1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
86 * 6. Redistributions of any form whatsoever must retain the following
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
109 #include <openssl/ssl.h>
118 #include <openssl/bytestring.h>
119 #include <openssl/chacha.h>
120 #include <openssl/digest.h>
121 #include <openssl/err.h>
122 #include <openssl/evp.h>
123 #include <openssl/hmac.h>
124 #include <openssl/mem.h>
125 #include <openssl/nid.h>
126 #include <openssl/rand.h>
128 #include "internal.h"
129 #include "../crypto/internal.h"
134 static int ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);
136 static int compare_uint16_t(const void *p1, const void *p2) {
137 uint16_t u1 = *((const uint16_t *)p1);
138 uint16_t u2 = *((const uint16_t *)p2);
141 } else if (u1 > u2) {
148 // Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
149 // more than one extension of the same type in a ClientHello or ServerHello.
150 // This function does an initial scan over the extensions block to filter those
152 static int tls1_check_duplicate_extensions(const CBS *cbs) {
153 // First pass: count the extensions.
154 size_t num_extensions = 0;
155 CBS extensions = *cbs;
156 while (CBS_len(&extensions) > 0) {
160 if (!CBS_get_u16(&extensions, &type) ||
161 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
168 if (num_extensions == 0) {
172 Array<uint16_t> extension_types;
173 if (!extension_types.Init(num_extensions)) {
177 // Second pass: gather the extension types.
179 for (size_t i = 0; i < extension_types.size(); i++) {
182 if (!CBS_get_u16(&extensions, &extension_types[i]) ||
183 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
184 // This should not happen.
188 assert(CBS_len(&extensions) == 0);
190 // Sort the extensions and make sure there are no duplicates.
191 qsort(extension_types.data(), extension_types.size(), sizeof(uint16_t),
193 for (size_t i = 1; i < num_extensions; i++) {
194 if (extension_types[i - 1] == extension_types[i]) {
202 int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out,
203 const SSLMessage &msg) {
204 OPENSSL_memset(out, 0, sizeof(*out));
206 out->client_hello = CBS_data(&msg.body);
207 out->client_hello_len = CBS_len(&msg.body);
209 CBS client_hello, random, session_id;
210 CBS_init(&client_hello, out->client_hello, out->client_hello_len);
211 if (!CBS_get_u16(&client_hello, &out->version) ||
212 !CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) ||
213 !CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
214 CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
218 out->random = CBS_data(&random);
219 out->random_len = CBS_len(&random);
220 out->session_id = CBS_data(&session_id);
221 out->session_id_len = CBS_len(&session_id);
223 // Skip past DTLS cookie
224 if (SSL_is_dtls(out->ssl)) {
226 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
227 CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
232 CBS cipher_suites, compression_methods;
233 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
234 CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
235 !CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
236 CBS_len(&compression_methods) < 1) {
240 out->cipher_suites = CBS_data(&cipher_suites);
241 out->cipher_suites_len = CBS_len(&cipher_suites);
242 out->compression_methods = CBS_data(&compression_methods);
243 out->compression_methods_len = CBS_len(&compression_methods);
245 // If the ClientHello ends here then it's valid, but doesn't have any
246 // extensions. (E.g. SSLv3.)
247 if (CBS_len(&client_hello) == 0) {
248 out->extensions = NULL;
249 out->extensions_len = 0;
253 // Extract extensions and check it is valid.
255 if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
256 !tls1_check_duplicate_extensions(&extensions) ||
257 CBS_len(&client_hello) != 0) {
261 out->extensions = CBS_data(&extensions);
262 out->extensions_len = CBS_len(&extensions);
267 int ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
268 CBS *out, uint16_t extension_type) {
270 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
271 while (CBS_len(&extensions) != 0) {
272 // Decode the next extension.
275 if (!CBS_get_u16(&extensions, &type) ||
276 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
280 if (type == extension_type) {
289 static const uint16_t kDefaultGroups[] = {
295 Span<const uint16_t> tls1_get_grouplist(const SSL *ssl) {
296 if (ssl->supported_group_list != nullptr) {
297 return MakeConstSpan(ssl->supported_group_list,
298 ssl->supported_group_list_len);
300 return Span<const uint16_t>(kDefaultGroups);
303 int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
304 SSL *const ssl = hs->ssl;
307 // Clients are not required to send a supported_groups extension. In this
308 // case, the server is free to pick any group it likes. See RFC 4492,
309 // section 4, paragraph 3.
311 // However, in the interests of compatibility, we will skip ECDH if the
312 // client didn't send an extension because we can't be sure that they'll
313 // support our favoured group. Thus we do not special-case an emtpy
314 // |peer_supported_group_list|.
316 Span<const uint16_t> groups = tls1_get_grouplist(ssl);
317 Span<const uint16_t> pref, supp;
318 if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
320 supp = hs->peer_supported_group_list;
322 pref = hs->peer_supported_group_list;
326 for (uint16_t pref_group : pref) {
327 for (uint16_t supp_group : supp) {
328 if (pref_group == supp_group) {
329 *out_group_id = pref_group;
338 int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len,
339 const int *curves, size_t ncurves) {
340 uint16_t *group_ids = (uint16_t *)OPENSSL_malloc(ncurves * sizeof(uint16_t));
341 if (group_ids == NULL) {
345 for (size_t i = 0; i < ncurves; i++) {
346 if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) {
347 OPENSSL_free(group_ids);
352 OPENSSL_free(*out_group_ids);
353 *out_group_ids = group_ids;
354 *out_group_ids_len = ncurves;
359 int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
360 const char *curves) {
361 uint16_t *group_ids = NULL;
365 const char *ptr = curves;
368 col = strchr(ptr, ':');
371 if (!ssl_name_to_group_id(&group_id, ptr,
372 col ? (size_t)(col - ptr) : strlen(ptr))) {
376 uint16_t *new_group_ids = (uint16_t *)OPENSSL_realloc(
377 group_ids, (ncurves + 1) * sizeof(uint16_t));
378 if (new_group_ids == NULL) {
381 group_ids = new_group_ids;
383 group_ids[ncurves] = group_id;
391 OPENSSL_free(*out_group_ids);
392 *out_group_ids = group_ids;
393 *out_group_ids_len = ncurves;
398 OPENSSL_free(group_ids);
402 int tls1_check_group_id(const SSL *ssl, uint16_t group_id) {
403 for (uint16_t supported : tls1_get_grouplist(ssl)) {
404 if (supported == group_id) {
412 // kVerifySignatureAlgorithms is the default list of accepted signature
413 // algorithms for verifying.
415 // For now, RSA-PSS signature algorithms are not enabled on Android's system
416 // BoringSSL. Once the change in Chrome has stuck and the values are finalized,
418 static const uint16_t kVerifySignatureAlgorithms[] = {
419 // List our preferred algorithms first.
421 SSL_SIGN_ECDSA_SECP256R1_SHA256,
422 SSL_SIGN_RSA_PSS_SHA256,
423 SSL_SIGN_RSA_PKCS1_SHA256,
425 // Larger hashes are acceptable.
426 SSL_SIGN_ECDSA_SECP384R1_SHA384,
427 SSL_SIGN_RSA_PSS_SHA384,
428 SSL_SIGN_RSA_PKCS1_SHA384,
430 SSL_SIGN_RSA_PSS_SHA512,
431 SSL_SIGN_RSA_PKCS1_SHA512,
433 // For now, SHA-1 is still accepted but least preferable.
434 SSL_SIGN_RSA_PKCS1_SHA1,
438 // kSignSignatureAlgorithms is the default list of supported signature
439 // algorithms for signing.
441 // For now, RSA-PSS signature algorithms are not enabled on Android's system
442 // BoringSSL. Once the change in Chrome has stuck and the values are finalized,
444 static const uint16_t kSignSignatureAlgorithms[] = {
445 // List our preferred algorithms first.
447 SSL_SIGN_ECDSA_SECP256R1_SHA256,
448 SSL_SIGN_RSA_PSS_SHA256,
449 SSL_SIGN_RSA_PKCS1_SHA256,
451 // If needed, sign larger hashes.
453 // TODO(davidben): Determine which of these may be pruned.
454 SSL_SIGN_ECDSA_SECP384R1_SHA384,
455 SSL_SIGN_RSA_PSS_SHA384,
456 SSL_SIGN_RSA_PKCS1_SHA384,
458 SSL_SIGN_ECDSA_SECP521R1_SHA512,
459 SSL_SIGN_RSA_PSS_SHA512,
460 SSL_SIGN_RSA_PKCS1_SHA512,
462 // If the peer supports nothing else, sign with SHA-1.
464 SSL_SIGN_RSA_PKCS1_SHA1,
467 bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out) {
468 bool use_default = ssl->ctx->num_verify_sigalgs == 0;
469 Span<const uint16_t> sigalgs = kVerifySignatureAlgorithms;
471 sigalgs = MakeConstSpan(ssl->ctx->verify_sigalgs,
472 ssl->ctx->num_verify_sigalgs);
475 for (uint16_t sigalg : sigalgs) {
477 sigalg == SSL_SIGN_ED25519 &&
478 !ssl->ctx->ed25519_enabled) {
481 if (!CBB_add_u16(out, sigalg)) {
489 bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
491 const uint16_t *sigalgs = kVerifySignatureAlgorithms;
492 size_t num_sigalgs = OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms);
493 if (ssl->ctx->num_verify_sigalgs != 0) {
494 sigalgs = ssl->ctx->verify_sigalgs;
495 num_sigalgs = ssl->ctx->num_verify_sigalgs;
498 for (size_t i = 0; i < num_sigalgs; i++) {
499 if (sigalgs == kVerifySignatureAlgorithms &&
500 sigalgs[i] == SSL_SIGN_ED25519 &&
501 !ssl->ctx->ed25519_enabled) {
504 if (sigalg == sigalgs[i]) {
509 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
510 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
514 // tls_extension represents a TLS extension that is handled internally. The
515 // |init| function is called for each handshake, before any other functions of
516 // the extension. Then the add and parse callbacks are called as needed.
518 // The parse callbacks receive a |CBS| that contains the contents of the
519 // extension (i.e. not including the type and length bytes). If an extension is
520 // not received then the parse callbacks will be called with a NULL CBS so that
521 // they can do any processing needed to handle the absence of an extension.
523 // The add callbacks receive a |CBB| to which the extension can be appended but
524 // the function is responsible for appending the type and length bytes too.
526 // All callbacks return true for success and false for error. If a parse
527 // function returns zero then a fatal alert with value |*out_alert| will be
528 // sent. If |*out_alert| isn't set, then a |decode_error| alert will be sent.
529 struct tls_extension {
531 void (*init)(SSL_HANDSHAKE *hs);
533 bool (*add_clienthello)(SSL_HANDSHAKE *hs, CBB *out);
534 bool (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
537 bool (*parse_clienthello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
539 bool (*add_serverhello)(SSL_HANDSHAKE *hs, CBB *out);
542 static bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
544 if (contents != NULL) {
545 // Servers MUST NOT send this extension.
546 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
547 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
554 static bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
556 // This extension from the client is handled elsewhere.
560 static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
564 // Server name indication (SNI).
566 // https://tools.ietf.org/html/rfc6066#section-3.
568 static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
569 SSL *const ssl = hs->ssl;
570 if (ssl->tlsext_hostname == NULL) {
574 CBB contents, server_name_list, name;
575 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
576 !CBB_add_u16_length_prefixed(out, &contents) ||
577 !CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
578 !CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
579 !CBB_add_u16_length_prefixed(&server_name_list, &name) ||
580 !CBB_add_bytes(&name, (const uint8_t *)ssl->tlsext_hostname,
581 strlen(ssl->tlsext_hostname)) ||
589 static bool ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
591 // The server may acknowledge SNI with an empty extension. We check the syntax
592 // but otherwise ignore this signal.
593 return contents == NULL || CBS_len(contents) == 0;
596 static bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
598 SSL *const ssl = hs->ssl;
599 if (contents == NULL) {
603 CBS server_name_list, host_name;
605 if (!CBS_get_u16_length_prefixed(contents, &server_name_list) ||
606 !CBS_get_u8(&server_name_list, &name_type) ||
607 // Although the server_name extension was intended to be extensible to
608 // new name types and multiple names, OpenSSL 1.0.x had a bug which meant
609 // different name types will cause an error. Further, RFC 4366 originally
610 // defined syntax inextensibly. RFC 6066 corrected this mistake, but
611 // adding new name types is no longer feasible.
613 // Act as if the extensibility does not exist to simplify parsing.
614 !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
615 CBS_len(&server_name_list) != 0 ||
616 CBS_len(contents) != 0) {
620 if (name_type != TLSEXT_NAMETYPE_host_name ||
621 CBS_len(&host_name) == 0 ||
622 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
623 CBS_contains_zero_byte(&host_name)) {
624 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
628 // Copy the hostname as a string.
630 if (!CBS_strdup(&host_name, &raw)) {
631 *out_alert = SSL_AD_INTERNAL_ERROR;
634 ssl->s3->hostname.reset(raw);
636 hs->should_ack_sni = true;
640 static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
641 if (hs->ssl->s3->session_reused ||
642 !hs->should_ack_sni) {
646 if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||
647 !CBB_add_u16(out, 0 /* length */)) {
655 // Renegotiation indication.
657 // https://tools.ietf.org/html/rfc5746
659 static bool ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
660 SSL *const ssl = hs->ssl;
661 // Renegotiation indication is not necessary in TLS 1.3.
662 if (hs->min_version >= TLS1_3_VERSION) {
666 assert(ssl->s3->initial_handshake_complete ==
667 (ssl->s3->previous_client_finished_len != 0));
669 CBB contents, prev_finished;
670 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
671 !CBB_add_u16_length_prefixed(out, &contents) ||
672 !CBB_add_u8_length_prefixed(&contents, &prev_finished) ||
673 !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished,
674 ssl->s3->previous_client_finished_len) ||
682 static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
684 SSL *const ssl = hs->ssl;
685 if (contents != NULL && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
686 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
690 // Servers may not switch between omitting the extension and supporting it.
691 // See RFC 5746, sections 3.5 and 4.2.
692 if (ssl->s3->initial_handshake_complete &&
693 (contents != NULL) != ssl->s3->send_connection_binding) {
694 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
695 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
699 if (contents == NULL) {
700 // Strictly speaking, if we want to avoid an attack we should *always* see
701 // RI even on initial ServerHello because the client doesn't see any
702 // renegotiation during an attack. However this would mean we could not
703 // connect to any server which doesn't support RI.
705 // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in
706 // practical terms every client sets it so it's just assumed here.
710 const size_t expected_len = ssl->s3->previous_client_finished_len +
711 ssl->s3->previous_server_finished_len;
713 // Check for logic errors
714 assert(!expected_len || ssl->s3->previous_client_finished_len);
715 assert(!expected_len || ssl->s3->previous_server_finished_len);
716 assert(ssl->s3->initial_handshake_complete ==
717 (ssl->s3->previous_client_finished_len != 0));
718 assert(ssl->s3->initial_handshake_complete ==
719 (ssl->s3->previous_server_finished_len != 0));
721 // Parse out the extension contents.
722 CBS renegotiated_connection;
723 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
724 CBS_len(contents) != 0) {
725 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
726 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
730 // Check that the extension matches.
731 if (CBS_len(&renegotiated_connection) != expected_len) {
732 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
733 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
737 const uint8_t *d = CBS_data(&renegotiated_connection);
738 bool ok = CRYPTO_memcmp(d, ssl->s3->previous_client_finished,
739 ssl->s3->previous_client_finished_len) == 0;
740 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
744 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
745 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
748 d += ssl->s3->previous_client_finished_len;
750 ok = CRYPTO_memcmp(d, ssl->s3->previous_server_finished,
751 ssl->s3->previous_server_finished_len) == 0;
752 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
756 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
757 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
760 ssl->s3->send_connection_binding = true;
765 static bool ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
767 SSL *const ssl = hs->ssl;
768 // Renegotiation isn't supported as a server so this function should never be
769 // called after the initial handshake.
770 assert(!ssl->s3->initial_handshake_complete);
772 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
776 if (contents == NULL) {
780 CBS renegotiated_connection;
781 if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
782 CBS_len(contents) != 0) {
783 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
787 // Check that the extension matches. We do not support renegotiation as a
788 // server, so this must be empty.
789 if (CBS_len(&renegotiated_connection) != 0) {
790 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
791 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
795 ssl->s3->send_connection_binding = true;
800 static bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
801 SSL *const ssl = hs->ssl;
802 // Renegotiation isn't supported as a server so this function should never be
803 // called after the initial handshake.
804 assert(!ssl->s3->initial_handshake_complete);
806 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
810 if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||
811 !CBB_add_u16(out, 1 /* length */) ||
812 !CBB_add_u8(out, 0 /* empty renegotiation info */)) {
820 // Extended Master Secret.
822 // https://tools.ietf.org/html/rfc7627
824 static bool ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
825 // Extended master secret is not necessary in TLS 1.3.
826 if (hs->min_version >= TLS1_3_VERSION || hs->max_version <= SSL3_VERSION) {
830 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
831 !CBB_add_u16(out, 0 /* length */)) {
838 static bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
840 SSL *const ssl = hs->ssl;
842 if (contents != NULL) {
843 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
844 ssl->version == SSL3_VERSION ||
845 CBS_len(contents) != 0) {
849 hs->extended_master_secret = true;
852 // Whether EMS is negotiated may not change on renegotiation.
853 if (ssl->s3->established_session != nullptr &&
854 hs->extended_master_secret !=
855 !!ssl->s3->established_session->extended_master_secret) {
856 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH);
857 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
864 static bool ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
866 uint16_t version = ssl_protocol_version(hs->ssl);
867 if (version >= TLS1_3_VERSION ||
868 version == SSL3_VERSION) {
872 if (contents == NULL) {
876 if (CBS_len(contents) != 0) {
880 hs->extended_master_secret = true;
884 static bool ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
885 if (!hs->extended_master_secret) {
889 if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||
890 !CBB_add_u16(out, 0 /* length */)) {
900 // https://tools.ietf.org/html/rfc5077
902 static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
903 SSL *const ssl = hs->ssl;
904 // TLS 1.3 uses a different ticket extension.
905 if (hs->min_version >= TLS1_3_VERSION ||
906 SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
910 const uint8_t *ticket_data = NULL;
913 // Renegotiation does not participate in session resumption. However, still
914 // advertise the extension to avoid potentially breaking servers which carry
915 // over the state from the previous handshake, such as OpenSSL servers
916 // without upstream's 3c3f0259238594d77264a78944d409f2127642c4.
917 if (!ssl->s3->initial_handshake_complete &&
918 ssl->session != NULL &&
919 ssl->session->tlsext_tick != NULL &&
920 // Don't send TLS 1.3 session tickets in the ticket extension.
921 ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) {
922 ticket_data = ssl->session->tlsext_tick;
923 ticket_len = ssl->session->tlsext_ticklen;
927 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
928 !CBB_add_u16_length_prefixed(out, &ticket) ||
929 !CBB_add_bytes(&ticket, ticket_data, ticket_len) ||
937 static bool ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
939 SSL *const ssl = hs->ssl;
940 if (contents == NULL) {
944 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
948 // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
949 // this function should never be called, even if the server tries to send the
951 assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);
953 if (CBS_len(contents) != 0) {
957 hs->ticket_expected = true;
961 static bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
962 if (!hs->ticket_expected) {
966 // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true.
967 assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0);
969 if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
970 !CBB_add_u16(out, 0 /* length */)) {
978 // Signature Algorithms.
980 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
982 static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
983 SSL *const ssl = hs->ssl;
984 if (hs->max_version < TLS1_2_VERSION) {
988 CBB contents, sigalgs_cbb;
989 if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
990 !CBB_add_u16_length_prefixed(out, &contents) ||
991 !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
992 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb) ||
1000 static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1002 hs->peer_sigalgs.Reset();
1003 if (contents == NULL) {
1007 CBS supported_signature_algorithms;
1008 if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) ||
1009 CBS_len(contents) != 0 ||
1010 CBS_len(&supported_signature_algorithms) == 0 ||
1011 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
1021 // https://tools.ietf.org/html/rfc6066#section-8
1023 static bool ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1024 SSL *const ssl = hs->ssl;
1025 if (!ssl->ocsp_stapling_enabled) {
1030 if (!CBB_add_u16(out, TLSEXT_TYPE_status_request) ||
1031 !CBB_add_u16_length_prefixed(out, &contents) ||
1032 !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
1033 !CBB_add_u16(&contents, 0 /* empty responder ID list */) ||
1034 !CBB_add_u16(&contents, 0 /* empty request extensions */) ||
1042 static bool ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1044 SSL *const ssl = hs->ssl;
1045 if (contents == NULL) {
1049 // TLS 1.3 OCSP responses are included in the Certificate extensions.
1050 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1054 // OCSP stapling is forbidden on non-certificate ciphers.
1055 if (CBS_len(contents) != 0 ||
1056 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1060 // Note this does not check for resumption in TLS 1.2. Sending
1061 // status_request here does not make sense, but OpenSSL does so and the
1062 // specification does not say anything. Tolerate it but ignore it.
1064 hs->certificate_status_expected = true;
1068 static bool ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1070 if (contents == NULL) {
1074 uint8_t status_type;
1075 if (!CBS_get_u8(contents, &status_type)) {
1079 // We cannot decide whether OCSP stapling will occur yet because the correct
1080 // SSL_CTX might not have been selected.
1081 hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
1086 static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1087 SSL *const ssl = hs->ssl;
1088 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
1089 !hs->ocsp_stapling_requested ||
1090 ssl->cert->ocsp_response == NULL ||
1091 ssl->s3->session_reused ||
1092 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1096 hs->certificate_status_expected = true;
1098 return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
1099 CBB_add_u16(out, 0 /* length */);
1103 // Next protocol negotiation.
1105 // https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html
1107 static bool ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1108 SSL *const ssl = hs->ssl;
1109 if (ssl->s3->initial_handshake_complete ||
1110 ssl->ctx->next_proto_select_cb == NULL ||
1115 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1116 !CBB_add_u16(out, 0 /* length */)) {
1123 static bool ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1125 SSL *const ssl = hs->ssl;
1126 if (contents == NULL) {
1130 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1134 // If any of these are false then we should never have sent the NPN
1135 // extension in the ClientHello and thus this function should never have been
1137 assert(!ssl->s3->initial_handshake_complete);
1138 assert(!SSL_is_dtls(ssl));
1139 assert(ssl->ctx->next_proto_select_cb != NULL);
1141 if (!ssl->s3->alpn_selected.empty()) {
1142 // NPN and ALPN may not be negotiated in the same connection.
1143 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1144 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1148 const uint8_t *const orig_contents = CBS_data(contents);
1149 const size_t orig_len = CBS_len(contents);
1151 while (CBS_len(contents) != 0) {
1153 if (!CBS_get_u8_length_prefixed(contents, &proto) ||
1154 CBS_len(&proto) == 0) {
1160 uint8_t selected_len;
1161 if (ssl->ctx->next_proto_select_cb(
1162 ssl, &selected, &selected_len, orig_contents, orig_len,
1163 ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK ||
1164 !ssl->s3->next_proto_negotiated.CopyFrom(
1165 MakeConstSpan(selected, selected_len))) {
1166 *out_alert = SSL_AD_INTERNAL_ERROR;
1170 hs->next_proto_neg_seen = true;
1174 static bool ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1176 SSL *const ssl = hs->ssl;
1177 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1181 if (contents != NULL && CBS_len(contents) != 0) {
1185 if (contents == NULL ||
1186 ssl->s3->initial_handshake_complete ||
1187 ssl->ctx->next_protos_advertised_cb == NULL ||
1192 hs->next_proto_neg_seen = true;
1196 static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1197 SSL *const ssl = hs->ssl;
1198 // |next_proto_neg_seen| might have been cleared when an ALPN extension was
1200 if (!hs->next_proto_neg_seen) {
1207 if (ssl->ctx->next_protos_advertised_cb(
1208 ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) !=
1209 SSL_TLSEXT_ERR_OK) {
1210 hs->next_proto_neg_seen = false;
1215 if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
1216 !CBB_add_u16_length_prefixed(out, &contents) ||
1217 !CBB_add_bytes(&contents, npa, npa_len) ||
1226 // Signed certificate timestamps.
1228 // https://tools.ietf.org/html/rfc6962#section-3.3.1
1230 static bool ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1231 SSL *const ssl = hs->ssl;
1232 if (!ssl->signed_cert_timestamps_enabled) {
1236 if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) ||
1237 !CBB_add_u16(out, 0 /* length */)) {
1244 static bool ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1246 SSL *const ssl = hs->ssl;
1247 if (contents == NULL) {
1251 // TLS 1.3 SCTs are included in the Certificate extensions.
1252 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1253 *out_alert = SSL_AD_DECODE_ERROR;
1257 // If this is false then we should never have sent the SCT extension in the
1258 // ClientHello and thus this function should never have been called.
1259 assert(ssl->signed_cert_timestamps_enabled);
1261 if (!ssl_is_sct_list_valid(contents)) {
1262 *out_alert = SSL_AD_DECODE_ERROR;
1266 // Session resumption uses the original session information. The extension
1267 // should not be sent on resumption, but RFC 6962 did not make it a
1268 // requirement, so tolerate this.
1270 // TODO(davidben): Enforce this anyway.
1271 if (!ssl->s3->session_reused) {
1272 CRYPTO_BUFFER_free(hs->new_session->signed_cert_timestamp_list);
1273 hs->new_session->signed_cert_timestamp_list =
1274 CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool);
1275 if (hs->new_session->signed_cert_timestamp_list == nullptr) {
1276 *out_alert = SSL_AD_INTERNAL_ERROR;
1284 static bool ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1286 if (contents == NULL) {
1290 if (CBS_len(contents) != 0) {
1294 hs->scts_requested = true;
1298 static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1299 SSL *const ssl = hs->ssl;
1300 // The extension shouldn't be sent when resuming sessions.
1301 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
1302 ssl->s3->session_reused ||
1303 ssl->cert->signed_cert_timestamp_list == NULL) {
1308 return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) &&
1309 CBB_add_u16_length_prefixed(out, &contents) &&
1312 CRYPTO_BUFFER_data(ssl->cert->signed_cert_timestamp_list),
1313 CRYPTO_BUFFER_len(ssl->cert->signed_cert_timestamp_list)) &&
1318 // Application-level Protocol Negotiation.
1320 // https://tools.ietf.org/html/rfc7301
1322 static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1323 SSL *const ssl = hs->ssl;
1324 if (ssl->alpn_client_proto_list == NULL ||
1325 ssl->s3->initial_handshake_complete) {
1329 CBB contents, proto_list;
1330 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1331 !CBB_add_u16_length_prefixed(out, &contents) ||
1332 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1333 !CBB_add_bytes(&proto_list, ssl->alpn_client_proto_list,
1334 ssl->alpn_client_proto_list_len) ||
1342 static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1344 SSL *const ssl = hs->ssl;
1345 if (contents == NULL) {
1349 assert(!ssl->s3->initial_handshake_complete);
1350 assert(ssl->alpn_client_proto_list != NULL);
1352 if (hs->next_proto_neg_seen) {
1353 // NPN and ALPN may not be negotiated in the same connection.
1354 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1355 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
1359 // The extension data consists of a ProtocolNameList which must have
1360 // exactly one ProtocolName. Each of these is length-prefixed.
1361 CBS protocol_name_list, protocol_name;
1362 if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
1363 CBS_len(contents) != 0 ||
1364 !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
1365 // Empty protocol names are forbidden.
1366 CBS_len(&protocol_name) == 0 ||
1367 CBS_len(&protocol_name_list) != 0) {
1371 if (!ssl_is_alpn_protocol_allowed(ssl, protocol_name)) {
1372 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
1373 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1377 if (!ssl->s3->alpn_selected.CopyFrom(protocol_name)) {
1378 *out_alert = SSL_AD_INTERNAL_ERROR;
1385 bool ssl_is_alpn_protocol_allowed(const SSL *ssl,
1386 Span<const uint8_t> protocol) {
1387 if (ssl->alpn_client_proto_list == nullptr) {
1391 if (ssl->ctx->allow_unknown_alpn_protos) {
1395 // Check that the protocol name is one of the ones we advertised.
1396 CBS client_protocol_name_list, client_protocol_name;
1397 CBS_init(&client_protocol_name_list, ssl->alpn_client_proto_list,
1398 ssl->alpn_client_proto_list_len);
1399 while (CBS_len(&client_protocol_name_list) > 0) {
1400 if (!CBS_get_u8_length_prefixed(&client_protocol_name_list,
1401 &client_protocol_name)) {
1405 if (client_protocol_name == protocol) {
1413 bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1414 const SSL_CLIENT_HELLO *client_hello) {
1415 SSL *const ssl = hs->ssl;
1417 if (ssl->ctx->alpn_select_cb == NULL ||
1418 !ssl_client_hello_get_extension(
1419 client_hello, &contents,
1420 TLSEXT_TYPE_application_layer_protocol_negotiation)) {
1421 // Ignore ALPN if not configured or no extension was supplied.
1425 // ALPN takes precedence over NPN.
1426 hs->next_proto_neg_seen = false;
1428 CBS protocol_name_list;
1429 if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
1430 CBS_len(&contents) != 0 ||
1431 CBS_len(&protocol_name_list) < 2) {
1432 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1433 *out_alert = SSL_AD_DECODE_ERROR;
1437 // Validate the protocol list.
1438 CBS protocol_name_list_copy = protocol_name_list;
1439 while (CBS_len(&protocol_name_list_copy) > 0) {
1442 if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
1443 // Empty protocol names are forbidden.
1444 CBS_len(&protocol_name) == 0) {
1445 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
1446 *out_alert = SSL_AD_DECODE_ERROR;
1451 const uint8_t *selected;
1452 uint8_t selected_len;
1453 if (ssl->ctx->alpn_select_cb(
1454 ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
1455 CBS_len(&protocol_name_list),
1456 ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) {
1457 if (!ssl->s3->alpn_selected.CopyFrom(
1458 MakeConstSpan(selected, selected_len))) {
1459 *out_alert = SSL_AD_INTERNAL_ERROR;
1467 static bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1468 SSL *const ssl = hs->ssl;
1469 if (ssl->s3->alpn_selected.empty()) {
1473 CBB contents, proto_list, proto;
1474 if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
1475 !CBB_add_u16_length_prefixed(out, &contents) ||
1476 !CBB_add_u16_length_prefixed(&contents, &proto_list) ||
1477 !CBB_add_u8_length_prefixed(&proto_list, &proto) ||
1478 !CBB_add_bytes(&proto, ssl->s3->alpn_selected.data(),
1479 ssl->s3->alpn_selected.size()) ||
1490 // https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1492 static void ext_channel_id_init(SSL_HANDSHAKE *hs) {
1493 hs->ssl->s3->tlsext_channel_id_valid = false;
1496 static bool ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1497 SSL *const ssl = hs->ssl;
1498 if (!ssl->tlsext_channel_id_enabled ||
1503 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1504 !CBB_add_u16(out, 0 /* length */)) {
1511 static bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,
1514 SSL *const ssl = hs->ssl;
1515 if (contents == NULL) {
1519 assert(!SSL_is_dtls(ssl));
1520 assert(ssl->tlsext_channel_id_enabled);
1522 if (CBS_len(contents) != 0) {
1526 ssl->s3->tlsext_channel_id_valid = true;
1530 static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
1533 SSL *const ssl = hs->ssl;
1534 if (contents == NULL ||
1535 !ssl->tlsext_channel_id_enabled ||
1540 if (CBS_len(contents) != 0) {
1544 ssl->s3->tlsext_channel_id_valid = true;
1548 static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1549 SSL *const ssl = hs->ssl;
1550 if (!ssl->s3->tlsext_channel_id_valid) {
1554 if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
1555 !CBB_add_u16(out, 0 /* length */)) {
1563 // Secure Real-time Transport Protocol (SRTP) extension.
1565 // https://tools.ietf.org/html/rfc5764
1568 static void ext_srtp_init(SSL_HANDSHAKE *hs) {
1569 hs->ssl->srtp_profile = NULL;
1572 static bool ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1573 SSL *const ssl = hs->ssl;
1574 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1575 if (profiles == NULL ||
1576 sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0) {
1580 CBB contents, profile_ids;
1581 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1582 !CBB_add_u16_length_prefixed(out, &contents) ||
1583 !CBB_add_u16_length_prefixed(&contents, &profile_ids)) {
1587 for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1588 if (!CBB_add_u16(&profile_ids, profile->id)) {
1593 if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) ||
1601 static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1603 SSL *const ssl = hs->ssl;
1604 if (contents == NULL) {
1608 // The extension consists of a u16-prefixed profile ID list containing a
1609 // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
1611 // See https://tools.ietf.org/html/rfc5764#section-4.1.1
1612 CBS profile_ids, srtp_mki;
1613 uint16_t profile_id;
1614 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1615 !CBS_get_u16(&profile_ids, &profile_id) ||
1616 CBS_len(&profile_ids) != 0 ||
1617 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1618 CBS_len(contents) != 0) {
1619 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1623 if (CBS_len(&srtp_mki) != 0) {
1624 // Must be no MKI, since we never offer one.
1625 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);
1626 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1630 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
1632 // Check to see if the server gave us something we support (and presumably
1634 for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
1635 if (profile->id == profile_id) {
1636 ssl->srtp_profile = profile;
1641 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1642 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1646 static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1648 SSL *const ssl = hs->ssl;
1649 if (contents == NULL) {
1653 CBS profile_ids, srtp_mki;
1654 if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
1655 CBS_len(&profile_ids) < 2 ||
1656 !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
1657 CBS_len(contents) != 0) {
1658 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1661 // Discard the MKI value for now.
1663 const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =
1664 SSL_get_srtp_profiles(ssl);
1666 // Pick the server's most preferred profile.
1667 for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) {
1668 CBS profile_ids_tmp;
1669 CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids));
1671 while (CBS_len(&profile_ids_tmp) > 0) {
1672 uint16_t profile_id;
1673 if (!CBS_get_u16(&profile_ids_tmp, &profile_id)) {
1677 if (server_profile->id == profile_id) {
1678 ssl->srtp_profile = server_profile;
1687 static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1688 SSL *const ssl = hs->ssl;
1689 if (ssl->srtp_profile == NULL) {
1693 CBB contents, profile_ids;
1694 if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
1695 !CBB_add_u16_length_prefixed(out, &contents) ||
1696 !CBB_add_u16_length_prefixed(&contents, &profile_ids) ||
1697 !CBB_add_u16(&profile_ids, ssl->srtp_profile->id) ||
1698 !CBB_add_u8(&contents, 0 /* empty MKI */) ||
1707 // EC point formats.
1709 // https://tools.ietf.org/html/rfc4492#section-5.1.2
1711 static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
1712 CBB contents, formats;
1713 if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) ||
1714 !CBB_add_u16_length_prefixed(out, &contents) ||
1715 !CBB_add_u8_length_prefixed(&contents, &formats) ||
1716 !CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) ||
1724 static bool ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1725 // The point format extension is unneccessary in TLS 1.3.
1726 if (hs->min_version >= TLS1_3_VERSION) {
1730 return ext_ec_point_add_extension(hs, out);
1733 static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1735 if (contents == NULL) {
1739 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1743 CBS ec_point_format_list;
1744 if (!CBS_get_u8_length_prefixed(contents, &ec_point_format_list) ||
1745 CBS_len(contents) != 0) {
1749 // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
1751 if (OPENSSL_memchr(CBS_data(&ec_point_format_list),
1752 TLSEXT_ECPOINTFORMAT_uncompressed,
1753 CBS_len(&ec_point_format_list)) == NULL) {
1754 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1761 static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
1763 if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
1767 return ext_ec_point_parse_serverhello(hs, out_alert, contents);
1770 static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1771 SSL *const ssl = hs->ssl;
1772 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
1776 const uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1777 const uint32_t alg_a = hs->new_cipher->algorithm_auth;
1778 const bool using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
1784 return ext_ec_point_add_extension(hs, out);
1790 // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6
1792 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
1793 SSL *const ssl = hs->ssl;
1794 if (hs->max_version < TLS1_3_VERSION || ssl->session == NULL ||
1795 ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) {
1799 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session));
1800 return 15 + ssl->session->tlsext_ticklen + binder_len;
1803 static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1804 SSL *const ssl = hs->ssl;
1805 hs->needs_psk_binder = false;
1806 if (hs->max_version < TLS1_3_VERSION || ssl->session == NULL ||
1807 ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) {
1811 // Per draft-ietf-tls-tls13-21 section 4.1.4, skip offering the session if the
1812 // selected cipher in HelloRetryRequest does not match. This avoids performing
1813 // the transcript hash transformation for multiple hashes.
1814 if (hs->received_hello_retry_request &&
1815 ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
1819 struct OPENSSL_timeval now;
1820 ssl_get_current_time(ssl, &now);
1821 uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time);
1822 uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add;
1824 // Fill in a placeholder zero binder of the appropriate length. It will be
1825 // computed and filled in later after length prefixes are computed.
1826 uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
1827 size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session));
1829 CBB contents, identity, ticket, binders, binder;
1830 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1831 !CBB_add_u16_length_prefixed(out, &contents) ||
1832 !CBB_add_u16_length_prefixed(&contents, &identity) ||
1833 !CBB_add_u16_length_prefixed(&identity, &ticket) ||
1834 !CBB_add_bytes(&ticket, ssl->session->tlsext_tick,
1835 ssl->session->tlsext_ticklen) ||
1836 !CBB_add_u32(&identity, obfuscated_ticket_age) ||
1837 !CBB_add_u16_length_prefixed(&contents, &binders) ||
1838 !CBB_add_u8_length_prefixed(&binders, &binder) ||
1839 !CBB_add_bytes(&binder, zero_binder, binder_len)) {
1843 hs->needs_psk_binder = true;
1844 return CBB_flush(out);
1847 bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
1851 if (!CBS_get_u16(contents, &psk_id) ||
1852 CBS_len(contents) != 0) {
1853 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1854 *out_alert = SSL_AD_DECODE_ERROR;
1858 // We only advertise one PSK identity, so the only legal index is zero.
1860 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1861 *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY;
1868 bool ssl_ext_pre_shared_key_parse_clienthello(
1869 SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,
1870 uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents) {
1871 // We only process the first PSK identity since we don't support pure PSK.
1872 CBS identities, binders;
1873 if (!CBS_get_u16_length_prefixed(contents, &identities) ||
1874 !CBS_get_u16_length_prefixed(&identities, out_ticket) ||
1875 !CBS_get_u32(&identities, out_obfuscated_ticket_age) ||
1876 !CBS_get_u16_length_prefixed(contents, &binders) ||
1877 CBS_len(&binders) == 0 ||
1878 CBS_len(contents) != 0) {
1879 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1880 *out_alert = SSL_AD_DECODE_ERROR;
1884 *out_binders = binders;
1886 // Check the syntax of the remaining identities, but do not process them.
1887 size_t num_identities = 1;
1888 while (CBS_len(&identities) != 0) {
1890 uint32_t unused_obfuscated_ticket_age;
1891 if (!CBS_get_u16_length_prefixed(&identities, &unused_ticket) ||
1892 !CBS_get_u32(&identities, &unused_obfuscated_ticket_age)) {
1893 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1894 *out_alert = SSL_AD_DECODE_ERROR;
1901 // Check the syntax of the binders. The value will be checked later if
1903 size_t num_binders = 0;
1904 while (CBS_len(&binders) != 0) {
1906 if (!CBS_get_u8_length_prefixed(&binders, &binder)) {
1907 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1908 *out_alert = SSL_AD_DECODE_ERROR;
1915 if (num_identities != num_binders) {
1916 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH);
1917 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
1924 bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
1925 if (!hs->ssl->s3->session_reused) {
1930 if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
1931 !CBB_add_u16_length_prefixed(out, &contents) ||
1932 // We only consider the first identity for resumption
1933 !CBB_add_u16(&contents, 0) ||
1942 // Pre-Shared Key Exchange Modes
1944 // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7
1946 static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
1948 if (hs->max_version < TLS1_3_VERSION) {
1952 CBB contents, ke_modes;
1953 if (!CBB_add_u16(out, TLSEXT_TYPE_psk_key_exchange_modes) ||
1954 !CBB_add_u16_length_prefixed(out, &contents) ||
1955 !CBB_add_u8_length_prefixed(&contents, &ke_modes) ||
1956 !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) {
1960 return CBB_flush(out);
1963 static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
1966 if (contents == NULL) {
1971 if (!CBS_get_u8_length_prefixed(contents, &ke_modes) ||
1972 CBS_len(&ke_modes) == 0 ||
1973 CBS_len(contents) != 0) {
1974 *out_alert = SSL_AD_DECODE_ERROR;
1978 // We only support tickets with PSK_DHE_KE.
1979 hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE,
1980 CBS_len(&ke_modes)) != NULL;
1986 // Early Data Indication
1988 // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8
1990 static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
1991 SSL *const ssl = hs->ssl;
1992 if (!ssl->cert->enable_early_data ||
1993 // Session must be 0-RTT capable.
1994 ssl->session == NULL ||
1995 ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION ||
1996 ssl->session->ticket_max_early_data == 0 ||
1997 // The second ClientHello never offers early data.
1998 hs->received_hello_retry_request ||
1999 // In case ALPN preferences changed since this session was established,
2000 // avoid reporting a confusing value in |SSL_get0_alpn_selected|.
2001 (ssl->session->early_alpn_len != 0 &&
2002 !ssl_is_alpn_protocol_allowed(
2003 ssl, MakeConstSpan(ssl->session->early_alpn,
2004 ssl->session->early_alpn_len)))) {
2008 hs->early_data_offered = true;
2010 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2011 !CBB_add_u16(out, 0) ||
2019 static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
2020 uint8_t *out_alert, CBS *contents) {
2021 SSL *const ssl = hs->ssl;
2022 if (contents == NULL) {
2026 if (CBS_len(contents) != 0) {
2027 *out_alert = SSL_AD_DECODE_ERROR;
2031 if (!ssl->s3->session_reused) {
2032 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2033 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
2037 ssl->s3->early_data_accepted = true;
2041 static bool ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs,
2042 uint8_t *out_alert, CBS *contents) {
2043 SSL *const ssl = hs->ssl;
2044 if (contents == NULL ||
2045 ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2049 if (CBS_len(contents) != 0) {
2050 *out_alert = SSL_AD_DECODE_ERROR;
2054 hs->early_data_offered = true;
2058 static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2059 if (!hs->ssl->s3->early_data_accepted) {
2063 if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
2064 !CBB_add_u16(out, 0) ||
2075 // https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5
2077 static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2078 SSL *const ssl = hs->ssl;
2079 if (hs->max_version < TLS1_3_VERSION) {
2083 CBB contents, kse_bytes;
2084 if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2085 !CBB_add_u16_length_prefixed(out, &contents) ||
2086 !CBB_add_u16_length_prefixed(&contents, &kse_bytes)) {
2090 uint16_t group_id = hs->retry_group;
2091 if (hs->received_hello_retry_request) {
2092 // We received a HelloRetryRequest without a new curve, so there is no new
2093 // share to append. Leave |hs->key_share| as-is.
2094 if (group_id == 0 &&
2095 !CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(),
2096 hs->key_share_bytes.size())) {
2099 hs->key_share_bytes.Reset();
2100 if (group_id == 0) {
2101 return CBB_flush(out);
2104 // Add a fake group. See draft-davidben-tls-grease-01.
2105 if (ssl->ctx->grease_enabled &&
2106 (!CBB_add_u16(&kse_bytes,
2107 ssl_get_grease_value(hs, ssl_grease_group)) ||
2108 !CBB_add_u16(&kse_bytes, 1 /* length */) ||
2109 !CBB_add_u8(&kse_bytes, 0 /* one byte key share */))) {
2113 // Predict the most preferred group.
2114 Span<const uint16_t> groups = tls1_get_grouplist(ssl);
2115 if (groups.empty()) {
2116 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED);
2120 group_id = groups[0];
2123 hs->key_share = SSLKeyShare::Create(group_id);
2125 if (!hs->key_share ||
2126 !CBB_add_u16(&kse_bytes, group_id) ||
2127 !CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
2128 !hs->key_share->Offer(&key_exchange) ||
2129 !CBB_flush(&kse_bytes)) {
2133 // Save the contents of the extension to repeat it in the second ClientHello.
2134 if (!hs->received_hello_retry_request &&
2135 !hs->key_share_bytes.CopyFrom(
2136 MakeConstSpan(CBB_data(&kse_bytes), CBB_len(&kse_bytes)))) {
2140 return CBB_flush(out);
2143 bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
2144 Array<uint8_t> *out_secret,
2145 uint8_t *out_alert, CBS *contents) {
2148 if (!CBS_get_u16(contents, &group_id) ||
2149 !CBS_get_u16_length_prefixed(contents, &peer_key) ||
2150 CBS_len(contents) != 0) {
2151 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2152 *out_alert = SSL_AD_DECODE_ERROR;
2156 if (hs->key_share->GroupID() != group_id) {
2157 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2158 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
2162 if (!hs->key_share->Finish(out_secret, out_alert, peer_key)) {
2163 *out_alert = SSL_AD_INTERNAL_ERROR;
2167 hs->new_session->group_id = group_id;
2168 hs->key_share.reset();
2172 bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
2173 Array<uint8_t> *out_secret,
2174 uint8_t *out_alert, CBS *contents) {
2177 if (!tls1_get_shared_group(hs, &group_id)) {
2178 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
2179 *out_alert = SSL_AD_HANDSHAKE_FAILURE;
2183 if (!CBS_get_u16_length_prefixed(contents, &key_shares) ||
2184 CBS_len(contents) != 0) {
2185 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2189 // Find the corresponding key share.
2191 CBS_init(&peer_key, NULL, 0);
2192 while (CBS_len(&key_shares) > 0) {
2195 if (!CBS_get_u16(&key_shares, &id) ||
2196 !CBS_get_u16_length_prefixed(&key_shares, &peer_key_tmp) ||
2197 CBS_len(&peer_key_tmp) == 0) {
2198 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2202 if (id == group_id) {
2203 if (CBS_len(&peer_key) != 0) {
2204 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_KEY_SHARE);
2205 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2209 peer_key = peer_key_tmp;
2210 // Continue parsing the structure to keep peers honest.
2214 if (CBS_len(&peer_key) == 0) {
2216 out_secret->Reset();
2220 // Compute the DH secret.
2221 Array<uint8_t> secret;
2222 ScopedCBB public_key;
2223 UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
2225 !CBB_init(public_key.get(), 32) ||
2226 !key_share->Accept(public_key.get(), &secret, out_alert, peer_key) ||
2227 !CBBFinishArray(public_key.get(), &hs->ecdh_public_key)) {
2228 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2232 *out_secret = std::move(secret);
2237 bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2239 CBB kse_bytes, public_key;
2240 if (!tls1_get_shared_group(hs, &group_id) ||
2241 !CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
2242 !CBB_add_u16_length_prefixed(out, &kse_bytes) ||
2243 !CBB_add_u16(&kse_bytes, group_id) ||
2244 !CBB_add_u16_length_prefixed(&kse_bytes, &public_key) ||
2245 !CBB_add_bytes(&public_key, hs->ecdh_public_key.data(),
2246 hs->ecdh_public_key.size()) ||
2251 hs->ecdh_public_key.Reset();
2253 hs->new_session->group_id = group_id;
2258 // Supported Versions
2260 // https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1
2262 static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2263 SSL *const ssl = hs->ssl;
2264 if (hs->max_version <= TLS1_2_VERSION) {
2268 CBB contents, versions;
2269 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
2270 !CBB_add_u16_length_prefixed(out, &contents) ||
2271 !CBB_add_u8_length_prefixed(&contents, &versions)) {
2275 // Add a fake version. See draft-davidben-tls-grease-01.
2276 if (ssl->ctx->grease_enabled &&
2277 !CBB_add_u16(&versions, ssl_get_grease_value(hs, ssl_grease_version))) {
2281 if (!ssl_add_supported_versions(hs, &versions) ||
2292 // https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2
2294 static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2295 if (hs->cookie.empty()) {
2299 CBB contents, cookie;
2300 if (!CBB_add_u16(out, TLSEXT_TYPE_cookie) ||
2301 !CBB_add_u16_length_prefixed(out, &contents) ||
2302 !CBB_add_u16_length_prefixed(&contents, &cookie) ||
2303 !CBB_add_bytes(&cookie, hs->cookie.data(), hs->cookie.size()) ||
2308 // The cookie is no longer needed in memory.
2314 // Dummy PQ Padding extension
2316 // Dummy post-quantum padding invovles the client (and later server) sending
2317 // useless, random-looking bytes in an extension in their ClientHello or
2318 // ServerHello. These extensions are sized to simulate a post-quantum
2319 // key-exchange and so enable measurement of the latency impact of the
2320 // additional bandwidth.
2322 static bool ext_dummy_pq_padding_add(CBB *out, size_t len) {
2325 if (!CBB_add_u16(out, TLSEXT_TYPE_dummy_pq_padding) ||
2326 !CBB_add_u16_length_prefixed(out, &contents) ||
2327 !CBB_add_space(&contents, &buffer, len)) {
2331 // The length is used as the nonce so that different length extensions have
2332 // different contents. There's no reason this has to be the case, it just
2333 // makes things a little more obvious in a packet dump.
2334 uint8_t nonce[12] = {0};
2335 memcpy(nonce, &len, sizeof(len));
2337 memset(buffer, 0, len);
2338 static const uint8_t kZeroKey[32] = {0};
2339 CRYPTO_chacha_20(buffer, buffer, len, kZeroKey, nonce, 0);
2341 return CBB_flush(out);
2344 static bool ext_dummy_pq_padding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2345 const size_t len = hs->ssl->dummy_pq_padding_len;
2350 return ext_dummy_pq_padding_add(out, len);
2353 static bool ext_dummy_pq_padding_parse_serverhello(SSL_HANDSHAKE *hs,
2356 if (contents == nullptr) {
2360 if (CBS_len(contents) != hs->ssl->dummy_pq_padding_len) {
2364 hs->ssl->did_dummy_pq_padding = true;
2368 static bool ext_dummy_pq_padding_parse_clienthello(SSL_HANDSHAKE *hs,
2371 if (contents != nullptr &&
2372 0 < CBS_len(contents) && CBS_len(contents) < (1 << 12)) {
2373 hs->dummy_pq_padding_len = CBS_len(contents);
2379 static bool ext_dummy_pq_padding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2380 if (!hs->dummy_pq_padding_len) {
2384 return ext_dummy_pq_padding_add(out, hs->dummy_pq_padding_len);
2387 // Negotiated Groups
2389 // https://tools.ietf.org/html/rfc4492#section-5.1.2
2390 // https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4
2392 static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2393 SSL *const ssl = hs->ssl;
2394 CBB contents, groups_bytes;
2395 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_groups) ||
2396 !CBB_add_u16_length_prefixed(out, &contents) ||
2397 !CBB_add_u16_length_prefixed(&contents, &groups_bytes)) {
2401 // Add a fake group. See draft-davidben-tls-grease-01.
2402 if (ssl->ctx->grease_enabled &&
2403 !CBB_add_u16(&groups_bytes,
2404 ssl_get_grease_value(hs, ssl_grease_group))) {
2408 for (uint16_t group : tls1_get_grouplist(ssl)) {
2409 if (!CBB_add_u16(&groups_bytes, group)) {
2414 return CBB_flush(out);
2417 static bool ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
2420 // This extension is not expected to be echoed by servers in TLS 1.2, but some
2421 // BigIP servers send it nonetheless, so do not enforce this.
2425 static bool parse_u16_array(const CBS *cbs, Array<uint16_t> *out) {
2427 if ((CBS_len(©) & 1) != 0) {
2428 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
2432 Array<uint16_t> ret;
2433 if (!ret.Init(CBS_len(©) / 2)) {
2436 for (size_t i = 0; i < ret.size(); i++) {
2437 if (!CBS_get_u16(©, &ret[i])) {
2438 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2443 assert(CBS_len(©) == 0);
2444 *out = std::move(ret);
2448 static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,
2451 if (contents == NULL) {
2455 CBS supported_group_list;
2456 if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) ||
2457 CBS_len(&supported_group_list) == 0 ||
2458 CBS_len(contents) != 0 ||
2459 !parse_u16_array(&supported_group_list, &hs->peer_supported_group_list)) {
2468 // https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-10
2470 // The Token Binding version number currently matches the draft number of
2471 // draft-ietf-tokbind-protocol, and when published as an RFC it will be 0x0100.
2472 // Since there are no wire changes to the protocol from draft 13 through the
2473 // current draft (16), this implementation supports all versions in that range.
2474 static uint16_t kTokenBindingMaxVersion = 16;
2475 static uint16_t kTokenBindingMinVersion = 13;
2477 static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
2478 SSL *const ssl = hs->ssl;
2479 if (ssl->token_binding_params == nullptr || SSL_is_dtls(ssl)) {
2483 CBB contents, params;
2484 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2485 !CBB_add_u16_length_prefixed(out, &contents) ||
2486 !CBB_add_u16(&contents, kTokenBindingMaxVersion) ||
2487 !CBB_add_u8_length_prefixed(&contents, ¶ms) ||
2488 !CBB_add_bytes(¶ms, ssl->token_binding_params,
2489 ssl->token_binding_params_len) ||
2497 static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs,
2500 SSL *const ssl = hs->ssl;
2501 if (contents == nullptr) {
2508 if (!CBS_get_u16(contents, &version) ||
2509 !CBS_get_u8_length_prefixed(contents, ¶ms_list) ||
2510 !CBS_get_u8(¶ms_list, ¶m) ||
2511 CBS_len(¶ms_list) > 0 ||
2512 CBS_len(contents) > 0) {
2513 *out_alert = SSL_AD_DECODE_ERROR;
2517 // The server-negotiated version must be less than or equal to our version.
2518 if (version > kTokenBindingMaxVersion) {
2519 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2523 // If the server-selected version is less than what we support, then Token
2524 // Binding wasn't negotiated (but the extension was parsed successfully).
2525 if (version < kTokenBindingMinVersion) {
2529 for (size_t i = 0; i < ssl->token_binding_params_len; ++i) {
2530 if (param == ssl->token_binding_params[i]) {
2531 ssl->negotiated_token_binding_param = param;
2532 ssl->token_binding_negotiated = true;
2537 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
2541 // select_tb_param looks for the first token binding param in
2542 // |ssl->token_binding_params| that is also in |params| and puts it in
2543 // |ssl->negotiated_token_binding_param|. It returns true if a token binding
2544 // param is found, and false otherwise.
2545 static bool select_tb_param(SSL *ssl, Span<const uint8_t> peer_params) {
2546 for (size_t i = 0; i < ssl->token_binding_params_len; ++i) {
2547 uint8_t tb_param = ssl->token_binding_params[i];
2548 for (uint8_t peer_param : peer_params) {
2549 if (tb_param == peer_param) {
2550 ssl->negotiated_token_binding_param = tb_param;
2558 static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs,
2561 SSL *const ssl = hs->ssl;
2562 if (contents == nullptr || ssl->token_binding_params == nullptr) {
2568 if (!CBS_get_u16(contents, &version) ||
2569 !CBS_get_u8_length_prefixed(contents, ¶ms) ||
2570 CBS_len(¶ms) == 0 ||
2571 CBS_len(contents) > 0) {
2572 *out_alert = SSL_AD_DECODE_ERROR;
2576 // If the client-selected version is less than what we support, then Token
2577 // Binding wasn't negotiated (but the extension was parsed successfully).
2578 if (version < kTokenBindingMinVersion) {
2582 // If the client-selected version is higher than we support, use our max
2583 // version. Otherwise, use the client's version.
2584 hs->negotiated_token_binding_version =
2585 std::min(version, kTokenBindingMaxVersion);
2586 if (!select_tb_param(ssl, params)) {
2590 ssl->token_binding_negotiated = true;
2594 static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
2595 SSL *const ssl = hs->ssl;
2597 if (!ssl->token_binding_negotiated) {
2601 CBB contents, params;
2602 if (!CBB_add_u16(out, TLSEXT_TYPE_token_binding) ||
2603 !CBB_add_u16_length_prefixed(out, &contents) ||
2604 !CBB_add_u16(&contents, hs->negotiated_token_binding_version) ||
2605 !CBB_add_u8_length_prefixed(&contents, ¶ms) ||
2606 !CBB_add_u8(¶ms, ssl->negotiated_token_binding_param) ||
2614 // QUIC Transport Parameters
2616 static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
2618 SSL *const ssl = hs->ssl;
2619 if (!ssl->quic_transport_params || hs->max_version <= TLS1_2_VERSION) {
2624 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2625 !CBB_add_u16_length_prefixed(out, &contents) ||
2626 !CBB_add_bytes(&contents, ssl->quic_transport_params,
2627 ssl->quic_transport_params_len) ||
2634 static bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,
2637 SSL *const ssl = hs->ssl;
2638 if (contents == nullptr) {
2641 // QUIC requires TLS 1.3.
2642 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2643 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
2647 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2650 static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
2653 SSL *const ssl = hs->ssl;
2654 if (!contents || !ssl->quic_transport_params) {
2657 // Ignore the extension before TLS 1.3.
2658 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
2662 return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);
2665 static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
2667 SSL *const ssl = hs->ssl;
2668 if (!ssl->quic_transport_params) {
2673 if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
2674 !CBB_add_u16_length_prefixed(out, &contents) ||
2675 !CBB_add_bytes(&contents, ssl->quic_transport_params,
2676 ssl->quic_transport_params_len) ||
2685 // kExtensions contains all the supported extensions.
2686 static const struct tls_extension kExtensions[] = {
2688 TLSEXT_TYPE_renegotiate,
2690 ext_ri_add_clienthello,
2691 ext_ri_parse_serverhello,
2692 ext_ri_parse_clienthello,
2693 ext_ri_add_serverhello,
2696 TLSEXT_TYPE_server_name,
2698 ext_sni_add_clienthello,
2699 ext_sni_parse_serverhello,
2700 ext_sni_parse_clienthello,
2701 ext_sni_add_serverhello,
2704 TLSEXT_TYPE_extended_master_secret,
2706 ext_ems_add_clienthello,
2707 ext_ems_parse_serverhello,
2708 ext_ems_parse_clienthello,
2709 ext_ems_add_serverhello,
2712 TLSEXT_TYPE_session_ticket,
2714 ext_ticket_add_clienthello,
2715 ext_ticket_parse_serverhello,
2716 // Ticket extension client parsing is handled in ssl_session.c
2717 ignore_parse_clienthello,
2718 ext_ticket_add_serverhello,
2721 TLSEXT_TYPE_signature_algorithms,
2723 ext_sigalgs_add_clienthello,
2724 forbid_parse_serverhello,
2725 ext_sigalgs_parse_clienthello,
2726 dont_add_serverhello,
2729 TLSEXT_TYPE_status_request,
2731 ext_ocsp_add_clienthello,
2732 ext_ocsp_parse_serverhello,
2733 ext_ocsp_parse_clienthello,
2734 ext_ocsp_add_serverhello,
2737 TLSEXT_TYPE_next_proto_neg,
2739 ext_npn_add_clienthello,
2740 ext_npn_parse_serverhello,
2741 ext_npn_parse_clienthello,
2742 ext_npn_add_serverhello,
2745 TLSEXT_TYPE_certificate_timestamp,
2747 ext_sct_add_clienthello,
2748 ext_sct_parse_serverhello,
2749 ext_sct_parse_clienthello,
2750 ext_sct_add_serverhello,
2753 TLSEXT_TYPE_application_layer_protocol_negotiation,
2755 ext_alpn_add_clienthello,
2756 ext_alpn_parse_serverhello,
2757 // ALPN is negotiated late in |ssl_negotiate_alpn|.
2758 ignore_parse_clienthello,
2759 ext_alpn_add_serverhello,
2762 TLSEXT_TYPE_channel_id,
2763 ext_channel_id_init,
2764 ext_channel_id_add_clienthello,
2765 ext_channel_id_parse_serverhello,
2766 ext_channel_id_parse_clienthello,
2767 ext_channel_id_add_serverhello,
2772 ext_srtp_add_clienthello,
2773 ext_srtp_parse_serverhello,
2774 ext_srtp_parse_clienthello,
2775 ext_srtp_add_serverhello,
2778 TLSEXT_TYPE_ec_point_formats,
2780 ext_ec_point_add_clienthello,
2781 ext_ec_point_parse_serverhello,
2782 ext_ec_point_parse_clienthello,
2783 ext_ec_point_add_serverhello,
2786 TLSEXT_TYPE_key_share,
2788 ext_key_share_add_clienthello,
2789 forbid_parse_serverhello,
2790 ignore_parse_clienthello,
2791 dont_add_serverhello,
2794 TLSEXT_TYPE_psk_key_exchange_modes,
2796 ext_psk_key_exchange_modes_add_clienthello,
2797 forbid_parse_serverhello,
2798 ext_psk_key_exchange_modes_parse_clienthello,
2799 dont_add_serverhello,
2802 TLSEXT_TYPE_early_data,
2804 ext_early_data_add_clienthello,
2805 ext_early_data_parse_serverhello,
2806 ext_early_data_parse_clienthello,
2807 ext_early_data_add_serverhello,
2810 TLSEXT_TYPE_supported_versions,
2812 ext_supported_versions_add_clienthello,
2813 forbid_parse_serverhello,
2814 ignore_parse_clienthello,
2815 dont_add_serverhello,
2820 ext_cookie_add_clienthello,
2821 forbid_parse_serverhello,
2822 ignore_parse_clienthello,
2823 dont_add_serverhello,
2826 TLSEXT_TYPE_dummy_pq_padding,
2828 ext_dummy_pq_padding_add_clienthello,
2829 ext_dummy_pq_padding_parse_serverhello,
2830 ext_dummy_pq_padding_parse_clienthello,
2831 ext_dummy_pq_padding_add_serverhello,
2834 TLSEXT_TYPE_quic_transport_parameters,
2836 ext_quic_transport_params_add_clienthello,
2837 ext_quic_transport_params_parse_serverhello,
2838 ext_quic_transport_params_parse_clienthello,
2839 ext_quic_transport_params_add_serverhello,
2841 // The final extension must be non-empty. WebSphere Application Server 7.0 is
2842 // intolerant to the last extension being zero-length. See
2843 // https://crbug.com/363583.
2845 TLSEXT_TYPE_supported_groups,
2847 ext_supported_groups_add_clienthello,
2848 ext_supported_groups_parse_serverhello,
2849 ext_supported_groups_parse_clienthello,
2850 dont_add_serverhello,
2853 TLSEXT_TYPE_token_binding,
2855 ext_token_binding_add_clienthello,
2856 ext_token_binding_parse_serverhello,
2857 ext_token_binding_parse_clienthello,
2858 ext_token_binding_add_serverhello,
2862 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
2864 static_assert(kNumExtensions <=
2865 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.sent) * 8,
2866 "too many extensions for sent bitset");
2867 static_assert(kNumExtensions <=
2868 sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8,
2869 "too many extensions for received bitset");
2871 static const struct tls_extension *tls_extension_find(uint32_t *out_index,
2874 for (i = 0; i < kNumExtensions; i++) {
2875 if (kExtensions[i].value == value) {
2877 return &kExtensions[i];
2884 int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) {
2885 SSL *const ssl = hs->ssl;
2886 // Don't add extensions for SSLv3 unless doing secure renegotiation.
2887 if (hs->client_version == SSL3_VERSION &&
2888 !ssl->s3->send_connection_binding) {
2893 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
2894 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2898 hs->extensions.sent = 0;
2899 hs->custom_extensions.sent = 0;
2901 for (size_t i = 0; i < kNumExtensions; i++) {
2902 if (kExtensions[i].init != NULL) {
2903 kExtensions[i].init(hs);
2907 uint16_t grease_ext1 = 0;
2908 if (ssl->ctx->grease_enabled) {
2909 // Add a fake empty extension. See draft-davidben-tls-grease-01.
2910 grease_ext1 = ssl_get_grease_value(hs, ssl_grease_extension1);
2911 if (!CBB_add_u16(&extensions, grease_ext1) ||
2912 !CBB_add_u16(&extensions, 0 /* zero length */)) {
2913 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2918 for (size_t i = 0; i < kNumExtensions; i++) {
2919 const size_t len_before = CBB_len(&extensions);
2920 if (!kExtensions[i].add_clienthello(hs, &extensions)) {
2921 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
2922 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
2926 if (CBB_len(&extensions) != len_before) {
2927 hs->extensions.sent |= (1u << i);
2931 if (!custom_ext_add_clienthello(hs, &extensions)) {
2932 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2936 if (ssl->ctx->grease_enabled) {
2937 // Add a fake non-empty extension. See draft-davidben-tls-grease-01.
2938 uint16_t grease_ext2 = ssl_get_grease_value(hs, ssl_grease_extension2);
2940 // The two fake extensions must not have the same value. GREASE values are
2941 // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
2943 if (grease_ext1 == grease_ext2) {
2944 grease_ext2 ^= 0x1010;
2947 if (!CBB_add_u16(&extensions, grease_ext2) ||
2948 !CBB_add_u16(&extensions, 1 /* one byte length */) ||
2949 !CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) {
2950 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2955 if (!SSL_is_dtls(ssl)) {
2956 size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs);
2957 header_len += 2 + CBB_len(&extensions) + psk_extension_len;
2958 if (header_len > 0xff && header_len < 0x200) {
2959 // Add padding to workaround bugs in F5 terminators. See RFC 7685.
2961 // NB: because this code works out the length of all existing extensions
2962 // it MUST always appear last.
2963 size_t padding_len = 0x200 - header_len;
2964 // Extensions take at least four bytes to encode. Always include at least
2965 // one byte of data if including the extension. WebSphere Application
2966 // Server 7.0 is intolerant to the last extension being zero-length. See
2967 // https://crbug.com/363583.
2968 if (padding_len >= 4 + 1) {
2974 uint8_t *padding_bytes;
2975 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_padding) ||
2976 !CBB_add_u16(&extensions, padding_len) ||
2977 !CBB_add_space(&extensions, &padding_bytes, padding_len)) {
2978 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2982 OPENSSL_memset(padding_bytes, 0, padding_len);
2986 // The PSK extension must be last, including after the padding.
2987 if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) {
2988 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
2992 // Discard empty extensions blocks.
2993 if (CBB_len(&extensions) == 0) {
2994 CBB_discard_child(out);
2997 return CBB_flush(out);
3000 int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
3001 SSL *const ssl = hs->ssl;
3003 if (!CBB_add_u16_length_prefixed(out, &extensions)) {
3007 for (unsigned i = 0; i < kNumExtensions; i++) {
3008 if (!(hs->extensions.received & (1u << i))) {
3009 // Don't send extensions that were not received.
3013 if (!kExtensions[i].add_serverhello(hs, &extensions)) {
3014 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
3015 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3020 if (!custom_ext_add_serverhello(hs, &extensions)) {
3024 // Discard empty extensions blocks before TLS 1.3.
3025 if (ssl_protocol_version(ssl) < TLS1_3_VERSION &&
3026 CBB_len(&extensions) == 0) {
3027 CBB_discard_child(out);
3030 return CBB_flush(out);
3033 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3037 static int ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
3038 const SSL_CLIENT_HELLO *client_hello,
3040 SSL *const ssl = hs->ssl;
3041 for (size_t i = 0; i < kNumExtensions; i++) {
3042 if (kExtensions[i].init != NULL) {
3043 kExtensions[i].init(hs);
3047 hs->extensions.received = 0;
3048 hs->custom_extensions.received = 0;
3050 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
3051 while (CBS_len(&extensions) != 0) {
3055 // Decode the next extension.
3056 if (!CBS_get_u16(&extensions, &type) ||
3057 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3058 *out_alert = SSL_AD_DECODE_ERROR;
3062 // RFC 5746 made the existence of extensions in SSL 3.0 somewhat
3063 // ambiguous. Ignore all but the renegotiation_info extension.
3064 if (ssl->version == SSL3_VERSION && type != TLSEXT_TYPE_renegotiate) {
3069 const struct tls_extension *const ext =
3070 tls_extension_find(&ext_index, type);
3073 if (!custom_ext_parse_clienthello(hs, out_alert, type, &extension)) {
3074 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3080 hs->extensions.received |= (1u << ext_index);
3081 uint8_t alert = SSL_AD_DECODE_ERROR;
3082 if (!ext->parse_clienthello(hs, &alert, &extension)) {
3084 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3085 ERR_add_error_dataf("extension %u", (unsigned)type);
3090 for (size_t i = 0; i < kNumExtensions; i++) {
3091 if (hs->extensions.received & (1u << i)) {
3095 CBS *contents = NULL, fake_contents;
3096 static const uint8_t kFakeRenegotiateExtension[] = {0};
3097 if (kExtensions[i].value == TLSEXT_TYPE_renegotiate &&
3098 ssl_client_cipher_list_contains_cipher(client_hello,
3099 SSL3_CK_SCSV & 0xffff)) {
3100 // The renegotiation SCSV was received so pretend that we received a
3101 // renegotiation extension.
3102 CBS_init(&fake_contents, kFakeRenegotiateExtension,
3103 sizeof(kFakeRenegotiateExtension));
3104 contents = &fake_contents;
3105 hs->extensions.received |= (1u << i);
3108 // Extension wasn't observed so call the callback with a NULL
3110 uint8_t alert = SSL_AD_DECODE_ERROR;
3111 if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) {
3112 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3113 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3122 int ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
3123 const SSL_CLIENT_HELLO *client_hello) {
3124 SSL *const ssl = hs->ssl;
3125 int alert = SSL_AD_DECODE_ERROR;
3126 if (ssl_scan_clienthello_tlsext(hs, client_hello, &alert) <= 0) {
3127 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3131 if (ssl_check_clienthello_tlsext(hs) <= 0) {
3132 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT);
3139 static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
3141 SSL *const ssl = hs->ssl;
3142 // Before TLS 1.3, ServerHello extensions blocks may be omitted if empty.
3143 if (CBS_len(cbs) == 0 && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
3147 // Decode the extensions block and check it is valid.
3149 if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
3150 !tls1_check_duplicate_extensions(&extensions)) {
3151 *out_alert = SSL_AD_DECODE_ERROR;
3155 uint32_t received = 0;
3156 while (CBS_len(&extensions) != 0) {
3160 // Decode the next extension.
3161 if (!CBS_get_u16(&extensions, &type) ||
3162 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
3163 *out_alert = SSL_AD_DECODE_ERROR;
3168 const struct tls_extension *const ext =
3169 tls_extension_find(&ext_index, type);
3172 hs->received_custom_extension = true;
3173 if (!custom_ext_parse_serverhello(hs, out_alert, type, &extension)) {
3179 static_assert(kNumExtensions <= sizeof(hs->extensions.sent) * 8,
3182 if (!(hs->extensions.sent & (1u << ext_index)) &&
3183 type != TLSEXT_TYPE_renegotiate) {
3184 // If the extension was never sent then it is illegal, except for the
3185 // renegotiation extension which, in SSL 3.0, is signaled via SCSV.
3186 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
3187 ERR_add_error_dataf("extension :%u", (unsigned)type);
3188 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
3192 received |= (1u << ext_index);
3194 uint8_t alert = SSL_AD_DECODE_ERROR;
3195 if (!ext->parse_serverhello(hs, &alert, &extension)) {
3196 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
3197 ERR_add_error_dataf("extension %u", (unsigned)type);
3203 for (size_t i = 0; i < kNumExtensions; i++) {
3204 if (!(received & (1u << i))) {
3205 // Extension wasn't observed so call the callback with a NULL
3207 uint8_t alert = SSL_AD_DECODE_ERROR;
3208 if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) {
3209 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
3210 ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
3220 static int ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
3221 SSL *const ssl = hs->ssl;
3223 if (ssl->token_binding_negotiated &&
3224 !(SSL_get_secure_renegotiation_support(ssl) &&
3225 SSL_get_extms_support(ssl))) {
3226 OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);
3227 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
3231 int ret = SSL_TLSEXT_ERR_NOACK;
3232 int al = SSL_AD_UNRECOGNIZED_NAME;
3234 if (ssl->ctx->tlsext_servername_callback != 0) {
3235 ret = ssl->ctx->tlsext_servername_callback(ssl, &al,
3236 ssl->ctx->tlsext_servername_arg);
3237 } else if (ssl->session_ctx->tlsext_servername_callback != 0) {
3238 ret = ssl->session_ctx->tlsext_servername_callback(
3239 ssl, &al, ssl->session_ctx->tlsext_servername_arg);
3243 case SSL_TLSEXT_ERR_ALERT_FATAL:
3244 ssl_send_alert(ssl, SSL3_AL_FATAL, al);
3247 case SSL_TLSEXT_ERR_NOACK:
3248 hs->should_ack_sni = false;
3256 int ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
3257 SSL *const ssl = hs->ssl;
3258 int alert = SSL_AD_DECODE_ERROR;
3259 if (ssl_scan_serverhello_tlsext(hs, cbs, &alert) <= 0) {
3260 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
3267 static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(
3268 uint8_t **out, size_t *out_len, EVP_CIPHER_CTX *cipher_ctx,
3269 HMAC_CTX *hmac_ctx, const uint8_t *ticket, size_t ticket_len) {
3270 size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx);
3272 // Check the MAC at the end of the ticket.
3273 uint8_t mac[EVP_MAX_MD_SIZE];
3274 size_t mac_len = HMAC_size(hmac_ctx);
3275 if (ticket_len < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
3276 // The ticket must be large enough for key name, IV, data, and MAC.
3277 return ssl_ticket_aead_ignore_ticket;
3279 HMAC_Update(hmac_ctx, ticket, ticket_len - mac_len);
3280 HMAC_Final(hmac_ctx, mac, NULL);
3282 CRYPTO_memcmp(mac, ticket + (ticket_len - mac_len), mac_len) == 0;
3283 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3287 return ssl_ticket_aead_ignore_ticket;
3290 // Decrypt the session data.
3291 const uint8_t *ciphertext = ticket + SSL_TICKET_KEY_NAME_LEN + iv_len;
3292 size_t ciphertext_len = ticket_len - SSL_TICKET_KEY_NAME_LEN - iv_len -
3294 UniquePtr<uint8_t> plaintext((uint8_t *)OPENSSL_malloc(ciphertext_len));
3296 return ssl_ticket_aead_error;
3298 size_t plaintext_len;
3299 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3300 OPENSSL_memcpy(plaintext.get(), ciphertext, ciphertext_len);
3301 plaintext_len = ciphertext_len;
3303 if (ciphertext_len >= INT_MAX) {
3304 return ssl_ticket_aead_ignore_ticket;
3307 if (!EVP_DecryptUpdate(cipher_ctx, plaintext.get(), &len1, ciphertext,
3308 (int)ciphertext_len) ||
3309 !EVP_DecryptFinal_ex(cipher_ctx, plaintext.get() + len1, &len2)) {
3311 return ssl_ticket_aead_ignore_ticket;
3313 plaintext_len = (size_t)(len1) + len2;
3316 *out = plaintext.release();
3317 *out_len = plaintext_len;
3318 return ssl_ticket_aead_success;
3321 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb(
3322 SSL *ssl, uint8_t **out, size_t *out_len, bool *out_renew_ticket,
3323 const uint8_t *ticket, size_t ticket_len) {
3324 assert(ticket_len >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3325 ScopedEVP_CIPHER_CTX cipher_ctx;
3326 ScopedHMAC_CTX hmac_ctx;
3327 const uint8_t *iv = ticket + SSL_TICKET_KEY_NAME_LEN;
3328 int cb_ret = ssl->session_ctx->tlsext_ticket_key_cb(
3329 ssl, (uint8_t *)ticket /* name */, (uint8_t *)iv, cipher_ctx.get(),
3330 hmac_ctx.get(), 0 /* decrypt */);
3332 return ssl_ticket_aead_error;
3333 } else if (cb_ret == 0) {
3334 return ssl_ticket_aead_ignore_ticket;
3335 } else if (cb_ret == 2) {
3336 *out_renew_ticket = true;
3338 assert(cb_ret == 1);
3340 return decrypt_ticket_with_cipher_ctx(out, out_len, cipher_ctx.get(),
3341 hmac_ctx.get(), ticket, ticket_len);
3344 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys(
3345 SSL *ssl, uint8_t **out, size_t *out_len, const uint8_t *ticket,
3346 size_t ticket_len) {
3347 assert(ticket_len >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
3348 SSL_CTX *ctx = ssl->session_ctx;
3350 // Rotate the ticket key if necessary.
3351 if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
3352 return ssl_ticket_aead_error;
3355 // Pick the matching ticket key and decrypt.
3356 ScopedEVP_CIPHER_CTX cipher_ctx;
3357 ScopedHMAC_CTX hmac_ctx;
3359 MutexReadLock lock(&ctx->lock);
3360 const tlsext_ticket_key *key;
3361 if (ctx->tlsext_ticket_key_current &&
3362 !OPENSSL_memcmp(ctx->tlsext_ticket_key_current->name, ticket,
3363 SSL_TICKET_KEY_NAME_LEN)) {
3364 key = ctx->tlsext_ticket_key_current;
3365 } else if (ctx->tlsext_ticket_key_prev &&
3366 !OPENSSL_memcmp(ctx->tlsext_ticket_key_prev->name, ticket,
3367 SSL_TICKET_KEY_NAME_LEN)) {
3368 key = ctx->tlsext_ticket_key_prev;
3370 return ssl_ticket_aead_ignore_ticket;
3372 const uint8_t *iv = ticket + SSL_TICKET_KEY_NAME_LEN;
3373 if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key),
3374 tlsext_tick_md(), NULL) ||
3375 !EVP_DecryptInit_ex(cipher_ctx.get(), EVP_aes_128_cbc(), NULL,
3376 key->aes_key, iv)) {
3377 return ssl_ticket_aead_error;
3380 return decrypt_ticket_with_cipher_ctx(out, out_len, cipher_ctx.get(),
3381 hmac_ctx.get(), ticket, ticket_len);
3384 static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method(
3385 SSL *ssl, uint8_t **out, size_t *out_len, bool *out_renew_ticket,
3386 const uint8_t *ticket, size_t ticket_len) {
3387 uint8_t *plaintext = (uint8_t *)OPENSSL_malloc(ticket_len);
3388 if (plaintext == NULL) {
3389 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
3390 return ssl_ticket_aead_error;
3393 size_t plaintext_len;
3394 const enum ssl_ticket_aead_result_t result =
3395 ssl->session_ctx->ticket_aead_method->open(
3396 ssl, plaintext, &plaintext_len, ticket_len, ticket, ticket_len);
3398 if (result == ssl_ticket_aead_success) {
3401 *out_len = plaintext_len;
3404 OPENSSL_free(plaintext);
3408 enum ssl_ticket_aead_result_t ssl_process_ticket(
3409 SSL *ssl, UniquePtr<SSL_SESSION> *out_session, bool *out_renew_ticket,
3410 const uint8_t *ticket, size_t ticket_len, const uint8_t *session_id,
3411 size_t session_id_len) {
3412 *out_renew_ticket = false;
3413 out_session->reset();
3415 if ((SSL_get_options(ssl) & SSL_OP_NO_TICKET) ||
3416 session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
3417 return ssl_ticket_aead_ignore_ticket;
3420 uint8_t *plaintext = NULL;
3421 size_t plaintext_len;
3422 enum ssl_ticket_aead_result_t result;
3423 if (ssl->session_ctx->ticket_aead_method != NULL) {
3424 result = ssl_decrypt_ticket_with_method(
3425 ssl, &plaintext, &plaintext_len, out_renew_ticket, ticket, ticket_len);
3427 // Ensure there is room for the key name and the largest IV
3428 // |tlsext_ticket_key_cb| may try to consume. The real limit may be lower,
3429 // but the maximum IV length should be well under the minimum size for the
3430 // session material and HMAC.
3431 if (ticket_len < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
3432 return ssl_ticket_aead_ignore_ticket;
3434 if (ssl->session_ctx->tlsext_ticket_key_cb != NULL) {
3435 result = ssl_decrypt_ticket_with_cb(ssl, &plaintext, &plaintext_len,
3436 out_renew_ticket, ticket, ticket_len);
3438 result = ssl_decrypt_ticket_with_ticket_keys(
3439 ssl, &plaintext, &plaintext_len, ticket, ticket_len);
3443 if (result != ssl_ticket_aead_success) {
3447 // Decode the session.
3448 UniquePtr<SSL_SESSION> session(
3449 SSL_SESSION_from_bytes(plaintext, plaintext_len, ssl->ctx));
3450 OPENSSL_free(plaintext);
3453 ERR_clear_error(); // Don't leave an error on the queue.
3454 return ssl_ticket_aead_ignore_ticket;
3457 // Copy the client's session ID into the new session, to denote the ticket has
3459 OPENSSL_memcpy(session->session_id, session_id, session_id_len);
3460 session->session_id_length = session_id_len;
3462 *out_session = std::move(session);
3463 return ssl_ticket_aead_success;
3466 bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
3467 // Extension ignored for inappropriate versions
3468 if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) {
3472 return parse_u16_array(in_sigalgs, &hs->peer_sigalgs);
3475 bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
3476 switch (EVP_PKEY_id(pkey)) {
3478 *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
3481 *out = SSL_SIGN_ECDSA_SHA1;
3488 bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
3489 SSL *const ssl = hs->ssl;
3490 CERT *cert = ssl->cert;
3492 // Before TLS 1.2, the signature algorithm isn't negotiated as part of the
3494 if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {
3495 if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) {
3496 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3502 Span<const uint16_t> sigalgs = kSignSignatureAlgorithms;
3503 if (cert->sigalgs != nullptr) {
3504 sigalgs = MakeConstSpan(cert->sigalgs, cert->num_sigalgs);
3507 Span<const uint16_t> peer_sigalgs = hs->peer_sigalgs;
3508 if (peer_sigalgs.empty() && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
3509 // If the client didn't specify any signature_algorithms extension then
3510 // we can assume that it supports SHA1. See
3511 // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
3512 static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
3513 SSL_SIGN_ECDSA_SHA1};
3514 peer_sigalgs = kDefaultPeerAlgorithms;
3517 for (uint16_t sigalg : sigalgs) {
3518 // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
3520 if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
3521 !ssl_private_key_supports_signature_algorithm(hs, sigalg)) {
3525 for (uint16_t peer_sigalg : peer_sigalgs) {
3526 if (sigalg == peer_sigalg) {
3533 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
3537 int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
3538 SSL *const ssl = hs->ssl;
3539 // A Channel ID handshake message is structured to contain multiple
3540 // extensions, but the only one that can be present is Channel ID.
3541 uint16_t extension_type;
3542 CBS channel_id = msg.body, extension;
3543 if (!CBS_get_u16(&channel_id, &extension_type) ||
3544 !CBS_get_u16_length_prefixed(&channel_id, &extension) ||
3545 CBS_len(&channel_id) != 0 ||
3546 extension_type != TLSEXT_TYPE_channel_id ||
3547 CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
3548 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
3549 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
3553 UniquePtr<EC_GROUP> p256(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
3555 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
3559 UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
3560 UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3561 if (!sig || !x || !y) {
3565 const uint8_t *p = CBS_data(&extension);
3566 if (BN_bin2bn(p + 0, 32, x.get()) == NULL ||
3567 BN_bin2bn(p + 32, 32, y.get()) == NULL ||
3568 BN_bin2bn(p + 64, 32, sig->r) == NULL ||
3569 BN_bin2bn(p + 96, 32, sig->s) == NULL) {
3573 UniquePtr<EC_KEY> key(EC_KEY_new());
3574 UniquePtr<EC_POINT> point(EC_POINT_new(p256.get()));
3575 if (!key || !point ||
3576 !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(),
3577 y.get(), nullptr) ||
3578 !EC_KEY_set_group(key.get(), p256.get()) ||
3579 !EC_KEY_set_public_key(key.get(), point.get())) {
3583 uint8_t digest[EVP_MAX_MD_SIZE];
3585 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3589 int sig_ok = ECDSA_do_verify(digest, digest_len, sig.get(), key.get());
3590 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
3595 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
3596 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
3597 ssl->s3->tlsext_channel_id_valid = false;
3601 OPENSSL_memcpy(ssl->s3->tlsext_channel_id, p, 64);
3605 bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) {
3606 SSL *const ssl = hs->ssl;
3607 uint8_t digest[EVP_MAX_MD_SIZE];
3609 if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
3613 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ssl->tlsext_channel_id_private);
3614 if (ec_key == nullptr) {
3615 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3619 UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
3621 !EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec_key),
3622 EC_KEY_get0_public_key(ec_key),
3623 x.get(), y.get(), nullptr)) {
3627 UniquePtr<ECDSA_SIG> sig(ECDSA_do_sign(digest, digest_len, ec_key));
3633 if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) ||
3634 !CBB_add_u16_length_prefixed(cbb, &child) ||
3635 !BN_bn2cbb_padded(&child, 32, x.get()) ||
3636 !BN_bn2cbb_padded(&child, 32, y.get()) ||
3637 !BN_bn2cbb_padded(&child, 32, sig->r) ||
3638 !BN_bn2cbb_padded(&child, 32, sig->s) ||
3646 int tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {
3647 SSL *const ssl = hs->ssl;
3648 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
3650 if (!tls13_get_cert_verify_signature_input(hs, &msg,
3651 ssl_cert_verify_channel_id)) {
3654 SHA256(msg.data(), msg.size(), out);
3655 *out_len = SHA256_DIGEST_LENGTH;
3662 static const char kClientIDMagic[] = "TLS Channel ID signature";
3663 SHA256_Update(&ctx, kClientIDMagic, sizeof(kClientIDMagic));
3665 if (ssl->session != NULL) {
3666 static const char kResumptionMagic[] = "Resumption";
3667 SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic));
3668 if (ssl->session->original_handshake_hash_len == 0) {
3669 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
3672 SHA256_Update(&ctx, ssl->session->original_handshake_hash,
3673 ssl->session->original_handshake_hash_len);
3676 uint8_t hs_hash[EVP_MAX_MD_SIZE];
3678 if (!hs->transcript.GetHash(hs_hash, &hs_hash_len)) {
3681 SHA256_Update(&ctx, hs_hash, (size_t)hs_hash_len);
3682 SHA256_Final(out, &ctx);
3683 *out_len = SHA256_DIGEST_LENGTH;
3687 // tls1_record_handshake_hashes_for_channel_id records the current handshake
3688 // hashes in |hs->new_session| so that Channel ID resumptions can sign that
3690 int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
3691 SSL *const ssl = hs->ssl;
3692 // This function should never be called for a resumed session because the
3693 // handshake hashes that we wish to record are for the original, full
3695 if (ssl->session != NULL) {
3700 sizeof(hs->new_session->original_handshake_hash) == EVP_MAX_MD_SIZE,
3701 "original_handshake_hash is too small");
3704 if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash,
3709 static_assert(EVP_MAX_MD_SIZE <= 0xff,
3710 "EVP_MAX_MD_SIZE does not fit in uint8_t");
3711 hs->new_session->original_handshake_hash_len = (uint8_t)digest_len;
3716 int ssl_do_channel_id_callback(SSL *ssl) {
3717 if (ssl->tlsext_channel_id_private != NULL ||
3718 ssl->ctx->channel_id_cb == NULL) {
3722 EVP_PKEY *key = NULL;
3723 ssl->ctx->channel_id_cb(ssl, &key);
3725 // The caller should try again later.
3729 int ret = SSL_set1_tls_channel_id(ssl, key);
3734 int ssl_is_sct_list_valid(const CBS *contents) {
3735 // Shallow parse the SCT list for sanity. By the RFC
3736 // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
3737 // of the SCTs may be empty.
3738 CBS copy = *contents;
3740 if (!CBS_get_u16_length_prefixed(©, &sct_list) ||
3741 CBS_len(©) != 0 ||
3742 CBS_len(&sct_list) == 0) {
3746 while (CBS_len(&sct_list) > 0) {
3748 if (!CBS_get_u16_length_prefixed(&sct_list, &sct) ||
3749 CBS_len(&sct) == 0) {
3759 using namespace bssl;
3761 int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
3762 uint16_t extension_type,
3763 const uint8_t **out_data,
3766 if (!ssl_client_hello_get_extension(client_hello, &cbs, extension_type)) {
3770 *out_data = CBS_data(&cbs);
3771 *out_len = CBS_len(&cbs);
3775 void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
3776 ctx->ed25519_enabled = !!enabled;
3779 int SSL_extension_supported(unsigned extension_value) {
3781 return extension_value == TLSEXT_TYPE_padding ||
3782 tls_extension_find(&index, extension_value) != NULL;