-07-16 19:03:49 +0300 | [diff] [blame] | 1126 | |
Paul Lietar | aeeff2c | 2015-08-12 11:47:11 +0100 | [diff] [blame] | 1127 | return CBB_add_u16(out, TLSEXT_TYPE_status_request) && |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1128 | CBB_add_u16(out, 0 /* length */); |
Adam Langley | bb0bd04 | 2015-07-01 16:21:03 -0700 | [diff] [blame] | 1129 | } |
| 1130 | |
| 1131 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1132 | // Next protocol negotiation. |
| 1133 | // |
| 1134 | // https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1135 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1136 | static bool ext_npn_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 1137 | CBB *out_compressible, |
| 1138 | ssl_client_hello_type_t type) { |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 1139 | const SSL *const ssl = hs->ssl; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1140 | if (ssl->ctx->next_proto_select_cb == NULL || |
| 1141 | // Do not allow NPN to change on renegotiation. |
| 1142 | ssl->s3->initial_handshake_complete || |
| 1143 | // NPN is not defined in DTLS or TLS 1.3. |
| 1144 | SSL_is_dtls(ssl) || hs->min_version >= TLS1_3_VERSION || |
| 1145 | type == ssl_client_hello_inner) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1146 | return true; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1147 | } |
| 1148 | |
| 1149 | if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) || |
| 1150 | !CBB_add_u16(out, 0 /* length */)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1151 | return false; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1152 | } |
| 1153 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1154 | return true; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1155 | } |
| 1156 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1157 | static bool ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 1158 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1159 | SSL *const ssl = hs->ssl; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1160 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1161 | return true; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1162 | } |
| 1163 | |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 1164 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1165 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 1166 | } |
| 1167 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1168 | // If any of these are false then we should never have sent the NPN |
| 1169 | // extension in the ClientHello and thus this function should never have been |
| 1170 | // called. |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1171 | assert(!ssl->s3->initial_handshake_complete); |
David Benjamin | ce079fd | 2016-08-02 16:22:34 -0400 | [diff] [blame] | 1172 | assert(!SSL_is_dtls(ssl)); |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1173 | assert(ssl->ctx->next_proto_select_cb != NULL); |
| 1174 | |
David Benjamin | 8e7bbba | 2017-10-13 17:18:35 -0400 | [diff] [blame] | 1175 | if (!ssl->s3->alpn_selected.empty()) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1176 | // NPN and ALPN may not be negotiated in the same connection. |
David Benjamin | 76c2efc | 2015-08-31 14:24:29 -0400 | [diff] [blame] | 1177 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
| 1178 | OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1179 | return false; |
David Benjamin | 76c2efc | 2015-08-31 14:24:29 -0400 | [diff] [blame] | 1180 | } |
| 1181 | |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1182 | const uint8_t *const orig_contents = CBS_data(contents); |
| 1183 | const size_t orig_len = CBS_len(contents); |
| 1184 | |
| 1185 | while (CBS_len(contents) != 0) { |
| 1186 | CBS proto; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1187 | if (!CBS_get_u8_length_prefixed(contents, &proto) || // |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1188 | CBS_len(&proto) == 0) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1189 | return false; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1190 | } |
| 1191 | } |
| 1192 | |
David Benjamin | 9d64d8d | 2022-08-31 19:27:56 -0400 | [diff] [blame] | 1193 | // |orig_len| fits in |unsigned| because TLS extensions use 16-bit lengths. |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1194 | uint8_t *selected; |
| 1195 | uint8_t selected_len; |
| 1196 | if (ssl->ctx->next_proto_select_cb( |
David Benjamin | 9d64d8d | 2022-08-31 19:27:56 -0400 | [diff] [blame] | 1197 | ssl, &selected, &selected_len, orig_contents, |
| 1198 | static_cast<unsigned>(orig_len), |
David Benjamin | 8e7bbba | 2017-10-13 17:18:35 -0400 | [diff] [blame] | 1199 | ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK || |
| 1200 | !ssl->s3->next_proto_negotiated.CopyFrom( |
| 1201 | MakeConstSpan(selected, selected_len))) { |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1202 | *out_alert = SSL_AD_INTERNAL_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1203 | return false; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1204 | } |
| 1205 | |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 1206 | hs->next_proto_neg_seen = true; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1207 | return true; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1208 | } |
| 1209 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1210 | static bool ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 1211 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1212 | SSL *const ssl = hs->ssl; |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 1213 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1214 | return true; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 1215 | } |
| 1216 | |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1217 | if (contents != NULL && CBS_len(contents) != 0) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1218 | return false; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1219 | } |
| 1220 | |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1221 | if (contents == NULL || // |
| 1222 | ssl->s3->initial_handshake_complete || // |
| 1223 | ssl->ctx->next_protos_advertised_cb == NULL || // |
David Benjamin | ce079fd | 2016-08-02 16:22:34 -0400 | [diff] [blame] | 1224 | SSL_is_dtls(ssl)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1225 | return true; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1226 | } |
| 1227 | |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 1228 | hs->next_proto_neg_seen = true; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1229 | return true; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1230 | } |
| 1231 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1232 | static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1233 | SSL *const ssl = hs->ssl; |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1234 | // |next_proto_neg_seen| might have been cleared when an ALPN extension was |
| 1235 | // parsed. |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1236 | if (!hs->next_proto_neg_seen) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1237 | return true; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1238 | } |
| 1239 | |
| 1240 | const uint8_t *npa; |
| 1241 | unsigned npa_len; |
| 1242 | |
| 1243 | if (ssl->ctx->next_protos_advertised_cb( |
| 1244 | ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) != |
| 1245 | SSL_TLSEXT_ERR_OK) { |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 1246 | hs->next_proto_neg_seen = false; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1247 | return true; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1248 | } |
| 1249 | |
| 1250 | CBB contents; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1251 | if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) || // |
| 1252 | !CBB_add_u16_length_prefixed(out, &contents) || // |
| 1253 | !CBB_add_bytes(&contents, npa, npa_len) || // |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1254 | !CBB_flush(out)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1255 | return false; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1256 | } |
| 1257 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1258 | return true; |
Adam Langley | 97dfcbf | 2015-07-01 18:35:20 -0700 | [diff] [blame] | 1259 | } |
| 1260 | |
| 1261 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1262 | // Signed certificate timestamps. |
| 1263 | // |
| 1264 | // https://tools.ietf.org/html/rfc6962#section-3.3.1 |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1265 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1266 | static bool ext_sct_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 1267 | CBB *out_compressible, |
| 1268 | ssl_client_hello_type_t type) { |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 1269 | if (!hs->config->signed_cert_timestamps_enabled) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1270 | return true; |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1271 | } |
| 1272 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1273 | if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_certificate_timestamp) || |
| 1274 | !CBB_add_u16(out_compressible, 0 /* length */)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1275 | return false; |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1276 | } |
| 1277 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1278 | return true; |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1279 | } |
| 1280 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1281 | static bool ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 1282 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1283 | SSL *const ssl = hs->ssl; |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1284 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1285 | return true; |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1286 | } |
| 1287 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1288 | // TLS 1.3 SCTs are included in the Certificate extensions. |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 1289 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
Adam Langley | cfa08c3 | 2016-11-17 13:21:27 -0800 | [diff] [blame] | 1290 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1291 | return false; |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1292 | } |
| 1293 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1294 | // If this is false then we should never have sent the SCT extension in the |
| 1295 | // ClientHello and thus this function should never have been called. |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 1296 | assert(hs->config->signed_cert_timestamps_enabled); |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1297 | |
Adam Langley | cfa08c3 | 2016-11-17 13:21:27 -0800 | [diff] [blame] | 1298 | if (!ssl_is_sct_list_valid(contents)) { |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1299 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1300 | return false; |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1301 | } |
| 1302 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1303 | // Session resumption uses the original session information. The extension |
| 1304 | // should not be sent on resumption, but RFC 6962 did not make it a |
| 1305 | // requirement, so tolerate this. |
| 1306 | // |
| 1307 | // TODO(davidben): Enforce this anyway. |
David Benjamin | 8fc2dc0 | 2017-08-22 15:07:51 -0700 | [diff] [blame] | 1308 | if (!ssl->s3->session_reused) { |
David Benjamin | bfdd1a9 | 2018-06-29 16:26:38 -0400 | [diff] [blame] | 1309 | hs->new_session->signed_cert_timestamp_list.reset( |
| 1310 | CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool)); |
David Benjamin | 8fc2dc0 | 2017-08-22 15:07:51 -0700 | [diff] [blame] | 1311 | if (hs->new_session->signed_cert_timestamp_list == nullptr) { |
| 1312 | *out_alert = SSL_AD_INTERNAL_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1313 | return false; |
David Benjamin | 8fc2dc0 | 2017-08-22 15:07:51 -0700 | [diff] [blame] | 1314 | } |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1315 | } |
| 1316 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1317 | return true; |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1318 | } |
| 1319 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1320 | static bool ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 1321 | CBS *contents) { |
David Benjamin | 53210cb | 2016-11-16 09:01:48 +0900 | [diff] [blame] | 1322 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1323 | return true; |
David Benjamin | 53210cb | 2016-11-16 09:01:48 +0900 | [diff] [blame] | 1324 | } |
| 1325 | |
| 1326 | if (CBS_len(contents) != 0) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1327 | return false; |
David Benjamin | 53210cb | 2016-11-16 09:01:48 +0900 | [diff] [blame] | 1328 | } |
| 1329 | |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 1330 | hs->scts_requested = true; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1331 | return true; |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1332 | } |
| 1333 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1334 | static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1335 | SSL *const ssl = hs->ssl; |
David Benjamin | 4fa4804 | 2024-03-12 09:48:29 -0400 | [diff] [blame] | 1336 | assert(hs->scts_requested); |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1337 | // The extension shouldn't be sent when resuming sessions. |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 1338 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || ssl->s3->session_reused || |
David Benjamin | 4fa4804 | 2024-03-12 09:48:29 -0400 | [diff] [blame] | 1339 | !ssl_cipher_uses_certificate_auth(hs->new_cipher) || |
David Benjamin | 91a3f26 | 2024-02-10 11:08:08 -0500 | [diff] [blame] | 1340 | hs->credential->signed_cert_timestamp_list == nullptr) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1341 | return true; |
Paul Lietar | 4fac72e | 2015-09-09 13:44:55 +0100 | [diff] [blame] | 1342 | } |
| 1343 | |
| 1344 | CBB contents; |
| 1345 | return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) && |
| 1346 | CBB_add_u16_length_prefixed(out, &contents) && |
David Benjamin | 91a3f26 | 2024-02-10 11:08:08 -0500 | [diff] [blame] | 1347 | CBB_add_bytes(&contents, |
| 1348 | CRYPTO_BUFFER_data( |
| 1349 | hs->credential->signed_cert_timestamp_list.get()), |
| 1350 | CRYPTO_BUFFER_len( |
| 1351 | hs->credential->signed_cert_timestamp_list.get())) && |
Paul Lietar | 4fac72e | 2015-09-09 13:44:55 +0100 | [diff] [blame] | 1352 | CBB_flush(out); |
Adam Langley | ab8d87d | 2015-07-10 12:21:39 -0700 | [diff] [blame] | 1353 | } |
| 1354 | |
| 1355 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1356 | // Application-level Protocol Negotiation. |
| 1357 | // |
| 1358 | // https://tools.ietf.org/html/rfc7301 |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1359 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1360 | static bool ext_alpn_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 1361 | CBB *out_compressible, |
| 1362 | ssl_client_hello_type_t type) { |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 1363 | const SSL *const ssl = hs->ssl; |
Nick Harper | 74161f4 | 2020-07-24 15:35:27 -0700 | [diff] [blame] | 1364 | if (hs->config->alpn_client_proto_list.empty() && ssl->quic_method) { |
| 1365 | // ALPN MUST be used with QUIC. |
David Benjamin | c02c19e | 2021-02-10 17:49:20 -0500 | [diff] [blame] | 1366 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL); |
Nick Harper | 74161f4 | 2020-07-24 15:35:27 -0700 | [diff] [blame] | 1367 | return false; |
| 1368 | } |
| 1369 | |
David Benjamin | 0ce090a | 2018-07-02 20:24:40 -0400 | [diff] [blame] | 1370 | if (hs->config->alpn_client_proto_list.empty() || |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1371 | ssl->s3->initial_handshake_complete) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1372 | return true; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1373 | } |
| 1374 | |
| 1375 | CBB contents, proto_list; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1376 | if (!CBB_add_u16(out_compressible, |
| 1377 | TLSEXT_TYPE_application_layer_protocol_negotiation) || |
| 1378 | !CBB_add_u16_length_prefixed(out_compressible, &contents) || |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1379 | !CBB_add_u16_length_prefixed(&contents, &proto_list) || |
David Benjamin | 0ce090a | 2018-07-02 20:24:40 -0400 | [diff] [blame] | 1380 | !CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(), |
| 1381 | hs->config->alpn_client_proto_list.size()) || |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1382 | !CBB_flush(out_compressible)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1383 | return false; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1384 | } |
| 1385 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1386 | return true; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1387 | } |
| 1388 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1389 | static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 1390 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1391 | SSL *const ssl = hs->ssl; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1392 | if (contents == NULL) { |
Nick Harper | 74161f4 | 2020-07-24 15:35:27 -0700 | [diff] [blame] | 1393 | if (ssl->quic_method) { |
| 1394 | // ALPN is required when QUIC is used. |
David Benjamin | c02c19e | 2021-02-10 17:49:20 -0500 | [diff] [blame] | 1395 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL); |
Nick Harper | 74161f4 | 2020-07-24 15:35:27 -0700 | [diff] [blame] | 1396 | *out_alert = SSL_AD_NO_APPLICATION_PROTOCOL; |
| 1397 | return false; |
| 1398 | } |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1399 | return true; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1400 | } |
| 1401 | |
| 1402 | assert(!ssl->s3->initial_handshake_complete); |
David Benjamin | 0ce090a | 2018-07-02 20:24:40 -0400 | [diff] [blame] | 1403 | assert(!hs->config->alpn_client_proto_list.empty()); |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1404 | |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1405 | if (hs->next_proto_neg_seen) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1406 | // NPN and ALPN may not be negotiated in the same connection. |
David Benjamin | 76c2efc | 2015-08-31 14:24:29 -0400 | [diff] [blame] | 1407 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
| 1408 | OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1409 | return false; |
David Benjamin | 76c2efc | 2015-08-31 14:24:29 -0400 | [diff] [blame] | 1410 | } |
| 1411 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1412 | // The extension data consists of a ProtocolNameList which must have |
| 1413 | // exactly one ProtocolName. Each of these is length-prefixed. |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1414 | CBS protocol_name_list, protocol_name; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1415 | if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) || // |
| 1416 | CBS_len(contents) != 0 || // |
| 1417 | !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) || // |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1418 | // Empty protocol names are forbidden. |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1419 | CBS_len(&protocol_name) == 0 || // |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1420 | CBS_len(&protocol_name_list) != 0) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1421 | return false; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1422 | } |
| 1423 | |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 1424 | if (!ssl_is_alpn_protocol_allowed(hs, protocol_name)) { |
David Benjamin | dd6c2e8 | 2017-10-17 15:48:46 -0400 | [diff] [blame] | 1425 | OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL); |
| 1426 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
| 1427 | return false; |
David Benjamin | 3e51757d | 2016-08-11 11:52:23 -0400 | [diff] [blame] | 1428 | } |
| 1429 | |
David Benjamin | 8e7bbba | 2017-10-13 17:18:35 -0400 | [diff] [blame] | 1430 | if (!ssl->s3->alpn_selected.CopyFrom(protocol_name)) { |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1431 | *out_alert = SSL_AD_INTERNAL_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1432 | return false; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1433 | } |
| 1434 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1435 | return true; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1436 | } |
| 1437 | |
David Benjamin | 12a3e7e | 2021-04-13 11:47:36 -0400 | [diff] [blame] | 1438 | bool ssl_is_valid_alpn_list(Span<const uint8_t> in) { |
| 1439 | CBS protocol_name_list = in; |
| 1440 | if (CBS_len(&protocol_name_list) == 0) { |
| 1441 | return false; |
| 1442 | } |
| 1443 | while (CBS_len(&protocol_name_list) > 0) { |
| 1444 | CBS protocol_name; |
| 1445 | if (!CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) || |
| 1446 | // Empty protocol names are forbidden. |
| 1447 | CBS_len(&protocol_name) == 0) { |
| 1448 | return false; |
| 1449 | } |
| 1450 | } |
| 1451 | return true; |
| 1452 | } |
| 1453 | |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 1454 | bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs, |
David Benjamin | dd6c2e8 | 2017-10-17 15:48:46 -0400 | [diff] [blame] | 1455 | Span<const uint8_t> protocol) { |
David Benjamin | 0ce090a | 2018-07-02 20:24:40 -0400 | [diff] [blame] | 1456 | if (hs->config->alpn_client_proto_list.empty()) { |
David Benjamin | dd6c2e8 | 2017-10-17 15:48:46 -0400 | [diff] [blame] | 1457 | return false; |
| 1458 | } |
| 1459 | |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 1460 | if (hs->ssl->ctx->allow_unknown_alpn_protos) { |
David Benjamin | dd6c2e8 | 2017-10-17 15:48:46 -0400 | [diff] [blame] | 1461 | return true; |
| 1462 | } |
| 1463 | |
| 1464 | // Check that the protocol name is one of the ones we advertised. |
David Benjamin | c1d9ac0 | 2024-05-22 13:56:56 -0400 | [diff] [blame] | 1465 | return ssl_alpn_list_contains_protocol(hs->config->alpn_client_proto_list, |
| 1466 | protocol); |
| 1467 | } |
| 1468 | |
| 1469 | bool ssl_alpn_list_contains_protocol(Span<const uint8_t> list, |
| 1470 | Span<const uint8_t> protocol) { |
| 1471 | CBS cbs = list, candidate; |
| 1472 | while (CBS_len(&cbs) > 0) { |
| 1473 | if (!CBS_get_u8_length_prefixed(&cbs, &candidate)) { |
David Benjamin | dd6c2e8 | 2017-10-17 15:48:46 -0400 | [diff] [blame] | 1474 | return false; |
| 1475 | } |
| 1476 | |
David Benjamin | c1d9ac0 | 2024-05-22 13:56:56 -0400 | [diff] [blame] | 1477 | if (candidate == protocol) { |
David Benjamin | dd6c2e8 | 2017-10-17 15:48:46 -0400 | [diff] [blame] | 1478 | return true; |
| 1479 | } |
| 1480 | } |
| 1481 | |
| 1482 | return false; |
| 1483 | } |
| 1484 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1485 | bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 1486 | const SSL_CLIENT_HELLO *client_hello) { |
David Benjamin | f3c8f8d | 2016-11-17 17:20:47 +0900 | [diff] [blame] | 1487 | SSL *const ssl = hs->ssl; |
David Benjamin | 9ef31f0 | 2016-10-31 18:01:13 -0400 | [diff] [blame] | 1488 | CBS contents; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1489 | if (ssl->ctx->alpn_select_cb == NULL || |
David Benjamin | 731058e | 2016-12-03 23:15:13 -0500 | [diff] [blame] | 1490 | !ssl_client_hello_get_extension( |
David Benjamin | 9ef31f0 | 2016-10-31 18:01:13 -0400 | [diff] [blame] | 1491 | client_hello, &contents, |
| 1492 | TLSEXT_TYPE_application_layer_protocol_negotiation)) { |
Nick Harper | 74161f4 | 2020-07-24 15:35:27 -0700 | [diff] [blame] | 1493 | if (ssl->quic_method) { |
| 1494 | // ALPN is required when QUIC is used. |
David Benjamin | c02c19e | 2021-02-10 17:49:20 -0500 | [diff] [blame] | 1495 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL); |
Nick Harper | 74161f4 | 2020-07-24 15:35:27 -0700 | [diff] [blame] | 1496 | *out_alert = SSL_AD_NO_APPLICATION_PROTOCOL; |
| 1497 | return false; |
| 1498 | } |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1499 | // Ignore ALPN if not configured or no extension was supplied. |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1500 | return true; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1501 | } |
| 1502 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1503 | // ALPN takes precedence over NPN. |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 1504 | hs->next_proto_neg_seen = false; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1505 | |
| 1506 | CBS protocol_name_list; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1507 | if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) || // |
| 1508 | CBS_len(&contents) != 0 || // |
David Benjamin | 12a3e7e | 2021-04-13 11:47:36 -0400 | [diff] [blame] | 1509 | !ssl_is_valid_alpn_list(protocol_name_list)) { |
David Benjamin | 9ef31f0 | 2016-10-31 18:01:13 -0400 | [diff] [blame] | 1510 | OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); |
| 1511 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1512 | return false; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1513 | } |
| 1514 | |
David Benjamin | 9d64d8d | 2022-08-31 19:27:56 -0400 | [diff] [blame] | 1515 | // |protocol_name_list| fits in |unsigned| because TLS extensions use 16-bit |
| 1516 | // lengths. |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1517 | const uint8_t *selected; |
| 1518 | uint8_t selected_len; |
David Benjamin | c02c19e | 2021-02-10 17:49:20 -0500 | [diff] [blame] | 1519 | int ret = ssl->ctx->alpn_select_cb( |
| 1520 | ssl, &selected, &selected_len, CBS_data(&protocol_name_list), |
David Benjamin | 9d64d8d | 2022-08-31 19:27:56 -0400 | [diff] [blame] | 1521 | static_cast<unsigned>(CBS_len(&protocol_name_list)), |
| 1522 | ssl->ctx->alpn_select_cb_arg); |
David Benjamin | c02c19e | 2021-02-10 17:49:20 -0500 | [diff] [blame] | 1523 | // ALPN is required when QUIC is used. |
| 1524 | if (ssl->quic_method && |
| 1525 | (ret == SSL_TLSEXT_ERR_NOACK || ret == SSL_TLSEXT_ERR_ALERT_WARNING)) { |
| 1526 | ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
| 1527 | } |
| 1528 | switch (ret) { |
| 1529 | case SSL_TLSEXT_ERR_OK: |
| 1530 | if (selected_len == 0) { |
| 1531 | OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL); |
| 1532 | *out_alert = SSL_AD_INTERNAL_ERROR; |
| 1533 | return false; |
| 1534 | } |
| 1535 | if (!ssl->s3->alpn_selected.CopyFrom( |
| 1536 | MakeConstSpan(selected, selected_len))) { |
| 1537 | *out_alert = SSL_AD_INTERNAL_ERROR; |
| 1538 | return false; |
| 1539 | } |
| 1540 | break; |
| 1541 | case SSL_TLSEXT_ERR_NOACK: |
| 1542 | case SSL_TLSEXT_ERR_ALERT_WARNING: |
| 1543 | break; |
| 1544 | case SSL_TLSEXT_ERR_ALERT_FATAL: |
| 1545 | *out_alert = SSL_AD_NO_APPLICATION_PROTOCOL; |
| 1546 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL); |
David Benjamin | fa544f1 | 2018-05-15 15:06:28 -0400 | [diff] [blame] | 1547 | return false; |
David Benjamin | c02c19e | 2021-02-10 17:49:20 -0500 | [diff] [blame] | 1548 | default: |
| 1549 | // Invalid return value. |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1550 | *out_alert = SSL_AD_INTERNAL_ERROR; |
David Benjamin | c02c19e | 2021-02-10 17:49:20 -0500 | [diff] [blame] | 1551 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1552 | return false; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1553 | } |
| 1554 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1555 | return true; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1556 | } |
| 1557 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1558 | static bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1559 | SSL *const ssl = hs->ssl; |
David Benjamin | 8e7bbba | 2017-10-13 17:18:35 -0400 | [diff] [blame] | 1560 | if (ssl->s3->alpn_selected.empty()) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1561 | return true; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1562 | } |
| 1563 | |
| 1564 | CBB contents, proto_list, proto; |
| 1565 | if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) || |
| 1566 | !CBB_add_u16_length_prefixed(out, &contents) || |
| 1567 | !CBB_add_u16_length_prefixed(&contents, &proto_list) || |
| 1568 | !CBB_add_u8_length_prefixed(&proto_list, &proto) || |
David Benjamin | 8e7bbba | 2017-10-13 17:18:35 -0400 | [diff] [blame] | 1569 | !CBB_add_bytes(&proto, ssl->s3->alpn_selected.data(), |
| 1570 | ssl->s3->alpn_selected.size()) || |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1571 | !CBB_flush(out)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1572 | return false; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1573 | } |
| 1574 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1575 | return true; |
Adam Langley | f18e453 | 2015-07-10 13:39:53 -0700 | [diff] [blame] | 1576 | } |
| 1577 | |
| 1578 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1579 | // Channel ID. |
| 1580 | // |
| 1581 | // https://tools.ietf.org/html/draft-balfanz-tls-channelid-01 |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1582 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1583 | static bool ext_channel_id_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 1584 | CBB *out_compressible, |
| 1585 | ssl_client_hello_type_t type) { |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 1586 | const SSL *const ssl = hs->ssl; |
David Benjamin | ba423c9 | 2021-06-15 16:26:58 -0400 | [diff] [blame] | 1587 | if (!hs->config->channel_id_private || SSL_is_dtls(ssl) || |
| 1588 | // Don't offer Channel ID in ClientHelloOuter. ClientHelloOuter handshakes |
| 1589 | // are not authenticated for the name that can learn the Channel ID. |
| 1590 | // |
| 1591 | // We could alternatively offer the extension but sign with a random key. |
| 1592 | // For other extensions, we try to align |ssl_client_hello_outer| and |
| 1593 | // |ssl_client_hello_unencrypted|, to improve the effectiveness of ECH |
| 1594 | // GREASE. However, Channel ID is deprecated and unlikely to be used with |
| 1595 | // ECH, so do the simplest thing. |
| 1596 | type == ssl_client_hello_outer) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1597 | return true; |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1598 | } |
| 1599 | |
David Benjamin | ba423c9 | 2021-06-15 16:26:58 -0400 | [diff] [blame] | 1600 | if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) || |
| 1601 | !CBB_add_u16(out, 0 /* length */)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1602 | return false; |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1603 | } |
| 1604 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1605 | return true; |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1606 | } |
| 1607 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1608 | static bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs, |
| 1609 | uint8_t *out_alert, |
| 1610 | CBS *contents) { |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1611 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1612 | return true; |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1613 | } |
| 1614 | |
David Benjamin | 8acec00 | 2021-05-19 13:03:34 -0400 | [diff] [blame] | 1615 | assert(!SSL_is_dtls(hs->ssl)); |
David Benjamin | b587911 | 2021-05-18 17:10:18 -0400 | [diff] [blame] | 1616 | assert(hs->config->channel_id_private); |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1617 | |
| 1618 | if (CBS_len(contents) != 0) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1619 | return false; |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1620 | } |
| 1621 | |
David Benjamin | 8acec00 | 2021-05-19 13:03:34 -0400 | [diff] [blame] | 1622 | hs->channel_id_negotiated = true; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1623 | return true; |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1624 | } |
| 1625 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1626 | static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs, |
| 1627 | uint8_t *out_alert, |
| 1628 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1629 | SSL *const ssl = hs->ssl; |
David Benjamin | 4685376 | 2018-07-03 14:01:26 -0400 | [diff] [blame] | 1630 | if (contents == NULL || !hs->config->channel_id_enabled || SSL_is_dtls(ssl)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1631 | return true; |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1632 | } |
| 1633 | |
| 1634 | if (CBS_len(contents) != 0) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1635 | return false; |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1636 | } |
| 1637 | |
David Benjamin | 8acec00 | 2021-05-19 13:03:34 -0400 | [diff] [blame] | 1638 | hs->channel_id_negotiated = true; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1639 | return true; |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1640 | } |
| 1641 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1642 | static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 8acec00 | 2021-05-19 13:03:34 -0400 | [diff] [blame] | 1643 | if (!hs->channel_id_negotiated) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1644 | return true; |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1645 | } |
| 1646 | |
| 1647 | if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) || |
| 1648 | !CBB_add_u16(out, 0 /* length */)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1649 | return false; |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1650 | } |
| 1651 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1652 | return true; |
Adam Langley | 49c7af1 | 2015-07-10 14:33:46 -0700 | [diff] [blame] | 1653 | } |
| 1654 | |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1655 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1656 | // Secure Real-time Transport Protocol (SRTP) extension. |
| 1657 | // |
| 1658 | // https://tools.ietf.org/html/rfc5764 |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1659 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1660 | static bool ext_srtp_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 1661 | CBB *out_compressible, |
| 1662 | ssl_client_hello_type_t type) { |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 1663 | const SSL *const ssl = hs->ssl; |
David Benjamin | b778b9c | 2021-05-20 11:31:05 -0400 | [diff] [blame] | 1664 | const STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = |
| 1665 | SSL_get_srtp_profiles(ssl); |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1666 | if (profiles == NULL || // |
| 1667 | sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0 || // |
David Benjamin | bc4c91a | 2021-05-18 16:06:30 -0400 | [diff] [blame] | 1668 | !SSL_is_dtls(ssl)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1669 | return true; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1670 | } |
| 1671 | |
| 1672 | CBB contents, profile_ids; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1673 | if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_srtp) || |
| 1674 | !CBB_add_u16_length_prefixed(out_compressible, &contents) || |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1675 | !CBB_add_u16_length_prefixed(&contents, &profile_ids)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1676 | return false; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1677 | } |
| 1678 | |
David Benjamin | ee910bf | 2017-07-25 22:36:00 -0400 | [diff] [blame] | 1679 | for (const SRTP_PROTECTION_PROFILE *profile : profiles) { |
| 1680 | if (!CBB_add_u16(&profile_ids, profile->id)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1681 | return false; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1682 | } |
| 1683 | } |
| 1684 | |
| 1685 | if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) || |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1686 | !CBB_flush(out_compressible)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1687 | return false; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1688 | } |
| 1689 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1690 | return true; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1691 | } |
| 1692 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1693 | static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 1694 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1695 | SSL *const ssl = hs->ssl; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1696 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1697 | return true; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1698 | } |
| 1699 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1700 | // The extension consists of a u16-prefixed profile ID list containing a |
| 1701 | // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field. |
| 1702 | // |
| 1703 | // See https://tools.ietf.org/html/rfc5764#section-4.1.1 |
David Benjamin | bc4c91a | 2021-05-18 16:06:30 -0400 | [diff] [blame] | 1704 | assert(SSL_is_dtls(ssl)); |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1705 | CBS profile_ids, srtp_mki; |
| 1706 | uint16_t profile_id; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1707 | if (!CBS_get_u16_length_prefixed(contents, &profile_ids) || // |
| 1708 | !CBS_get_u16(&profile_ids, &profile_id) || // |
| 1709 | CBS_len(&profile_ids) != 0 || // |
| 1710 | !CBS_get_u8_length_prefixed(contents, &srtp_mki) || // |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1711 | CBS_len(contents) != 0) { |
| 1712 | OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1713 | return false; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1714 | } |
| 1715 | |
| 1716 | if (CBS_len(&srtp_mki) != 0) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1717 | // Must be no MKI, since we never offer one. |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1718 | OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE); |
| 1719 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1720 | return false; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1721 | } |
| 1722 | |
David Benjamin | b778b9c | 2021-05-20 11:31:05 -0400 | [diff] [blame] | 1723 | // Check to see if the server gave us something we support and offered. |
| 1724 | for (const SRTP_PROTECTION_PROFILE *profile : SSL_get_srtp_profiles(ssl)) { |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1725 | if (profile->id == profile_id) { |
David Benjamin | fceca8e | 2018-04-12 16:37:19 -0400 | [diff] [blame] | 1726 | ssl->s3->srtp_profile = profile; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1727 | return true; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1728 | } |
| 1729 | } |
| 1730 | |
| 1731 | OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); |
| 1732 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1733 | return false; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1734 | } |
| 1735 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1736 | static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 1737 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1738 | SSL *const ssl = hs->ssl; |
David Benjamin | bc4c91a | 2021-05-18 16:06:30 -0400 | [diff] [blame] | 1739 | // DTLS-SRTP is only defined for DTLS. |
| 1740 | if (contents == NULL || !SSL_is_dtls(ssl)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1741 | return true; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1742 | } |
| 1743 | |
| 1744 | CBS profile_ids, srtp_mki; |
| 1745 | if (!CBS_get_u16_length_prefixed(contents, &profile_ids) || |
| 1746 | CBS_len(&profile_ids) < 2 || |
| 1747 | !CBS_get_u8_length_prefixed(contents, &srtp_mki) || |
| 1748 | CBS_len(contents) != 0) { |
| 1749 | OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1750 | return false; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1751 | } |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1752 | // Discard the MKI value for now. |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1753 | |
| 1754 | const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles = |
| 1755 | SSL_get_srtp_profiles(ssl); |
| 1756 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1757 | // Pick the server's most preferred profile. |
David Benjamin | ee910bf | 2017-07-25 22:36:00 -0400 | [diff] [blame] | 1758 | for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) { |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1759 | CBS profile_ids_tmp; |
| 1760 | CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids)); |
| 1761 | |
| 1762 | while (CBS_len(&profile_ids_tmp) > 0) { |
| 1763 | uint16_t profile_id; |
| 1764 | if (!CBS_get_u16(&profile_ids_tmp, &profile_id)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1765 | return false; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1766 | } |
| 1767 | |
| 1768 | if (server_profile->id == profile_id) { |
David Benjamin | fceca8e | 2018-04-12 16:37:19 -0400 | [diff] [blame] | 1769 | ssl->s3->srtp_profile = server_profile; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1770 | return true; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1771 | } |
| 1772 | } |
| 1773 | } |
| 1774 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1775 | return true; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1776 | } |
| 1777 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1778 | static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1779 | SSL *const ssl = hs->ssl; |
David Benjamin | fceca8e | 2018-04-12 16:37:19 -0400 | [diff] [blame] | 1780 | if (ssl->s3->srtp_profile == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1781 | return true; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1782 | } |
| 1783 | |
David Benjamin | bc4c91a | 2021-05-18 16:06:30 -0400 | [diff] [blame] | 1784 | assert(SSL_is_dtls(ssl)); |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1785 | CBB contents, profile_ids; |
| 1786 | if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) || |
| 1787 | !CBB_add_u16_length_prefixed(out, &contents) || |
| 1788 | !CBB_add_u16_length_prefixed(&contents, &profile_ids) || |
David Benjamin | fceca8e | 2018-04-12 16:37:19 -0400 | [diff] [blame] | 1789 | !CBB_add_u16(&profile_ids, ssl->s3->srtp_profile->id) || |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1790 | !CBB_add_u8(&contents, 0 /* empty MKI */) || !CBB_flush(out)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1791 | return false; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1792 | } |
| 1793 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1794 | return true; |
Adam Langley | 391250d | 2015-07-15 19:06:07 -0700 | [diff] [blame] | 1795 | } |
| 1796 | |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1797 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1798 | // EC point formats. |
| 1799 | // |
| 1800 | // https://tools.ietf.org/html/rfc4492#section-5.1.2 |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1801 | |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 1802 | static bool ext_ec_point_add_extension(const SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | fc05994 | 2015-07-30 23:01:59 -0400 | [diff] [blame] | 1803 | CBB contents, formats; |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1804 | if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) || |
| 1805 | !CBB_add_u16_length_prefixed(out, &contents) || |
David Benjamin | fc05994 | 2015-07-30 23:01:59 -0400 | [diff] [blame] | 1806 | !CBB_add_u8_length_prefixed(&contents, &formats) || |
| 1807 | !CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) || |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1808 | !CBB_flush(out)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1809 | return false; |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1810 | } |
| 1811 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1812 | return true; |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1813 | } |
| 1814 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1815 | static bool ext_ec_point_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 1816 | CBB *out_compressible, |
| 1817 | ssl_client_hello_type_t type) { |
Adam Langley | ffe384c | 2019-05-01 11:13:12 -0700 | [diff] [blame] | 1818 | // The point format extension is unnecessary in TLS 1.3. |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1819 | if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1820 | return true; |
David Benjamin | 70aba26 | 2016-11-01 12:08:15 -0400 | [diff] [blame] | 1821 | } |
| 1822 | |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1823 | return ext_ec_point_add_extension(hs, out); |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1824 | } |
| 1825 | |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1826 | static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, |
| 1827 | uint8_t *out_alert, CBS *contents) { |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1828 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1829 | return true; |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1830 | } |
| 1831 | |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 1832 | if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1833 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 1834 | } |
| 1835 | |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1836 | CBS ec_point_format_list; |
| 1837 | if (!CBS_get_u8_length_prefixed(contents, &ec_point_format_list) || |
| 1838 | CBS_len(contents) != 0) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1839 | return false; |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1840 | } |
| 1841 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1842 | // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed |
| 1843 | // point format. |
David Benjamin | 17cf2cb | 2016-12-13 01:07:13 -0500 | [diff] [blame] | 1844 | if (OPENSSL_memchr(CBS_data(&ec_point_format_list), |
| 1845 | TLSEXT_ECPOINTFORMAT_uncompressed, |
| 1846 | CBS_len(&ec_point_format_list)) == NULL) { |
David Benjamin | fc05994 | 2015-07-30 23:01:59 -0400 | [diff] [blame] | 1847 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1848 | return false; |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1849 | } |
| 1850 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1851 | return true; |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1852 | } |
| 1853 | |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1854 | static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, |
| 1855 | uint8_t *out_alert, CBS *contents) { |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 1856 | if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1857 | return true; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 1858 | } |
| 1859 | |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1860 | return ext_ec_point_parse_serverhello(hs, out_alert, contents); |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1861 | } |
| 1862 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1863 | static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1864 | SSL *const ssl = hs->ssl; |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 1865 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1866 | return true; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 1867 | } |
| 1868 | |
David Benjamin | 45738dd | 2017-02-09 20:01:26 -0500 | [diff] [blame] | 1869 | const uint32_t alg_k = hs->new_cipher->algorithm_mkey; |
| 1870 | const uint32_t alg_a = hs->new_cipher->algorithm_auth; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1871 | const bool using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA); |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1872 | |
| 1873 | if (!using_ecc) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1874 | return true; |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1875 | } |
| 1876 | |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 1877 | return ext_ec_point_add_extension(hs, out); |
Adam Langley | bdd5d66 | 2015-07-20 16:19:08 -0700 | [diff] [blame] | 1878 | } |
| 1879 | |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1880 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1881 | // Pre Shared Key |
| 1882 | // |
David Benjamin | a130ce0 | 2018-08-14 22:26:39 -0500 | [diff] [blame] | 1883 | // https://tools.ietf.org/html/rfc8446#section-4.2.11 |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1884 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1885 | static bool should_offer_psk(const SSL_HANDSHAKE *hs, |
| 1886 | ssl_client_hello_type_t type) { |
David Benjamin | 350fe3b | 2021-06-02 17:58:53 -0400 | [diff] [blame] | 1887 | const SSL *const ssl = hs->ssl; |
David Benjamin | 50596f8 | 2018-07-02 19:47:27 -0400 | [diff] [blame] | 1888 | if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr || |
David Benjamin | e6b800f | 2024-11-11 17:31:41 -0500 | [diff] [blame] | 1889 | ssl_session_get_type(ssl->session.get()) != |
| 1890 | SSLSessionType::kPreSharedKey || |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 1891 | // TODO(https://crbug.com/boringssl/275): Should we synthesize a |
| 1892 | // placeholder PSK, at least when we offer early data? Otherwise |
| 1893 | // ClientHelloOuter will contain an early_data extension without a |
| 1894 | // pre_shared_key extension and potentially break the recovery flow. |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1895 | type == ssl_client_hello_outer) { |
David Benjamin | 350fe3b | 2021-06-02 17:58:53 -0400 | [diff] [blame] | 1896 | return false; |
| 1897 | } |
| 1898 | |
| 1899 | // Per RFC 8446 section 4.1.4, skip offering the session if the selected |
| 1900 | // cipher in HelloRetryRequest does not match. This avoids performing the |
| 1901 | // transcript hash transformation for multiple hashes. |
| 1902 | if (ssl->s3->used_hello_retry_request && |
| 1903 | ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) { |
| 1904 | return false; |
| 1905 | } |
| 1906 | |
| 1907 | return true; |
| 1908 | } |
| 1909 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1910 | static size_t ext_pre_shared_key_clienthello_length( |
| 1911 | const SSL_HANDSHAKE *hs, ssl_client_hello_type_t type) { |
David Benjamin | 350fe3b | 2021-06-02 17:58:53 -0400 | [diff] [blame] | 1912 | const SSL *const ssl = hs->ssl; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1913 | if (!should_offer_psk(hs, type)) { |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1914 | return 0; |
| 1915 | } |
| 1916 | |
David Benjamin | 50596f8 | 2018-07-02 19:47:27 -0400 | [diff] [blame] | 1917 | size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get())); |
David Benjamin | bfdd1a9 | 2018-06-29 16:26:38 -0400 | [diff] [blame] | 1918 | return 15 + ssl->session->ticket.size() + binder_len; |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1919 | } |
| 1920 | |
David Benjamin | 5acf9f4 | 2021-05-24 14:23:38 -0400 | [diff] [blame] | 1921 | static bool ext_pre_shared_key_add_clienthello(const SSL_HANDSHAKE *hs, |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1922 | CBB *out, bool *out_needs_binder, |
| 1923 | ssl_client_hello_type_t type) { |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 1924 | const SSL *const ssl = hs->ssl; |
David Benjamin | 5acf9f4 | 2021-05-24 14:23:38 -0400 | [diff] [blame] | 1925 | *out_needs_binder = false; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 1926 | if (!should_offer_psk(hs, type)) { |
Steven Valdez | cd8470f | 2017-10-11 12:29:36 -0400 | [diff] [blame] | 1927 | return true; |
| 1928 | } |
| 1929 | |
David Benjamin | a5d14be | 2024-11-03 14:31:16 +0000 | [diff] [blame] | 1930 | OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get()); |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1931 | uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time); |
| 1932 | uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add; |
| 1933 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1934 | // Fill in a placeholder zero binder of the appropriate length. It will be |
| 1935 | // computed and filled in later after length prefixes are computed. |
David Benjamin | 50596f8 | 2018-07-02 19:47:27 -0400 | [diff] [blame] | 1936 | size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get())); |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1937 | |
| 1938 | CBB contents, identity, ticket, binders, binder; |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1939 | if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) || |
| 1940 | !CBB_add_u16_length_prefixed(out, &contents) || |
Steven Valdez | 5b98608 | 2016-09-01 12:29:49 -0400 | [diff] [blame] | 1941 | !CBB_add_u16_length_prefixed(&contents, &identity) || |
Steven Valdez | 5b98608 | 2016-09-01 12:29:49 -0400 | [diff] [blame] | 1942 | !CBB_add_u16_length_prefixed(&identity, &ticket) || |
David Benjamin | bfdd1a9 | 2018-06-29 16:26:38 -0400 | [diff] [blame] | 1943 | !CBB_add_bytes(&ticket, ssl->session->ticket.data(), |
| 1944 | ssl->session->ticket.size()) || |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1945 | !CBB_add_u32(&identity, obfuscated_ticket_age) || |
| 1946 | !CBB_add_u16_length_prefixed(&contents, &binders) || |
| 1947 | !CBB_add_u8_length_prefixed(&binders, &binder) || |
David Benjamin | 9545062 | 2021-07-16 18:24:02 -0400 | [diff] [blame] | 1948 | !CBB_add_zeros(&binder, binder_len)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1949 | return false; |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1950 | } |
| 1951 | |
David Benjamin | 5acf9f4 | 2021-05-24 14:23:38 -0400 | [diff] [blame] | 1952 | *out_needs_binder = true; |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1953 | return CBB_flush(out); |
| 1954 | } |
| 1955 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1956 | bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs, |
| 1957 | uint8_t *out_alert, |
| 1958 | CBS *contents) { |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1959 | uint16_t psk_id; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1960 | if (!CBS_get_u16(contents, &psk_id) || // |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1961 | CBS_len(contents) != 0) { |
David Benjamin | 7f78df4 | 2016-10-05 22:33:19 -0400 | [diff] [blame] | 1962 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1963 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1964 | return false; |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1965 | } |
| 1966 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1967 | // We only advertise one PSK identity, so the only legal index is zero. |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1968 | if (psk_id != 0) { |
David Benjamin | 7f78df4 | 2016-10-05 22:33:19 -0400 | [diff] [blame] | 1969 | OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND); |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1970 | *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1971 | return false; |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1972 | } |
| 1973 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1974 | return true; |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1975 | } |
| 1976 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 1977 | bool ssl_ext_pre_shared_key_parse_clienthello( |
David Benjamin | 707af29 | 2017-03-10 17:47:18 -0500 | [diff] [blame] | 1978 | SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders, |
David Benjamin | 9806ae0 | 2019-08-16 15:32:03 -0400 | [diff] [blame] | 1979 | uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, |
| 1980 | const SSL_CLIENT_HELLO *client_hello, CBS *contents) { |
| 1981 | // Verify that the pre_shared_key extension is the last extension in |
| 1982 | // ClientHello. |
| 1983 | if (CBS_data(contents) + CBS_len(contents) != |
| 1984 | client_hello->extensions + client_hello->extensions_len) { |
| 1985 | OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST); |
| 1986 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
| 1987 | return false; |
| 1988 | } |
| 1989 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 1990 | // We only process the first PSK identity since we don't support pure PSK. |
David Benjamin | 707af29 | 2017-03-10 17:47:18 -0500 | [diff] [blame] | 1991 | CBS identities, binders; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 1992 | if (!CBS_get_u16_length_prefixed(contents, &identities) || // |
| 1993 | !CBS_get_u16_length_prefixed(&identities, out_ticket) || // |
| 1994 | !CBS_get_u32(&identities, out_obfuscated_ticket_age) || // |
| 1995 | !CBS_get_u16_length_prefixed(contents, &binders) || // |
| 1996 | CBS_len(&binders) == 0 || // |
Steven Valdez | af3b8a9 | 2016-11-01 12:49:22 -0400 | [diff] [blame] | 1997 | CBS_len(contents) != 0) { |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1998 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 1999 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2000 | return false; |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 2001 | } |
| 2002 | |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 2003 | *out_binders = binders; |
| 2004 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2005 | // Check the syntax of the remaining identities, but do not process them. |
David Benjamin | aedf303 | 2016-12-01 16:47:56 -0500 | [diff] [blame] | 2006 | size_t num_identities = 1; |
| 2007 | while (CBS_len(&identities) != 0) { |
| 2008 | CBS unused_ticket; |
| 2009 | uint32_t unused_obfuscated_ticket_age; |
| 2010 | if (!CBS_get_u16_length_prefixed(&identities, &unused_ticket) || |
| 2011 | !CBS_get_u32(&identities, &unused_obfuscated_ticket_age)) { |
| 2012 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
| 2013 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2014 | return false; |
David Benjamin | aedf303 | 2016-12-01 16:47:56 -0500 | [diff] [blame] | 2015 | } |
| 2016 | |
| 2017 | num_identities++; |
| 2018 | } |
| 2019 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2020 | // Check the syntax of the binders. The value will be checked later if |
| 2021 | // resuming. |
David Benjamin | aedf303 | 2016-12-01 16:47:56 -0500 | [diff] [blame] | 2022 | size_t num_binders = 0; |
| 2023 | while (CBS_len(&binders) != 0) { |
| 2024 | CBS binder; |
| 2025 | if (!CBS_get_u8_length_prefixed(&binders, &binder)) { |
| 2026 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
| 2027 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2028 | return false; |
David Benjamin | aedf303 | 2016-12-01 16:47:56 -0500 | [diff] [blame] | 2029 | } |
| 2030 | |
| 2031 | num_binders++; |
| 2032 | } |
| 2033 | |
| 2034 | if (num_identities != num_binders) { |
| 2035 | OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH); |
| 2036 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2037 | return false; |
Steven Valdez | 5b98608 | 2016-09-01 12:29:49 -0400 | [diff] [blame] | 2038 | } |
| 2039 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2040 | return true; |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 2041 | } |
| 2042 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2043 | bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 8baf963 | 2016-11-17 17:11:16 +0900 | [diff] [blame] | 2044 | if (!hs->ssl->s3->session_reused) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2045 | return true; |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 2046 | } |
| 2047 | |
| 2048 | CBB contents; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2049 | if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) || // |
| 2050 | !CBB_add_u16_length_prefixed(out, &contents) || // |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2051 | // We only consider the first identity for resumption |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2052 | !CBB_add_u16(&contents, 0) || // |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 2053 | !CBB_flush(out)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2054 | return false; |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 2055 | } |
| 2056 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2057 | return true; |
Steven Valdez | 4aa154e | 2016-07-29 14:32:55 -0400 | [diff] [blame] | 2058 | } |
| 2059 | |
| 2060 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2061 | // Pre-Shared Key Exchange Modes |
| 2062 | // |
David Benjamin | a130ce0 | 2018-08-14 22:26:39 -0500 | [diff] [blame] | 2063 | // https://tools.ietf.org/html/rfc8446#section-4.2.9 |
Steven Valdez | a4ee74d | 2016-11-29 13:36:45 -0500 | [diff] [blame] | 2064 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2065 | static bool ext_psk_key_exchange_modes_add_clienthello( |
| 2066 | const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible, |
| 2067 | ssl_client_hello_type_t type) { |
David Benjamin | 68161cb | 2017-06-20 14:49:43 -0400 | [diff] [blame] | 2068 | if (hs->max_version < TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2069 | return true; |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 2070 | } |
| 2071 | |
| 2072 | CBB contents, ke_modes; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2073 | if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_psk_key_exchange_modes) || |
| 2074 | !CBB_add_u16_length_prefixed(out_compressible, &contents) || |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 2075 | !CBB_add_u8_length_prefixed(&contents, &ke_modes) || |
| 2076 | !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2077 | return false; |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 2078 | } |
| 2079 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2080 | return CBB_flush(out_compressible); |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 2081 | } |
| 2082 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2083 | static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs, |
| 2084 | uint8_t *out_alert, |
| 2085 | CBS *contents) { |
David Benjamin | 4eb95cc | 2016-11-16 17:08:23 +0900 | [diff] [blame] | 2086 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2087 | return true; |
David Benjamin | 4eb95cc | 2016-11-16 17:08:23 +0900 | [diff] [blame] | 2088 | } |
| 2089 | |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 2090 | CBS ke_modes; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2091 | if (!CBS_get_u8_length_prefixed(contents, &ke_modes) || // |
| 2092 | CBS_len(&ke_modes) == 0 || // |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 2093 | CBS_len(contents) != 0) { |
| 2094 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2095 | return false; |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 2096 | } |
| 2097 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2098 | // We only support tickets with PSK_DHE_KE. |
David Benjamin | 17cf2cb | 2016-12-13 01:07:13 -0500 | [diff] [blame] | 2099 | hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE, |
| 2100 | CBS_len(&ke_modes)) != NULL; |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 2101 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2102 | return true; |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 2103 | } |
| 2104 | |
| 2105 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2106 | // Early Data Indication |
| 2107 | // |
David Benjamin | a130ce0 | 2018-08-14 22:26:39 -0500 | [diff] [blame] | 2108 | // https://tools.ietf.org/html/rfc8446#section-4.2.10 |
Steven Valdez | a4ee74d | 2016-11-29 13:36:45 -0500 | [diff] [blame] | 2109 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2110 | static bool ext_early_data_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 2111 | CBB *out_compressible, |
| 2112 | ssl_client_hello_type_t type) { |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 2113 | const SSL *const ssl = hs->ssl; |
David Benjamin | 6477012 | 2019-05-04 11:00:04 -0500 | [diff] [blame] | 2114 | // The second ClientHello never offers early data, and we must have already |
| 2115 | // filled in |early_data_reason| by this point. |
Kris Kwiatkowski | b11902a | 2019-08-24 11:01:04 +0100 | [diff] [blame] | 2116 | if (ssl->s3->used_hello_retry_request) { |
David Benjamin | 6477012 | 2019-05-04 11:00:04 -0500 | [diff] [blame] | 2117 | assert(ssl->s3->early_data_reason != ssl_early_data_unknown); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2118 | return true; |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 2119 | } |
| 2120 | |
David Benjamin | 4e93cd4 | 2021-05-18 13:38:25 -0400 | [diff] [blame] | 2121 | if (!hs->early_data_offered) { |
David Benjamin | 6477012 | 2019-05-04 11:00:04 -0500 | [diff] [blame] | 2122 | return true; |
| 2123 | } |
| 2124 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2125 | // If offering ECH, the extension only applies to ClientHelloInner, but we |
| 2126 | // send the extension in both ClientHellos. This ensures that, if the server |
| 2127 | // handshakes with ClientHelloOuter, it can skip past early data. See |
David Benjamin | 0fa3030 | 2021-09-03 17:23:28 -0400 | [diff] [blame] | 2128 | // draft-ietf-tls-esni-13, section 6.1. |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2129 | if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_early_data) || // |
| 2130 | !CBB_add_u16(out_compressible, 0) || // |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2131 | !CBB_flush(out_compressible)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2132 | return false; |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 2133 | } |
| 2134 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2135 | return true; |
Steven Valdez | a4ee74d | 2016-11-29 13:36:45 -0500 | [diff] [blame] | 2136 | } |
| 2137 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2138 | static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs, |
David Benjamin | 6477012 | 2019-05-04 11:00:04 -0500 | [diff] [blame] | 2139 | uint8_t *out_alert, |
| 2140 | CBS *contents) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 2141 | SSL *const ssl = hs->ssl; |
Steven Valdez | a4ee74d | 2016-11-29 13:36:45 -0500 | [diff] [blame] | 2142 | if (contents == NULL) { |
Kris Kwiatkowski | b11902a | 2019-08-24 11:01:04 +0100 | [diff] [blame] | 2143 | if (hs->early_data_offered && !ssl->s3->used_hello_retry_request) { |
David Benjamin | 6477012 | 2019-05-04 11:00:04 -0500 | [diff] [blame] | 2144 | ssl->s3->early_data_reason = ssl->s3->session_reused |
| 2145 | ? ssl_early_data_peer_declined |
| 2146 | : ssl_early_data_session_not_resumed; |
| 2147 | } else { |
| 2148 | // We already filled in |early_data_reason| when declining to offer 0-RTT |
| 2149 | // or handling the implicit HelloRetryRequest reject. |
| 2150 | assert(ssl->s3->early_data_reason != ssl_early_data_unknown); |
| 2151 | } |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2152 | return true; |
Steven Valdez | a4ee74d | 2016-11-29 13:36:45 -0500 | [diff] [blame] | 2153 | } |
| 2154 | |
David Benjamin | 6477012 | 2019-05-04 11:00:04 -0500 | [diff] [blame] | 2155 | // If we received an HRR, the second ClientHello never offers early data, so |
| 2156 | // the extensions logic will automatically reject early data extensions as |
| 2157 | // unsolicited. This covered by the ServerAcceptsEarlyDataOnHRR test. |
Kris Kwiatkowski | b11902a | 2019-08-24 11:01:04 +0100 | [diff] [blame] | 2158 | assert(!ssl->s3->used_hello_retry_request); |
David Benjamin | 6477012 | 2019-05-04 11:00:04 -0500 | [diff] [blame] | 2159 | |
Steven Valdez | a4ee74d | 2016-11-29 13:36:45 -0500 | [diff] [blame] | 2160 | if (CBS_len(contents) != 0) { |
| 2161 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2162 | return false; |
Steven Valdez | a4ee74d | 2016-11-29 13:36:45 -0500 | [diff] [blame] | 2163 | } |
| 2164 | |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 2165 | if (!ssl->s3->session_reused) { |
| 2166 | *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; |
| 2167 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2168 | return false; |
Steven Valdez | a4ee74d | 2016-11-29 13:36:45 -0500 | [diff] [blame] | 2169 | } |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 2170 | |
David Benjamin | 6477012 | 2019-05-04 11:00:04 -0500 | [diff] [blame] | 2171 | ssl->s3->early_data_reason = ssl_early_data_accepted; |
David Benjamin | 02e6256 | 2017-12-18 18:04:01 -0500 | [diff] [blame] | 2172 | ssl->s3->early_data_accepted = true; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2173 | return true; |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 2174 | } |
| 2175 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2176 | static bool ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs, |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2177 | uint8_t *out_alert, |
| 2178 | CBS *contents) { |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 2179 | SSL *const ssl = hs->ssl; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2180 | if (contents == NULL || ssl_protocol_version(ssl) < TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2181 | return true; |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 2182 | } |
| 2183 | |
| 2184 | if (CBS_len(contents) != 0) { |
| 2185 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2186 | return false; |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 2187 | } |
| 2188 | |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 2189 | hs->early_data_offered = true; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2190 | return true; |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 2191 | } |
| 2192 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2193 | static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 02e6256 | 2017-12-18 18:04:01 -0500 | [diff] [blame] | 2194 | if (!hs->ssl->s3->early_data_accepted) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2195 | return true; |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 2196 | } |
| 2197 | |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2198 | if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) || // |
| 2199 | !CBB_add_u16(out, 0) || // |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 2200 | !CBB_flush(out)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2201 | return false; |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 2202 | } |
| 2203 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2204 | return true; |
Steven Valdez | a4ee74d | 2016-11-29 13:36:45 -0500 | [diff] [blame] | 2205 | } |
| 2206 | |
| 2207 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2208 | // Key Share |
| 2209 | // |
David Benjamin | a130ce0 | 2018-08-14 22:26:39 -0500 | [diff] [blame] | 2210 | // https://tools.ietf.org/html/rfc8446#section-4.2.8 |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2211 | |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2212 | bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 2213 | SSL *const ssl = hs->ssl; |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2214 | hs->key_shares[0].reset(); |
| 2215 | hs->key_shares[1].reset(); |
| 2216 | hs->key_share_bytes.Reset(); |
| 2217 | |
David Benjamin | 68161cb | 2017-06-20 14:49:43 -0400 | [diff] [blame] | 2218 | if (hs->max_version < TLS1_3_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2219 | return true; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2220 | } |
| 2221 | |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2222 | bssl::ScopedCBB cbb; |
| 2223 | if (!CBB_init(cbb.get(), 64)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2224 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2225 | } |
| 2226 | |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2227 | if (override_group_id == 0 && ssl->ctx->grease_enabled) { |
David Benjamin | 3675eb3 | 2021-05-18 14:01:07 -0400 | [diff] [blame] | 2228 | // Add a fake group. See RFC 8701. |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2229 | if (!CBB_add_u16(cbb.get(), ssl_get_grease_value(hs, ssl_grease_group)) || |
| 2230 | !CBB_add_u16(cbb.get(), 1 /* length */) || |
| 2231 | !CBB_add_u8(cbb.get(), 0 /* one byte key share */)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2232 | return false; |
David Benjamin | 65ac997 | 2016-09-02 21:35:25 -0400 | [diff] [blame] | 2233 | } |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2234 | } |
David Benjamin | 65ac997 | 2016-09-02 21:35:25 -0400 | [diff] [blame] | 2235 | |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2236 | uint16_t group_id = override_group_id; |
| 2237 | uint16_t second_group_id = 0; |
| 2238 | if (override_group_id == 0) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2239 | // Predict the most preferred group. |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 2240 | Span<const uint16_t> groups = tls1_get_grouplist(hs); |
David Benjamin | b949355 | 2017-09-27 19:02:51 -0400 | [diff] [blame] | 2241 | if (groups.empty()) { |
David Benjamin | c8b6b4f | 2016-09-08 23:47:48 -0400 | [diff] [blame] | 2242 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2243 | return false; |
Steven Valdez | 5440fe0 | 2016-07-18 12:40:30 -0400 | [diff] [blame] | 2244 | } |
David Benjamin | c8b6b4f | 2016-09-08 23:47:48 -0400 | [diff] [blame] | 2245 | |
| 2246 | group_id = groups[0]; |
Adam Langley | 7b93593 | 2018-11-12 13:53:42 -0800 | [diff] [blame] | 2247 | |
Adam Langley | 1e97ce3 | 2023-01-23 21:11:44 +0000 | [diff] [blame] | 2248 | // We'll try to include one post-quantum and one classical initial key |
| 2249 | // share. |
| 2250 | for (size_t i = 1; i < groups.size() && second_group_id == 0; i++) { |
| 2251 | if (is_post_quantum_group(group_id) != is_post_quantum_group(groups[i])) { |
| 2252 | second_group_id = groups[i]; |
| 2253 | assert(second_group_id != group_id); |
| 2254 | } |
Adam Langley | 7b93593 | 2018-11-12 13:53:42 -0800 | [diff] [blame] | 2255 | } |
Steven Valdez | 5440fe0 | 2016-07-18 12:40:30 -0400 | [diff] [blame] | 2256 | } |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2257 | |
David Benjamin | c8b6b4f | 2016-09-08 23:47:48 -0400 | [diff] [blame] | 2258 | CBB key_exchange; |
Adam Langley | 7b93593 | 2018-11-12 13:53:42 -0800 | [diff] [blame] | 2259 | hs->key_shares[0] = SSLKeyShare::Create(group_id); |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2260 | if (!hs->key_shares[0] || // |
| 2261 | !CBB_add_u16(cbb.get(), group_id) || |
| 2262 | !CBB_add_u16_length_prefixed(cbb.get(), &key_exchange) || |
David Benjamin | 08b1f38 | 2023-02-28 17:22:23 -0500 | [diff] [blame] | 2263 | !hs->key_shares[0]->Generate(&key_exchange)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2264 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2265 | } |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2266 | |
Adam Langley | 7b93593 | 2018-11-12 13:53:42 -0800 | [diff] [blame] | 2267 | if (second_group_id != 0) { |
| 2268 | hs->key_shares[1] = SSLKeyShare::Create(second_group_id); |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2269 | if (!hs->key_shares[1] || // |
| 2270 | !CBB_add_u16(cbb.get(), second_group_id) || |
| 2271 | !CBB_add_u16_length_prefixed(cbb.get(), &key_exchange) || |
David Benjamin | 08b1f38 | 2023-02-28 17:22:23 -0500 | [diff] [blame] | 2272 | !hs->key_shares[1]->Generate(&key_exchange)) { |
Adam Langley | 7b93593 | 2018-11-12 13:53:42 -0800 | [diff] [blame] | 2273 | return false; |
| 2274 | } |
| 2275 | } |
| 2276 | |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2277 | return CBBFinishArray(cbb.get(), &hs->key_share_bytes); |
| 2278 | } |
| 2279 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2280 | static bool ext_key_share_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 2281 | CBB *out_compressible, |
| 2282 | ssl_client_hello_type_t type) { |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2283 | if (hs->max_version < TLS1_3_VERSION) { |
| 2284 | return true; |
| 2285 | } |
| 2286 | |
| 2287 | assert(!hs->key_share_bytes.empty()); |
| 2288 | CBB contents, kse_bytes; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2289 | if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_key_share) || |
| 2290 | !CBB_add_u16_length_prefixed(out_compressible, &contents) || |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2291 | !CBB_add_u16_length_prefixed(&contents, &kse_bytes) || |
| 2292 | !CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(), |
| 2293 | hs->key_share_bytes.size()) || |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2294 | !CBB_flush(out_compressible)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2295 | return false; |
Steven Valdez | 5440fe0 | 2016-07-18 12:40:30 -0400 | [diff] [blame] | 2296 | } |
| 2297 | |
David Benjamin | 97ede40 | 2021-05-18 14:17:52 -0400 | [diff] [blame] | 2298 | return true; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2299 | } |
| 2300 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2301 | bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs, |
| 2302 | Array<uint8_t> *out_secret, |
| 2303 | uint8_t *out_alert, CBS *contents) { |
David Benjamin | 08b1f38 | 2023-02-28 17:22:23 -0500 | [diff] [blame] | 2304 | CBS ciphertext; |
David Benjamin | 5c4e857 | 2016-08-19 17:44:53 -0400 | [diff] [blame] | 2305 | uint16_t group_id; |
| 2306 | if (!CBS_get_u16(contents, &group_id) || |
David Benjamin | 08b1f38 | 2023-02-28 17:22:23 -0500 | [diff] [blame] | 2307 | !CBS_get_u16_length_prefixed(contents, &ciphertext) || |
David Benjamin | a70de14 | 2016-08-02 16:52:57 -0400 | [diff] [blame] | 2308 | CBS_len(contents) != 0) { |
David Benjamin | ac4d534 | 2017-11-17 01:42:04 +0800 | [diff] [blame] | 2309 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2310 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2311 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2312 | } |
| 2313 | |
Adam Langley | 7b93593 | 2018-11-12 13:53:42 -0800 | [diff] [blame] | 2314 | SSLKeyShare *key_share = hs->key_shares[0].get(); |
| 2315 | if (key_share->GroupID() != group_id) { |
| 2316 | if (!hs->key_shares[1] || hs->key_shares[1]->GroupID() != group_id) { |
| 2317 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
| 2318 | OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); |
| 2319 | return false; |
| 2320 | } |
| 2321 | key_share = hs->key_shares[1].get(); |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2322 | } |
| 2323 | |
David Benjamin | 08b1f38 | 2023-02-28 17:22:23 -0500 | [diff] [blame] | 2324 | if (!key_share->Decap(out_secret, out_alert, ciphertext)) { |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2325 | *out_alert = SSL_AD_INTERNAL_ERROR; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2326 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2327 | } |
| 2328 | |
David Benjamin | 45738dd | 2017-02-09 20:01:26 -0500 | [diff] [blame] | 2329 | hs->new_session->group_id = group_id; |
Adam Langley | 7b93593 | 2018-11-12 13:53:42 -0800 | [diff] [blame] | 2330 | hs->key_shares[0].reset(); |
| 2331 | hs->key_shares[1].reset(); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2332 | return true; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2333 | } |
| 2334 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2335 | bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found, |
David Benjamin | 3b8c5ec | 2021-04-12 17:43:23 -0400 | [diff] [blame] | 2336 | Span<const uint8_t> *out_peer_key, |
| 2337 | uint8_t *out_alert, |
| 2338 | const SSL_CLIENT_HELLO *client_hello) { |
| 2339 | // We only support connections that include an ECDHE key exchange. |
| 2340 | CBS contents; |
| 2341 | if (!ssl_client_hello_get_extension(client_hello, &contents, |
| 2342 | TLSEXT_TYPE_key_share)) { |
| 2343 | OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE); |
| 2344 | *out_alert = SSL_AD_MISSING_EXTENSION; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2345 | return false; |
Steven Valdez | 803c77a | 2016-09-06 14:13:43 -0400 | [diff] [blame] | 2346 | } |
| 2347 | |
David Benjamin | 3b8c5ec | 2021-04-12 17:43:23 -0400 | [diff] [blame] | 2348 | CBS key_shares; |
| 2349 | if (!CBS_get_u16_length_prefixed(&contents, &key_shares) || |
| 2350 | CBS_len(&contents) != 0) { |
David Benjamin | 7e1f984 | 2016-09-20 19:24:40 -0400 | [diff] [blame] | 2351 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2352 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2353 | } |
| 2354 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2355 | // Find the corresponding key share. |
David Benjamin | 3b8c5ec | 2021-04-12 17:43:23 -0400 | [diff] [blame] | 2356 | const uint16_t group_id = hs->new_session->group_id; |
David Benjamin | 7e1f984 | 2016-09-20 19:24:40 -0400 | [diff] [blame] | 2357 | CBS peer_key; |
David Benjamin | 3b8c5ec | 2021-04-12 17:43:23 -0400 | [diff] [blame] | 2358 | CBS_init(&peer_key, nullptr, 0); |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2359 | while (CBS_len(&key_shares) > 0) { |
| 2360 | uint16_t id; |
David Benjamin | 7e1f984 | 2016-09-20 19:24:40 -0400 | [diff] [blame] | 2361 | CBS peer_key_tmp; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2362 | if (!CBS_get_u16(&key_shares, &id) || |
Steven Valdez | 619c8ce | 2017-10-16 13:12:33 -0400 | [diff] [blame] | 2363 | !CBS_get_u16_length_prefixed(&key_shares, &peer_key_tmp) || |
| 2364 | CBS_len(&peer_key_tmp) == 0) { |
David Benjamin | 7e1f984 | 2016-09-20 19:24:40 -0400 | [diff] [blame] | 2365 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2366 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2367 | } |
| 2368 | |
David Benjamin | 7e1f984 | 2016-09-20 19:24:40 -0400 | [diff] [blame] | 2369 | if (id == group_id) { |
Steven Valdez | 619c8ce | 2017-10-16 13:12:33 -0400 | [diff] [blame] | 2370 | if (CBS_len(&peer_key) != 0) { |
David Benjamin | 7e1f984 | 2016-09-20 19:24:40 -0400 | [diff] [blame] | 2371 | OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_KEY_SHARE); |
| 2372 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2373 | return false; |
David Benjamin | 7e1f984 | 2016-09-20 19:24:40 -0400 | [diff] [blame] | 2374 | } |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2375 | |
David Benjamin | 7e1f984 | 2016-09-20 19:24:40 -0400 | [diff] [blame] | 2376 | peer_key = peer_key_tmp; |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2377 | // Continue parsing the structure to keep peers honest. |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2378 | } |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2379 | } |
| 2380 | |
David Benjamin | 3b8c5ec | 2021-04-12 17:43:23 -0400 | [diff] [blame] | 2381 | if (out_peer_key != nullptr) { |
| 2382 | *out_peer_key = peer_key; |
David Benjamin | 7e1f984 | 2016-09-20 19:24:40 -0400 | [diff] [blame] | 2383 | } |
David Benjamin | 3b8c5ec | 2021-04-12 17:43:23 -0400 | [diff] [blame] | 2384 | *out_found = CBS_len(&peer_key) != 0; |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2385 | return true; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2386 | } |
| 2387 | |
David Benjamin | 3b8c5ec | 2021-04-12 17:43:23 -0400 | [diff] [blame] | 2388 | bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 08b1f38 | 2023-02-28 17:22:23 -0500 | [diff] [blame] | 2389 | CBB entry, ciphertext; |
David Benjamin | 3b8c5ec | 2021-04-12 17:43:23 -0400 | [diff] [blame] | 2390 | if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) || |
David Benjamin | 08b1f38 | 2023-02-28 17:22:23 -0500 | [diff] [blame] | 2391 | !CBB_add_u16_length_prefixed(out, &entry) || |
| 2392 | !CBB_add_u16(&entry, hs->new_session->group_id) || |
| 2393 | !CBB_add_u16_length_prefixed(&entry, &ciphertext) || |
| 2394 | !CBB_add_bytes(&ciphertext, hs->key_share_ciphertext.data(), |
| 2395 | hs->key_share_ciphertext.size()) || |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2396 | !CBB_flush(out)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2397 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2398 | } |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2399 | return true; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 2400 | } |
| 2401 | |
| 2402 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2403 | // Supported Versions |
| 2404 | // |
David Benjamin | a130ce0 | 2018-08-14 22:26:39 -0500 | [diff] [blame] | 2405 | // https://tools.ietf.org/html/rfc8446#section-4.2.1 |
Steven Valdez | fdd1099 | 2016-09-15 16:27:05 -0400 | [diff] [blame] | 2406 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2407 | static bool ext_supported_versions_add_clienthello( |
| 2408 | const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible, |
| 2409 | ssl_client_hello_type_t type) { |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 2410 | const SSL *const ssl = hs->ssl; |
David Benjamin | 68161cb | 2017-06-20 14:49:43 -0400 | [diff] [blame] | 2411 | if (hs->max_version <= TLS1_2_VERSION) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2412 | return true; |
Steven Valdez | fdd1099 | 2016-09-15 16:27:05 -0400 | [diff] [blame] | 2413 | } |
| 2414 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2415 | // supported_versions is compressible in ECH if ClientHelloOuter already |
| 2416 | // requires TLS 1.3. Otherwise the extensions differ in the older versions. |
| 2417 | if (hs->min_version >= TLS1_3_VERSION) { |
| 2418 | out = out_compressible; |
| 2419 | } |
| 2420 | |
Steven Valdez | fdd1099 | 2016-09-15 16:27:05 -0400 | [diff] [blame] | 2421 | CBB contents, versions; |
| 2422 | if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) || |
| 2423 | !CBB_add_u16_length_prefixed(out, &contents) || |
| 2424 | !CBB_add_u8_length_prefixed(&contents, &versions)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2425 | return false; |
Steven Valdez | fdd1099 | 2016-09-15 16:27:05 -0400 | [diff] [blame] | 2426 | } |
| 2427 | |
David Benjamin | 3675eb3 | 2021-05-18 14:01:07 -0400 | [diff] [blame] | 2428 | // Add a fake version. See RFC 8701. |
David Benjamin | d9791bf | 2016-09-27 16:39:52 -0400 | [diff] [blame] | 2429 | if (ssl->ctx->grease_enabled && |
David Benjamin | a7bc944 | 2018-01-18 10:08:53 -0500 | [diff] [blame] | 2430 | !CBB_add_u16(&versions, ssl_get_grease_value(hs, ssl_grease_version))) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2431 | return false; |
David Benjamin | d9791bf | 2016-09-27 16:39:52 -0400 | [diff] [blame] | 2432 | } |
| 2433 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2434 | // Encrypted ClientHellos requires TLS 1.3 or later. |
| 2435 | uint16_t extra_min_version = |
| 2436 | type == ssl_client_hello_inner ? TLS1_3_VERSION : 0; |
| 2437 | if (!ssl_add_supported_versions(hs, &versions, extra_min_version) || |
Steven Valdez | 8f36c51 | 2017-06-20 10:55:02 -0400 | [diff] [blame] | 2438 | !CBB_flush(out)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2439 | return false; |
Steven Valdez | fdd1099 | 2016-09-15 16:27:05 -0400 | [diff] [blame] | 2440 | } |
| 2441 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2442 | return true; |
Steven Valdez | fdd1099 | 2016-09-15 16:27:05 -0400 | [diff] [blame] | 2443 | } |
| 2444 | |
| 2445 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2446 | // Cookie |
| 2447 | // |
David Benjamin | a130ce0 | 2018-08-14 22:26:39 -0500 | [diff] [blame] | 2448 | // https://tools.ietf.org/html/rfc8446#section-4.2.2 |
David Benjamin | 3baa6e1 | 2016-10-07 21:10:38 -0400 | [diff] [blame] | 2449 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2450 | static bool ext_cookie_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 2451 | CBB *out_compressible, |
| 2452 | ssl_client_hello_type_t type) { |
David Benjamin | b949355 | 2017-09-27 19:02:51 -0400 | [diff] [blame] | 2453 | if (hs->cookie.empty()) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2454 | return true; |
David Benjamin | 3baa6e1 | 2016-10-07 21:10:38 -0400 | [diff] [blame] | 2455 | } |
| 2456 | |
| 2457 | CBB contents, cookie; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2458 | if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_cookie) || |
| 2459 | !CBB_add_u16_length_prefixed(out_compressible, &contents) || |
David Benjamin | 3baa6e1 | 2016-10-07 21:10:38 -0400 | [diff] [blame] | 2460 | !CBB_add_u16_length_prefixed(&contents, &cookie) || |
David Benjamin | 08f5c76 | 2017-09-21 02:43:05 -0400 | [diff] [blame] | 2461 | !CBB_add_bytes(&cookie, hs->cookie.data(), hs->cookie.size()) || |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2462 | !CBB_flush(out_compressible)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2463 | return false; |
David Benjamin | 3baa6e1 | 2016-10-07 21:10:38 -0400 | [diff] [blame] | 2464 | } |
| 2465 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2466 | return true; |
David Benjamin | 3baa6e1 | 2016-10-07 21:10:38 -0400 | [diff] [blame] | 2467 | } |
| 2468 | |
| 2469 | |
David Benjamin | a130ce0 | 2018-08-14 22:26:39 -0500 | [diff] [blame] | 2470 | // Supported Groups |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2471 | // |
David Benjamin | a130ce0 | 2018-08-14 22:26:39 -0500 | [diff] [blame] | 2472 | // https://tools.ietf.org/html/rfc4492#section-5.1.1 |
| 2473 | // https://tools.ietf.org/html/rfc8446#section-4.2.7 |
Adam Langley | 273d49c | 2015-07-20 16:38:52 -0700 | [diff] [blame] | 2474 | |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 2475 | static bool ext_supported_groups_add_clienthello(const SSL_HANDSHAKE *hs, |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2476 | CBB *out, |
| 2477 | CBB *out_compressible, |
| 2478 | ssl_client_hello_type_t type) { |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 2479 | const SSL *const ssl = hs->ssl; |
Steven Valdez | ce902a9 | 2016-05-17 11:47:53 -0400 | [diff] [blame] | 2480 | CBB contents, groups_bytes; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2481 | if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_supported_groups) || |
| 2482 | !CBB_add_u16_length_prefixed(out_compressible, &contents) || |
Steven Valdez | ce902a9 | 2016-05-17 11:47:53 -0400 | [diff] [blame] | 2483 | !CBB_add_u16_length_prefixed(&contents, &groups_bytes)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2484 | return false; |
Adam Langley | 273d49c | 2015-07-20 16:38:52 -0700 | [diff] [blame] | 2485 | } |
| 2486 | |
David Benjamin | 3675eb3 | 2021-05-18 14:01:07 -0400 | [diff] [blame] | 2487 | // Add a fake group. See RFC 8701. |
David Benjamin | 65ac997 | 2016-09-02 21:35:25 -0400 | [diff] [blame] | 2488 | if (ssl->ctx->grease_enabled && |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2489 | !CBB_add_u16(&groups_bytes, ssl_get_grease_value(hs, ssl_grease_group))) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2490 | return false; |
David Benjamin | 65ac997 | 2016-09-02 21:35:25 -0400 | [diff] [blame] | 2491 | } |
| 2492 | |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 2493 | for (uint16_t group : tls1_get_grouplist(hs)) { |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2494 | if (is_post_quantum_group(group) && hs->max_version < TLS1_3_VERSION) { |
Adam Langley | 7b93593 | 2018-11-12 13:53:42 -0800 | [diff] [blame] | 2495 | continue; |
| 2496 | } |
David Benjamin | cf0ce67 | 2017-09-21 02:25:59 -0400 | [diff] [blame] | 2497 | if (!CBB_add_u16(&groups_bytes, group)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2498 | return false; |
Adam Langley | 273d49c | 2015-07-20 16:38:52 -0700 | [diff] [blame] | 2499 | } |
| 2500 | } |
| 2501 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2502 | return CBB_flush(out_compressible); |
Adam Langley | 273d49c | 2015-07-20 16:38:52 -0700 | [diff] [blame] | 2503 | } |
| 2504 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2505 | static bool ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs, |
| 2506 | uint8_t *out_alert, |
| 2507 | CBS *contents) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 2508 | // This extension is not expected to be echoed by servers in TLS 1.2, but some |
| 2509 | // BigIP servers send it nonetheless, so do not enforce this. |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2510 | return true; |
Adam Langley | 273d49c | 2015-07-20 16:38:52 -0700 | [diff] [blame] | 2511 | } |
| 2512 | |
David Benjamin | b1cf48e | 2017-09-21 11:37:46 -0400 | [diff] [blame] | 2513 | static bool parse_u16_array(const CBS *cbs, Array<uint16_t> *out) { |
| 2514 | CBS copy = *cbs; |
| 2515 | if ((CBS_len(©) & 1) != 0) { |
| 2516 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
| 2517 | return false; |
| 2518 | } |
| 2519 | |
| 2520 | Array<uint16_t> ret; |
David Benjamin | ce572d6 | 2024-10-22 12:35:44 -0400 | [diff] [blame] | 2521 | if (!ret.InitForOverwrite(CBS_len(©) / 2)) { |
David Benjamin | b1cf48e | 2017-09-21 11:37:46 -0400 | [diff] [blame] | 2522 | return false; |
| 2523 | } |
| 2524 | for (size_t i = 0; i < ret.size(); i++) { |
| 2525 | if (!CBS_get_u16(©, &ret[i])) { |
| 2526 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
| 2527 | return false; |
| 2528 | } |
| 2529 | } |
| 2530 | |
| 2531 | assert(CBS_len(©) == 0); |
| 2532 | *out = std::move(ret); |
Anton Bikineev | 50e7ea5 | 2022-01-23 22:35:48 +0100 | [diff] [blame] | 2533 | return true; |
David Benjamin | b1cf48e | 2017-09-21 11:37:46 -0400 | [diff] [blame] | 2534 | } |
| 2535 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2536 | static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs, |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2537 | uint8_t *out_alert, |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2538 | CBS *contents) { |
Adam Langley | 273d49c | 2015-07-20 16:38:52 -0700 | [diff] [blame] | 2539 | if (contents == NULL) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2540 | return true; |
Adam Langley | 273d49c | 2015-07-20 16:38:52 -0700 | [diff] [blame] | 2541 | } |
| 2542 | |
Steven Valdez | ce902a9 | 2016-05-17 11:47:53 -0400 | [diff] [blame] | 2543 | CBS supported_group_list; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2544 | if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) || // |
| 2545 | CBS_len(&supported_group_list) == 0 || // |
| 2546 | CBS_len(contents) != 0 || // |
David Benjamin | b1cf48e | 2017-09-21 11:37:46 -0400 | [diff] [blame] | 2547 | !parse_u16_array(&supported_group_list, &hs->peer_supported_group_list)) { |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2548 | return false; |
Adam Langley | 273d49c | 2015-07-20 16:38:52 -0700 | [diff] [blame] | 2549 | } |
| 2550 | |
David Benjamin | 3164093 | 2017-10-11 13:22:39 -0400 | [diff] [blame] | 2551 | return true; |
Adam Langley | 273d49c | 2015-07-20 16:38:52 -0700 | [diff] [blame] | 2552 | } |
| 2553 | |
| 2554 | |
Bob Beck | 7152433 | 2024-09-23 17:45:46 +0000 | [diff] [blame] | 2555 | // Certificate Authorities. |
| 2556 | // |
| 2557 | // https://tools.ietf.org/html/rfc8446#section-4.2.4 |
| 2558 | |
| 2559 | static bool ext_certificate_authorities_add_clienthello( |
| 2560 | const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible, |
| 2561 | ssl_client_hello_type_t type) { |
| 2562 | if (ssl_has_CA_names(hs->config)) { |
| 2563 | CBB ca_contents; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2564 | if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_authorities) || // |
| 2565 | !CBB_add_u16_length_prefixed(out, &ca_contents) || // |
| 2566 | !ssl_add_CA_names(hs, &ca_contents) || // |
Bob Beck | 7152433 | 2024-09-23 17:45:46 +0000 | [diff] [blame] | 2567 | !CBB_flush(out)) { |
| 2568 | return false; |
| 2569 | } |
| 2570 | } |
| 2571 | return true; |
| 2572 | } |
| 2573 | |
| 2574 | static bool ext_certificate_authorities_parse_clienthello(SSL_HANDSHAKE *hs, |
| 2575 | uint8_t *out_alert, |
| 2576 | CBS *contents) { |
| 2577 | if (contents == NULL) { |
| 2578 | return true; |
| 2579 | } |
| 2580 | |
| 2581 | if (CBS_len(contents) == 0) { |
| 2582 | return false; |
| 2583 | } |
| 2584 | |
| 2585 | hs->ca_names = SSL_parse_CA_list(hs->ssl, out_alert, contents); |
| 2586 | if (!hs->ca_names) { |
| 2587 | return false; |
| 2588 | } |
| 2589 | |
| 2590 | return true; |
| 2591 | } |
| 2592 | |
| 2593 | |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2594 | // QUIC Transport Parameters |
| 2595 | |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2596 | static bool ext_quic_transport_params_add_clienthello_impl( |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 2597 | const SSL_HANDSHAKE *hs, CBB *out, bool use_legacy_codepoint) { |
Nick Harper | 72cff81 | 2020-03-26 18:06:16 -0700 | [diff] [blame] | 2598 | if (hs->config->quic_transport_params.empty() && !hs->ssl->quic_method) { |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2599 | return true; |
| 2600 | } |
Nick Harper | 72cff81 | 2020-03-26 18:06:16 -0700 | [diff] [blame] | 2601 | if (hs->config->quic_transport_params.empty() || !hs->ssl->quic_method) { |
| 2602 | // QUIC Transport Parameters must be sent over QUIC, and they must not be |
| 2603 | // sent over non-QUIC transports. If transport params are set, then |
| 2604 | // SSL(_CTX)_set_quic_method must also be called. |
| 2605 | OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED); |
| 2606 | return false; |
| 2607 | } |
| 2608 | assert(hs->min_version > TLS1_2_VERSION); |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2609 | if (use_legacy_codepoint != hs->config->quic_use_legacy_codepoint) { |
| 2610 | // Do nothing, we'll send the other codepoint. |
| 2611 | return true; |
| 2612 | } |
| 2613 | |
David Benjamin | a1d3bfb | 2021-06-01 12:12:44 -0400 | [diff] [blame] | 2614 | uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters; |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2615 | if (hs->config->quic_use_legacy_codepoint) { |
| 2616 | extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy; |
| 2617 | } |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2618 | |
| 2619 | CBB contents; |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2620 | if (!CBB_add_u16(out, extension_type) || |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2621 | !CBB_add_u16_length_prefixed(out, &contents) || |
David Benjamin | 0ce090a | 2018-07-02 20:24:40 -0400 | [diff] [blame] | 2622 | !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(), |
| 2623 | hs->config->quic_transport_params.size()) || |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2624 | !CBB_flush(out)) { |
| 2625 | return false; |
| 2626 | } |
| 2627 | return true; |
| 2628 | } |
| 2629 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2630 | static bool ext_quic_transport_params_add_clienthello( |
| 2631 | const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible, |
| 2632 | ssl_client_hello_type_t type) { |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2633 | return ext_quic_transport_params_add_clienthello_impl( |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2634 | hs, out_compressible, /*use_legacy_codepoint=*/false); |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2635 | } |
| 2636 | |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 2637 | static bool ext_quic_transport_params_add_clienthello_legacy( |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2638 | const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible, |
| 2639 | ssl_client_hello_type_t type) { |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2640 | return ext_quic_transport_params_add_clienthello_impl( |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2641 | hs, out_compressible, /*use_legacy_codepoint=*/true); |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2642 | } |
| 2643 | |
| 2644 | static bool ext_quic_transport_params_parse_serverhello_impl( |
| 2645 | SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents, |
| 2646 | bool used_legacy_codepoint) { |
Adam Langley | ca058c0 | 2020-12-16 10:11:08 -0800 | [diff] [blame] | 2647 | SSL *const ssl = hs->ssl; |
| 2648 | if (contents == nullptr) { |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2649 | if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) { |
| 2650 | // Silently ignore because we expect the other QUIC codepoint. |
| 2651 | return true; |
| 2652 | } |
Adam Langley | ca058c0 | 2020-12-16 10:11:08 -0800 | [diff] [blame] | 2653 | if (!ssl->quic_method) { |
| 2654 | return true; |
| 2655 | } |
Adam Langley | ca058c0 | 2020-12-16 10:11:08 -0800 | [diff] [blame] | 2656 | *out_alert = SSL_AD_MISSING_EXTENSION; |
| 2657 | return false; |
David Schinazi | 7ba96a6 | 2020-12-14 14:46:56 -0800 | [diff] [blame] | 2658 | } |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2659 | // The extensions parser will check for unsolicited extensions before |
| 2660 | // calling the callback. |
| 2661 | assert(ssl->quic_method != nullptr); |
Adam Langley | ca058c0 | 2020-12-16 10:11:08 -0800 | [diff] [blame] | 2662 | assert(ssl_protocol_version(ssl) == TLS1_3_VERSION); |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2663 | assert(used_legacy_codepoint == hs->config->quic_use_legacy_codepoint); |
Adam Langley | ca058c0 | 2020-12-16 10:11:08 -0800 | [diff] [blame] | 2664 | return ssl->s3->peer_quic_transport_params.CopyFrom(*contents); |
| 2665 | } |
| 2666 | |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2667 | static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs, |
Adam Langley | ca058c0 | 2020-12-16 10:11:08 -0800 | [diff] [blame] | 2668 | uint8_t *out_alert, |
| 2669 | CBS *contents) { |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2670 | return ext_quic_transport_params_parse_serverhello_impl( |
| 2671 | hs, out_alert, contents, /*used_legacy_codepoint=*/false); |
| 2672 | } |
| 2673 | |
| 2674 | static bool ext_quic_transport_params_parse_serverhello_legacy( |
| 2675 | SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) { |
| 2676 | return ext_quic_transport_params_parse_serverhello_impl( |
| 2677 | hs, out_alert, contents, /*used_legacy_codepoint=*/true); |
| 2678 | } |
| 2679 | |
| 2680 | static bool ext_quic_transport_params_parse_clienthello_impl( |
| 2681 | SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents, |
| 2682 | bool used_legacy_codepoint) { |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2683 | SSL *const ssl = hs->ssl; |
Nick Harper | 72cff81 | 2020-03-26 18:06:16 -0700 | [diff] [blame] | 2684 | if (!contents) { |
| 2685 | if (!ssl->quic_method) { |
| 2686 | if (hs->config->quic_transport_params.empty()) { |
| 2687 | return true; |
| 2688 | } |
| 2689 | // QUIC transport parameters must not be set if |ssl| is not configured |
| 2690 | // for QUIC. |
| 2691 | OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED); |
| 2692 | *out_alert = SSL_AD_INTERNAL_ERROR; |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2693 | return false; |
| 2694 | } |
| 2695 | if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) { |
| 2696 | // Silently ignore because we expect the other QUIC codepoint. |
| 2697 | return true; |
Nick Harper | 72cff81 | 2020-03-26 18:06:16 -0700 | [diff] [blame] | 2698 | } |
| 2699 | *out_alert = SSL_AD_MISSING_EXTENSION; |
| 2700 | return false; |
| 2701 | } |
| 2702 | if (!ssl->quic_method) { |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2703 | if (used_legacy_codepoint) { |
| 2704 | // Ignore the legacy private-use codepoint because that could be sent |
| 2705 | // to mean something else than QUIC transport parameters. |
| 2706 | return true; |
| 2707 | } |
| 2708 | // Fail if we received the codepoint registered with IANA for QUIC |
| 2709 | // because that is not allowed outside of QUIC. |
Nick Harper | 72cff81 | 2020-03-26 18:06:16 -0700 | [diff] [blame] | 2710 | *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; |
| 2711 | return false; |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2712 | } |
Nick Harper | 80ddfc7 | 2020-03-11 18:26:31 -0700 | [diff] [blame] | 2713 | assert(ssl_protocol_version(ssl) == TLS1_3_VERSION); |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2714 | if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) { |
| 2715 | // Silently ignore because we expect the other QUIC codepoint. |
| 2716 | return true; |
| 2717 | } |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2718 | return ssl->s3->peer_quic_transport_params.CopyFrom(*contents); |
| 2719 | } |
| 2720 | |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2721 | static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs, |
| 2722 | uint8_t *out_alert, |
| 2723 | CBS *contents) { |
| 2724 | return ext_quic_transport_params_parse_clienthello_impl( |
| 2725 | hs, out_alert, contents, /*used_legacy_codepoint=*/false); |
| 2726 | } |
| 2727 | |
| 2728 | static bool ext_quic_transport_params_parse_clienthello_legacy( |
| 2729 | SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) { |
| 2730 | return ext_quic_transport_params_parse_clienthello_impl( |
| 2731 | hs, out_alert, contents, /*used_legacy_codepoint=*/true); |
| 2732 | } |
| 2733 | |
| 2734 | static bool ext_quic_transport_params_add_serverhello_impl( |
| 2735 | SSL_HANDSHAKE *hs, CBB *out, bool use_legacy_codepoint) { |
| 2736 | if (hs->ssl->quic_method == nullptr && use_legacy_codepoint) { |
| 2737 | // Ignore the legacy private-use codepoint because that could be sent |
| 2738 | // to mean something else than QUIC transport parameters. |
| 2739 | return true; |
| 2740 | } |
Nick Harper | 72cff81 | 2020-03-26 18:06:16 -0700 | [diff] [blame] | 2741 | assert(hs->ssl->quic_method != nullptr); |
David Benjamin | 0ce090a | 2018-07-02 20:24:40 -0400 | [diff] [blame] | 2742 | if (hs->config->quic_transport_params.empty()) { |
Nick Harper | 72cff81 | 2020-03-26 18:06:16 -0700 | [diff] [blame] | 2743 | // Transport parameters must be set when using QUIC. |
| 2744 | OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED); |
| 2745 | return false; |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2746 | } |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2747 | if (use_legacy_codepoint != hs->config->quic_use_legacy_codepoint) { |
| 2748 | // Do nothing, we'll send the other codepoint. |
| 2749 | return true; |
| 2750 | } |
| 2751 | |
David Benjamin | a1d3bfb | 2021-06-01 12:12:44 -0400 | [diff] [blame] | 2752 | uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters; |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2753 | if (hs->config->quic_use_legacy_codepoint) { |
| 2754 | extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy; |
| 2755 | } |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2756 | |
| 2757 | CBB contents; |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2758 | if (!CBB_add_u16(out, extension_type) || |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2759 | !CBB_add_u16_length_prefixed(out, &contents) || |
David Benjamin | 0ce090a | 2018-07-02 20:24:40 -0400 | [diff] [blame] | 2760 | !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(), |
| 2761 | hs->config->quic_transport_params.size()) || |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2762 | !CBB_flush(out)) { |
| 2763 | return false; |
| 2764 | } |
| 2765 | |
| 2766 | return true; |
| 2767 | } |
| 2768 | |
David Schinazi | 3d8b8c3 | 2021-01-14 11:25:49 -0800 | [diff] [blame] | 2769 | static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs, |
| 2770 | CBB *out) { |
| 2771 | return ext_quic_transport_params_add_serverhello_impl( |
| 2772 | hs, out, /*use_legacy_codepoint=*/false); |
| 2773 | } |
| 2774 | |
| 2775 | static bool ext_quic_transport_params_add_serverhello_legacy(SSL_HANDSHAKE *hs, |
| 2776 | CBB *out) { |
| 2777 | return ext_quic_transport_params_add_serverhello_impl( |
| 2778 | hs, out, /*use_legacy_codepoint=*/true); |
| 2779 | } |
| 2780 | |
Christopher Patton | 6c1b376 | 2018-07-17 12:49:41 -0700 | [diff] [blame] | 2781 | // Delegated credentials. |
| 2782 | // |
David Benjamin | 48b0edf | 2024-02-11 17:14:41 -0500 | [diff] [blame] | 2783 | // https://www.rfc-editor.org/rfc/rfc9345.html |
Christopher Patton | 6c1b376 | 2018-07-17 12:49:41 -0700 | [diff] [blame] | 2784 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2785 | static bool ext_delegated_credential_add_clienthello( |
| 2786 | const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible, |
| 2787 | ssl_client_hello_type_t type) { |
Christopher Patton | 6c1b376 | 2018-07-17 12:49:41 -0700 | [diff] [blame] | 2788 | return true; |
| 2789 | } |
| 2790 | |
| 2791 | static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs, |
| 2792 | uint8_t *out_alert, |
| 2793 | CBS *contents) { |
Christopher Patton | 6c1b376 | 2018-07-17 12:49:41 -0700 | [diff] [blame] | 2794 | if (contents == nullptr || ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) { |
| 2795 | // Don't use delegated credentials unless we're negotiating TLS 1.3 or |
| 2796 | // higher. |
| 2797 | return true; |
| 2798 | } |
| 2799 | |
Watson Ladd | dcd6e44 | 2020-08-10 15:12:45 -0400 | [diff] [blame] | 2800 | // The contents of the extension are the signature algorithms the client will |
| 2801 | // accept for a delegated credential. |
| 2802 | CBS sigalg_list; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2803 | if (!CBS_get_u16_length_prefixed(contents, &sigalg_list) || // |
| 2804 | CBS_len(&sigalg_list) == 0 || // |
| 2805 | CBS_len(contents) != 0 || // |
Watson Ladd | dcd6e44 | 2020-08-10 15:12:45 -0400 | [diff] [blame] | 2806 | !parse_u16_array(&sigalg_list, &hs->peer_delegated_credential_sigalgs)) { |
| 2807 | return false; |
| 2808 | } |
| 2809 | |
Christopher Patton | 6c1b376 | 2018-07-17 12:49:41 -0700 | [diff] [blame] | 2810 | return true; |
| 2811 | } |
| 2812 | |
Adam Langley | a307cb7 | 2018-05-02 09:06:48 -0700 | [diff] [blame] | 2813 | // Certificate compression |
| 2814 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2815 | static bool cert_compression_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 2816 | CBB *out_compressible, |
| 2817 | ssl_client_hello_type_t type) { |
Adam Langley | 0080d83 | 2018-06-07 16:39:49 -0700 | [diff] [blame] | 2818 | bool first = true; |
| 2819 | CBB contents, algs; |
| 2820 | |
David Benjamin | 8fe1584 | 2019-10-08 16:57:38 -0400 | [diff] [blame] | 2821 | for (const auto &alg : hs->ssl->ctx->cert_compression_algs) { |
| 2822 | if (alg.decompress == nullptr) { |
Adam Langley | 0080d83 | 2018-06-07 16:39:49 -0700 | [diff] [blame] | 2823 | continue; |
| 2824 | } |
| 2825 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2826 | if (first && |
| 2827 | (!CBB_add_u16(out_compressible, TLSEXT_TYPE_cert_compression) || |
| 2828 | !CBB_add_u16_length_prefixed(out_compressible, &contents) || |
| 2829 | !CBB_add_u8_length_prefixed(&contents, &algs))) { |
Adam Langley | 0080d83 | 2018-06-07 16:39:49 -0700 | [diff] [blame] | 2830 | return false; |
| 2831 | } |
| 2832 | first = false; |
David Benjamin | 8fe1584 | 2019-10-08 16:57:38 -0400 | [diff] [blame] | 2833 | if (!CBB_add_u16(&algs, alg.alg_id)) { |
Adam Langley | 0080d83 | 2018-06-07 16:39:49 -0700 | [diff] [blame] | 2834 | return false; |
| 2835 | } |
| 2836 | } |
| 2837 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2838 | return first || CBB_flush(out_compressible); |
Adam Langley | a307cb7 | 2018-05-02 09:06:48 -0700 | [diff] [blame] | 2839 | } |
| 2840 | |
| 2841 | static bool cert_compression_parse_serverhello(SSL_HANDSHAKE *hs, |
| 2842 | uint8_t *out_alert, |
| 2843 | CBS *contents) { |
| 2844 | if (contents == nullptr) { |
| 2845 | return true; |
| 2846 | } |
| 2847 | |
| 2848 | // The server may not echo this extension. Any server to client negotiation is |
| 2849 | // advertised in the CertificateRequest message. |
| 2850 | return false; |
| 2851 | } |
| 2852 | |
| 2853 | static bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs, |
| 2854 | uint8_t *out_alert, |
| 2855 | CBS *contents) { |
| 2856 | if (contents == nullptr) { |
| 2857 | return true; |
| 2858 | } |
| 2859 | |
David Benjamin | 8fe1584 | 2019-10-08 16:57:38 -0400 | [diff] [blame] | 2860 | const SSL_CTX *ctx = hs->ssl->ctx.get(); |
| 2861 | const size_t num_algs = ctx->cert_compression_algs.size(); |
Adam Langley | a307cb7 | 2018-05-02 09:06:48 -0700 | [diff] [blame] | 2862 | |
| 2863 | CBS alg_ids; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2864 | if (!CBS_get_u8_length_prefixed(contents, &alg_ids) || // |
| 2865 | CBS_len(contents) != 0 || // |
| 2866 | CBS_len(&alg_ids) == 0 || // |
Adam Langley | a307cb7 | 2018-05-02 09:06:48 -0700 | [diff] [blame] | 2867 | CBS_len(&alg_ids) % 2 == 1) { |
| 2868 | return false; |
| 2869 | } |
| 2870 | |
| 2871 | const size_t num_given_alg_ids = CBS_len(&alg_ids) / 2; |
| 2872 | Array<uint16_t> given_alg_ids; |
David Benjamin | ce572d6 | 2024-10-22 12:35:44 -0400 | [diff] [blame] | 2873 | if (!given_alg_ids.InitForOverwrite(num_given_alg_ids)) { |
Adam Langley | a307cb7 | 2018-05-02 09:06:48 -0700 | [diff] [blame] | 2874 | return false; |
| 2875 | } |
| 2876 | |
| 2877 | size_t best_index = num_algs; |
| 2878 | size_t given_alg_idx = 0; |
| 2879 | |
| 2880 | while (CBS_len(&alg_ids) > 0) { |
| 2881 | uint16_t alg_id; |
| 2882 | if (!CBS_get_u16(&alg_ids, &alg_id)) { |
| 2883 | return false; |
| 2884 | } |
| 2885 | |
| 2886 | given_alg_ids[given_alg_idx++] = alg_id; |
| 2887 | |
| 2888 | for (size_t i = 0; i < num_algs; i++) { |
David Benjamin | 8fe1584 | 2019-10-08 16:57:38 -0400 | [diff] [blame] | 2889 | const auto &alg = ctx->cert_compression_algs[i]; |
| 2890 | if (alg.alg_id == alg_id && alg.compress != nullptr) { |
Adam Langley | a307cb7 | 2018-05-02 09:06:48 -0700 | [diff] [blame] | 2891 | if (i < best_index) { |
| 2892 | best_index = i; |
| 2893 | } |
| 2894 | break; |
| 2895 | } |
| 2896 | } |
| 2897 | } |
| 2898 | |
| 2899 | qsort(given_alg_ids.data(), given_alg_ids.size(), sizeof(uint16_t), |
| 2900 | compare_uint16_t); |
| 2901 | for (size_t i = 1; i < num_given_alg_ids; i++) { |
| 2902 | if (given_alg_ids[i - 1] == given_alg_ids[i]) { |
| 2903 | return false; |
| 2904 | } |
| 2905 | } |
| 2906 | |
| 2907 | if (best_index < num_algs && |
| 2908 | ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) { |
| 2909 | hs->cert_compression_negotiated = true; |
David Benjamin | 8fe1584 | 2019-10-08 16:57:38 -0400 | [diff] [blame] | 2910 | hs->cert_compression_alg_id = ctx->cert_compression_algs[best_index].alg_id; |
Adam Langley | a307cb7 | 2018-05-02 09:06:48 -0700 | [diff] [blame] | 2911 | } |
| 2912 | |
| 2913 | return true; |
| 2914 | } |
| 2915 | |
| 2916 | static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
| 2917 | return true; |
| 2918 | } |
Nick Harper | 3c034b2 | 2017-12-22 15:50:43 -0800 | [diff] [blame] | 2919 | |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 2920 | // Application-level Protocol Settings |
| 2921 | // |
| 2922 | // https://tools.ietf.org/html/draft-vvv-tls-alps-01 |
| 2923 | |
David Benjamin | 4e93cd4 | 2021-05-18 13:38:25 -0400 | [diff] [blame] | 2924 | bool ssl_get_local_application_settings(const SSL_HANDSHAKE *hs, |
| 2925 | Span<const uint8_t> *out_settings, |
| 2926 | Span<const uint8_t> protocol) { |
| 2927 | for (const ALPSConfig &config : hs->config->alps_configs) { |
| 2928 | if (protocol == config.protocol) { |
| 2929 | *out_settings = config.settings; |
| 2930 | return true; |
| 2931 | } |
| 2932 | } |
| 2933 | return false; |
| 2934 | } |
| 2935 | |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 2936 | static bool ext_alps_add_clienthello_impl(const SSL_HANDSHAKE *hs, CBB *out, |
| 2937 | CBB *out_compressible, |
| 2938 | ssl_client_hello_type_t type, |
| 2939 | bool use_new_codepoint) { |
David Benjamin | 14e51ad | 2021-05-19 15:24:34 -0400 | [diff] [blame] | 2940 | const SSL *const ssl = hs->ssl; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2941 | if ( // ALPS requires TLS 1.3. |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 2942 | hs->max_version < TLS1_3_VERSION || |
| 2943 | // Do not offer ALPS without ALPN. |
| 2944 | hs->config->alpn_client_proto_list.empty() || |
| 2945 | // Do not offer ALPS if not configured. |
| 2946 | hs->config->alps_configs.empty() || |
| 2947 | // Do not offer ALPS on renegotiation handshakes. |
| 2948 | ssl->s3->initial_handshake_complete) { |
| 2949 | return true; |
| 2950 | } |
| 2951 | |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 2952 | if (use_new_codepoint != hs->config->alps_use_new_codepoint) { |
| 2953 | // Do nothing, we'll send the other codepoint. |
| 2954 | return true; |
| 2955 | } |
| 2956 | |
| 2957 | uint16_t extension_type = TLSEXT_TYPE_application_settings_old; |
| 2958 | if (hs->config->alps_use_new_codepoint) { |
| 2959 | extension_type = TLSEXT_TYPE_application_settings; |
| 2960 | } |
| 2961 | |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 2962 | CBB contents, proto_list, proto; |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 2963 | if (!CBB_add_u16(out_compressible, extension_type) || |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2964 | !CBB_add_u16_length_prefixed(out_compressible, &contents) || |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 2965 | !CBB_add_u16_length_prefixed(&contents, &proto_list)) { |
| 2966 | return false; |
| 2967 | } |
| 2968 | |
| 2969 | for (const ALPSConfig &config : hs->config->alps_configs) { |
| 2970 | if (!CBB_add_u8_length_prefixed(&proto_list, &proto) || |
| 2971 | !CBB_add_bytes(&proto, config.protocol.data(), |
| 2972 | config.protocol.size())) { |
| 2973 | return false; |
| 2974 | } |
| 2975 | } |
| 2976 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 2977 | return CBB_flush(out_compressible); |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 2978 | } |
| 2979 | |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 2980 | static bool ext_alps_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, |
| 2981 | CBB *out_compressible, |
| 2982 | ssl_client_hello_type_t type) { |
| 2983 | return ext_alps_add_clienthello_impl(hs, out, out_compressible, type, |
| 2984 | /*use_new_codepoint=*/true); |
| 2985 | } |
| 2986 | |
| 2987 | static bool ext_alps_add_clienthello_old(const SSL_HANDSHAKE *hs, CBB *out, |
| 2988 | CBB *out_compressible, |
| 2989 | ssl_client_hello_type_t type) { |
| 2990 | return ext_alps_add_clienthello_impl(hs, out, out_compressible, type, |
| 2991 | /*use_new_codepoint=*/false); |
| 2992 | } |
| 2993 | |
| 2994 | static bool ext_alps_parse_serverhello_impl(SSL_HANDSHAKE *hs, |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 2995 | uint8_t *out_alert, CBS *contents, |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 2996 | bool use_new_codepoint) { |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 2997 | SSL *const ssl = hs->ssl; |
| 2998 | if (contents == nullptr) { |
| 2999 | return true; |
| 3000 | } |
| 3001 | |
| 3002 | assert(!ssl->s3->initial_handshake_complete); |
| 3003 | assert(!hs->config->alpn_client_proto_list.empty()); |
| 3004 | assert(!hs->config->alps_configs.empty()); |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 3005 | assert(use_new_codepoint == hs->config->alps_use_new_codepoint); |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 3006 | |
| 3007 | // ALPS requires TLS 1.3. |
| 3008 | if (ssl_protocol_version(ssl) < TLS1_3_VERSION) { |
| 3009 | *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; |
| 3010 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); |
| 3011 | return false; |
| 3012 | } |
| 3013 | |
| 3014 | // Note extension callbacks may run in any order, so we defer checking |
| 3015 | // consistency with ALPN to |ssl_check_serverhello_tlsext|. |
| 3016 | if (!hs->new_session->peer_application_settings.CopyFrom(*contents)) { |
| 3017 | *out_alert = SSL_AD_INTERNAL_ERROR; |
| 3018 | return false; |
| 3019 | } |
| 3020 | |
| 3021 | hs->new_session->has_application_settings = true; |
| 3022 | return true; |
| 3023 | } |
| 3024 | |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 3025 | static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 3026 | CBS *contents) { |
| 3027 | return ext_alps_parse_serverhello_impl(hs, out_alert, contents, |
| 3028 | /*use_new_codepoint=*/true); |
| 3029 | } |
| 3030 | |
| 3031 | static bool ext_alps_parse_serverhello_old(SSL_HANDSHAKE *hs, |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 3032 | uint8_t *out_alert, CBS *contents) { |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 3033 | return ext_alps_parse_serverhello_impl(hs, out_alert, contents, |
| 3034 | /*use_new_codepoint=*/false); |
| 3035 | } |
| 3036 | |
| 3037 | static bool ext_alps_add_serverhello_impl(SSL_HANDSHAKE *hs, CBB *out, |
| 3038 | bool use_new_codepoint) { |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 3039 | SSL *const ssl = hs->ssl; |
| 3040 | // If early data is accepted, we omit the ALPS extension. It is implicitly |
| 3041 | // carried over from the previous connection. |
| 3042 | if (hs->new_session == nullptr || |
| 3043 | !hs->new_session->has_application_settings || |
| 3044 | ssl->s3->early_data_accepted) { |
| 3045 | return true; |
| 3046 | } |
| 3047 | |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 3048 | if (use_new_codepoint != hs->config->alps_use_new_codepoint) { |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 3049 | // Do nothing, we'll send the other codepoint. |
| 3050 | return true; |
| 3051 | } |
| 3052 | |
| 3053 | uint16_t extension_type = TLSEXT_TYPE_application_settings_old; |
| 3054 | if (hs->config->alps_use_new_codepoint) { |
| 3055 | extension_type = TLSEXT_TYPE_application_settings; |
| 3056 | } |
| 3057 | |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 3058 | CBB contents; |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 3059 | if (!CBB_add_u16(out, extension_type) || |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 3060 | !CBB_add_u16_length_prefixed(out, &contents) || |
| 3061 | !CBB_add_bytes(&contents, |
| 3062 | hs->new_session->local_application_settings.data(), |
| 3063 | hs->new_session->local_application_settings.size()) || |
| 3064 | !CBB_flush(out)) { |
| 3065 | return false; |
| 3066 | } |
| 3067 | |
| 3068 | return true; |
| 3069 | } |
| 3070 | |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 3071 | static bool ext_alps_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { |
| 3072 | return ext_alps_add_serverhello_impl(hs, out, /*use_new_codepoint=*/true); |
| 3073 | } |
| 3074 | |
| 3075 | static bool ext_alps_add_serverhello_old(SSL_HANDSHAKE *hs, CBB *out) { |
| 3076 | return ext_alps_add_serverhello_impl(hs, out, /*use_new_codepoint=*/false); |
| 3077 | } |
| 3078 | |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 3079 | bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
| 3080 | const SSL_CLIENT_HELLO *client_hello) { |
| 3081 | SSL *const ssl = hs->ssl; |
| 3082 | if (ssl->s3->alpn_selected.empty()) { |
| 3083 | return true; |
| 3084 | } |
| 3085 | |
| 3086 | // If we negotiate ALPN over TLS 1.3, try to negotiate ALPS. |
| 3087 | CBS alps_contents; |
| 3088 | Span<const uint8_t> settings; |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 3089 | uint16_t extension_type = TLSEXT_TYPE_application_settings_old; |
| 3090 | if (hs->config->alps_use_new_codepoint) { |
| 3091 | extension_type = TLSEXT_TYPE_application_settings; |
| 3092 | } |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 3093 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION && |
| 3094 | ssl_get_local_application_settings(hs, &settings, |
| 3095 | ssl->s3->alpn_selected) && |
| 3096 | ssl_client_hello_get_extension(client_hello, &alps_contents, |
Victor Tan | 558960d | 2023-06-23 15:04:33 +0000 | [diff] [blame] | 3097 | extension_type)) { |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 3098 | // Check if the client supports ALPS with the selected ALPN. |
| 3099 | bool found = false; |
| 3100 | CBS alps_list; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 3101 | if (!CBS_get_u16_length_prefixed(&alps_contents, &alps_list) || // |
| 3102 | CBS_len(&alps_contents) != 0 || // |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 3103 | CBS_len(&alps_list) == 0) { |
| 3104 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
| 3105 | *out_alert = SSL_AD_DECODE_ERROR; |
| 3106 | return false; |
| 3107 | } |
| 3108 | while (CBS_len(&alps_list) > 0) { |
| 3109 | CBS protocol_name; |
| 3110 | if (!CBS_get_u8_length_prefixed(&alps_list, &protocol_name) || |
| 3111 | // Empty protocol names are forbidden. |
| 3112 | CBS_len(&protocol_name) == 0) { |
| 3113 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
| 3114 | *out_alert = SSL_AD_DECODE_ERROR; |
| 3115 | return false; |
| 3116 | } |
| 3117 | if (protocol_name == MakeConstSpan(ssl->s3->alpn_selected)) { |
| 3118 | found = true; |
| 3119 | } |
| 3120 | } |
| 3121 | |
| 3122 | // Negotiate ALPS if both client also supports ALPS for this protocol. |
| 3123 | if (found) { |
| 3124 | hs->new_session->has_application_settings = true; |
| 3125 | if (!hs->new_session->local_application_settings.CopyFrom(settings)) { |
| 3126 | *out_alert = SSL_AD_INTERNAL_ERROR; |
| 3127 | return false; |
| 3128 | } |
| 3129 | } |
| 3130 | } |
| 3131 | |
| 3132 | return true; |
| 3133 | } |
Adam Langley | a86c698 | 2019-07-16 15:26:21 -0700 | [diff] [blame] | 3134 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3135 | // kExtensions contains all the supported extensions. |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3136 | static const struct tls_extension kExtensions[] = { |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 3137 | { |
| 3138 | TLSEXT_TYPE_server_name, |
| 3139 | ext_sni_add_clienthello, |
| 3140 | ext_sni_parse_serverhello, |
| 3141 | ext_sni_parse_clienthello, |
| 3142 | ext_sni_add_serverhello, |
| 3143 | }, |
| 3144 | { |
| 3145 | TLSEXT_TYPE_encrypted_client_hello, |
| 3146 | ext_ech_add_clienthello, |
| 3147 | ext_ech_parse_serverhello, |
| 3148 | ext_ech_parse_clienthello, |
| 3149 | ext_ech_add_serverhello, |
| 3150 | }, |
| 3151 | { |
| 3152 | TLSEXT_TYPE_extended_master_secret, |
| 3153 | ext_ems_add_clienthello, |
| 3154 | ext_ems_parse_serverhello, |
| 3155 | ext_ems_parse_clienthello, |
| 3156 | ext_ems_add_serverhello, |
| 3157 | }, |
| 3158 | { |
| 3159 | TLSEXT_TYPE_renegotiate, |
| 3160 | ext_ri_add_clienthello, |
| 3161 | ext_ri_parse_serverhello, |
| 3162 | ext_ri_parse_clienthello, |
| 3163 | ext_ri_add_serverhello, |
| 3164 | }, |
| 3165 | { |
| 3166 | TLSEXT_TYPE_supported_groups, |
| 3167 | ext_supported_groups_add_clienthello, |
| 3168 | ext_supported_groups_parse_serverhello, |
| 3169 | ext_supported_groups_parse_clienthello, |
| 3170 | dont_add_serverhello, |
| 3171 | }, |
| 3172 | { |
| 3173 | TLSEXT_TYPE_ec_point_formats, |
| 3174 | ext_ec_point_add_clienthello, |
| 3175 | ext_ec_point_parse_serverhello, |
| 3176 | ext_ec_point_parse_clienthello, |
| 3177 | ext_ec_point_add_serverhello, |
| 3178 | }, |
| 3179 | { |
| 3180 | TLSEXT_TYPE_session_ticket, |
| 3181 | ext_ticket_add_clienthello, |
| 3182 | ext_ticket_parse_serverhello, |
| 3183 | // Ticket extension client parsing is handled in ssl_session.c |
| 3184 | ignore_parse_clienthello, |
| 3185 | ext_ticket_add_serverhello, |
| 3186 | }, |
| 3187 | { |
| 3188 | TLSEXT_TYPE_application_layer_protocol_negotiation, |
| 3189 | ext_alpn_add_clienthello, |
| 3190 | ext_alpn_parse_serverhello, |
| 3191 | // ALPN is negotiated late in |ssl_negotiate_alpn|. |
| 3192 | ignore_parse_clienthello, |
| 3193 | ext_alpn_add_serverhello, |
| 3194 | }, |
| 3195 | { |
| 3196 | TLSEXT_TYPE_status_request, |
| 3197 | ext_ocsp_add_clienthello, |
| 3198 | ext_ocsp_parse_serverhello, |
| 3199 | ext_ocsp_parse_clienthello, |
| 3200 | ext_ocsp_add_serverhello, |
| 3201 | }, |
| 3202 | { |
| 3203 | TLSEXT_TYPE_signature_algorithms, |
| 3204 | ext_sigalgs_add_clienthello, |
| 3205 | forbid_parse_serverhello, |
| 3206 | ext_sigalgs_parse_clienthello, |
| 3207 | dont_add_serverhello, |
| 3208 | }, |
| 3209 | { |
| 3210 | TLSEXT_TYPE_next_proto_neg, |
| 3211 | ext_npn_add_clienthello, |
| 3212 | ext_npn_parse_serverhello, |
| 3213 | ext_npn_parse_clienthello, |
| 3214 | ext_npn_add_serverhello, |
| 3215 | }, |
| 3216 | { |
| 3217 | TLSEXT_TYPE_certificate_timestamp, |
| 3218 | ext_sct_add_clienthello, |
| 3219 | ext_sct_parse_serverhello, |
| 3220 | ext_sct_parse_clienthello, |
| 3221 | ext_sct_add_serverhello, |
| 3222 | }, |
| 3223 | { |
| 3224 | TLSEXT_TYPE_channel_id, |
| 3225 | ext_channel_id_add_clienthello, |
| 3226 | ext_channel_id_parse_serverhello, |
| 3227 | ext_channel_id_parse_clienthello, |
| 3228 | ext_channel_id_add_serverhello, |
| 3229 | }, |
| 3230 | { |
| 3231 | TLSEXT_TYPE_srtp, |
| 3232 | ext_srtp_add_clienthello, |
| 3233 | ext_srtp_parse_serverhello, |
| 3234 | ext_srtp_parse_clienthello, |
| 3235 | ext_srtp_add_serverhello, |
| 3236 | }, |
| 3237 | { |
| 3238 | TLSEXT_TYPE_key_share, |
| 3239 | ext_key_share_add_clienthello, |
| 3240 | forbid_parse_serverhello, |
| 3241 | ignore_parse_clienthello, |
| 3242 | dont_add_serverhello, |
| 3243 | }, |
| 3244 | { |
| 3245 | TLSEXT_TYPE_psk_key_exchange_modes, |
| 3246 | ext_psk_key_exchange_modes_add_clienthello, |
| 3247 | forbid_parse_serverhello, |
| 3248 | ext_psk_key_exchange_modes_parse_clienthello, |
| 3249 | dont_add_serverhello, |
| 3250 | }, |
| 3251 | { |
| 3252 | TLSEXT_TYPE_early_data, |
| 3253 | ext_early_data_add_clienthello, |
| 3254 | ext_early_data_parse_serverhello, |
| 3255 | ext_early_data_parse_clienthello, |
| 3256 | ext_early_data_add_serverhello, |
| 3257 | }, |
| 3258 | { |
| 3259 | TLSEXT_TYPE_supported_versions, |
| 3260 | ext_supported_versions_add_clienthello, |
| 3261 | forbid_parse_serverhello, |
| 3262 | ignore_parse_clienthello, |
| 3263 | dont_add_serverhello, |
| 3264 | }, |
| 3265 | { |
| 3266 | TLSEXT_TYPE_cookie, |
| 3267 | ext_cookie_add_clienthello, |
| 3268 | forbid_parse_serverhello, |
| 3269 | ignore_parse_clienthello, |
| 3270 | dont_add_serverhello, |
| 3271 | }, |
| 3272 | { |
| 3273 | TLSEXT_TYPE_quic_transport_parameters, |
| 3274 | ext_quic_transport_params_add_clienthello, |
| 3275 | ext_quic_transport_params_parse_serverhello, |
| 3276 | ext_quic_transport_params_parse_clienthello, |
| 3277 | ext_quic_transport_params_add_serverhello, |
| 3278 | }, |
| 3279 | { |
| 3280 | TLSEXT_TYPE_quic_transport_parameters_legacy, |
| 3281 | ext_quic_transport_params_add_clienthello_legacy, |
| 3282 | ext_quic_transport_params_parse_serverhello_legacy, |
| 3283 | ext_quic_transport_params_parse_clienthello_legacy, |
| 3284 | ext_quic_transport_params_add_serverhello_legacy, |
| 3285 | }, |
| 3286 | { |
| 3287 | TLSEXT_TYPE_cert_compression, |
| 3288 | cert_compression_add_clienthello, |
| 3289 | cert_compression_parse_serverhello, |
| 3290 | cert_compression_parse_clienthello, |
| 3291 | cert_compression_add_serverhello, |
| 3292 | }, |
| 3293 | { |
| 3294 | TLSEXT_TYPE_delegated_credential, |
| 3295 | ext_delegated_credential_add_clienthello, |
| 3296 | forbid_parse_serverhello, |
| 3297 | ext_delegated_credential_parse_clienthello, |
| 3298 | dont_add_serverhello, |
| 3299 | }, |
| 3300 | { |
| 3301 | TLSEXT_TYPE_application_settings, |
| 3302 | ext_alps_add_clienthello, |
| 3303 | ext_alps_parse_serverhello, |
| 3304 | // ALPS is negotiated late in |ssl_negotiate_alpn|. |
| 3305 | ignore_parse_clienthello, |
| 3306 | ext_alps_add_serverhello, |
| 3307 | }, |
| 3308 | { |
| 3309 | TLSEXT_TYPE_application_settings_old, |
| 3310 | ext_alps_add_clienthello_old, |
| 3311 | ext_alps_parse_serverhello_old, |
| 3312 | // ALPS is negotiated late in |ssl_negotiate_alpn|. |
| 3313 | ignore_parse_clienthello, |
| 3314 | ext_alps_add_serverhello_old, |
| 3315 | }, |
| 3316 | { |
| 3317 | TLSEXT_TYPE_certificate_authorities, |
| 3318 | ext_certificate_authorities_add_clienthello, |
| 3319 | forbid_parse_serverhello, |
| 3320 | ext_certificate_authorities_parse_clienthello, |
| 3321 | dont_add_serverhello, |
| 3322 | }, |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3323 | }; |
| 3324 | |
| 3325 | #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension)) |
| 3326 | |
David Benjamin | a3d76d0 | 2017-07-14 19:36:07 -0400 | [diff] [blame] | 3327 | static_assert(kNumExtensions <= |
| 3328 | sizeof(((SSL_HANDSHAKE *)NULL)->extensions.sent) * 8, |
| 3329 | "too many extensions for sent bitset"); |
| 3330 | static_assert(kNumExtensions <= |
| 3331 | sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8, |
| 3332 | "too many extensions for received bitset"); |
Adam Langley | 4cfa96b | 2015-07-01 11:56:55 -0700 | [diff] [blame] | 3333 | |
David Benjamin | e9c5d72 | 2021-06-09 17:43:16 -0400 | [diff] [blame] | 3334 | bool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs) { |
| 3335 | if (!hs->config->permute_extensions) { |
| 3336 | return true; |
| 3337 | } |
| 3338 | |
| 3339 | static_assert(kNumExtensions <= UINT8_MAX, |
| 3340 | "extensions_permutation type is too small"); |
| 3341 | uint32_t seeds[kNumExtensions - 1]; |
| 3342 | Array<uint8_t> permutation; |
| 3343 | if (!RAND_bytes(reinterpret_cast<uint8_t *>(seeds), sizeof(seeds)) || |
David Benjamin | ce572d6 | 2024-10-22 12:35:44 -0400 | [diff] [blame] | 3344 | !permutation.InitForOverwrite(kNumExtensions)) { |
David Benjamin | e9c5d72 | 2021-06-09 17:43:16 -0400 | [diff] [blame] | 3345 | return false; |
| 3346 | } |
| 3347 | for (size_t i = 0; i < kNumExtensions; i++) { |
| 3348 | permutation[i] = i; |
| 3349 | } |
| 3350 | for (size_t i = kNumExtensions - 1; i > 0; i--) { |
| 3351 | // Set element |i| to a randomly-selected element 0 <= j <= i. |
| 3352 | std::swap(permutation[i], permutation[seeds[i - 1] % (i + 1)]); |
| 3353 | } |
| 3354 | hs->extension_permutation = std::move(permutation); |
| 3355 | return true; |
| 3356 | } |
| 3357 | |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3358 | static const struct tls_extension *tls_extension_find(uint32_t *out_index, |
| 3359 | uint16_t value) { |
| 3360 | unsigned i; |
| 3361 | for (i = 0; i < kNumExtensions; i++) { |
| 3362 | if (kExtensions[i].value == value) { |
| 3363 | *out_index = i; |
| 3364 | return &kExtensions[i]; |
| 3365 | } |
| 3366 | } |
| 3367 | |
| 3368 | return NULL; |
| 3369 | } |
| 3370 | |
David Benjamin | fb4d257 | 2021-06-01 15:58:30 -0400 | [diff] [blame] | 3371 | static bool add_padding_extension(CBB *cbb, uint16_t ext, size_t len) { |
| 3372 | CBB child; |
David Benjamin | fb4d257 | 2021-06-01 15:58:30 -0400 | [diff] [blame] | 3373 | if (!CBB_add_u16(cbb, ext) || // |
| 3374 | !CBB_add_u16_length_prefixed(cbb, &child) || |
David Benjamin | 9545062 | 2021-07-16 18:24:02 -0400 | [diff] [blame] | 3375 | !CBB_add_zeros(&child, len)) { |
David Benjamin | fb4d257 | 2021-06-01 15:58:30 -0400 | [diff] [blame] | 3376 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
| 3377 | return false; |
| 3378 | } |
David Benjamin | fb4d257 | 2021-06-01 15:58:30 -0400 | [diff] [blame] | 3379 | return CBB_flush(cbb); |
| 3380 | } |
| 3381 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 3382 | static bool ssl_add_clienthello_tlsext_inner(SSL_HANDSHAKE *hs, CBB *out, |
| 3383 | CBB *out_encoded, |
| 3384 | bool *out_needs_psk_binder) { |
| 3385 | // When writing ClientHelloInner, we construct the real and encoded |
| 3386 | // ClientHellos concurrently, to handle compression. Uncompressed extensions |
| 3387 | // are written to |extensions| and copied to |extensions_encoded|. Compressed |
| 3388 | // extensions are buffered in |compressed| and written to the end. (ECH can |
| 3389 | // only compress continguous extensions.) |
| 3390 | SSL *const ssl = hs->ssl; |
| 3391 | bssl::ScopedCBB compressed, outer_extensions; |
| 3392 | CBB extensions, extensions_encoded; |
| 3393 | if (!CBB_add_u16_length_prefixed(out, &extensions) || |
| 3394 | !CBB_add_u16_length_prefixed(out_encoded, &extensions_encoded) || |
| 3395 | !CBB_init(compressed.get(), 64) || |
| 3396 | !CBB_init(outer_extensions.get(), 64)) { |
| 3397 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
| 3398 | return false; |
| 3399 | } |
| 3400 | |
| 3401 | hs->inner_extensions_sent = 0; |
| 3402 | |
| 3403 | if (ssl->ctx->grease_enabled) { |
| 3404 | // Add a fake empty extension. See RFC 8701. This always matches |
| 3405 | // |ssl_add_clienthello_tlsext|, so compress it. |
| 3406 | uint16_t grease_ext = ssl_get_grease_value(hs, ssl_grease_extension1); |
| 3407 | if (!add_padding_extension(compressed.get(), grease_ext, 0) || |
| 3408 | !CBB_add_u16(outer_extensions.get(), grease_ext)) { |
| 3409 | return false; |
| 3410 | } |
| 3411 | } |
| 3412 | |
David Benjamin | e9c5d72 | 2021-06-09 17:43:16 -0400 | [diff] [blame] | 3413 | for (size_t unpermuted = 0; unpermuted < kNumExtensions; unpermuted++) { |
| 3414 | size_t i = hs->extension_permutation.empty() |
| 3415 | ? unpermuted |
| 3416 | : hs->extension_permutation[unpermuted]; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 3417 | const size_t len_before = CBB_len(&extensions); |
| 3418 | const size_t len_compressed_before = CBB_len(compressed.get()); |
| 3419 | if (!kExtensions[i].add_clienthello(hs, &extensions, compressed.get(), |
| 3420 | ssl_client_hello_inner)) { |
| 3421 | OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION); |
| 3422 | ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value); |
| 3423 | return false; |
| 3424 | } |
| 3425 | |
| 3426 | const size_t bytes_written = CBB_len(&extensions) - len_before; |
| 3427 | const size_t bytes_written_compressed = |
| 3428 | CBB_len(compressed.get()) - len_compressed_before; |
| 3429 | // The callback may write to at most one output. |
| 3430 | assert(bytes_written == 0 || bytes_written_compressed == 0); |
| 3431 | if (bytes_written != 0 || bytes_written_compressed != 0) { |
| 3432 | hs->inner_extensions_sent |= (1u << i); |
| 3433 | } |
| 3434 | // If compressed, update the running ech_outer_extensions extension. |
| 3435 | if (bytes_written_compressed != 0 && |
| 3436 | !CBB_add_u16(outer_extensions.get(), kExtensions[i].value)) { |
| 3437 | return false; |
| 3438 | } |
| 3439 | } |
| 3440 | |
| 3441 | if (ssl->ctx->grease_enabled) { |
| 3442 | // Add a fake non-empty extension. See RFC 8701. This always matches |
| 3443 | // |ssl_add_clienthello_tlsext|, so compress it. |
| 3444 | uint16_t grease_ext = ssl_get_grease_value(hs, ssl_grease_extension2); |
| 3445 | if (!add_padding_extension(compressed.get(), grease_ext, 1) || |
| 3446 | !CBB_add_u16(outer_extensions.get(), grease_ext)) { |
| 3447 | return false; |
| 3448 | } |
| 3449 | } |
| 3450 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 3451 | // Uncompressed extensions are encoded as-is. |
| 3452 | if (!CBB_add_bytes(&extensions_encoded, CBB_data(&extensions), |
| 3453 | CBB_len(&extensions))) { |
| 3454 | return false; |
| 3455 | } |
| 3456 | |
| 3457 | // Flush all the compressed extensions. |
| 3458 | if (CBB_len(compressed.get()) != 0) { |
| 3459 | CBB extension, child; |
| 3460 | // Copy them as-is in the real ClientHelloInner. |
| 3461 | if (!CBB_add_bytes(&extensions, CBB_data(compressed.get()), |
| 3462 | CBB_len(compressed.get())) || |
| 3463 | // Replace with ech_outer_extensions in the encoded form. |
| 3464 | !CBB_add_u16(&extensions_encoded, TLSEXT_TYPE_ech_outer_extensions) || |
| 3465 | !CBB_add_u16_length_prefixed(&extensions_encoded, &extension) || |
| 3466 | !CBB_add_u8_length_prefixed(&extension, &child) || |
| 3467 | !CBB_add_bytes(&child, CBB_data(outer_extensions.get()), |
| 3468 | CBB_len(outer_extensions.get())) || |
| 3469 | !CBB_flush(&extensions_encoded)) { |
| 3470 | return false; |
| 3471 | } |
| 3472 | } |
| 3473 | |
| 3474 | // The PSK extension must be last. It is never compressed. Note, if there is a |
| 3475 | // binder, the caller will need to update both ClientHelloInner and |
| 3476 | // EncodedClientHelloInner after computing it. |
| 3477 | const size_t len_before = CBB_len(&extensions); |
| 3478 | if (!ext_pre_shared_key_add_clienthello(hs, &extensions, out_needs_psk_binder, |
| 3479 | ssl_client_hello_inner) || |
| 3480 | !CBB_add_bytes(&extensions_encoded, CBB_data(&extensions) + len_before, |
| 3481 | CBB_len(&extensions) - len_before) || |
| 3482 | !CBB_flush(out) || // |
| 3483 | !CBB_flush(out_encoded)) { |
| 3484 | return false; |
| 3485 | } |
| 3486 | |
| 3487 | return true; |
| 3488 | } |
| 3489 | |
| 3490 | bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, CBB *out_encoded, |
| 3491 | bool *out_needs_psk_binder, |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 3492 | ssl_client_hello_type_t type, |
| 3493 | size_t header_len) { |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 3494 | *out_needs_psk_binder = false; |
| 3495 | |
| 3496 | if (type == ssl_client_hello_inner) { |
| 3497 | return ssl_add_clienthello_tlsext_inner(hs, out, out_encoded, |
| 3498 | out_needs_psk_binder); |
| 3499 | } |
| 3500 | |
| 3501 | assert(out_encoded == nullptr); // Only ClientHelloInner needs two outputs. |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3502 | SSL *const ssl = hs->ssl; |
David Benjamin | e8d5350 | 2015-10-10 14:13:23 -0400 | [diff] [blame] | 3503 | CBB extensions; |
| 3504 | if (!CBB_add_u16_length_prefixed(out, &extensions)) { |
David Benjamin | 81678aa | 2017-07-12 22:43:42 -0400 | [diff] [blame] | 3505 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3506 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3507 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3508 | |
David Benjamin | 6477012 | 2019-05-04 11:00:04 -0500 | [diff] [blame] | 3509 | // Note we may send multiple ClientHellos for DTLS HelloVerifyRequest and TLS |
| 3510 | // 1.3 HelloRetryRequest. For the latter, the extensions may change, so it is |
| 3511 | // important to reset this value. |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3512 | hs->extensions.sent = 0; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3513 | |
David Benjamin | fb4d257 | 2021-06-01 15:58:30 -0400 | [diff] [blame] | 3514 | // Add a fake empty extension. See RFC 8701. |
| 3515 | if (ssl->ctx->grease_enabled && |
| 3516 | !add_padding_extension( |
| 3517 | &extensions, ssl_get_grease_value(hs, ssl_grease_extension1), 0)) { |
| 3518 | return false; |
David Benjamin | 65ac997 | 2016-09-02 21:35:25 -0400 | [diff] [blame] | 3519 | } |
| 3520 | |
Adam Langley | 7f4f41f | 2018-08-23 08:58:49 -0700 | [diff] [blame] | 3521 | bool last_was_empty = false; |
David Benjamin | e9c5d72 | 2021-06-09 17:43:16 -0400 | [diff] [blame] | 3522 | for (size_t unpermuted = 0; unpermuted < kNumExtensions; unpermuted++) { |
| 3523 | size_t i = hs->extension_permutation.empty() |
| 3524 | ? unpermuted |
| 3525 | : hs->extension_permutation[unpermuted]; |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 3526 | const size_t len_before = CBB_len(&extensions); |
| 3527 | if (!kExtensions[i].add_clienthello(hs, &extensions, &extensions, type)) { |
| 3528 | OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION); |
| 3529 | ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value); |
| 3530 | return false; |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 3531 | } |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 3532 | |
| 3533 | const size_t bytes_written = CBB_len(&extensions) - len_before; |
Adam Langley | 7f4f41f | 2018-08-23 08:58:49 -0700 | [diff] [blame] | 3534 | if (bytes_written != 0) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3535 | hs->extensions.sent |= (1u << i); |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3536 | } |
Adam Langley | 7f4f41f | 2018-08-23 08:58:49 -0700 | [diff] [blame] | 3537 | // If the difference in lengths is only four bytes then the extension had |
| 3538 | // an empty body. |
| 3539 | last_was_empty = (bytes_written == 4); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3540 | } |
Adam Langley | 7571292 | 2014-10-10 16:23:43 -0700 | [diff] [blame] | 3541 | |
David Benjamin | 65ac997 | 2016-09-02 21:35:25 -0400 | [diff] [blame] | 3542 | if (ssl->ctx->grease_enabled) { |
David Benjamin | 3675eb3 | 2021-05-18 14:01:07 -0400 | [diff] [blame] | 3543 | // Add a fake non-empty extension. See RFC 8701. |
David Benjamin | fb4d257 | 2021-06-01 15:58:30 -0400 | [diff] [blame] | 3544 | if (!add_padding_extension( |
| 3545 | &extensions, ssl_get_grease_value(hs, ssl_grease_extension2), 1)) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3546 | return false; |
David Benjamin | 65ac997 | 2016-09-02 21:35:25 -0400 | [diff] [blame] | 3547 | } |
Adam Langley | 7f4f41f | 2018-08-23 08:58:49 -0700 | [diff] [blame] | 3548 | last_was_empty = false; |
David Benjamin | 65ac997 | 2016-09-02 21:35:25 -0400 | [diff] [blame] | 3549 | } |
| 3550 | |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 3551 | // In cleartext ClientHellos, we add the padding extension to work around |
| 3552 | // bugs. We also apply this padding to ClientHelloOuter, to keep the wire |
| 3553 | // images aligned. |
| 3554 | size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs, type); |
David Benjamin | cd89004 | 2021-06-02 18:35:31 -0400 | [diff] [blame] | 3555 | if (!SSL_is_dtls(ssl) && !ssl->quic_method && |
| 3556 | !ssl->s3->used_hello_retry_request) { |
David Benjamin | 18b6836 | 2021-06-18 23:13:46 -0400 | [diff] [blame] | 3557 | header_len += |
| 3558 | SSL3_HM_HEADER_LENGTH + 2 + CBB_len(&extensions) + psk_extension_len; |
Adam Langley | 7f4f41f | 2018-08-23 08:58:49 -0700 | [diff] [blame] | 3559 | size_t padding_len = 0; |
| 3560 | |
| 3561 | // The final extension must be non-empty. WebSphere Application |
| 3562 | // Server 7.0 is intolerant to the last extension being zero-length. See |
| 3563 | // https://crbug.com/363583. |
| 3564 | if (last_was_empty && psk_extension_len == 0) { |
| 3565 | padding_len = 1; |
| 3566 | // The addition of the padding extension may push us into the F5 bug. |
| 3567 | header_len += 4 + padding_len; |
| 3568 | } |
| 3569 | |
| 3570 | // Add padding to workaround bugs in F5 terminators. See RFC 7685. |
| 3571 | // |
| 3572 | // NB: because this code works out the length of all existing extensions |
| 3573 | // it MUST always appear last (save for any PSK extension). |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3574 | if (header_len > 0xff && header_len < 0x200) { |
Adam Langley | 7f4f41f | 2018-08-23 08:58:49 -0700 | [diff] [blame] | 3575 | // If our calculations already included a padding extension, remove that |
| 3576 | // factor because we're about to change its length. |
| 3577 | if (padding_len != 0) { |
| 3578 | header_len -= 4 + padding_len; |
| 3579 | } |
| 3580 | padding_len = 0x200 - header_len; |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3581 | // Extensions take at least four bytes to encode. Always include at least |
| 3582 | // one byte of data if including the extension. WebSphere Application |
| 3583 | // Server 7.0 is intolerant to the last extension being zero-length. See |
| 3584 | // https://crbug.com/363583. |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3585 | if (padding_len >= 4 + 1) { |
| 3586 | padding_len -= 4; |
| 3587 | } else { |
| 3588 | padding_len = 1; |
| 3589 | } |
Adam Langley | 7f4f41f | 2018-08-23 08:58:49 -0700 | [diff] [blame] | 3590 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3591 | |
David Benjamin | fb4d257 | 2021-06-01 15:58:30 -0400 | [diff] [blame] | 3592 | if (padding_len != 0 && |
| 3593 | !add_padding_extension(&extensions, TLSEXT_TYPE_padding, padding_len)) { |
| 3594 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3595 | } |
| 3596 | } |
Adam Langley | 7571292 | 2014-10-10 16:23:43 -0700 | [diff] [blame] | 3597 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3598 | // The PSK extension must be last, including after the padding. |
David Benjamin | 350fe3b | 2021-06-02 17:58:53 -0400 | [diff] [blame] | 3599 | const size_t len_before = CBB_len(&extensions); |
David Benjamin | 83a4993 | 2021-05-20 15:57:09 -0400 | [diff] [blame] | 3600 | if (!ext_pre_shared_key_add_clienthello(hs, &extensions, out_needs_psk_binder, |
| 3601 | type)) { |
David Benjamin | 81678aa | 2017-07-12 22:43:42 -0400 | [diff] [blame] | 3602 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3603 | return false; |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 3604 | } |
David Benjamin | 350fe3b | 2021-06-02 17:58:53 -0400 | [diff] [blame] | 3605 | assert(psk_extension_len == CBB_len(&extensions) - len_before); |
| 3606 | (void)len_before; // |assert| is omitted in release builds. |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 3607 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3608 | // Discard empty extensions blocks. |
David Benjamin | a01deee | 2015-12-08 18:56:31 -0500 | [diff] [blame] | 3609 | if (CBB_len(&extensions) == 0) { |
David Benjamin | e8d5350 | 2015-10-10 14:13:23 -0400 | [diff] [blame] | 3610 | CBB_discard_child(out); |
Adam Langley | 33ad2b5 | 2015-07-20 17:43:53 -0700 | [diff] [blame] | 3611 | } |
| 3612 | |
David Benjamin | e8d5350 | 2015-10-10 14:13:23 -0400 | [diff] [blame] | 3613 | return CBB_flush(out); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3614 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3615 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3616 | bool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3617 | SSL *const ssl = hs->ssl; |
David Benjamin | 5638046 | 2015-10-10 14:59:09 -0400 | [diff] [blame] | 3618 | CBB extensions; |
| 3619 | if (!CBB_add_u16_length_prefixed(out, &extensions)) { |
Adam Langley | 33ad2b5 | 2015-07-20 17:43:53 -0700 | [diff] [blame] | 3620 | goto err; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3621 | } |
| 3622 | |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3623 | for (unsigned i = 0; i < kNumExtensions; i++) { |
| 3624 | if (!(hs->extensions.received & (1u << i))) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3625 | // Don't send extensions that were not received. |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3626 | continue; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3627 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3628 | |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3629 | if (!kExtensions[i].add_serverhello(hs, &extensions)) { |
Adam Langley | 33ad2b5 | 2015-07-20 17:43:53 -0700 | [diff] [blame] | 3630 | OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION); |
Adam Langley | fbbef12 | 2016-11-17 12:55:14 -0800 | [diff] [blame] | 3631 | ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value); |
Adam Langley | 33ad2b5 | 2015-07-20 17:43:53 -0700 | [diff] [blame] | 3632 | goto err; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3633 | } |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3634 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3635 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3636 | // Discard empty extensions blocks before TLS 1.3. |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 3637 | if (ssl_protocol_version(ssl) < TLS1_3_VERSION && // |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3638 | CBB_len(&extensions) == 0) { |
David Benjamin | 5638046 | 2015-10-10 14:59:09 -0400 | [diff] [blame] | 3639 | CBB_discard_child(out); |
Adam Langley | 33ad2b5 | 2015-07-20 17:43:53 -0700 | [diff] [blame] | 3640 | } |
| 3641 | |
David Benjamin | 5638046 | 2015-10-10 14:59:09 -0400 | [diff] [blame] | 3642 | return CBB_flush(out); |
Adam Langley | 33ad2b5 | 2015-07-20 17:43:53 -0700 | [diff] [blame] | 3643 | |
| 3644 | err: |
Adam Langley | 33ad2b5 | 2015-07-20 17:43:53 -0700 | [diff] [blame] | 3645 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3646 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3647 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3648 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3649 | static bool ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs, |
| 3650 | const SSL_CLIENT_HELLO *client_hello, |
| 3651 | int *out_alert) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3652 | hs->extensions.received = 0; |
David Benjamin | e14ff06 | 2016-08-09 16:21:24 -0400 | [diff] [blame] | 3653 | CBS extensions; |
| 3654 | CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len); |
| 3655 | while (CBS_len(&extensions) != 0) { |
| 3656 | uint16_t type; |
| 3657 | CBS extension; |
| 3658 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3659 | // Decode the next extension. |
David Benjamin | e14ff06 | 2016-08-09 16:21:24 -0400 | [diff] [blame] | 3660 | if (!CBS_get_u16(&extensions, &type) || |
| 3661 | !CBS_get_u16_length_prefixed(&extensions, &extension)) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3662 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3663 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3664 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3665 | |
David Benjamin | e14ff06 | 2016-08-09 16:21:24 -0400 | [diff] [blame] | 3666 | unsigned ext_index; |
| 3667 | const struct tls_extension *const ext = |
| 3668 | tls_extension_find(&ext_index, type); |
David Benjamin | e14ff06 | 2016-08-09 16:21:24 -0400 | [diff] [blame] | 3669 | if (ext == NULL) { |
David Benjamin | e14ff06 | 2016-08-09 16:21:24 -0400 | [diff] [blame] | 3670 | continue; |
| 3671 | } |
| 3672 | |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3673 | hs->extensions.received |= (1u << ext_index); |
David Benjamin | e14ff06 | 2016-08-09 16:21:24 -0400 | [diff] [blame] | 3674 | uint8_t alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3675 | if (!ext->parse_clienthello(hs, &alert, &extension)) { |
David Benjamin | e14ff06 | 2016-08-09 16:21:24 -0400 | [diff] [blame] | 3676 | *out_alert = alert; |
| 3677 | OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION); |
Adam Langley | fbbef12 | 2016-11-17 12:55:14 -0800 | [diff] [blame] | 3678 | ERR_add_error_dataf("extension %u", (unsigned)type); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3679 | return false; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3680 | } |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3681 | } |
Adam Langley | 7571292 | 2014-10-10 16:23:43 -0700 | [diff] [blame] | 3682 | |
David Benjamin | 1deb41b | 2016-08-09 19:36:38 -0400 | [diff] [blame] | 3683 | for (size_t i = 0; i < kNumExtensions; i++) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3684 | if (hs->extensions.received & (1u << i)) { |
David Benjamin | 1deb41b | 2016-08-09 19:36:38 -0400 | [diff] [blame] | 3685 | continue; |
| 3686 | } |
| 3687 | |
| 3688 | CBS *contents = NULL, fake_contents; |
| 3689 | static const uint8_t kFakeRenegotiateExtension[] = {0}; |
| 3690 | if (kExtensions[i].value == TLSEXT_TYPE_renegotiate && |
| 3691 | ssl_client_cipher_list_contains_cipher(client_hello, |
| 3692 | SSL3_CK_SCSV & 0xffff)) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3693 | // The renegotiation SCSV was received so pretend that we received a |
| 3694 | // renegotiation extension. |
David Benjamin | 1deb41b | 2016-08-09 19:36:38 -0400 | [diff] [blame] | 3695 | CBS_init(&fake_contents, kFakeRenegotiateExtension, |
| 3696 | sizeof(kFakeRenegotiateExtension)); |
| 3697 | contents = &fake_contents; |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3698 | hs->extensions.received |= (1u << i); |
David Benjamin | 1deb41b | 2016-08-09 19:36:38 -0400 | [diff] [blame] | 3699 | } |
| 3700 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3701 | // Extension wasn't observed so call the callback with a NULL |
| 3702 | // parameter. |
David Benjamin | 1deb41b | 2016-08-09 19:36:38 -0400 | [diff] [blame] | 3703 | uint8_t alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3704 | if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) { |
David Benjamin | 1deb41b | 2016-08-09 19:36:38 -0400 | [diff] [blame] | 3705 | OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION); |
Adam Langley | fbbef12 | 2016-11-17 12:55:14 -0800 | [diff] [blame] | 3706 | ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value); |
David Benjamin | 1deb41b | 2016-08-09 19:36:38 -0400 | [diff] [blame] | 3707 | *out_alert = alert; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3708 | return false; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3709 | } |
| 3710 | } |
| 3711 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3712 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3713 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3714 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3715 | bool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs, |
| 3716 | const SSL_CLIENT_HELLO *client_hello) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3717 | SSL *const ssl = hs->ssl; |
Adam Langley | c68e5b9 | 2017-02-08 13:33:15 -0800 | [diff] [blame] | 3718 | int alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3719 | if (!ssl_scan_clienthello_tlsext(hs, client_hello, &alert)) { |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 3720 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3721 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3722 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3723 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3724 | if (!ssl_check_clienthello_tlsext(hs)) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 3725 | OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3726 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3727 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3728 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3729 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3730 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3731 | |
David Benjamin | e2cb423 | 2021-06-23 18:14:22 -0400 | [diff] [blame] | 3732 | static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *cbs, |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3733 | int *out_alert) { |
David Benjamin | e2cb423 | 2021-06-23 18:14:22 -0400 | [diff] [blame] | 3734 | CBS extensions = *cbs; |
| 3735 | if (!tls1_check_duplicate_extensions(&extensions)) { |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3736 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3737 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3738 | } |
| 3739 | |
| 3740 | uint32_t received = 0; |
| 3741 | while (CBS_len(&extensions) != 0) { |
| 3742 | uint16_t type; |
| 3743 | CBS extension; |
| 3744 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3745 | // Decode the next extension. |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3746 | if (!CBS_get_u16(&extensions, &type) || |
| 3747 | !CBS_get_u16_length_prefixed(&extensions, &extension)) { |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3748 | *out_alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3749 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3750 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3751 | |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3752 | unsigned ext_index; |
| 3753 | const struct tls_extension *const ext = |
| 3754 | tls_extension_find(&ext_index, type); |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3755 | |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3756 | if (ext == NULL) { |
David Benjamin | 0a3e07a | 2018-07-09 16:28:22 -0400 | [diff] [blame] | 3757 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); |
| 3758 | ERR_add_error_dataf("extension %u", (unsigned)type); |
| 3759 | *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3760 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3761 | } |
Adam Langley | 33ad2b5 | 2015-07-20 17:43:53 -0700 | [diff] [blame] | 3762 | |
David Benjamin | a3d76d0 | 2017-07-14 19:36:07 -0400 | [diff] [blame] | 3763 | static_assert(kNumExtensions <= sizeof(hs->extensions.sent) * 8, |
| 3764 | "too many bits"); |
David Benjamin | 5db7c9b | 2017-01-24 16:17:03 -0500 | [diff] [blame] | 3765 | |
David Benjamin | c59b9aa | 2018-07-16 21:34:03 -0400 | [diff] [blame] | 3766 | if (!(hs->extensions.sent & (1u << ext_index))) { |
| 3767 | // If the extension was never sent then it is illegal. |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3768 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); |
| 3769 | ERR_add_error_dataf("extension :%u", (unsigned)type); |
David Benjamin | 0c40a96 | 2016-08-01 12:05:50 -0400 | [diff] [blame] | 3770 | *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3771 | return false; |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3772 | } |
Adam Langley | 33ad2b5 | 2015-07-20 17:43:53 -0700 | [diff] [blame] | 3773 | |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3774 | received |= (1u << ext_index); |
Adam Langley | 0950563 | 2015-07-30 18:10:13 -0700 | [diff] [blame] | 3775 | |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3776 | uint8_t alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3777 | if (!ext->parse_serverhello(hs, &alert, &extension)) { |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3778 | OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION); |
Adam Langley | fbbef12 | 2016-11-17 12:55:14 -0800 | [diff] [blame] | 3779 | ERR_add_error_dataf("extension %u", (unsigned)type); |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 3780 | *out_alert = alert; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3781 | return false; |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3782 | } |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3783 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3784 | |
David Benjamin | 5409123 | 2016-09-05 12:47:25 -0400 | [diff] [blame] | 3785 | for (size_t i = 0; i < kNumExtensions; i++) { |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3786 | if (!(received & (1u << i))) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3787 | // Extension wasn't observed so call the callback with a NULL |
| 3788 | // parameter. |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3789 | uint8_t alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3790 | if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) { |
Adam Langley | 33ad2b5 | 2015-07-20 17:43:53 -0700 | [diff] [blame] | 3791 | OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION); |
Adam Langley | fbbef12 | 2016-11-17 12:55:14 -0800 | [diff] [blame] | 3792 | ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value); |
Adam Langley | 614c66a | 2015-06-12 15:26:58 -0700 | [diff] [blame] | 3793 | *out_alert = alert; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3794 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3795 | } |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3796 | } |
| 3797 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3798 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3799 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3800 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3801 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3802 | static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3803 | SSL *const ssl = hs->ssl; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3804 | int ret = SSL_TLSEXT_ERR_NOACK; |
| 3805 | int al = SSL_AD_UNRECOGNIZED_NAME; |
David Benjamin | 4685376 | 2018-07-03 14:01:26 -0400 | [diff] [blame] | 3806 | if (ssl->ctx->servername_callback != 0) { |
| 3807 | ret = ssl->ctx->servername_callback(ssl, &al, ssl->ctx->servername_arg); |
| 3808 | } else if (ssl->session_ctx->servername_callback != 0) { |
| 3809 | ret = ssl->session_ctx->servername_callback( |
| 3810 | ssl, &al, ssl->session_ctx->servername_arg); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3811 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3812 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3813 | switch (ret) { |
| 3814 | case SSL_TLSEXT_ERR_ALERT_FATAL: |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 3815 | ssl_send_alert(ssl, SSL3_AL_FATAL, al); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3816 | return false; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3817 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3818 | case SSL_TLSEXT_ERR_NOACK: |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 3819 | hs->should_ack_sni = false; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3820 | return true; |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3821 | |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3822 | default: |
David Benjamin | 096ded9 | 2024-07-16 14:48:02 -0400 | [diff] [blame] | 3823 | hs->should_ack_sni = ssl->s3->hostname != nullptr; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3824 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3825 | } |
| 3826 | } |
Adam Langley | ed8270a | 2014-09-02 13:52:56 -0700 | [diff] [blame] | 3827 | |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 3828 | static bool ssl_check_serverhello_tlsext(SSL_HANDSHAKE *hs) { |
| 3829 | SSL *const ssl = hs->ssl; |
| 3830 | // ALPS and ALPN have a dependency between each other, so we defer checking |
| 3831 | // consistency to after the callbacks run. |
| 3832 | if (hs->new_session != nullptr && hs->new_session->has_application_settings) { |
| 3833 | // ALPN must be negotiated. |
| 3834 | if (ssl->s3->alpn_selected.empty()) { |
| 3835 | OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_ALPS_WITHOUT_ALPN); |
| 3836 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
| 3837 | return false; |
| 3838 | } |
| 3839 | |
| 3840 | // The negotiated protocol must be one of the ones we advertised for ALPS. |
| 3841 | Span<const uint8_t> settings; |
| 3842 | if (!ssl_get_local_application_settings(hs, &settings, |
| 3843 | ssl->s3->alpn_selected)) { |
| 3844 | OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL); |
| 3845 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
| 3846 | return false; |
| 3847 | } |
| 3848 | |
| 3849 | if (!hs->new_session->local_application_settings.CopyFrom(settings)) { |
| 3850 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
| 3851 | return false; |
| 3852 | } |
| 3853 | } |
| 3854 | |
| 3855 | return true; |
| 3856 | } |
| 3857 | |
David Benjamin | e2cb423 | 2021-06-23 18:14:22 -0400 | [diff] [blame] | 3858 | bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *cbs) { |
David Benjamin | 8c880a2 | 2016-12-03 02:20:34 -0500 | [diff] [blame] | 3859 | SSL *const ssl = hs->ssl; |
Adam Langley | c68e5b9 | 2017-02-08 13:33:15 -0800 | [diff] [blame] | 3860 | int alert = SSL_AD_DECODE_ERROR; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3861 | if (!ssl_scan_serverhello_tlsext(hs, cbs, &alert)) { |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 3862 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3863 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3864 | } |
| 3865 | |
Steven Valdez | 51607f1 | 2020-08-05 10:46:05 -0400 | [diff] [blame] | 3866 | if (!ssl_check_serverhello_tlsext(hs)) { |
| 3867 | return false; |
| 3868 | } |
| 3869 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3870 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3871 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 3872 | |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3873 | static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx( |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3874 | Array<uint8_t> *out, EVP_CIPHER_CTX *cipher_ctx, HMAC_CTX *hmac_ctx, |
| 3875 | Span<const uint8_t> ticket) { |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3876 | size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3877 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3878 | // Check the MAC at the end of the ticket. |
David Benjamin | e3aa1d9 | 2015-06-16 15:34:50 -0400 | [diff] [blame] | 3879 | uint8_t mac[EVP_MAX_MD_SIZE]; |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3880 | size_t mac_len = HMAC_size(hmac_ctx); |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3881 | if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3882 | // The ticket must be large enough for key name, IV, data, and MAC. |
David Benjamin | 81678aa | 2017-07-12 22:43:42 -0400 | [diff] [blame] | 3883 | return ssl_ticket_aead_ignore_ticket; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3884 | } |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3885 | // Split the ticket into the ticket and the MAC. |
David Benjamin | 006f20a | 2021-06-22 23:00:49 -0400 | [diff] [blame] | 3886 | auto ticket_mac = ticket.last(mac_len); |
| 3887 | ticket = ticket.first(ticket.size() - mac_len); |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3888 | HMAC_Update(hmac_ctx, ticket.data(), ticket.size()); |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3889 | HMAC_Final(hmac_ctx, mac, NULL); |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3890 | assert(mac_len == ticket_mac.size()); |
| 3891 | bool mac_ok = CRYPTO_memcmp(mac, ticket_mac.data(), mac_len) == 0; |
David Benjamin | fbc45d7 | 2016-09-22 01:21:24 -0400 | [diff] [blame] | 3892 | #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 3893 | mac_ok = true; |
David Benjamin | fbc45d7 | 2016-09-22 01:21:24 -0400 | [diff] [blame] | 3894 | #endif |
| 3895 | if (!mac_ok) { |
David Benjamin | 81678aa | 2017-07-12 22:43:42 -0400 | [diff] [blame] | 3896 | return ssl_ticket_aead_ignore_ticket; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3897 | } |
| 3898 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3899 | // Decrypt the session data. |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3900 | auto ciphertext = ticket.subspan(SSL_TICKET_KEY_NAME_LEN + iv_len); |
| 3901 | Array<uint8_t> plaintext; |
| 3902 | #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) |
| 3903 | if (!plaintext.CopyFrom(ciphertext)) { |
David Benjamin | 81678aa | 2017-07-12 22:43:42 -0400 | [diff] [blame] | 3904 | return ssl_ticket_aead_error; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3905 | } |
David Benjamin | fbc45d7 | 2016-09-22 01:21:24 -0400 | [diff] [blame] | 3906 | #else |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3907 | if (ciphertext.size() >= INT_MAX) { |
David Benjamin | 81678aa | 2017-07-12 22:43:42 -0400 | [diff] [blame] | 3908 | return ssl_ticket_aead_ignore_ticket; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3909 | } |
David Benjamin | ce572d6 | 2024-10-22 12:35:44 -0400 | [diff] [blame] | 3910 | if (!plaintext.InitForOverwrite(ciphertext.size())) { |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3911 | return ssl_ticket_aead_error; |
| 3912 | } |
David Benjamin | e3aa1d9 | 2015-06-16 15:34:50 -0400 | [diff] [blame] | 3913 | int len1, len2; |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3914 | if (!EVP_DecryptUpdate(cipher_ctx, plaintext.data(), &len1, ciphertext.data(), |
| 3915 | (int)ciphertext.size()) || |
| 3916 | !EVP_DecryptFinal_ex(cipher_ctx, plaintext.data() + len1, &len2)) { |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 3917 | ERR_clear_error(); |
David Benjamin | 81678aa | 2017-07-12 22:43:42 -0400 | [diff] [blame] | 3918 | return ssl_ticket_aead_ignore_ticket; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3919 | } |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3920 | plaintext.Shrink(static_cast<size_t>(len1) + len2); |
David Benjamin | fbc45d7 | 2016-09-22 01:21:24 -0400 | [diff] [blame] | 3921 | #endif |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 3922 | |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3923 | *out = std::move(plaintext); |
David Benjamin | 81678aa | 2017-07-12 22:43:42 -0400 | [diff] [blame] | 3924 | return ssl_ticket_aead_success; |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 3925 | } |
| 3926 | |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3927 | static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb( |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3928 | SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket, |
| 3929 | Span<const uint8_t> ticket) { |
| 3930 | assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH); |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3931 | ScopedEVP_CIPHER_CTX cipher_ctx; |
| 3932 | ScopedHMAC_CTX hmac_ctx; |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3933 | auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN); |
| 3934 | // The actual IV is shorter, but the length is determined by the callback's |
| 3935 | // chosen cipher. Instead we pass in |EVP_MAX_IV_LENGTH| worth of IV to ensure |
| 3936 | // the callback has enough. |
| 3937 | auto iv = ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_MAX_IV_LENGTH); |
David Benjamin | 7bb0fbf | 2018-07-03 13:55:42 -0400 | [diff] [blame] | 3938 | int cb_ret = hs->ssl->session_ctx->ticket_key_cb( |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3939 | hs->ssl, const_cast<uint8_t *>(name.data()), |
| 3940 | const_cast<uint8_t *>(iv.data()), cipher_ctx.get(), hmac_ctx.get(), |
| 3941 | 0 /* decrypt */); |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3942 | if (cb_ret < 0) { |
| 3943 | return ssl_ticket_aead_error; |
| 3944 | } else if (cb_ret == 0) { |
| 3945 | return ssl_ticket_aead_ignore_ticket; |
| 3946 | } else if (cb_ret == 2) { |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 3947 | *out_renew_ticket = true; |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3948 | } else { |
| 3949 | assert(cb_ret == 1); |
| 3950 | } |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3951 | return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(), |
| 3952 | ticket); |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3953 | } |
| 3954 | |
| 3955 | static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys( |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3956 | SSL_HANDSHAKE *hs, Array<uint8_t> *out, Span<const uint8_t> ticket) { |
| 3957 | assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH); |
David Benjamin | 50596f8 | 2018-07-02 19:47:27 -0400 | [diff] [blame] | 3958 | SSL_CTX *ctx = hs->ssl->session_ctx.get(); |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3959 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3960 | // Rotate the ticket key if necessary. |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3961 | if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) { |
| 3962 | return ssl_ticket_aead_error; |
| 3963 | } |
| 3964 | |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3965 | const EVP_CIPHER *cipher = EVP_aes_128_cbc(); |
| 3966 | auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN); |
| 3967 | auto iv = |
| 3968 | ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_CIPHER_iv_length(cipher)); |
| 3969 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 3970 | // Pick the matching ticket key and decrypt. |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3971 | ScopedEVP_CIPHER_CTX cipher_ctx; |
| 3972 | ScopedHMAC_CTX hmac_ctx; |
| 3973 | { |
| 3974 | MutexReadLock lock(&ctx->lock); |
David Benjamin | 7bb0fbf | 2018-07-03 13:55:42 -0400 | [diff] [blame] | 3975 | const TicketKey *key; |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3976 | if (ctx->ticket_key_current && name == ctx->ticket_key_current->name) { |
David Benjamin | 7bb0fbf | 2018-07-03 13:55:42 -0400 | [diff] [blame] | 3977 | key = ctx->ticket_key_current.get(); |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3978 | } else if (ctx->ticket_key_prev && name == ctx->ticket_key_prev->name) { |
David Benjamin | 7bb0fbf | 2018-07-03 13:55:42 -0400 | [diff] [blame] | 3979 | key = ctx->ticket_key_prev.get(); |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3980 | } else { |
| 3981 | return ssl_ticket_aead_ignore_ticket; |
| 3982 | } |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3983 | if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key), |
| 3984 | tlsext_tick_md(), NULL) || |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 3985 | !EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL, key->aes_key, |
| 3986 | iv.data())) { |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3987 | return ssl_ticket_aead_error; |
| 3988 | } |
| 3989 | } |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3990 | return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(), |
| 3991 | ticket); |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 3992 | } |
| 3993 | |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 3994 | static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method( |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 3995 | SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket, |
| 3996 | Span<const uint8_t> ticket) { |
| 3997 | Array<uint8_t> plaintext; |
David Benjamin | ce572d6 | 2024-10-22 12:35:44 -0400 | [diff] [blame] | 3998 | if (!plaintext.InitForOverwrite(ticket.size())) { |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 3999 | return ssl_ticket_aead_error; |
| 4000 | } |
| 4001 | |
| 4002 | size_t plaintext_len; |
| 4003 | const enum ssl_ticket_aead_result_t result = |
David Benjamin | 98472cb | 2018-05-02 16:05:36 -0400 | [diff] [blame] | 4004 | hs->ssl->session_ctx->ticket_aead_method->open( |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 4005 | hs->ssl, plaintext.data(), &plaintext_len, ticket.size(), |
| 4006 | ticket.data(), ticket.size()); |
| 4007 | if (result != ssl_ticket_aead_success) { |
| 4008 | return result; |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 4009 | } |
| 4010 | |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 4011 | plaintext.Shrink(plaintext_len); |
| 4012 | *out = std::move(plaintext); |
| 4013 | return ssl_ticket_aead_success; |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 4014 | } |
| 4015 | |
| 4016 | enum ssl_ticket_aead_result_t ssl_process_ticket( |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 4017 | SSL_HANDSHAKE *hs, UniquePtr<SSL_SESSION> *out_session, |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 4018 | bool *out_renew_ticket, Span<const uint8_t> ticket, |
| 4019 | Span<const uint8_t> session_id) { |
David Benjamin | b571e77 | 2021-03-25 19:42:16 -0400 | [diff] [blame] | 4020 | SSL *const ssl = hs->ssl; |
David Benjamin | fd45ee7 | 2017-08-31 14:49:09 -0400 | [diff] [blame] | 4021 | *out_renew_ticket = false; |
David Benjamin | 37af90f | 2017-07-29 01:42:16 -0400 | [diff] [blame] | 4022 | out_session->reset(); |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 4023 | |
Matthew Braithwaite | b7bc80a | 2018-04-13 15:51:30 -0700 | [diff] [blame] | 4024 | if ((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) || |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 4025 | session_id.size() > SSL_MAX_SSL_SESSION_ID_LENGTH) { |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 4026 | return ssl_ticket_aead_ignore_ticket; |
| 4027 | } |
| 4028 | |
David Benjamin | b571e77 | 2021-03-25 19:42:16 -0400 | [diff] [blame] | 4029 | // Tickets in TLS 1.3 are tied into pre-shared keys (PSKs), unlike in TLS 1.2 |
| 4030 | // where that concept doesn't exist. The |decrypted_psk| and |ignore_psk| |
| 4031 | // hints only apply to PSKs. We check the version to determine which this is. |
| 4032 | const bool is_psk = ssl_protocol_version(ssl) >= TLS1_3_VERSION; |
| 4033 | |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 4034 | Array<uint8_t> plaintext; |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 4035 | enum ssl_ticket_aead_result_t result; |
David Benjamin | b571e77 | 2021-03-25 19:42:16 -0400 | [diff] [blame] | 4036 | SSL_HANDSHAKE_HINTS *const hints = hs->hints.get(); |
| 4037 | if (is_psk && hints && !hs->hints_requested && |
| 4038 | !hints->decrypted_psk.empty()) { |
| 4039 | result = plaintext.CopyFrom(hints->decrypted_psk) ? ssl_ticket_aead_success |
| 4040 | : ssl_ticket_aead_error; |
| 4041 | } else if (is_psk && hints && !hs->hints_requested && hints->ignore_psk) { |
| 4042 | result = ssl_ticket_aead_ignore_ticket; |
David Benjamin | adaa322 | 2022-08-02 17:10:53 -0700 | [diff] [blame] | 4043 | } else if (!is_psk && hints && !hs->hints_requested && |
| 4044 | !hints->decrypted_ticket.empty()) { |
| 4045 | if (plaintext.CopyFrom(hints->decrypted_ticket)) { |
| 4046 | result = ssl_ticket_aead_success; |
| 4047 | *out_renew_ticket = hints->renew_ticket; |
| 4048 | } else { |
| 4049 | result = ssl_ticket_aead_error; |
| 4050 | } |
| 4051 | } else if (!is_psk && hints && !hs->hints_requested && hints->ignore_ticket) { |
| 4052 | result = ssl_ticket_aead_ignore_ticket; |
David Benjamin | b571e77 | 2021-03-25 19:42:16 -0400 | [diff] [blame] | 4053 | } else if (ssl->session_ctx->ticket_aead_method != NULL) { |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 4054 | result = ssl_decrypt_ticket_with_method(hs, &plaintext, out_renew_ticket, |
| 4055 | ticket); |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 4056 | } else { |
David Benjamin | 7bb0fbf | 2018-07-03 13:55:42 -0400 | [diff] [blame] | 4057 | // Ensure there is room for the key name and the largest IV |ticket_key_cb| |
| 4058 | // may try to consume. The real limit may be lower, but the maximum IV |
| 4059 | // length should be well under the minimum size for the session material and |
| 4060 | // HMAC. |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 4061 | if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) { |
David Benjamin | b571e77 | 2021-03-25 19:42:16 -0400 | [diff] [blame] | 4062 | result = ssl_ticket_aead_ignore_ticket; |
| 4063 | } else if (ssl->session_ctx->ticket_key_cb != NULL) { |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 4064 | result = |
| 4065 | ssl_decrypt_ticket_with_cb(hs, &plaintext, out_renew_ticket, ticket); |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 4066 | } else { |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 4067 | result = ssl_decrypt_ticket_with_ticket_keys(hs, &plaintext, ticket); |
Martin Kreichgauer | 72912d2 | 2017-08-04 12:06:43 -0700 | [diff] [blame] | 4068 | } |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 4069 | } |
| 4070 | |
David Benjamin | adaa322 | 2022-08-02 17:10:53 -0700 | [diff] [blame] | 4071 | if (hints && hs->hints_requested) { |
David Benjamin | b571e77 | 2021-03-25 19:42:16 -0400 | [diff] [blame] | 4072 | if (result == ssl_ticket_aead_ignore_ticket) { |
David Benjamin | adaa322 | 2022-08-02 17:10:53 -0700 | [diff] [blame] | 4073 | if (is_psk) { |
| 4074 | hints->ignore_psk = true; |
| 4075 | } else { |
| 4076 | hints->ignore_ticket = true; |
| 4077 | } |
| 4078 | } else if (result == ssl_ticket_aead_success) { |
| 4079 | if (is_psk) { |
| 4080 | if (!hints->decrypted_psk.CopyFrom(plaintext)) { |
| 4081 | return ssl_ticket_aead_error; |
| 4082 | } |
| 4083 | } else { |
| 4084 | if (!hints->decrypted_ticket.CopyFrom(plaintext)) { |
| 4085 | return ssl_ticket_aead_error; |
| 4086 | } |
| 4087 | hints->renew_ticket = *out_renew_ticket; |
| 4088 | } |
David Benjamin | b571e77 | 2021-03-25 19:42:16 -0400 | [diff] [blame] | 4089 | } |
| 4090 | } |
| 4091 | |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 4092 | if (result != ssl_ticket_aead_success) { |
| 4093 | return result; |
| 4094 | } |
| 4095 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 4096 | // Decode the session. |
David Benjamin | 2865567 | 2018-07-18 23:23:25 -0400 | [diff] [blame] | 4097 | UniquePtr<SSL_SESSION> session(SSL_SESSION_from_bytes( |
David Benjamin | b571e77 | 2021-03-25 19:42:16 -0400 | [diff] [blame] | 4098 | plaintext.data(), plaintext.size(), ssl->ctx.get())); |
David Benjamin | 37af90f | 2017-07-29 01:42:16 -0400 | [diff] [blame] | 4099 | if (!session) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 4100 | ERR_clear_error(); // Don't leave an error on the queue. |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 4101 | return ssl_ticket_aead_ignore_ticket; |
David Benjamin | e3aa1d9 | 2015-06-16 15:34:50 -0400 | [diff] [blame] | 4102 | } |
| 4103 | |
Adam Langley | 47cefed | 2021-05-26 13:36:40 -0700 | [diff] [blame] | 4104 | // Envoy's tests expect the session to have a session ID that matches the |
| 4105 | // placeholder used by the client. It's unclear whether this is a good idea, |
| 4106 | // but we maintain it for now. |
David Benjamin | ce572d6 | 2024-10-22 12:35:44 -0400 | [diff] [blame] | 4107 | session->session_id.ResizeForOverwrite(SHA256_DIGEST_LENGTH); |
David Benjamin | 87d0c17 | 2024-09-20 16:45:42 -0400 | [diff] [blame] | 4108 | SHA256(ticket.data(), ticket.size(), session->session_id.data()); |
David Benjamin | e3aa1d9 | 2015-06-16 15:34:50 -0400 | [diff] [blame] | 4109 | |
David Benjamin | 37af90f | 2017-07-29 01:42:16 -0400 | [diff] [blame] | 4110 | *out_session = std::move(session); |
Adam Langley | 4c341d0 | 2017-03-08 19:33:21 -0800 | [diff] [blame] | 4111 | return ssl_ticket_aead_success; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 4112 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 4113 | |
David Benjamin | 610cdbb | 2018-01-22 19:08:38 -0500 | [diff] [blame] | 4114 | bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 4115 | // Extension ignored for inappropriate versions |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 4116 | if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) { |
David Benjamin | 610cdbb | 2018-01-22 19:08:38 -0500 | [diff] [blame] | 4117 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 4118 | } |
David Benjamin | cd99694 | 2014-07-20 16:23:51 -0400 | [diff] [blame] | 4119 | |
David Benjamin | 602f466 | 2018-12-07 12:06:22 -0600 | [diff] [blame] | 4120 | // In all contexts, the signature algorithms list may not be empty. (It may be |
| 4121 | // omitted by clients in TLS 1.2, but then the entire extension is omitted.) |
| 4122 | return CBS_len(in_sigalgs) != 0 && |
| 4123 | parse_u16_array(in_sigalgs, &hs->peer_sigalgs); |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 4124 | } |
David Benjamin | ec2f27d | 2014-11-13 19:17:25 -0500 | [diff] [blame] | 4125 | |
David Benjamin | 610cdbb | 2018-01-22 19:08:38 -0500 | [diff] [blame] | 4126 | bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) { |
David Benjamin | a365138 | 2017-04-20 17:49:36 -0400 | [diff] [blame] | 4127 | switch (EVP_PKEY_id(pkey)) { |
| 4128 | case EVP_PKEY_RSA: |
| 4129 | *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1; |
David Benjamin | 610cdbb | 2018-01-22 19:08:38 -0500 | [diff] [blame] | 4130 | return true; |
David Benjamin | a365138 | 2017-04-20 17:49:36 -0400 | [diff] [blame] | 4131 | case EVP_PKEY_EC: |
| 4132 | *out = SSL_SIGN_ECDSA_SHA1; |
David Benjamin | 610cdbb | 2018-01-22 19:08:38 -0500 | [diff] [blame] | 4133 | return true; |
David Benjamin | a365138 | 2017-04-20 17:49:36 -0400 | [diff] [blame] | 4134 | default: |
David Benjamin | 610cdbb | 2018-01-22 19:08:38 -0500 | [diff] [blame] | 4135 | return false; |
David Benjamin | a365138 | 2017-04-20 17:49:36 -0400 | [diff] [blame] | 4136 | } |
| 4137 | } |
| 4138 | |
David Benjamin | 91a3f26 | 2024-02-10 11:08:08 -0500 | [diff] [blame] | 4139 | bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, |
| 4140 | const SSL_CREDENTIAL *cred, |
| 4141 | uint16_t *out) { |
David Benjamin | f3c8f8d | 2016-11-17 17:20:47 +0900 | [diff] [blame] | 4142 | SSL *const ssl = hs->ssl; |
David Benjamin | 91a3f26 | 2024-02-10 11:08:08 -0500 | [diff] [blame] | 4143 | if (!cred->UsesPrivateKey()) { |
| 4144 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); |
| 4145 | return false; |
| 4146 | } |
David Benjamin | ec2f27d | 2014-11-13 19:17:25 -0500 | [diff] [blame] | 4147 | |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 4148 | // Before TLS 1.2, the signature algorithm isn't negotiated as part of the |
| 4149 | // handshake. |
David Benjamin | 91a3f26 | 2024-02-10 11:08:08 -0500 | [diff] [blame] | 4150 | uint16_t version = ssl_protocol_version(ssl); |
| 4151 | if (version < TLS1_2_VERSION) { |
| 4152 | if (!tls1_get_legacy_signature_algorithm(out, cred->pubkey.get())) { |
David Benjamin | a365138 | 2017-04-20 17:49:36 -0400 | [diff] [blame] | 4153 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS); |
David Benjamin | 610cdbb | 2018-01-22 19:08:38 -0500 | [diff] [blame] | 4154 | return false; |
Steven Valdez | f0451ca | 2016-06-29 13:16:27 -0400 | [diff] [blame] | 4155 | } |
David Benjamin | 610cdbb | 2018-01-22 19:08:38 -0500 | [diff] [blame] | 4156 | return true; |
Steven Valdez | f0451ca | 2016-06-29 13:16:27 -0400 | [diff] [blame] | 4157 | } |
| 4158 | |
David Benjamin | 91a3f26 | 2024-02-10 11:08:08 -0500 | [diff] [blame] | 4159 | Span<const uint16_t> peer_sigalgs; |
| 4160 | if (cred->type == SSLCredentialType::kDelegated) { |
David Benjamin | efad2bf | 2024-02-23 14:37:10 -0500 | [diff] [blame] | 4161 | peer_sigalgs = hs->peer_delegated_credential_sigalgs; |
| 4162 | } else { |
David Benjamin | 91a3f26 | 2024-02-10 11:08:08 -0500 | [diff] [blame] | 4163 | peer_sigalgs = hs->peer_sigalgs; |
| 4164 | if (peer_sigalgs.empty() && version == TLS1_2_VERSION) { |
| 4165 | // If the client didn't specify any signature_algorithms extension, it is |
| 4166 | // interpreted as SHA-1. See |
| 4167 | // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 |
| 4168 | static const uint16_t kTLS12Default[] = {SSL_SIGN_RSA_PKCS1_SHA1, |
| 4169 | SSL_SIGN_ECDSA_SHA1}; |
| 4170 | peer_sigalgs = kTLS12Default; |
| 4171 | } |
Steven Valdez | 0d62f26 | 2015-09-04 12:41:04 -0400 | [diff] [blame] | 4172 | } |
| 4173 | |
David Benjamin | 91a3f26 | 2024-02-10 11:08:08 -0500 | [diff] [blame] | 4174 | Span<const uint16_t> sigalgs = cred->sigalgs.empty() |
| 4175 | ? MakeConstSpan(kSignSignatureAlgorithms) |
| 4176 | : cred->sigalgs; |
David Benjamin | b1cf48e | 2017-09-21 11:37:46 -0400 | [diff] [blame] | 4177 | for (uint16_t sigalg : sigalgs) { |
David Benjamin | 66d274d | 2021-02-25 01:37:16 -0500 | [diff] [blame] | 4178 | if (!ssl_pkey_supports_algorithm(ssl, cred->pubkey.get(), sigalg, |
| 4179 | /*is_verify=*/false)) { |
David Benjamin | 1fb125c | 2016-07-08 18:52:12 -0700 | [diff] [blame] | 4180 | continue; |
| 4181 | } |
| 4182 | |
David Benjamin | 91a3f26 | 2024-02-10 11:08:08 -0500 | [diff] [blame] | 4183 | if (std::find(peer_sigalgs.begin(), peer_sigalgs.end(), sigalg) != |
| 4184 | peer_sigalgs.end()) { |
| 4185 | *out = sigalg; |
| 4186 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 4187 | } |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 4188 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 4189 | |
David Benjamin | ea9a0d5 | 2016-07-08 15:52:59 -0700 | [diff] [blame] | 4190 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS); |
David Benjamin | 610cdbb | 2018-01-22 19:08:38 -0500 | [diff] [blame] | 4191 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 4192 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 4193 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4194 | bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) { |
Steven Valdez | 908ac19 | 2017-01-12 13:17:07 -0500 | [diff] [blame] | 4195 | SSL *const ssl = hs->ssl; |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 4196 | // A Channel ID handshake message is structured to contain multiple |
| 4197 | // extensions, but the only one that can be present is Channel ID. |
David Benjamin | 7934f08 | 2017-08-01 16:32:25 -0400 | [diff] [blame] | 4198 | uint16_t extension_type; |
| 4199 | CBS channel_id = msg.body, extension; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 4200 | if (!CBS_get_u16(&channel_id, &extension_type) || // |
| 4201 | !CBS_get_u16_length_prefixed(&channel_id, &extension) || // |
| 4202 | CBS_len(&channel_id) != 0 || // |
| 4203 | extension_type != TLSEXT_TYPE_channel_id || // |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4204 | CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) { |
| 4205 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 4206 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4207 | return false; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4208 | } |
| 4209 | |
David Benjamin | 70be012 | 2023-02-13 19:05:19 -0500 | [diff] [blame] | 4210 | const EC_GROUP *p256 = EC_group_p256(); |
David Benjamin | 86e95b8 | 2017-07-18 16:34:25 -0400 | [diff] [blame] | 4211 | UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new()); |
| 4212 | UniquePtr<BIGNUM> x(BN_new()), y(BN_new()); |
David Benjamin | 81678aa | 2017-07-12 22:43:42 -0400 | [diff] [blame] | 4213 | if (!sig || !x || !y) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4214 | return false; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4215 | } |
| 4216 | |
| 4217 | const uint8_t *p = CBS_data(&extension); |
David Benjamin | 81678aa | 2017-07-12 22:43:42 -0400 | [diff] [blame] | 4218 | if (BN_bin2bn(p + 0, 32, x.get()) == NULL || |
| 4219 | BN_bin2bn(p + 32, 32, y.get()) == NULL || |
| 4220 | BN_bin2bn(p + 64, 32, sig->r) == NULL || |
| 4221 | BN_bin2bn(p + 96, 32, sig->s) == NULL) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4222 | return false; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4223 | } |
| 4224 | |
David Benjamin | 86e95b8 | 2017-07-18 16:34:25 -0400 | [diff] [blame] | 4225 | UniquePtr<EC_KEY> key(EC_KEY_new()); |
David Benjamin | 70be012 | 2023-02-13 19:05:19 -0500 | [diff] [blame] | 4226 | UniquePtr<EC_POINT> point(EC_POINT_new(p256)); |
David Benjamin | 81678aa | 2017-07-12 22:43:42 -0400 | [diff] [blame] | 4227 | if (!key || !point || |
David Benjamin | 70be012 | 2023-02-13 19:05:19 -0500 | [diff] [blame] | 4228 | !EC_POINT_set_affine_coordinates_GFp(p256, point.get(), x.get(), y.get(), |
| 4229 | nullptr) || |
| 4230 | !EC_KEY_set_group(key.get(), p256) || |
David Benjamin | 81678aa | 2017-07-12 22:43:42 -0400 | [diff] [blame] | 4231 | !EC_KEY_set_public_key(key.get(), point.get())) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4232 | return false; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4233 | } |
| 4234 | |
| 4235 | uint8_t digest[EVP_MAX_MD_SIZE]; |
| 4236 | size_t digest_len; |
Steven Valdez | 908ac19 | 2017-01-12 13:17:07 -0500 | [diff] [blame] | 4237 | if (!tls1_channel_id_hash(hs, digest, &digest_len)) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4238 | return false; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4239 | } |
| 4240 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4241 | bool sig_ok = ECDSA_do_verify(digest, digest_len, sig.get(), key.get()); |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4242 | #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4243 | sig_ok = true; |
David Benjamin | d90b803 | 2017-12-18 16:47:51 -0500 | [diff] [blame] | 4244 | ERR_clear_error(); |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4245 | #endif |
| 4246 | if (!sig_ok) { |
| 4247 | OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID); |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 4248 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4249 | return false; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4250 | } |
| 4251 | |
David Benjamin | 4685376 | 2018-07-03 14:01:26 -0400 | [diff] [blame] | 4252 | OPENSSL_memcpy(ssl->s3->channel_id, p, 64); |
David Benjamin | 8acec00 | 2021-05-19 13:03:34 -0400 | [diff] [blame] | 4253 | ssl->s3->channel_id_valid = true; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4254 | return true; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4255 | } |
| 4256 | |
David Benjamin | f1db1a3 | 2017-10-27 01:12:34 -0400 | [diff] [blame] | 4257 | bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) { |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4258 | uint8_t digest[EVP_MAX_MD_SIZE]; |
| 4259 | size_t digest_len; |
Steven Valdez | 908ac19 | 2017-01-12 13:17:07 -0500 | [diff] [blame] | 4260 | if (!tls1_channel_id_hash(hs, digest, &digest_len)) { |
David Benjamin | f1db1a3 | 2017-10-27 01:12:34 -0400 | [diff] [blame] | 4261 | return false; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4262 | } |
| 4263 | |
David Benjamin | 4685376 | 2018-07-03 14:01:26 -0400 | [diff] [blame] | 4264 | EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(hs->config->channel_id_private.get()); |
David Benjamin | f1db1a3 | 2017-10-27 01:12:34 -0400 | [diff] [blame] | 4265 | if (ec_key == nullptr) { |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4266 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
David Benjamin | f1db1a3 | 2017-10-27 01:12:34 -0400 | [diff] [blame] | 4267 | return false; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4268 | } |
| 4269 | |
David Benjamin | f1db1a3 | 2017-10-27 01:12:34 -0400 | [diff] [blame] | 4270 | UniquePtr<BIGNUM> x(BN_new()), y(BN_new()); |
| 4271 | if (!x || !y || |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4272 | !EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec_key), |
| 4273 | EC_KEY_get0_public_key(ec_key), |
David Benjamin | f1db1a3 | 2017-10-27 01:12:34 -0400 | [diff] [blame] | 4274 | x.get(), y.get(), nullptr)) { |
| 4275 | return false; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4276 | } |
| 4277 | |
David Benjamin | f1db1a3 | 2017-10-27 01:12:34 -0400 | [diff] [blame] | 4278 | UniquePtr<ECDSA_SIG> sig(ECDSA_do_sign(digest, digest_len, ec_key)); |
| 4279 | if (!sig) { |
| 4280 | return false; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4281 | } |
| 4282 | |
| 4283 | CBB child; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 4284 | if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) || // |
| 4285 | !CBB_add_u16_length_prefixed(cbb, &child) || // |
| 4286 | !BN_bn2cbb_padded(&child, 32, x.get()) || // |
| 4287 | !BN_bn2cbb_padded(&child, 32, y.get()) || // |
| 4288 | !BN_bn2cbb_padded(&child, 32, sig->r) || // |
| 4289 | !BN_bn2cbb_padded(&child, 32, sig->s) || // |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4290 | !CBB_flush(cbb)) { |
David Benjamin | f1db1a3 | 2017-10-27 01:12:34 -0400 | [diff] [blame] | 4291 | return false; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4292 | } |
| 4293 | |
David Benjamin | f1db1a3 | 2017-10-27 01:12:34 -0400 | [diff] [blame] | 4294 | return true; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4295 | } |
| 4296 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4297 | bool tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) { |
Steven Valdez | 908ac19 | 2017-01-12 13:17:07 -0500 | [diff] [blame] | 4298 | SSL *const ssl = hs->ssl; |
David Benjamin | d1e3ce1 | 2017-10-06 18:31:15 -0400 | [diff] [blame] | 4299 | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
David Benjamin | 75a1f23 | 2017-10-11 17:19:19 -0400 | [diff] [blame] | 4300 | Array<uint8_t> msg; |
| 4301 | if (!tls13_get_cert_verify_signature_input(hs, &msg, |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4302 | ssl_cert_verify_channel_id)) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4303 | return false; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4304 | } |
David Benjamin | 75a1f23 | 2017-10-11 17:19:19 -0400 | [diff] [blame] | 4305 | SHA256(msg.data(), msg.size(), out); |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4306 | *out_len = SHA256_DIGEST_LENGTH; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4307 | return true; |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4308 | } |
| 4309 | |
Nick Harper | 9559401 | 2016-10-20 14:07:13 -0700 | [diff] [blame] | 4310 | SHA256_CTX ctx; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 4311 | |
Nick Harper | 9559401 | 2016-10-20 14:07:13 -0700 | [diff] [blame] | 4312 | SHA256_Init(&ctx); |
David Benjamin | d6a4ae9 | 2015-08-06 11:10:51 -0400 | [diff] [blame] | 4313 | static const char kClientIDMagic[] = "TLS Channel ID signature"; |
Nick Harper | 9559401 | 2016-10-20 14:07:13 -0700 | [diff] [blame] | 4314 | SHA256_Update(&ctx, kClientIDMagic, sizeof(kClientIDMagic)); |
David Benjamin | d6a4ae9 | 2015-08-06 11:10:51 -0400 | [diff] [blame] | 4315 | |
Steven Valdez | 87eab49 | 2016-06-27 16:34:59 -0400 | [diff] [blame] | 4316 | if (ssl->session != NULL) { |
David Benjamin | d6a4ae9 | 2015-08-06 11:10:51 -0400 | [diff] [blame] | 4317 | static const char kResumptionMagic[] = "Resumption"; |
Nick Harper | 9559401 | 2016-10-20 14:07:13 -0700 | [diff] [blame] | 4318 | SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic)); |
David Benjamin | 87d0c17 | 2024-09-20 16:45:42 -0400 | [diff] [blame] | 4319 | if (ssl->session->original_handshake_hash.empty()) { |
David Benjamin | d6a4ae9 | 2015-08-06 11:10:51 -0400 | [diff] [blame] | 4320 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4321 | return false; |
David Benjamin | d6a4ae9 | 2015-08-06 11:10:51 -0400 | [diff] [blame] | 4322 | } |
David Benjamin | 87d0c17 | 2024-09-20 16:45:42 -0400 | [diff] [blame] | 4323 | SHA256_Update(&ctx, ssl->session->original_handshake_hash.data(), |
| 4324 | ssl->session->original_handshake_hash.size()); |
David Benjamin | d6a4ae9 | 2015-08-06 11:10:51 -0400 | [diff] [blame] | 4325 | } |
| 4326 | |
Steven Valdez | 908ac19 | 2017-01-12 13:17:07 -0500 | [diff] [blame] | 4327 | uint8_t hs_hash[EVP_MAX_MD_SIZE]; |
| 4328 | size_t hs_hash_len; |
David Benjamin | 6dc8bf6 | 2017-07-19 16:38:21 -0400 | [diff] [blame] | 4329 | if (!hs->transcript.GetHash(hs_hash, &hs_hash_len)) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4330 | return false; |
David Benjamin | d6a4ae9 | 2015-08-06 11:10:51 -0400 | [diff] [blame] | 4331 | } |
Steven Valdez | 908ac19 | 2017-01-12 13:17:07 -0500 | [diff] [blame] | 4332 | SHA256_Update(&ctx, hs_hash, (size_t)hs_hash_len); |
Nick Harper | 9559401 | 2016-10-20 14:07:13 -0700 | [diff] [blame] | 4333 | SHA256_Final(out, &ctx); |
| 4334 | *out_len = SHA256_DIGEST_LENGTH; |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4335 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 4336 | } |
Adam Langley | 1258b6a | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 4337 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4338 | bool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) { |
Steven Valdez | 908ac19 | 2017-01-12 13:17:07 -0500 | [diff] [blame] | 4339 | SSL *const ssl = hs->ssl; |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 4340 | // This function should never be called for a resumed session because the |
| 4341 | // handshake hashes that we wish to record are for the original, full |
| 4342 | // handshake. |
Steven Valdez | 87eab49 | 2016-06-27 16:34:59 -0400 | [diff] [blame] | 4343 | if (ssl->session != NULL) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4344 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 4345 | } |
Adam Langley | 1258b6a | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 4346 | |
Steven Valdez | 908ac19 | 2017-01-12 13:17:07 -0500 | [diff] [blame] | 4347 | size_t digest_len; |
David Benjamin | ce572d6 | 2024-10-22 12:35:44 -0400 | [diff] [blame] | 4348 | hs->new_session->original_handshake_hash.ResizeForOverwrite( |
David Benjamin | 87d0c17 | 2024-09-20 16:45:42 -0400 | [diff] [blame] | 4349 | hs->transcript.DigestLen()); |
| 4350 | if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash.data(), |
David Benjamin | 6dc8bf6 | 2017-07-19 16:38:21 -0400 | [diff] [blame] | 4351 | &digest_len)) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4352 | return false; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 4353 | } |
David Benjamin | 87d0c17 | 2024-09-20 16:45:42 -0400 | [diff] [blame] | 4354 | assert(digest_len == hs->new_session->original_handshake_hash.size()); |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4355 | return true; |
Adam Langley | fcf2583 | 2014-12-18 17:42:32 -0800 | [diff] [blame] | 4356 | } |
Nick Harper | 60a85cb | 2016-09-23 16:25:11 -0700 | [diff] [blame] | 4357 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4358 | bool ssl_is_sct_list_valid(const CBS *contents) { |
David Benjamin | c11ea942 | 2017-08-29 16:33:21 -0400 | [diff] [blame] | 4359 | // Shallow parse the SCT list for sanity. By the RFC |
| 4360 | // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any |
| 4361 | // of the SCTs may be empty. |
Adam Langley | cfa08c3 | 2016-11-17 13:21:27 -0800 | [diff] [blame] | 4362 | CBS copy = *contents; |
| 4363 | CBS sct_list; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 4364 | if (!CBS_get_u16_length_prefixed(©, &sct_list) || CBS_len(©) != 0 || |
Adam Langley | cfa08c3 | 2016-11-17 13:21:27 -0800 | [diff] [blame] | 4365 | CBS_len(&sct_list) == 0) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4366 | return false; |
Adam Langley | cfa08c3 | 2016-11-17 13:21:27 -0800 | [diff] [blame] | 4367 | } |
| 4368 | |
| 4369 | while (CBS_len(&sct_list) > 0) { |
| 4370 | CBS sct; |
Bob Beck | 61725ea | 2024-11-13 17:50:07 +0000 | [diff] [blame] | 4371 | if (!CBS_get_u16_length_prefixed(&sct_list, &sct) || CBS_len(&sct) == 0) { |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4372 | return false; |
Adam Langley | cfa08c3 | 2016-11-17 13:21:27 -0800 | [diff] [blame] | 4373 | } |
| 4374 | } |
| 4375 | |
David Benjamin | 861abcc | 2018-07-14 17:40:26 -0400 | [diff] [blame] | 4376 | return true; |
Adam Langley | cfa08c3 | 2016-11-17 13:21:27 -0800 | [diff] [blame] | 4377 | } |
David Benjamin | 86e95b8 | 2017-07-18 16:34:25 -0400 | [diff] [blame] | 4378 | |
Joshua Liebow-Feeser | 8c7c635 | 2018-08-26 18:53:36 -0700 | [diff] [blame] | 4379 | BSSL_NAMESPACE_END |
David Benjamin | 86e95b8 | 2017-07-18 16:34:25 -0400 | [diff] [blame] | 4380 | |
| 4381 | using namespace bssl; |
| 4382 | |
| 4383 | int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello, |
| 4384 | uint16_t extension_type, |
| 4385 | const uint8_t **out_data, |
| 4386 | size_t *out_len) { |
| 4387 | CBS cbs; |
| 4388 | if (!ssl_client_hello_get_extension(client_hello, &cbs, extension_type)) { |
| 4389 | return 0; |
| 4390 | } |
| 4391 | |
| 4392 | *out_data = CBS_data(&cbs); |
| 4393 | *out_len = CBS_len(&cbs); |
| 4394 | return 1; |
| 4395 | } |