/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* This package is an SSL implementation written
|
|
|
|
* by Eric Young (eay@cryptsoft.com).
|
|
|
|
* The implementation was written so as to conform with Netscapes SSL.
|
|
|
|
*
|
|
|
|
* This library is free for commercial and non-commercial use as long as
|
|
|
|
* the following conditions are aheared to. The following conditions
|
|
|
|
* apply to all code found in this distribution, be it the RC4, RSA,
|
|
|
|
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
|
|
|
|
* included with this distribution is covered by the same copyright terms
|
|
|
|
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
|
|
|
|
*
|
|
|
|
* Copyright remains Eric Young's, and as such any Copyright notices in
|
|
|
|
* the code are not to be removed.
|
|
|
|
* If this package is used in a product, Eric Young should be given attribution
|
|
|
|
* as the author of the parts of the library used.
|
|
|
|
* This can be in the form of a textual message at program startup or
|
|
|
|
* in documentation (online or textual) provided with the package.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 3. All advertising materials mentioning features or use of this software
|
|
|
|
* must display the following acknowledgement:
|
|
|
|
* "This product includes cryptographic software written by
|
|
|
|
* Eric Young (eay@cryptsoft.com)"
|
|
|
|
* The word 'cryptographic' can be left out if the rouines from the library
|
|
|
|
* being used are not cryptographic related :-).
|
|
|
|
* 4. If you include any Windows specific code (or a derivative thereof) from
|
|
|
|
* the apps directory (application code) you must include an acknowledgement:
|
|
|
|
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*
|
|
|
|
* The licence and distribution terms for any publically available version or
|
|
|
|
* derivative of this code cannot be changed. i.e. this code cannot simply be
|
|
|
|
* copied and put under another distribution licence
|
|
|
|
* [including the GNU Public Licence.]
|
|
|
|
*/
|
|
|
|
/* ====================================================================
|
|
|
|
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
*
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
*
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in
|
|
|
|
* the documentation and/or other materials provided with the
|
|
|
|
* distribution.
|
|
|
|
*
|
|
|
|
* 3. All advertising materials mentioning features or use of this
|
|
|
|
* software must display the following acknowledgment:
|
|
|
|
* "This product includes software developed by the OpenSSL Project
|
|
|
|
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
|
|
|
*
|
|
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
|
|
* endorse or promote products derived from this software without
|
|
|
|
* prior written permission. For written permission, please contact
|
|
|
|
* openssl-core@openssl.org.
|
|
|
|
*
|
|
|
|
* 5. Products derived from this software may not be called "OpenSSL"
|
|
|
|
* nor may "OpenSSL" appear in their names without prior written
|
|
|
|
* permission of the OpenSSL Project.
|
|
|
|
*
|
|
|
|
* 6. Redistributions of any form whatsoever must retain the following
|
|
|
|
* acknowledgment:
|
|
|
|
* "This product includes software developed by the OpenSSL Project
|
|
|
|
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
* ====================================================================
|
|
|
|
*
|
|
|
|
* This product includes cryptographic software written by Eric Young
|
|
|
|
* (eay@cryptsoft.com). This product includes software written by Tim
|
|
|
|
* Hudson (tjh@cryptsoft.com). */
#include <openssl/ssl.h>
#include <assert.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/bytestring.h>
#include <openssl/digest.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/mem.h>
#include <openssl/nid.h>
#include <openssl/rand.h>
#include <openssl/type_check.h>
#include "internal.h"
#include "../crypto/internal.h"
/* Forward declaration: |ssl_check_clienthello_tlsext| is defined later in this
 * file and is declared here so earlier code can reference it. */
static int ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);
/* compare_uint16_t is a |qsort| comparator for arrays of |uint16_t|. It
 * returns -1, 0 or 1 according to whether the value at |p1| is less than, equal
 * to or greater than the value at |p2|. */
static int compare_uint16_t(const void *p1, const void *p2) {
  const uint16_t lhs = *(const uint16_t *)p1;
  const uint16_t rhs = *(const uint16_t *)p2;
  /* (lhs > rhs) - (lhs < rhs) yields exactly -1, 0 or 1. */
  return (lhs > rhs) - (lhs < rhs);
}
/* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
* more than one extension of the same type in a ClientHello or ServerHello.
* This function does an initial scan over the extensions block to filter those
* out. */
/* tls1_check_duplicate_extensions returns one if the extensions block |cbs|
 * parses as a sequence of (u16 type, u16-length-prefixed body) records with no
 * two records sharing a type. It returns zero on a parse failure, an
 * allocation failure or a duplicate type. Per RFC 5246, section 7.4.1.4, a
 * ClientHello or ServerHello must not carry two extensions of the same type. */
static int tls1_check_duplicate_extensions(const CBS *cbs) {
  /* First pass: count the records so the scratch array can be sized. */
  CBS remaining = *cbs;
  size_t count = 0;
  while (CBS_len(&remaining) > 0) {
    uint16_t ignored_type;
    CBS ignored_body;
    if (!CBS_get_u16(&remaining, &ignored_type) ||
        !CBS_get_u16_length_prefixed(&remaining, &ignored_body)) {
      return 0;
    }
    count++;
  }

  if (count == 0) {
    return 1;
  }

  uint16_t *types = OPENSSL_malloc(sizeof(uint16_t) * count);
  if (types == NULL) {
    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
    return 0;
  }

  int ok = 0;

  /* Second pass: record each type. The first pass already validated the
   * structure, so a failure here would indicate a logic error. */
  remaining = *cbs;
  for (size_t i = 0; i < count; i++) {
    CBS ignored_body;
    if (!CBS_get_u16(&remaining, &types[i]) ||
        !CBS_get_u16_length_prefixed(&remaining, &ignored_body)) {
      goto out;
    }
  }
  assert(CBS_len(&remaining) == 0);

  /* Sorting makes any duplicate types adjacent. */
  qsort(types, count, sizeof(uint16_t), compare_uint16_t);
  for (size_t i = 1; i < count; i++) {
    if (types[i - 1] == types[i]) {
      goto out;
    }
  }
  ok = 1;

out:
  OPENSSL_free(types);
  return ok;
}
/* ssl_client_hello_init parses the |in_len| bytes at |in| as a ClientHello body
 * and fills in |out| with pointers into |in|. It returns one on success and
 * zero if the message is malformed. |out| does not own any of the memory it
 * points to, and on failure it may be only partially initialised. */
int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out, const uint8_t *in,
                          size_t in_len) {
  OPENSSL_memset(out, 0, sizeof(*out));
  out->ssl = ssl;
  out->client_hello = in;
  out->client_hello_len = in_len;

  CBS body;
  CBS_init(&body, in, in_len);

  /* ProtocolVersion, Random and SessionID. */
  CBS random, session_id;
  if (!CBS_get_u16(&body, &out->version) ||
      !CBS_get_bytes(&body, &random, SSL3_RANDOM_SIZE) ||
      !CBS_get_u8_length_prefixed(&body, &session_id)) {
    return 0;
  }
  if (CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
    return 0;
  }
  out->random = CBS_data(&random);
  out->random_len = CBS_len(&random);
  out->session_id = CBS_data(&session_id);
  out->session_id_len = CBS_len(&session_id);

  /* DTLS inserts a cookie after the session ID. It is length-checked and then
   * skipped; nothing in |out| refers to it. */
  if (SSL_is_dtls(ssl)) {
    CBS cookie;
    if (!CBS_get_u8_length_prefixed(&body, &cookie) ||
        CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
      return 0;
    }
  }

  /* Cipher suites: at least one, each two bytes wide. Compression methods:
   * at least one. */
  CBS cipher_suites, compression_methods;
  if (!CBS_get_u16_length_prefixed(&body, &cipher_suites)) {
    return 0;
  }
  const size_t cipher_suites_len = CBS_len(&cipher_suites);
  if (cipher_suites_len < 2 || (cipher_suites_len & 1) != 0) {
    return 0;
  }
  if (!CBS_get_u8_length_prefixed(&body, &compression_methods) ||
      CBS_len(&compression_methods) < 1) {
    return 0;
  }
  out->cipher_suites = CBS_data(&cipher_suites);
  out->cipher_suites_len = cipher_suites_len;
  out->compression_methods = CBS_data(&compression_methods);
  out->compression_methods_len = CBS_len(&compression_methods);

  /* A ClientHello may end here, without an extensions block (e.g. SSLv3). */
  if (CBS_len(&body) == 0) {
    out->extensions = NULL;
    out->extensions_len = 0;
    return 1;
  }

  /* Otherwise the extensions block must consume the rest of the message and
   * must not repeat an extension type. */
  CBS extensions;
  if (!CBS_get_u16_length_prefixed(&body, &extensions) ||
      !tls1_check_duplicate_extensions(&extensions) ||
      CBS_len(&body) != 0) {
    return 0;
  }
  out->extensions = CBS_data(&extensions);
  out->extensions_len = CBS_len(&extensions);
  return 1;
}
/* ssl_client_hello_get_extension scans the extensions of |client_hello| for one
 * with type |extension_type|. If found, it sets |*out| to the extension body
 * (excluding the type and length bytes) and returns one. It returns zero if
 * the extension is absent or the extensions block is malformed. */
int ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
                                   CBS *out, uint16_t extension_type) {
  CBS remaining;
  CBS_init(&remaining, client_hello->extensions, client_hello->extensions_len);

  for (;;) {
    if (CBS_len(&remaining) == 0) {
      /* Exhausted without a match. */
      return 0;
    }

    uint16_t type;
    CBS body;
    if (!CBS_get_u16(&remaining, &type) ||
        !CBS_get_u16_length_prefixed(&remaining, &body)) {
      return 0;
    }

    if (type == extension_type) {
      *out = body;
      return 1;
    }
  }
}
/* SSL_early_callback_ctx_extension_get is the public wrapper around
 * |ssl_client_hello_get_extension|. On success it returns one and sets
 * |*out_data| and |*out_len| to the extension body; otherwise it returns zero
 * and leaves the outputs untouched. */
int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
                                         uint16_t extension_type,
                                         const uint8_t **out_data,
                                         size_t *out_len) {
  CBS body;
  const int found =
      ssl_client_hello_get_extension(client_hello, &body, extension_type);
  if (found) {
    *out_data = CBS_data(&body);
    *out_len = CBS_len(&body);
  }
  return found;
}
/* kDefaultGroups is the supported-group list used when none has been
 * configured on the |SSL| (see |tls1_get_grouplist|). When the server-
 * preference option is set, |tls1_get_shared_group| walks it in this order. */
static const uint16_t kDefaultGroups[] = {
    SSL_CURVE_X25519,
    SSL_CURVE_SECP256R1,
    SSL_CURVE_SECP384R1,
};
/* tls1_get_grouplist sets |*out_group_ids| and |*out_group_ids_len| to the
 * supported-group list configured on |ssl|, or to |kDefaultGroups| when none
 * has been configured. The returned pointer is borrowed, not owned. */
void tls1_get_grouplist(SSL *ssl, const uint16_t **out_group_ids,
                        size_t *out_group_ids_len) {
  const uint16_t *configured = ssl->supported_group_list;
  if (configured != NULL) {
    *out_group_ids = configured;
    *out_group_ids_len = ssl->supported_group_list_len;
    return;
  }

  /* Nothing configured: fall back to the built-in defaults. */
  *out_group_ids = kDefaultGroups;
  *out_group_ids_len = OPENSSL_ARRAY_SIZE(kDefaultGroups);
}
/* tls1_get_shared_group selects, on the server, a group present in both our
 * supported-group list and the peer's. One list is treated as the preference
 * order (ours if |SSL_OP_CIPHER_SERVER_PREFERENCE| is set, otherwise the
 * peer's) and the first of its entries that also appears in the other list is
 * chosen. It returns one and sets |*out_group_id| on success, or zero if the
 * lists have no group in common. */
int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
  SSL *const ssl = hs->ssl;
  assert(ssl->server);

  const uint16_t *ours;
  size_t ours_len;
  tls1_get_grouplist(ssl, &ours, &ours_len);

  /* Clients are not required to send a supported_groups extension. In that
   * case the server is free to pick any group it likes (RFC 4492, section 4,
   * paragraph 3). However, in the interests of compatibility, we skip ECDH
   * when the client did not send the extension because we cannot be sure it
   * supports our favoured group. Thus an empty |peer_supported_group_list| is
   * not special-cased: it simply yields no shared group. */
  const int server_pref =
      (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0;
  const uint16_t *pref = server_pref ? ours : hs->peer_supported_group_list;
  size_t pref_len =
      server_pref ? ours_len : hs->peer_supported_group_list_len;
  const uint16_t *supp = server_pref ? hs->peer_supported_group_list : ours;
  size_t supp_len =
      server_pref ? hs->peer_supported_group_list_len : ours_len;

  for (size_t i = 0; i < pref_len; i++) {
    const uint16_t candidate = pref[i];
    for (size_t j = 0; j < supp_len; j++) {
      if (supp[j] == candidate) {
        *out_group_id = candidate;
        return 1;
      }
    }
  }

  return 0;
}
/* tls1_set_curves converts the |ncurves| NIDs in |curves| to group IDs and
 * installs the result in |*out_group_ids| and |*out_group_ids_len|, freeing any
 * list previously held there. It returns one on success. On failure (an
 * unrecognised NID or an allocation failure) it returns zero and leaves the
 * outputs unchanged. */
int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len,
                    const int *curves, size_t ncurves) {
  uint16_t *ids = OPENSSL_malloc(ncurves * sizeof(uint16_t));
  if (ids == NULL) {
    return 0;
  }

  size_t converted = 0;
  while (converted < ncurves &&
         ssl_nid_to_group_id(&ids[converted], curves[converted])) {
    converted++;
  }
  if (converted != ncurves) {
    /* A NID was not recognised; release the partial list. */
    OPENSSL_free(ids);
    return 0;
  }

  /* Replace the caller's list only once conversion has fully succeeded. */
  OPENSSL_free(*out_group_ids);
  *out_group_ids = ids;
  *out_group_ids_len = ncurves;
  return 1;
}
/* tls1_set_curves_list parses |curves|, a colon-separated list of group names,
 * and installs the corresponding group IDs in |*out_group_ids| and
 * |*out_group_ids_len|, freeing any list previously held there. It returns one
 * on success and zero on an unrecognised name or an allocation failure, in
 * which case the outputs are left unchanged. */
int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
                         const char *curves) {
  uint16_t *ids = NULL;
  size_t count = 0;
  const char *name = curves;

  for (;;) {
    /* Each element runs up to the next ':' or to the end of the string. */
    const char *sep = strchr(name, ':');
    const size_t name_len =
        (sep != NULL) ? (size_t)(sep - name) : strlen(name);

    uint16_t id;
    if (!ssl_name_to_group_id(&id, name, name_len)) {
      goto err;
    }

    /* Grow the list by one element. |ids| stays valid if realloc fails. */
    uint16_t *grown = OPENSSL_realloc(ids, (count + 1) * sizeof(uint16_t));
    if (grown == NULL) {
      goto err;
    }
    ids = grown;
    ids[count] = id;
    count++;

    if (sep == NULL) {
      break;
    }
    name = sep + 1;
  }

  OPENSSL_free(*out_group_ids);
  *out_group_ids = ids;
  *out_group_ids_len = count;
  return 1;

err:
  OPENSSL_free(ids);
  return 0;
}
/* tls1_check_group_id returns one if |group_id| appears in the supported-group
 * list for |ssl| (configured or default) and zero otherwise. */
int tls1_check_group_id(SSL *ssl, uint16_t group_id) {
  const uint16_t *list;
  size_t list_len;
  tls1_get_grouplist(ssl, &list, &list_len);

  const uint16_t *const end = list + list_len;
  for (const uint16_t *p = list; p != end; p++) {
    if (*p == group_id) {
      return 1;
    }
  }

  return 0;
}
/* kVerifySignatureAlgorithms is the default list of accepted signature
* algorithms for verifying.
*
* For now, RSA-PSS signature algorithms are not enabled on Android's system
* BoringSSL. Once the change in Chrome has stuck and the values are finalized,
* restore them. */
/* Within this file only membership in this list is tested (see
 * |tls12_check_peer_sigalg|); the ordering comments below describe intent and
 * may matter to callers elsewhere. Note that, unlike |kSignSignatureAlgorithms|,
 * this list has no ECDSA-with-SHA-1 entry, so such peer signatures are
 * rejected. */
static const uint16_t kVerifySignatureAlgorithms[] = {
    /* Prefer SHA-256 algorithms. */
    SSL_SIGN_ECDSA_SECP256R1_SHA256,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
    SSL_SIGN_RSA_PSS_SHA256,
#endif
    SSL_SIGN_RSA_PKCS1_SHA256,

    /* Larger hashes are acceptable. */
    SSL_SIGN_ECDSA_SECP384R1_SHA384,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
    SSL_SIGN_RSA_PSS_SHA384,
#endif
    SSL_SIGN_RSA_PKCS1_SHA384,

    /* TODO(davidben): Remove this. P-521 is accepted on Android system builds
     * only. */
#if defined(BORINGSSL_ANDROID_SYSTEM)
    SSL_SIGN_ECDSA_SECP521R1_SHA512,
#endif
#if !defined(BORINGSSL_ANDROID_SYSTEM)
    SSL_SIGN_RSA_PSS_SHA512,
#endif
    SSL_SIGN_RSA_PKCS1_SHA512,

    /* For now, SHA-1 is still accepted but least preferable. Only the RSA
     * PKCS#1 form is listed here. */
    SSL_SIGN_RSA_PKCS1_SHA1,
};
/* kSignSignatureAlgorithms is the default list of supported signature
* algorithms for signing.
*
* For now, RSA-PSS signature algorithms are not enabled on Android's system
* BoringSSL. Once the change in Chrome has stuck and the values are finalized,
* restore them. */
/* Entries are listed from most to least preferred. Unlike
 * |kVerifySignatureAlgorithms|, the P-521 entry here is unconditional and an
 * ECDSA-with-SHA-1 entry is present as a last resort. */
static const uint16_t kSignSignatureAlgorithms[] = {
    /* Prefer SHA-256 algorithms. */
    SSL_SIGN_ECDSA_SECP256R1_SHA256,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
    SSL_SIGN_RSA_PSS_SHA256,
#endif
    SSL_SIGN_RSA_PKCS1_SHA256,

    /* If needed, sign larger hashes.
     *
     * TODO(davidben): Determine which of these may be pruned. */
    SSL_SIGN_ECDSA_SECP384R1_SHA384,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
    SSL_SIGN_RSA_PSS_SHA384,
#endif
    SSL_SIGN_RSA_PKCS1_SHA384,

    SSL_SIGN_ECDSA_SECP521R1_SHA512,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
    SSL_SIGN_RSA_PSS_SHA512,
#endif
    SSL_SIGN_RSA_PKCS1_SHA512,

    /* If the peer supports nothing else, sign with SHA-1. */
    SSL_SIGN_ECDSA_SHA1,
    SSL_SIGN_RSA_PKCS1_SHA1,
};
/* tls12_get_verify_sigalgs sets |*out| to the list of signature algorithms
 * accepted when verifying the peer's signatures and returns the list's length.
 * |ssl| is not consulted: the same list is used for every connection. */
size_t tls12_get_verify_sigalgs(const SSL *ssl, const uint16_t **out) {
  (void)ssl;
  const uint16_t *const list = kVerifySignatureAlgorithms;
  *out = list;
  return OPENSSL_ARRAY_SIZE(kVerifySignatureAlgorithms);
}
/* tls12_check_peer_sigalg returns one if |sigalg| is an accepted signature
 * algorithm for verifying the peer's signatures. Otherwise it queues
 * |SSL_R_WRONG_SIGNATURE_TYPE|, sets |*out_alert| to illegal_parameter and
 * returns zero. */
int tls12_check_peer_sigalg(SSL *ssl, int *out_alert, uint16_t sigalg) {
  const uint16_t *accepted;
  const size_t num_accepted = tls12_get_verify_sigalgs(ssl, &accepted);

  size_t i = 0;
  while (i < num_accepted && accepted[i] != sigalg) {
    i++;
  }
  if (i < num_accepted) {
    return 1;
  }

  OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
  *out_alert = SSL_AD_ILLEGAL_PARAMETER;
  return 0;
}
/* tls_extension represents a TLS extension that is handled internally. The
* |init| function is called for each handshake, before any other functions of
* the extension. Then the add and parse callbacks are called as needed.
*
* The parse callbacks receive a |CBS| that contains the contents of the
* extension (i.e. not including the type and length bytes). If an extension is
* not received then the parse callbacks will be called with a NULL CBS so that
* they can do any processing needed to handle the absence of an extension.
*
* The add callbacks receive a |CBB| to which the extension can be appended but
* the function is responsible for appending the type and length bytes too.
*
* All callbacks return one for success and zero for error. If a parse function
* returns zero then a fatal alert with value |*out_alert| will be sent. If
* |*out_alert| isn't set, then a |decode_error| alert will be sent. */
struct tls_extension {
  /* value is the extension's type code as carried on the wire. */
  uint16_t value;
  /* init is called once per handshake before any other callback. */
  void (*init)(SSL_HANDSHAKE *hs);

  /* add_clienthello appends the extension, including its type and length
   * bytes, to |out| when acting as a client. */
  int (*add_clienthello)(SSL_HANDSHAKE *hs, CBB *out);
  /* parse_serverhello processes the extension body from the ServerHello, or a
   * NULL |contents| if the server did not send it. */
  int (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                           CBS *contents);

  /* parse_clienthello processes the extension body from the ClientHello, or a
   * NULL |contents| if the client did not send it. */
  int (*parse_clienthello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                           CBS *contents);
  /* add_serverhello appends the extension, including its type and length
   * bytes, to |out| when acting as a server. */
  int (*add_serverhello)(SSL_HANDSHAKE *hs, CBB *out);
};
/* forbid_parse_serverhello is a |parse_serverhello| callback for extensions a
 * server is not permitted to send. It succeeds only when the extension is
 * absent; otherwise it sets an unsupported_extension alert, queues an error
 * and fails. */
static int forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                    CBS *contents) {
  (void)hs;
  if (contents == NULL) {
    return 1;
  }

  /* Servers MUST NOT send this extension. */
  *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
  OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
  return 0;
}
/* ignore_parse_clienthello is a |parse_clienthello| callback for extensions
 * whose ClientHello form is handled elsewhere. It accepts any |contents|,
 * including NULL, without inspecting them. */
static int ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                    CBS *contents) {
  (void)hs;
  (void)out_alert;
  (void)contents;
  return 1;
}
/* dont_add_serverhello is an |add_serverhello| callback for extensions that are
 * never echoed in the ServerHello. It appends nothing to |out| and succeeds. */
static int dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  (void)hs;
  (void)out;
  return 1;
}
/* Server name indication (SNI).
*
* https://tools.ietf.org/html/rfc6066#section-3. */
/* ext_sni_add_clienthello appends a server_name extension carrying
 * |ssl->tlsext_hostname| as a single host_name entry, or appends nothing when
 * no hostname is configured. It returns one on success and zero if any |CBB|
 * operation fails. */
static int ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  const char *const hostname = hs->ssl->tlsext_hostname;
  if (hostname == NULL) {
    return 1;
  }

  /* Layout: extension type, u16-length body, u16-length ServerNameList,
   * one entry of NameType host_name with a u16-length HostName. */
  CBB contents, server_name_list, name;
  const int ok =
      CBB_add_u16(out, TLSEXT_TYPE_server_name) &&
      CBB_add_u16_length_prefixed(out, &contents) &&
      CBB_add_u16_length_prefixed(&contents, &server_name_list) &&
      CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) &&
      CBB_add_u16_length_prefixed(&server_name_list, &name) &&
      CBB_add_bytes(&name, (const uint8_t *)hostname, strlen(hostname)) &&
      CBB_flush(out);
  return ok;
}
/* ext_sni_parse_serverhello handles the server's acknowledgement of the
 * server_name extension, which must be empty. When |ssl->session| is unset it
 * stores a copy of the hostname in the new session. It returns one on success
 * and zero on a malformed extension or allocation failure. */
static int ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                     CBS *contents) {
  SSL *const ssl = hs->ssl;
  if (contents == NULL) {
    return 1;
  }

  /* The acknowledgement carries no data. */
  if (CBS_len(contents) != 0) {
    return 0;
  }

  /* The extension is only offered when a hostname is configured, so an
   * acknowledgement without one is a logic error. */
  assert(ssl->tlsext_hostname != NULL);

  /* If a session is already attached (presumably a resumption) its hostname
   * is left alone. */
  if (ssl->session != NULL) {
    return 1;
  }

  OPENSSL_free(ssl->s3->new_session->tlsext_hostname);
  ssl->s3->new_session->tlsext_hostname = BUF_strdup(ssl->tlsext_hostname);
  if (ssl->s3->new_session->tlsext_hostname == NULL) {
    *out_alert = SSL_AD_INTERNAL_ERROR;
    return 0;
  }

  return 1;
}
/* ext_sni_parse_clienthello parses the client's server_name extension. It
 * accepts exactly one host_name entry, copies the name into |hs->hostname| and
 * marks the extension for acknowledgement. An absent extension is accepted. A
 * malformed one fails with the default decode_error alert; a name that is
 * empty, too long, NUL-containing or of another type fails with
 * unrecognized_name. */
static int ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                     CBS *contents) {
  if (contents == NULL) {
    return 1;
  }

  /* Although the server_name extension was intended to be extensible to new
   * name types and multiple names, OpenSSL 1.0.x had a bug which meant
   * different name types will cause an error. Further, RFC 4366 originally
   * defined syntax inextensibly. RFC 6066 corrected this mistake, but adding
   * new name types is no longer feasible. Act as if the extensibility does
   * not exist to simplify parsing: exactly one entry and nothing trailing. */
  CBS server_name_list;
  if (!CBS_get_u16_length_prefixed(contents, &server_name_list)) {
    return 0;
  }
  uint8_t name_type;
  CBS host_name;
  if (!CBS_get_u8(&server_name_list, &name_type) ||
      !CBS_get_u16_length_prefixed(&server_name_list, &host_name)) {
    return 0;
  }
  if (CBS_len(&server_name_list) != 0 || CBS_len(contents) != 0) {
    return 0;
  }

  /* Only host_name is understood. The name must be non-empty, no longer than
   * |TLSEXT_MAXLEN_host_name| and free of NUL bytes, since it is stored as a
   * C string below. */
  const size_t host_name_len = CBS_len(&host_name);
  if (name_type != TLSEXT_NAMETYPE_host_name ||
      host_name_len == 0 ||
      host_name_len > TLSEXT_MAXLEN_host_name ||
      CBS_contains_zero_byte(&host_name)) {
    *out_alert = SSL_AD_UNRECOGNIZED_NAME;
    return 0;
  }

  /* Copy the hostname as a NUL-terminated string. */
  if (!CBS_strdup(&host_name, &hs->hostname)) {
    *out_alert = SSL_AD_INTERNAL_ERROR;
    return 0;
  }

  hs->should_ack_sni = 1;
  return 1;
}
/* ext_sni_add_serverhello acknowledges the client's server_name extension with
 * an empty extension body. Nothing is appended when the session was resumed or
 * when |hs->should_ack_sni| is not set. It returns one on success and zero on
 * a |CBB| failure. */
static int ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  const int ack = !hs->ssl->s3->session_reused && hs->should_ack_sni;
  if (!ack) {
    return 1;
  }

  /* Type followed by a zero length: the acknowledgement has no body. */
  return CBB_add_u16(out, TLSEXT_TYPE_server_name) &&
         CBB_add_u16(out, 0 /* length */);
}
/* Renegotiation indication.
*
* https://tools.ietf.org/html/rfc5746 */
/* ext_ri_add_clienthello writes the renegotiation_info extension into a
 * ClientHello. The renegotiated_connection field holds the client's Finished
 * from the previous handshake, which is empty on the initial handshake.
 *
 * Returns one on success, including when the extension is intentionally
 * omitted because only TLS 1.3 can be negotiated, and zero if the version
 * range cannot be determined or |out| cannot be written. */
static int ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  uint16_t min_version, max_version;
  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
    return 0;
  }

  /* TLS 1.3 removed renegotiation, so a TLS-1.3-only client has nothing to
   * indicate. */
  if (min_version >= TLS1_3_VERSION) {
    return 1;
  }

  /* The saved client Finished is non-empty exactly when an initial handshake
   * has completed. */
  const uint8_t *const client_verify = ssl->s3->previous_client_finished;
  const size_t client_verify_len = ssl->s3->previous_client_finished_len;
  assert(ssl->s3->initial_handshake_complete == (client_verify_len != 0));

  CBB body, verify_data;
  return CBB_add_u16(out, TLSEXT_TYPE_renegotiate) &&
         CBB_add_u16_length_prefixed(out, &body) &&
         CBB_add_u8_length_prefixed(&body, &verify_data) &&
         CBB_add_bytes(&verify_data, client_verify, client_verify_len) &&
         CBB_flush(out);
}
/* ext_ri_parse_serverhello processes the renegotiation_info extension in a
 * ServerHello (RFC 5746, section 3.5). On the initial handshake the
 * renegotiated_connection field must be empty; on a renegotiation it must be
 * the client's Finished followed by the server's Finished from the previous
 * handshake, and the server must be consistent about whether it sends the
 * extension at all. |contents| is NULL when the server omitted it.
 *
 * Returns one on success. Returns zero on failure and sets |*out_alert| for
 * every rejection except the TLS 1.3 one, which leaves the caller's default
 * alert in place. */
static int ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                    CBS *contents) {
  SSL *const ssl = hs->ssl;
  const int present = contents != NULL;

  /* TLS 1.3 has no renegotiation, so the extension must not appear. */
  if (present && ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
    return 0;
  }

  /* Once the server has shown whether it supports RI, it may not change its
   * mind on a later handshake (RFC 5746, sections 3.5 and 4.2). */
  if (ssl->s3->initial_handshake_complete &&
      present != ssl->s3->send_connection_binding) {
    *out_alert = SSL_AD_HANDSHAKE_FAILURE;
    OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
    return 0;
  }

  if (!present) {
    /* A strict client would insist on RI even in the initial ServerHello,
     * because during an attack the client never observes a renegotiation.
     * That would make every server without RI unreachable, so, like OpenSSL
     * with |SSL_OP_LEGACY_SERVER_CONNECT| (which every client sets in
     * practice), its absence is tolerated here. */
    return 1;
  }

  const size_t client_len = ssl->s3->previous_client_finished_len;
  const size_t server_len = ssl->s3->previous_server_finished_len;
  const size_t expected_len = client_len + server_len;

  /* Sanity-check the saved Finished state: both halves are recorded
   * together, and only once the initial handshake has completed. */
  assert(!expected_len || client_len);
  assert(!expected_len || server_len);
  assert(ssl->s3->initial_handshake_complete == (client_len != 0));
  assert(ssl->s3->initial_handshake_complete == (server_len != 0));

  /* renegotiated_connection is a single u8-length-prefixed string with no
   * trailing data. */
  CBS verify_data;
  if (!CBS_get_u8_length_prefixed(contents, &verify_data) ||
      CBS_len(contents) != 0) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
    return 0;
  }

  if (CBS_len(&verify_data) != expected_len) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
    *out_alert = SSL_AD_HANDSHAKE_FAILURE;
    return 0;
  }

  /* Compare in constant time: client_verify_data first, then
   * server_verify_data. The two mismatch cases report different alerts
   * (handshake_failure, then illegal_parameter); that asymmetry is inherited
   * from OpenSSL and deliberately preserved. */
  const uint8_t *cursor = CBS_data(&verify_data);
  if (CRYPTO_memcmp(cursor, ssl->s3->previous_client_finished,
                    client_len) != 0) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
    *out_alert = SSL_AD_HANDSHAKE_FAILURE;
    return 0;
  }
  cursor += client_len;
  if (CRYPTO_memcmp(cursor, ssl->s3->previous_server_finished,
                    server_len) != 0) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
    return 0;
  }

  ssl->s3->send_connection_binding = 1;
  return 1;
}
/* ext_ri_parse_clienthello processes the renegotiation_info extension in a
 * ClientHello. This implementation never renegotiates as a server, so the
 * extension, when present, must carry an empty renegotiated_connection.
 * |contents| is NULL when the client did not send it; an absent extension is
 * tolerated and simply leaves |send_connection_binding| clear.
 *
 * Returns one on success. Returns zero on a malformed or non-empty
 * extension; |*out_alert| is set only for the non-empty case, the encoding
 * error relies on the caller's default alert. */
static int ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                    CBS *contents) {
  SSL *const ssl = hs->ssl;
  /* Server-side renegotiation is unsupported, so only the initial handshake
   * reaches this point. */
  assert(!ssl->s3->initial_handshake_complete);

  /* TLS 1.3 has no renegotiation; an absent extension is also fine. */
  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION ||
      contents == NULL) {
    return 1;
  }

  CBS verify_data;
  const int well_formed =
      CBS_get_u8_length_prefixed(contents, &verify_data) &&
      CBS_len(contents) == 0;
  if (!well_formed) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);
    return 0;
  }

  /* With no prior handshake there is nothing to bind to, so the client's
   * verify_data must be empty. */
  if (CBS_len(&verify_data) != 0) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
    *out_alert = SSL_AD_HANDSHAKE_FAILURE;
    return 0;
  }

  ssl->s3->send_connection_binding = 1;
  return 1;
}
/* ext_ri_add_serverhello writes an empty renegotiation_info extension into a
 * ServerHello. The server never renegotiates, so the field is always empty.
 *
 * Returns one on success (including the TLS 1.3 case, where nothing is
 * written) and zero if |out| cannot be written. */
static int ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  /* Server-side renegotiation is unsupported, so only the initial handshake
   * reaches this point. */
  assert(!ssl->s3->initial_handshake_complete);

  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
    return 1;
  }

  /* Wire form: extension type, u16 length of 1, then a zero-length u8
   * renegotiated_connection. */
  return CBB_add_u16(out, TLSEXT_TYPE_renegotiate) &&
         CBB_add_u16(out, 1 /* length */) &&
         CBB_add_u8(out, 0 /* empty renegotiation info */);
}
/* Extended Master Secret (RFC 7627).
 *
 * Only negotiated for TLS 1.0 through TLS 1.2: the handlers below never
 * offer or accept it for SSL 3.0 or TLS 1.3.
 *
 * https://tools.ietf.org/html/rfc7627 */
/* ext_ems_add_clienthello offers the extended_master_secret extension in a
 * ClientHello whenever some version between TLS 1.0 and TLS 1.2 may be
 * negotiated. The extension has no payload.
 *
 * Returns one on success (including when the extension is omitted) and zero
 * if the version range cannot be determined or |out| cannot be written. */
static int ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  uint16_t min_version, max_version;
  if (!ssl_get_version_range(hs->ssl, &min_version, &max_version)) {
    return 0;
  }

  /* TLS 1.3 does not use EMS and SSL 3.0 predates it. */
  const int ems_applicable =
      min_version < TLS1_3_VERSION && max_version > SSL3_VERSION;
  if (!ems_applicable) {
    return 1;
  }

  return CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) &&
         CBB_add_u16(out, 0 /* length */);
}
/* ext_ems_parse_serverhello processes the extended_master_secret extension
 * in a ServerHello. |contents| is NULL when the server omitted it. On a
 * renegotiation the server must repeat its original decision; on the initial
 * handshake an empty extension enables EMS for versions that support it.
 *
 * Returns one on success. Returns zero on failure; |*out_alert| is set only
 * for the renegotiation mismatch, the other rejections use the caller's
 * default alert. */
static int ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                     CBS *contents) {
  SSL *const ssl = hs->ssl;
  const int present = contents != NULL;

  /* Whether EMS is in use may not change across a renegotiation. */
  if (ssl->s3->initial_handshake_complete) {
    if (present == ssl->s3->tmp.extended_master_secret) {
      return 1;
    }
    OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH);
    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
    return 0;
  }

  if (!present) {
    return 1;
  }

  /* EMS is not defined for TLS 1.3 or SSL 3.0, and the extension body must be
   * empty. */
  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION ||
      ssl->version == SSL3_VERSION ||
      CBS_len(contents) != 0) {
    return 0;
  }

  ssl->s3->tmp.extended_master_secret = 1;
  return 1;
}
/* ext_ems_parse_clienthello processes the extended_master_secret extension
 * in a ClientHello. |contents| is NULL when the client omitted it. The
 * extension is ignored for TLS 1.3 and SSL 3.0; otherwise an empty body
 * enables EMS for this handshake.
 *
 * Returns one on success and zero if the extension body is non-empty
 * (|*out_alert| is left to the caller's default). */
static int ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                     CBS *contents) {
  SSL *const ssl = hs->ssl;
  const uint16_t version = ssl3_protocol_version(ssl);
  const int ems_applicable =
      version < TLS1_3_VERSION && version != SSL3_VERSION;
  if (!ems_applicable || contents == NULL) {
    return 1;
  }

  if (CBS_len(contents) != 0) {
    return 0;
  }

  ssl->s3->tmp.extended_master_secret = 1;
  return 1;
}
/* ext_ems_add_serverhello echoes an empty extended_master_secret extension in
 * the ServerHello when EMS was enabled while parsing the ClientHello.
 *
 * Returns one on success (including when nothing is written) and zero if
 * |out| cannot be written. */
static int ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  if (!hs->ssl->s3->tmp.extended_master_secret) {
    return 1;
  }

  return CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) &&
         CBB_add_u16(out, 0 /* length */);
}
/* Session tickets (RFC 5077).
 *
 * Covers the pre-TLS-1.3 session_ticket extension only; TLS 1.3 resumes
 * through a different extension, so the handlers below skip it there.
 *
 * https://tools.ietf.org/html/rfc5077 */
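/* ext_ticket_add_clienthello writes the session_ticket extension into a
 * ClientHello. The body is the ticket of the session being resumed, or empty
 * when there is none (no session, a TLS 1.3 session, or a renegotiation).
 * Nothing is written when only TLS 1.3 can be negotiated or tickets are
 * disabled with |SSL_OP_NO_TICKET|.
 *
 * Returns one on success (including the omitted case) and zero if the
 * version range cannot be determined or |out| cannot be written. */
static int ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  uint16_t min_version, max_version;
  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
    return 0;
  }

  /* TLS 1.3 uses a different ticket extension. */
  if (min_version >= TLS1_3_VERSION ||
      (SSL_get_options(ssl) & SSL_OP_NO_TICKET)) {
    return 1;
  }

  /* Keep the ticket length as size_t throughout rather than bouncing through
   * int: the session stores a size_t and CBB_add_bytes consumes one. */
  const uint8_t *ticket_data = NULL;
  size_t ticket_len = 0;

  /* Renegotiation does not participate in session resumption. However, still
   * advertise the extension to avoid potentially breaking servers which carry
   * over the state from the previous handshake, such as OpenSSL servers
   * without upstream's 3c3f0259238594d77264a78944d409f2127642c4. */
  uint16_t session_version;
  if (!ssl->s3->initial_handshake_complete &&
      ssl->session != NULL &&
      ssl->session->tlsext_tick != NULL &&
      /* Don't send TLS 1.3 session tickets in the ticket extension. */
      ssl->method->version_from_wire(&session_version,
                                     ssl->session->ssl_version) &&
      session_version < TLS1_3_VERSION) {
    ticket_data = ssl->session->tlsext_tick;
    ticket_len = ssl->session->tlsext_ticklen;
  }

  CBB ticket;
  if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
      !CBB_add_u16_length_prefixed(out, &ticket) ||
      !CBB_add_bytes(&ticket, ticket_data, ticket_len) ||
      !CBB_flush(out)) {
    return 0;
  }

  return 1;
}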
/* ext_ticket_parse_serverhello processes the session_ticket extension in a
 * ServerHello. |contents| is NULL when the server omitted it. A present,
 * empty extension means a NewSessionTicket message will follow.
 *
 * Returns one on success and zero if the extension appears under TLS 1.3 or
 * carries a non-empty body (|*out_alert| is left to the caller's default). */
static int ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                        CBS *contents) {
  SSL *const ssl = hs->ssl;
  if (contents == NULL) {
    return 1;
  }

  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
    return 0;
  }

  /* With |SSL_OP_NO_TICKET| the client never offers the extension, so the
   * server's reply is discarded before reaching this parser. */
  assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);

  if (CBS_len(contents) != 0) {
    return 0;
  }

  hs->ticket_expected = 1;
  return 1;
}
/* ext_ticket_add_serverhello writes an empty session_ticket extension into
 * the ServerHello when a NewSessionTicket is going to be sent.
 *
 * Returns one on success (including when nothing is written) and zero if
 * |out| cannot be written. */
static int ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  if (!hs->ticket_expected) {
    return 1;
  }

  /* |ticket_expected| is never set while |SSL_OP_NO_TICKET| is in effect. */
  assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0);

  return CBB_add_u16(out, TLSEXT_TYPE_session_ticket) &&
         CBB_add_u16(out, 0 /* length */);
}
/* Signature Algorithms (RFC 5246, section 7.4.1.4.1).
 *
 * Only offered when TLS 1.2 or later may be negotiated, since earlier
 * versions fix the signature algorithm by cipher suite.
 *
 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
/* ext_sigalgs_add_clienthello writes the signature_algorithms extension into
 * a ClientHello, listing the algorithms from |tls12_get_verify_sigalgs|.
 * Nothing is written when TLS 1.2 cannot be negotiated.
 *
 * Returns one on success (including the omitted case) and zero if the
 * version range cannot be determined or |out| cannot be written. */
static int ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  uint16_t min_version, max_version;
  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
    return 0;
  }

  /* The extension only exists from TLS 1.2 onwards. */
  if (max_version < TLS1_2_VERSION) {
    return 1;
  }

  const uint16_t *sigalgs;
  const size_t num_sigalgs = tls12_get_verify_sigalgs(ssl, &sigalgs);

  CBB body, list;
  if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
      !CBB_add_u16_length_prefixed(out, &body) ||
      !CBB_add_u16_length_prefixed(&body, &list)) {
    return 0;
  }

  size_t i;
  for (i = 0; i < num_sigalgs; i++) {
    if (!CBB_add_u16(&list, sigalgs[i])) {
      return 0;
    }
  }

  return CBB_flush(out);
}
/* ext_sigalgs_parse_clienthello processes the signature_algorithms extension
 * in a ClientHello, replacing any previously stored peer list. |contents| is
 * NULL when the client omitted it, which leaves the list empty.
 *
 * Returns one on success and zero if the extension is malformed, empty, or
 * rejected by |tls1_parse_peer_sigalgs| (|*out_alert| is left to the caller's
 * default). */
static int ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                         CBS *contents) {
  /* Drop any earlier list first so a failed parse never leaves stale data. */
  OPENSSL_free(hs->peer_sigalgs);
  hs->peer_sigalgs = NULL;
  hs->num_peer_sigalgs = 0;

  if (contents == NULL) {
    return 1;
  }

  CBS list;
  const int ok = CBS_get_u16_length_prefixed(contents, &list) &&
                 CBS_len(contents) == 0 &&
                 CBS_len(&list) != 0 &&
                 tls1_parse_peer_sigalgs(hs, &list);
  return ok ? 1 : 0;
}
/* OCSP Stapling (RFC 6066, section 8).
 *
 * The client requests a stapled response with status_request; the server
 * acknowledges with an empty status_request and sends the response in a
 * CertificateStatus message.
 *
 * https://tools.ietf.org/html/rfc6066#section-8 */
/* ext_ocsp_add_clienthello writes a status_request extension asking for an
 * OCSP response with an empty responder ID list and no request extensions.
 * Nothing is written unless OCSP stapling was enabled on |ssl|.
 *
 * Returns one on success (including the omitted case) and zero if |out|
 * cannot be written. */
static int ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  if (!ssl->ocsp_stapling_enabled) {
    return 1;
  }

  /* CertificateStatusRequest: status_type, responder_id_list<>,
   * request_extensions<>. */
  CBB body;
  return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
         CBB_add_u16_length_prefixed(out, &body) &&
         CBB_add_u8(&body, TLSEXT_STATUSTYPE_ocsp) &&
         CBB_add_u16(&body, 0 /* empty responder ID list */) &&
         CBB_add_u16(&body, 0 /* empty request extensions */) &&
         CBB_flush(out);
}
/* ext_ocsp_parse_serverhello processes the status_request extension in a
 * ServerHello. |contents| is NULL when the server omitted it. A present,
 * empty extension on a certificate-authenticated cipher means a
 * CertificateStatus message will follow.
 *
 * Returns one on success and zero if the extension appears under TLS 1.3,
 * carries a body, or the negotiated cipher does not use certificates
 * (|*out_alert| is left to the caller's default). */
static int ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                      CBS *contents) {
  SSL *const ssl = hs->ssl;
  if (contents == NULL) {
    return 1;
  }

  /* In TLS 1.3 the OCSP response travels in the Certificate extensions. */
  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
    return 0;
  }

  /* Stapling only makes sense when a certificate is being authenticated. */
  const int cipher_has_cert =
      ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher);
  if (!cipher_has_cert || CBS_len(contents) != 0) {
    return 0;
  }

  /* Resumption is deliberately not checked for TLS 1.2: sending
   * status_request on resumption makes little sense, but OpenSSL does it and
   * the specification is silent, so it is tolerated and ignored. */
  hs->certificate_status_expected = 1;
  return 1;
}
/* ext_ocsp_parse_clienthello records whether the client asked for an OCSP
 * response via status_request. |contents| is NULL when the client omitted
 * it. Only the status_type byte is examined; the responder ID list and
 * request extensions that follow are neither parsed nor validated here.
 * Whether a response is actually stapled is decided later, because the
 * correct SSL_CTX may not have been selected yet.
 *
 * Returns one on success and zero if the status_type byte is missing
 * (|*out_alert| is left to the caller's default). */
static int ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                      CBS *contents) {
  if (contents == NULL) {
    return 1;
  }

  uint8_t status_type;
  if (!CBS_get_u8(contents, &status_type)) {
    return 0;
  }

  hs->ocsp_stapling_requested = (status_type == TLSEXT_STATUSTYPE_ocsp);
  return 1;
}
/* ext_ocsp_add_serverhello writes an empty status_request extension into the
 * ServerHello and marks that a CertificateStatus message will follow. This
 * happens only when every condition holds: pre-TLS-1.3, the client asked for
 * it, a response is configured, the session is not resumed, and the cipher
 * authenticates with a certificate.
 *
 * Returns one on success (including when nothing is written) and zero if
 * |out| cannot be written. */
static int ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  const int staple =
      ssl3_protocol_version(ssl) < TLS1_3_VERSION &&
      hs->ocsp_stapling_requested &&
      ssl->ocsp_response != NULL &&
      !ssl->s3->session_reused &&
      ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher);
  if (!staple) {
    return 1;
  }

  hs->certificate_status_expected = 1;

  return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
         CBB_add_u16(out, 0 /* length */);
}
/* Next protocol negotiation (NPN).
 *
 * A pre-standard predecessor of ALPN. The handlers below never allow NPN and
 * ALPN to be negotiated on the same connection, and ALPN takes precedence.
 *
 * https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html */
/* ext_npn_add_clienthello writes an empty next_proto_neg extension into a
 * ClientHello on the initial handshake of a TLS (not DTLS) connection whose
 * context has an NPN selection callback.
 *
 * Returns one on success (including the omitted case) and zero if |out|
 * cannot be written. */
static int ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  const int offer_npn = !ssl->s3->initial_handshake_complete &&
                        ssl->ctx->next_proto_select_cb != NULL &&
                        !SSL_is_dtls(ssl);
  if (!offer_npn) {
    return 1;
  }

  return CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) &&
         CBB_add_u16(out, 0 /* length */);
}
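/* ext_npn_parse_serverhello processes the next_proto_neg extension in a
 * ServerHello. |contents| is NULL when the server omitted it. The body is a
 * list of u8-length-prefixed, non-empty protocol names; it is validated and
 * then handed, unmodified, to the context's |next_proto_select_cb|, whose
 * choice is copied into |ssl->s3->next_proto_negotiated|.
 *
 * Returns one on success. Returns zero on failure; |*out_alert| is set to
 * illegal_parameter if ALPN was already negotiated and to internal_error if
 * the callback or the copy fails, while the TLS 1.3 and malformed-list cases
 * leave the caller's default alert. */
static int ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                     CBS *contents) {
  SSL *const ssl = hs->ssl;
  if (contents == NULL) {
    return 1;
  }

  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
    return 0;
  }

  /* The ClientHello only carried NPN when all of these held, so the server
   * cannot legitimately reply with it otherwise. */
  assert(!ssl->s3->initial_handshake_complete);
  assert(!SSL_is_dtls(ssl));
  assert(ssl->ctx->next_proto_select_cb != NULL);

  /* NPN and ALPN may not be negotiated in the same connection. */
  if (ssl->s3->alpn_selected != NULL) {
    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
    OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
    return 0;
  }

  /* Remember the full body before validation consumes |contents|; the
   * callback receives these original bytes. */
  const uint8_t *const list_data = CBS_data(contents);
  const size_t list_len = CBS_len(contents);

  /* Reject malformed or empty names before any application code sees the
   * list. */
  for (;;) {
    if (CBS_len(contents) == 0) {
      break;
    }
    CBS name;
    if (!CBS_get_u8_length_prefixed(contents, &name) ||
        CBS_len(&name) == 0) {
      return 0;
    }
  }

  uint8_t *chosen;
  uint8_t chosen_len;
  const int cb_ret = ssl->ctx->next_proto_select_cb(
      ssl, &chosen, &chosen_len, list_data, list_len,
      ssl->ctx->next_proto_select_cb_arg);
  if (cb_ret != SSL_TLSEXT_ERR_OK) {
    *out_alert = SSL_AD_INTERNAL_ERROR;
    return 0;
  }

  /* Replace any previously negotiated protocol. Clear the length together
   * with the pointer so the pair never disagrees if the copy below fails. */
  OPENSSL_free(ssl->s3->next_proto_negotiated);
  ssl->s3->next_proto_negotiated = NULL;
  ssl->s3->next_proto_negotiated_len = 0;

  ssl->s3->next_proto_negotiated = BUF_memdup(chosen, chosen_len);
  if (ssl->s3->next_proto_negotiated == NULL) {
    *out_alert = SSL_AD_INTERNAL_ERROR;
    return 0;
  }

  ssl->s3->next_proto_negotiated_len = chosen_len;
  hs->next_proto_neg_seen = 1;

  return 1;
}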
/* ext_npn_parse_clienthello processes the next_proto_neg extension in a
 * ClientHello. |contents| is NULL when the client omitted it. The extension
 * must be empty; it is remembered only on the initial handshake of a TLS
 * (not DTLS) connection whose context has an advertising callback. Under
 * TLS 1.3 it is ignored entirely.
 *
 * Returns one on success and zero if the extension has a non-empty body
 * (|*out_alert| is left to the caller's default). */
static int ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                     CBS *contents) {
  SSL *const ssl = hs->ssl;
  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
    return 1;
  }

  if (contents == NULL) {
    return 1;
  }

  if (CBS_len(contents) != 0) {
    return 0;
  }

  const int npn_possible = !ssl->s3->initial_handshake_complete &&
                           ssl->ctx->next_protos_advertised_cb != NULL &&
                           !SSL_is_dtls(ssl);
  if (npn_possible) {
    hs->next_proto_neg_seen = 1;
  }

  return 1;
}
/* ext_npn_add_serverhello writes the next_proto_neg extension into a
 * ServerHello, with the protocol list supplied by the context's
 * |next_protos_advertised_cb|. Nothing is written when NPN was not seen in
 * the ClientHello (or was cleared because ALPN took precedence), or when the
 * callback declines, in which case NPN is switched off for the handshake.
 *
 * Returns one on success (including the omitted cases) and zero if |out|
 * cannot be written. */
static int ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  if (!hs->next_proto_neg_seen) {
    return 1;
  }

  const uint8_t *advertised;
  unsigned advertised_len;
  const int cb_ret = ssl->ctx->next_protos_advertised_cb(
      ssl, &advertised, &advertised_len,
      ssl->ctx->next_protos_advertised_cb_arg);
  if (cb_ret != SSL_TLSEXT_ERR_OK) {
    /* The application has nothing to advertise; drop NPN silently. */
    hs->next_proto_neg_seen = 0;
    return 1;
  }

  CBB body;
  return CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) &&
         CBB_add_u16_length_prefixed(out, &body) &&
         CBB_add_bytes(&body, advertised, advertised_len) &&
         CBB_flush(out);
}
/* Signed certificate timestamps (RFC 6962, section 3.3.1).
 *
 * Pre-TLS-1.3 delivery of Certificate Transparency SCTs through the
 * signed_certificate_timestamp extension; in TLS 1.3 they move into the
 * Certificate message's extensions.
 *
 * https://tools.ietf.org/html/rfc6962#section-3.3.1 */
/* ext_sct_add_clienthello writes an empty signed_certificate_timestamp
 * extension into a ClientHello when SCTs were requested on |ssl|.
 *
 * Returns one on success (including the omitted case) and zero if |out|
 * cannot be written. */
static int ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  if (!hs->ssl->signed_cert_timestamps_enabled) {
    return 1;
  }

  return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) &&
         CBB_add_u16(out, 0 /* length */);
}
/* ext_sct_parse_serverhello processes the signed_certificate_timestamp
 * extension in a ServerHello. |contents| is NULL when the server omitted it.
 * The body must be a well-formed SCT list; on a full handshake it is stored
 * on the new session, on resumption it is tolerated but discarded.
 *
 * Returns one on success. Returns zero with |*out_alert| set to decode_error
 * if the extension appears under TLS 1.3 or the list is malformed, and to
 * internal_error if the list cannot be stored. */
static int ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                     CBS *contents) {
  SSL *const ssl = hs->ssl;
  if (contents == NULL) {
    return 1;
  }

  /* In TLS 1.3 SCTs travel in the Certificate extensions. */
  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
    *out_alert = SSL_AD_DECODE_ERROR;
    return 0;
  }

  /* The ClientHello only carried the request when this was set. */
  assert(ssl->signed_cert_timestamps_enabled);

  if (!ssl_is_sct_list_valid(contents)) {
    *out_alert = SSL_AD_DECODE_ERROR;
    return 0;
  }

  /* A resumed session keeps its original SCTs. RFC 6962 does not forbid the
   * server from sending the extension on resumption, so it is ignored rather
   * than rejected.
   *
   * TODO(davidben): Enforce this anyway. */
  if (ssl->s3->session_reused) {
    return 1;
  }

  if (!CBS_stow(contents,
                &ssl->s3->new_session->tlsext_signed_cert_timestamp_list,
                &ssl->s3->new_session->tlsext_signed_cert_timestamp_list_length)) {
    *out_alert = SSL_AD_INTERNAL_ERROR;
    return 0;
  }

  return 1;
}
/* ext_sct_parse_clienthello records whether the client requested SCTs via an
 * empty signed_certificate_timestamp extension. |contents| is NULL when the
 * client omitted it.
 *
 * Returns one on success and zero if the extension carries a body
 * (|*out_alert| is left to the caller's default). */
static int ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                     CBS *contents) {
  if (contents == NULL) {
    return 1;
  }

  if (CBS_len(contents) != 0) {
    return 0;
  }

  hs->scts_requested = 1;
  return 1;
}
/* ext_sct_add_serverhello writes the configured SCT list into a
 * signed_certificate_timestamp extension in the ServerHello. Nothing is
 * written under TLS 1.3, on resumption, or when no list is configured.
 *
 * Returns one on success (including the omitted cases) and zero if |out|
 * cannot be written. */
static int ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  const int send_scts = ssl3_protocol_version(ssl) < TLS1_3_VERSION &&
                        !ssl->s3->session_reused &&
                        ssl->signed_cert_timestamp_list != NULL;
  if (!send_scts) {
    return 1;
  }

  const uint8_t *const sct_data =
      CRYPTO_BUFFER_data(ssl->signed_cert_timestamp_list);
  const size_t sct_len = CRYPTO_BUFFER_len(ssl->signed_cert_timestamp_list);

  CBB body;
  if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) ||
      !CBB_add_u16_length_prefixed(out, &body) ||
      !CBB_add_bytes(&body, sct_data, sct_len) ||
      !CBB_flush(out)) {
    return 0;
  }

  return 1;
}
/* Application-level Protocol Negotiation (ALPN, RFC 7301).
 *
 * The client offers a list of protocol names and the server picks exactly
 * one. ALPN takes precedence over NPN; the two are never negotiated together.
 *
 * https://tools.ietf.org/html/rfc7301 */
/* ext_alpn_add_clienthello writes the application_layer_protocol_negotiation
 * extension into a ClientHello, carrying the pre-serialised protocol list
 * from |ssl->alpn_client_proto_list|. Nothing is written when no list is
 * configured or this is a renegotiation.
 *
 * Returns one on success (including the omitted case) and zero if |out|
 * cannot be written. */
static int ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  const int offer_alpn = ssl->alpn_client_proto_list != NULL &&
                         !ssl->s3->initial_handshake_complete;
  if (!offer_alpn) {
    return 1;
  }

  CBB body, names;
  return CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) &&
         CBB_add_u16_length_prefixed(out, &body) &&
         CBB_add_u16_length_prefixed(&body, &names) &&
         CBB_add_bytes(&names, ssl->alpn_client_proto_list,
                       ssl->alpn_client_proto_list_len) &&
         CBB_flush(out);
}
/* alpn_client_offered reports whether |name| is one of the protocols in the
 * client's advertised ALPN list. Returns one if it is, zero if it is not, and
 * -1 if the stored client list itself is malformed. Plain (non-constant-time)
 * comparison is fine here: protocol names are not secret. */
static int alpn_client_offered(const SSL *ssl, const CBS *name) {
  CBS offered;
  CBS_init(&offered, ssl->alpn_client_proto_list,
           ssl->alpn_client_proto_list_len);
  while (CBS_len(&offered) > 0) {
    CBS candidate;
    if (!CBS_get_u8_length_prefixed(&offered, &candidate)) {
      return -1;
    }
    if (CBS_len(&candidate) == CBS_len(name) &&
        OPENSSL_memcmp(CBS_data(&candidate), CBS_data(name),
                       CBS_len(name)) == 0) {
      return 1;
    }
  }
  return 0;
}

/* ext_alpn_parse_serverhello processes the
 * application_layer_protocol_negotiation extension in a ServerHello.
 * |contents| is NULL when the server omitted it. The body must be a
 * ProtocolNameList holding exactly one non-empty ProtocolName, and that name
 * must be one the client advertised; it is then stored in
 * |ssl->s3->alpn_selected|.
 *
 * Returns one on success. Returns zero on failure; |*out_alert| is set to
 * illegal_parameter if NPN was already negotiated or the server picked a
 * protocol the client never offered, and to internal_error if the client's
 * own list is malformed or the selection cannot be stored. A malformed
 * server extension leaves the caller's default alert. */
static int ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                      CBS *contents) {
  SSL *const ssl = hs->ssl;
  if (contents == NULL) {
    return 1;
  }

  /* The ClientHello only carried ALPN on the initial handshake with a list
   * configured. */
  assert(!ssl->s3->initial_handshake_complete);
  assert(ssl->alpn_client_proto_list != NULL);

  /* NPN and ALPN may not be negotiated in the same connection. */
  if (hs->next_proto_neg_seen) {
    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
    OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
    return 0;
  }

  /* ProtocolNameList<u16> containing a single ProtocolName<u8>; empty names
   * and trailing data are forbidden. */
  CBS list, selected;
  const int well_formed =
      CBS_get_u16_length_prefixed(contents, &list) &&
      CBS_len(contents) == 0 &&
      CBS_get_u8_length_prefixed(&list, &selected) &&
      CBS_len(&selected) != 0 &&
      CBS_len(&list) == 0;
  if (!well_formed) {
    return 0;
  }

  /* The server may only pick something the client offered. */
  switch (alpn_client_offered(ssl, &selected)) {
    case 1:
      break;
    case 0:
      OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
      *out_alert = SSL_AD_ILLEGAL_PARAMETER;
      return 0;
    default:
      *out_alert = SSL_AD_INTERNAL_ERROR;
      return 0;
  }

  if (!CBS_stow(&selected, &ssl->s3->alpn_selected,
                &ssl->s3->alpn_selected_len)) {
    *out_alert = SSL_AD_INTERNAL_ERROR;
    return 0;
  }

  return 1;
}
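/* ssl_negotiate_alpn runs the server side of ALPN for |client_hello|. It
 * returns 1 on success (including the case where ALPN is not configured or
 * not offered, which is silently ignored) and 0 on error, in which case
 * |*out_alert| is set to the alert to send. On success with a selection, the
 * chosen protocol is stored in |ssl->s3->alpn_selected| for the ServerHello
 * path to echo. */
int ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                       const SSL_CLIENT_HELLO *client_hello) {
  SSL *const ssl = hs->ssl;
  CBS contents;
  if (ssl->ctx->alpn_select_cb == NULL ||
      !ssl_client_hello_get_extension(
          client_hello, &contents,
          TLSEXT_TYPE_application_layer_protocol_negotiation)) {
    /* Ignore ALPN if not configured or no extension was supplied. */
    return 1;
  }

  /* ALPN takes precedence over NPN. */
  hs->next_proto_neg_seen = 0;

  /* ProtocolNameList is a u16-prefixed list of u8-prefixed ProtocolNames. The
   * shortest legal list is a single one-byte name, hence the lower bound of
   * two bytes. */
  CBS protocol_name_list;
  if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
      CBS_len(&contents) != 0 ||
      CBS_len(&protocol_name_list) < 2) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
    *out_alert = SSL_AD_DECODE_ERROR;
    return 0;
  }

  /* Validate the protocol list on a copy so the untouched list can be handed
   * to the application callback afterwards. */
  CBS protocol_name_list_copy = protocol_name_list;
  while (CBS_len(&protocol_name_list_copy) > 0) {
    CBS protocol_name;
    if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
        /* Empty protocol names are forbidden. */
        CBS_len(&protocol_name) == 0) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
      *out_alert = SSL_AD_DECODE_ERROR;
      return 0;
    }
  }

  /* NOTE(review): a callback returning SSL_TLSEXT_ERR_OK with
   * |selected_len| == 0 is not rejected here, so the ServerHello could carry
   * an empty ProtocolName; confirm the callback contract forbids that. */
  const uint8_t *selected;
  uint8_t selected_len;
  if (ssl->ctx->alpn_select_cb(
          ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
          CBS_len(&protocol_name_list),
          ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) {
    /* Drop any previous selection and clear the length alongside it, so
     * |alpn_selected| and |alpn_selected_len| stay consistent even if the copy
     * below fails. */
    OPENSSL_free(ssl->s3->alpn_selected);
    ssl->s3->alpn_selected = NULL;
    ssl->s3->alpn_selected_len = 0;
    ssl->s3->alpn_selected = BUF_memdup(selected, selected_len);
    if (ssl->s3->alpn_selected == NULL) {
      *out_alert = SSL_AD_INTERNAL_ERROR;
      return 0;
    }
    ssl->s3->alpn_selected_len = selected_len;
  }

  return 1;
}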
/* ext_alpn_add_serverhello echoes the protocol stored in
 * |ssl->s3->alpn_selected| as a one-element ProtocolNameList. It writes
 * nothing when no protocol was selected. Returns 1 on success, 0 on a CBB
 * failure. */
static int ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  if (ssl->s3->alpn_selected == NULL) {
    return 1;
  }

  CBB contents, proto_list, proto;
  const int ok =
      CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) &&
      CBB_add_u16_length_prefixed(out, &contents) &&
      CBB_add_u16_length_prefixed(&contents, &proto_list) &&
      CBB_add_u8_length_prefixed(&proto_list, &proto) &&
      CBB_add_bytes(&proto, ssl->s3->alpn_selected,
                    ssl->s3->alpn_selected_len) &&
      CBB_flush(out);
  return ok;
}
/* Channel ID.
*
* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01 */
/* ext_channel_id_init resets the per-handshake Channel ID state: the
 * extension counts as not negotiated until a parse hook marks it valid. */
static void ext_channel_id_init(SSL_HANDSHAKE *hs) {
  SSL *const ssl = hs->ssl;
  ssl->s3->tlsext_channel_id_valid = 0;
}
/* ext_channel_id_add_clienthello offers the Channel ID extension (an empty
 * body) when it is enabled locally and the connection is TLS, not DTLS.
 * Returns 1 on success or when the extension is not offered, 0 on a CBB
 * failure. */
static int ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  const int offer = ssl->tlsext_channel_id_enabled && !SSL_is_dtls(ssl);
  if (offer) {
    /* Extension type followed by a zero-length body. */
    if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||
        !CBB_add_u16(out, 0 /* length */)) {
      return 0;
    }
  }
  return 1;
}
/* ext_channel_id_parse_serverhello records that the server accepted Channel
 * ID. |contents| is NULL when the server did not send the extension. Returns
 * 1 on success, 0 if the extension body is non-empty. */
static int ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,
                                            uint8_t *out_alert, CBS *contents) {
  SSL *const ssl = hs->ssl;
  if (contents == NULL) {
    return 1;
  }

  /* The extension is only ever offered on TLS with Channel ID enabled, so a
   * ServerHello echo in any other state indicates a bug in our own logic. */
  assert(!SSL_is_dtls(ssl));
  assert(ssl->tlsext_channel_id_enabled);

  /* The body must be empty. |*out_alert| is not set on this path; presumably
   * the caller supplies a default alert -- confirm. */
  const int body_empty = CBS_len(contents) == 0;
  if (!body_empty) {
    return 0;
  }

  ssl->s3->tlsext_channel_id_valid = 1;
  return 1;
}
/* ext_channel_id_parse_clienthello accepts a client's Channel ID offer when
 * the extension is enabled locally and the connection is TLS. A missing
 * extension, a disabled feature, or DTLS all leave the state untouched.
 * Returns 1 on success, 0 if the extension body is non-empty. */
static int ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
                                            uint8_t *out_alert, CBS *contents) {
  SSL *const ssl = hs->ssl;
  const int applicable = contents != NULL &&
                         ssl->tlsext_channel_id_enabled &&
                         !SSL_is_dtls(ssl);
  if (!applicable) {
    return 1;
  }

  /* The body must be empty. |*out_alert| is not set on this path; presumably
   * the caller supplies a default alert -- confirm. */
  if (CBS_len(contents) != 0) {
    return 0;
  }

  ssl->s3->tlsext_channel_id_valid = 1;
  return 1;
}
/* ext_channel_id_add_serverhello echoes the empty Channel ID extension if the
 * ClientHello hook accepted it. Returns 1 on success or when nothing is
 * written, 0 on a CBB failure. */
static int ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  if (!ssl->s3->tlsext_channel_id_valid) {
    return 1;
  }

  /* Extension type followed by a zero-length body. */
  const int ok = CBB_add_u16(out, TLSEXT_TYPE_channel_id) &&
                 CBB_add_u16(out, 0 /* length */);
  return ok;
}
/* Secure Real-time Transport Protocol (SRTP) extension.
*
* https://tools.ietf.org/html/rfc5764 */
/* ext_srtp_init clears the negotiated SRTP profile at the start of a
 * handshake; a parse hook fills it in if SRTP is agreed. */
static void ext_srtp_init(SSL_HANDSHAKE *hs) {
  SSL *const ssl = hs->ssl;
  ssl->srtp_profile = NULL;
}
/* ext_srtp_add_clienthello offers every configured SRTP protection profile.
 * The body is a u16-prefixed list of u16 profile IDs followed by a u8-prefixed
 * MKI, which we always leave empty. Nothing is written when no profiles are
 * configured. Returns 1 on success, 0 on a CBB failure. */
static int ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
  if (profiles == NULL) {
    return 1;
  }
  const size_t num_profiles = sk_SRTP_PROTECTION_PROFILE_num(profiles);
  if (num_profiles == 0) {
    return 1;
  }

  CBB contents, profile_ids;
  if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
      !CBB_add_u16_length_prefixed(out, &contents) ||
      !CBB_add_u16_length_prefixed(&contents, &profile_ids)) {
    return 0;
  }

  /* Profiles are written in configuration order. */
  for (size_t i = 0; i < num_profiles; i++) {
    const SRTP_PROTECTION_PROFILE *profile =
        sk_SRTP_PROTECTION_PROFILE_value(profiles, i);
    if (!CBB_add_u16(&profile_ids, profile->id)) {
      return 0;
    }
  }

  const int ok = CBB_add_u8(&contents, 0 /* empty use_mki value */) &&
                 CBB_flush(out);
  return ok;
}
/* ext_srtp_parse_serverhello checks the server's use_srtp response and stores
 * the agreed profile in |ssl->srtp_profile|. |contents| is NULL when the
 * server did not send the extension. Returns 1 on success, 0 on error; where
 * the error is a peer parameter error, |*out_alert| is set to
 * illegal_parameter. */
static int ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                      CBS *contents) {
  SSL *const ssl = hs->ssl;
  if (contents == NULL) {
    return 1;
  }

  /* The extension consists of a u16-prefixed profile ID list containing a
   * single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
   *
   * See https://tools.ietf.org/html/rfc5764#section-4.1.1 */
  CBS profile_ids, srtp_mki;
  uint16_t profile_id;
  const int well_formed =
      CBS_get_u16_length_prefixed(contents, &profile_ids) &&
      CBS_get_u16(&profile_ids, &profile_id) &&
      CBS_len(&profile_ids) == 0 &&
      CBS_get_u8_length_prefixed(contents, &srtp_mki) &&
      CBS_len(contents) == 0;
  if (!well_formed) {
    /* |*out_alert| is not set here; presumably the caller defaults it --
     * confirm. */
    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
    return 0;
  }

  /* Must be no MKI, since we never offer one. */
  if (CBS_len(&srtp_mki) != 0) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);
    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
    return 0;
  }

  /* Check to see if the server gave us something we support (and presumably
   * offered). */
  STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
  const size_t num_profiles = sk_SRTP_PROTECTION_PROFILE_num(profiles);
  for (size_t i = 0; i < num_profiles; i++) {
    const SRTP_PROTECTION_PROFILE *candidate =
        sk_SRTP_PROTECTION_PROFILE_value(profiles, i);
    if (candidate->id == profile_id) {
      ssl->srtp_profile = candidate;
      return 1;
    }
  }

  OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  *out_alert = SSL_AD_ILLEGAL_PARAMETER;
  return 0;
}
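/* ext_srtp_parse_clienthello selects an SRTP profile from the client's
 * use_srtp offer, preferring the server's configuration order, and stores it
 * in |ssl->srtp_profile|. |contents| is NULL when the client did not send the
 * extension. Returns 1 on success (including no overlap, which simply leaves
 * SRTP unnegotiated) and 0 if the extension is malformed. */
static int ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                      CBS *contents) {
  SSL *const ssl = hs->ssl;
  if (contents == NULL) {
    return 1;
  }

  /* The body is a u16-prefixed list of u16 profile IDs (at least one, so an
   * even length of at least two), then a u8-prefixed srtp_mki, with nothing
   * trailing. The parity check up front means a truncated final ID is
   * rejected even when the server has no profiles configured, rather than
   * only being noticed while scanning against a non-empty server list. */
  CBS profile_ids, srtp_mki;
  if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
      CBS_len(&profile_ids) < 2 ||
      CBS_len(&profile_ids) % 2 != 0 ||
      !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
      CBS_len(contents) != 0) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
    return 0;
  }
  /* Discard the MKI value for now. */

  const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =
      SSL_get_srtp_profiles(ssl);

  /* Pick the server's most preferred profile: walk the server list in order
   * and take the first entry the client also offered. */
  const size_t num_server_profiles =
      sk_SRTP_PROTECTION_PROFILE_num(server_profiles);
  for (size_t i = 0; i < num_server_profiles; i++) {
    const SRTP_PROTECTION_PROFILE *server_profile =
        sk_SRTP_PROTECTION_PROFILE_value(server_profiles, i);

    /* Rescan the client's list from the start for each server profile. */
    CBS client_ids = profile_ids;
    while (CBS_len(&client_ids) > 0) {
      uint16_t profile_id;
      if (!CBS_get_u16(&client_ids, &profile_id)) {
        /* Unreachable after the parity check above; kept as a guard. */
        OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
        return 0;
      }
      if (server_profile->id == profile_id) {
        ssl->srtp_profile = server_profile;
        return 1;
      }
    }
  }

  return 1;
}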
/* ext_srtp_add_serverhello echoes the negotiated SRTP profile as a
 * one-element profile list with an empty MKI. Nothing is written when no
 * profile was negotiated. Returns 1 on success, 0 on a CBB failure. */
static int ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  const SRTP_PROTECTION_PROFILE *profile = ssl->srtp_profile;
  if (profile == NULL) {
    return 1;
  }

  CBB contents, profile_ids;
  const int ok = CBB_add_u16(out, TLSEXT_TYPE_srtp) &&
                 CBB_add_u16_length_prefixed(out, &contents) &&
                 CBB_add_u16_length_prefixed(&contents, &profile_ids) &&
                 CBB_add_u16(&profile_ids, profile->id) &&
                 CBB_add_u8(&contents, 0 /* empty MKI */) &&
                 CBB_flush(out);
  return ok;
}
/* EC point formats.
*
* https://tools.ietf.org/html/rfc4492#section-5.1.2 */
/* ext_ec_point_add_extension writes an ec_point_formats extension whose list
 * holds only the uncompressed format, the one we advertise. It is shared by
 * the ClientHello and ServerHello paths; |hs| is not consulted. Returns 1 on
 * success, 0 on a CBB failure. */
static int ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
  CBB contents, formats;
  const int ok =
      CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) &&
      CBB_add_u16_length_prefixed(out, &contents) &&
      CBB_add_u8_length_prefixed(&contents, &formats) &&
      CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) &&
      CBB_flush(out);
  return ok;
}
/* ext_ec_point_add_clienthello offers ec_point_formats unless only TLS 1.3
 * can be negotiated. Returns 1 on success or when the extension is skipped,
 * 0 if the version range cannot be determined or on a CBB failure. */
static int ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  uint16_t min_version, max_version;
  if (!ssl_get_version_range(hs->ssl, &min_version, &max_version)) {
    return 0;
  }

  /* The point format extension is unnecessary in TLS 1.3. */
  const int tls13_only = min_version >= TLS1_3_VERSION;
  if (tls13_only) {
    return 1;
  }
  return ext_ec_point_add_extension(hs, out);
}
/* ext_ec_point_parse_serverhello validates the server's ec_point_formats
 * list. |contents| is NULL when the extension was not sent. Returns 1 on
 * success and 0 on error; |*out_alert| is set to illegal_parameter only when
 * the list omits the mandatory uncompressed format. */
static int ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                          CBS *contents) {
  if (contents == NULL) {
    return 1;
  }

  /* The extension has no place in TLS 1.3. */
  if (ssl3_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
    return 0;
  }

  CBS ec_point_format_list;
  const int well_formed =
      CBS_get_u8_length_prefixed(contents, &ec_point_format_list) &&
      CBS_len(contents) == 0;
  if (!well_formed) {
    return 0;
  }

  /* Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
   * point format, so a list without it is a peer error. */
  if (OPENSSL_memchr(CBS_data(&ec_point_format_list),
                     TLSEXT_ECPOINTFORMAT_uncompressed,
                     CBS_len(&ec_point_format_list)) == NULL) {
    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
    return 0;
  }

  return 1;
}
/* ext_ec_point_parse_clienthello ignores the client's ec_point_formats list
 * in TLS 1.3 and otherwise applies the same checks as the ServerHello path.
 * Returns 1 on success, 0 on error with |*out_alert| set as that path does. */
static int ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                          CBS *contents) {
  if (ssl3_protocol_version(hs->ssl) < TLS1_3_VERSION) {
    return ext_ec_point_parse_serverhello(hs, out_alert, contents);
  }
  return 1;
}
/* ext_ec_point_add_serverhello sends ec_point_formats only below TLS 1.3 and
 * only when the negotiated cipher uses elliptic curves (ECDHE key exchange or
 * ECDSA authentication). Returns 1 on success or when skipped, 0 on a CBB
 * failure. */
static int ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
    return 1;
  }

  const uint32_t alg_k = ssl->s3->tmp.new_cipher->algorithm_mkey;
  const uint32_t alg_a = ssl->s3->tmp.new_cipher->algorithm_auth;
  const int uses_ecdhe = (alg_k & SSL_kECDHE) != 0;
  const int uses_ecdsa = (alg_a & SSL_aECDSA) != 0;
  if (!uses_ecdhe && !uses_ecdsa) {
    return 1;
  }

  return ext_ec_point_add_extension(hs, out);
}
/* Pre Shared Key
*
* https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6 */
/* ext_pre_shared_key_clienthello_length returns the number of bytes the
 * pre_shared_key extension will occupy in the ClientHello, or 0 when the
 * extension will not be sent. The gate mirrors
 * |ext_pre_shared_key_add_clienthello|. */
static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
  SSL *const ssl = hs->ssl;
  uint16_t min_version, max_version;
  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
    return 0;
  }

  /* Only sent when TLS 1.3 may be negotiated and the cached session is itself
   * a TLS 1.3 session. */
  uint16_t session_version;
  const int offering_psk =
      max_version >= TLS1_3_VERSION && ssl->session != NULL &&
      ssl->method->version_from_wire(&session_version,
                                     ssl->session->ssl_version) &&
      session_version >= TLS1_3_VERSION;
  if (!offering_psk) {
    return 0;
  }

  /* Fixed overhead: 2 (extension type) + 2 (extension length) +
   * 2 (identities length) + 2 (ticket length) + 4 (obfuscated_ticket_age) +
   * 2 (binders length) + 1 (binder length) = 15 bytes, plus the ticket itself
   * and one binder the size of the handshake digest. */
  const EVP_MD *digest =
      ssl_get_handshake_digest(ssl->session->cipher->algorithm_prf);
  const size_t binder_len = EVP_MD_size(digest);
  return 15 + ssl->session->tlsext_ticklen + binder_len;
}
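/* ext_pre_shared_key_add_clienthello offers the cached TLS 1.3 session as a
 * single PSK identity with a zero placeholder binder, and sets
 * |hs->needs_psk_binder| so the real binder is filled in once the ClientHello
 * length is known. Nothing is written unless TLS 1.3 may be negotiated and
 * the session is itself TLS 1.3. Returns 1 on success or when skipped, 0 if
 * the version range cannot be determined or on a CBB failure. */
static int ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  uint16_t min_version, max_version;
  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
    return 0;
  }

  uint16_t session_version;
  if (max_version < TLS1_3_VERSION || ssl->session == NULL ||
      !ssl->method->version_from_wire(&session_version,
                                      ssl->session->ssl_version) ||
      session_version < TLS1_3_VERSION) {
    return 1;
  }

  /* obfuscated_ticket_age is the ticket age in milliseconds modulo 2^32, plus
   * the server-supplied ticket_age_add. Do the arithmetic in uint32_t so the
   * multiplication wraps by definition instead of overflowing a signed type
   * when time_t/long are 32 bits or the clock has gone backwards. The result
   * is identical modulo 2^32 to the signed computation. */
  struct timeval now;
  ssl_get_current_time(ssl, &now);
  const uint32_t age_seconds = (uint32_t)(now.tv_sec - ssl->session->time);
  const uint32_t ticket_age = 1000u * age_seconds;
  const uint32_t obfuscated_ticket_age =
      ticket_age + ssl->session->ticket_age_add;

  /* Fill in a placeholder zero binder of the appropriate length. It will be
   * computed and filled in later after length prefixes are computed. */
  uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
  const EVP_MD *digest =
      ssl_get_handshake_digest(ssl->session->cipher->algorithm_prf);
  const size_t binder_len = EVP_MD_size(digest);

  /* Layout: u16-prefixed identities holding one (u16-prefixed ticket,
   * u32 obfuscated_ticket_age) pair, then u16-prefixed binders holding one
   * u8-prefixed binder. */
  CBB contents, identity, ticket, binders, binder;
  if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
      !CBB_add_u16_length_prefixed(out, &contents) ||
      !CBB_add_u16_length_prefixed(&contents, &identity) ||
      !CBB_add_u16_length_prefixed(&identity, &ticket) ||
      !CBB_add_bytes(&ticket, ssl->session->tlsext_tick,
                     ssl->session->tlsext_ticklen) ||
      !CBB_add_u32(&identity, obfuscated_ticket_age) ||
      !CBB_add_u16_length_prefixed(&contents, &binders) ||
      !CBB_add_u8_length_prefixed(&binders, &binder) ||
      !CBB_add_bytes(&binder, zero_binder, binder_len)) {
    return 0;
  }

  hs->needs_psk_binder = 1;
  return CBB_flush(out);
}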
/* ssl_ext_pre_shared_key_parse_serverhello checks the server's pre_shared_key
 * response, which carries only the selected_identity index. |hs| is not
 * consulted. Returns 1 on success and 0 on error with |*out_alert| set. */
int ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
                                             uint8_t *out_alert,
                                             CBS *contents) {
  uint16_t psk_id;
  const int well_formed =
      CBS_get_u16(contents, &psk_id) && CBS_len(contents) == 0;
  if (!well_formed) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
    *out_alert = SSL_AD_DECODE_ERROR;
    return 0;
  }

  /* We only advertise one PSK identity, so the only legal index is zero. */
  if (psk_id == 0) {
    return 1;
  }

  OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
  *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY;
  return 0;
}
/* ssl_ext_pre_shared_key_parse_clienthello parses the client's
 * pre_shared_key offer. Only the first identity is processed: its ticket is
 * decrypted via |tls_process_ticket| into |*out_session|, while the remaining
 * identities and all binders are syntax-checked only. The full binder list is
 * returned in |*out_binders| so the caller can verify the binder later.
 * Returns 1 on success and 0 on error with |*out_alert| set. */
int ssl_ext_pre_shared_key_parse_clienthello(SSL_HANDSHAKE *hs,
                                             SSL_SESSION **out_session,
                                             CBS *out_binders,
                                             uint8_t *out_alert,
                                             CBS *contents) {
  SSL *const ssl = hs->ssl;

  /* We only process the first PSK identity since we don't support pure PSK.
   * Layout: u16-prefixed identities, each a u16-prefixed ticket followed by a
   * u32 obfuscated_ticket_age; then u16-prefixed binders, each u8-prefixed. */
  uint32_t obfuscated_ticket_age;
  CBS identities, ticket, binders;
  const int well_formed =
      CBS_get_u16_length_prefixed(contents, &identities) &&
      CBS_get_u16_length_prefixed(&identities, &ticket) &&
      CBS_get_u32(&identities, &obfuscated_ticket_age) &&
      CBS_get_u16_length_prefixed(contents, &binders) &&
      CBS_len(&binders) != 0 &&
      CBS_len(contents) == 0;
  if (!well_formed) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
    *out_alert = SSL_AD_DECODE_ERROR;
    return 0;
  }

  /* Hand back the untouched binder list before the local copy is consumed. */
  *out_binders = binders;

  /* Check the syntax of the remaining identities, but do not process them. */
  size_t num_identities = 1;
  for (; CBS_len(&identities) != 0; num_identities++) {
    CBS unused_ticket;
    uint32_t unused_obfuscated_ticket_age;
    if (!CBS_get_u16_length_prefixed(&identities, &unused_ticket) ||
        !CBS_get_u32(&identities, &unused_obfuscated_ticket_age)) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
      *out_alert = SSL_AD_DECODE_ERROR;
      return 0;
    }
  }

  /* Check the syntax of the binders. The value will be checked later if
   * resuming. */
  size_t num_binders = 0;
  for (; CBS_len(&binders) != 0; num_binders++) {
    CBS binder;
    if (!CBS_get_u8_length_prefixed(&binders, &binder)) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
      *out_alert = SSL_AD_DECODE_ERROR;
      return 0;
    }
  }

  /* Every identity must be paired with exactly one binder. */
  if (num_identities != num_binders) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH);
    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
    return 0;
  }

  /* TODO(svaldez): Check that the ticket_age is valid when attempting to use
   * the PSK for 0-RTT. http://crbug.com/boringssl/113 */

  /* TLS 1.3 session tickets are renewed separately as part of the
   * NewSessionTicket, so the renew flag is not used here. */
  int unused_renew;
  const int ticket_ok =
      tls_process_ticket(ssl, out_session, &unused_renew, CBS_data(&ticket),
                         CBS_len(&ticket), NULL, 0);
  if (!ticket_ok) {
    *out_alert = SSL_AD_INTERNAL_ERROR;
    return 0;
  }

  return 1;
}
/* ssl_ext_pre_shared_key_add_serverhello acknowledges the client's PSK when
 * the session was resumed, always selecting identity zero. Nothing is written
 * otherwise. Returns 1 on success, 0 on a CBB failure. */
int ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  if (!hs->ssl->s3->session_reused) {
    return 1;
  }

  /* We only consider the first identity for resumption. */
  CBB contents;
  const int ok = CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) &&
                 CBB_add_u16_length_prefixed(out, &contents) &&
                 CBB_add_u16(&contents, 0) &&
                 CBB_flush(out);
  return ok;
}
/* Pre-Shared Key Exchange Modes
*
* https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7 */
/* ext_psk_key_exchange_modes_add_clienthello advertises psk_dhe_ke as the
 * only supported PSK mode. The extension is TLS 1.3-only and is skipped when
 * 1.3 cannot be negotiated. Returns 1 on success or when skipped, 0 if the
 * version range cannot be determined or on a CBB failure. */
static int ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
                                                      CBB *out) {
  SSL *const ssl = hs->ssl;
  uint16_t min_version, max_version;
  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
    return 0;
  }

  if (max_version < TLS1_3_VERSION) {
    return 1;
  }

  CBB contents, ke_modes;
  const int ok = CBB_add_u16(out, TLSEXT_TYPE_psk_key_exchange_modes) &&
                 CBB_add_u16_length_prefixed(out, &contents) &&
                 CBB_add_u8_length_prefixed(&contents, &ke_modes) &&
                 CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE) &&
                 CBB_flush(out);
  return ok;
}
/* ext_psk_key_exchange_modes_parse_clienthello records in
 * |hs->accept_psk_mode| whether the client listed psk_dhe_ke, the only mode
 * we support for tickets. A missing extension leaves the flag untouched.
 * Returns 1 on success, 0 on a malformed body with |*out_alert| set. */
static int ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
                                                        uint8_t *out_alert,
                                                        CBS *contents) {
  if (contents == NULL) {
    return 1;
  }

  /* The body is a non-empty u8-prefixed list of mode bytes and nothing else. */
  CBS ke_modes;
  const int well_formed = CBS_get_u8_length_prefixed(contents, &ke_modes) &&
                          CBS_len(&ke_modes) != 0 &&
                          CBS_len(contents) == 0;
  if (!well_formed) {
    *out_alert = SSL_AD_DECODE_ERROR;
    return 0;
  }

  /* We only support tickets with PSK_DHE_KE. */
  const int offers_dhe_ke =
      OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE,
                     CBS_len(&ke_modes)) != NULL;
  hs->accept_psk_mode = offers_dhe_ke;

  return 1;
}
/* Early Data Indication
*
* https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8 */
/* ext_early_data_add_clienthello never sends the early_data extension: the
 * client side of 0-RTT is not implemented. |hs| and |out| are intentionally
 * unused. Always returns 1. */
static int ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  /* TODO(svaldez): Support 0RTT. */
  (void)hs;
  (void)out;
  return 1;
}
/* ext_early_data_parse_clienthello handles a client's early_data offer. The
 * extension body must be empty. Because 0-RTT is not accepted, on TLS 1.3 the
 * record layer is told to skip any early data that follows. Returns 1 on
 * success, 0 on a non-empty body with |*out_alert| set to decode_error. */
static int ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs,
                                            uint8_t *out_alert, CBS *contents) {
  SSL *const ssl = hs->ssl;
  if (contents == NULL) {
    return 1;
  }

  if (CBS_len(contents) != 0) {
    *out_alert = SSL_AD_DECODE_ERROR;
    return 0;
  }

  /* Since we don't currently accept 0-RTT, we have to skip past any early data
   * the client might have sent. The flag is only set at TLS 1.3 and above,
   * matching the version gate. */
  const int is_tls13 = ssl3_protocol_version(ssl) >= TLS1_3_VERSION;
  if (is_tls13) {
    ssl->s3->skip_early_data = 1;
  }
  return 1;
}
/* Key Share
*
* https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5 */
static int ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
uint16_t min_version, max_version;
if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
return 0;
}
if (max_version < TLS1_3_VERSION) {
return 1;
}
CBB contents, kse_bytes;
if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
!CBB_add_u16_length_prefixed(out, &contents) ||
!CBB_add_u16_length_prefixed(&contents, &kse_bytes)) {
return 0;
}
uint16_t group_id = hs->retry_group;
if (hs->received_hello_retry_request) {
/* We received a HelloRetryRequest without a new curve, so there is no new
* share to append. Leave |ecdh_ctx| as-is. */
if (group_id == 0 &&
!CBB_add_bytes(&kse_bytes, hs->key_share_bytes,
hs->key_share_bytes_len)) {
return 0;
}
OPENSSL_free(hs->key_share_bytes);
hs->key_share_bytes = NULL;
hs->key_share_bytes_len = 0;
if (group_id == 0) {
return CBB_flush(out);
}
} else {
/* Add a fake group. See draft-davidben-tls-grease-01. */
if (ssl->ctx->grease_enabled &&
(!CBB_add_u16(&kse_bytes,
ssl_get_grease_value(ssl, ssl_grease_group)) ||
!CBB_add_u16(&kse_bytes, 1 /* length */) ||
!CBB_add_u8(&kse_bytes, 0 /* one byte key share */))) {
return 0;
}
/* Predict the most preferred group. */
const uint16_t *groups;
|
|
|
|
size_t groups_len;
|
2016-10-07 05:37:55 +01:00
|
|
|
tls1_get_grouplist(ssl, &groups, &groups_len);
|
|
|
|
if (groups_len == 0) {
|
|
|
|
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED);
|
|
|
|
return 0;
|
2016-07-18 17:40:30 +01:00
|
|
|
}
|
2016-07-11 18:19:03 +01:00
|
|
|
|
|
|
|
group_id = groups[0];
|
2016-07-11 18:19:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
CBB key_exchange;
|
|
|
|
if (!CBB_add_u16(&kse_bytes, group_id) ||
|
|
|
|
!CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
|
2016-12-03 07:20:34 +00:00
|
|
|
!SSL_ECDH_CTX_init(&hs->ecdh_ctx, group_id) ||
|
|
|
|
!SSL_ECDH_CTX_offer(&hs->ecdh_ctx, &key_exchange) ||
|
|
|
|
!CBB_flush(&kse_bytes)) {
|
|
|
|
return 0;
|
2016-07-11 18:19:03 +01:00
|
|
|
}
|
|
|
|
|
2016-12-03 07:20:34 +00:00
|
|
|
if (!hs->received_hello_retry_request) {
|
2016-07-18 17:40:30 +01:00
|
|
|
/* Save the contents of the extension to repeat it in the second
|
|
|
|
* ClientHello. */
|
2016-12-03 07:20:34 +00:00
|
|
|
hs->key_share_bytes_len = CBB_len(&kse_bytes);
|
|
|
|
hs->key_share_bytes = BUF_memdup(CBB_data(&kse_bytes), CBB_len(&kse_bytes));
|
|
|
|
if (hs->key_share_bytes == NULL) {
|
2016-07-18 17:40:30 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-07-11 18:19:03 +01:00
|
|
|
return CBB_flush(out);
|
|
|
|
}
/* ssl_ext_key_share_parse_serverhello consumes the server's key_share
 * extension from |contents|. The server must answer with the group the client
 * offered in |hs->ecdh_ctx|; the exchange is then completed and the shared
 * secret returned in |*out_secret| / |*out_secret_len|. On failure it returns
 * zero with |*out_alert| set to the alert to send. On success it records the
 * group in the new session, releases |hs->ecdh_ctx| and returns one. */
int ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t **out_secret,
                                        size_t *out_secret_len,
                                        uint8_t *out_alert, CBS *contents) {
  SSL *const ssl = hs->ssl;

  /* A single KeyShareEntry: u16 group, u16-prefixed key exchange data. Any
   * trailing bytes make the extension malformed. */
  uint16_t server_group;
  if (!CBS_get_u16(contents, &server_group)) {
    *out_alert = SSL_AD_DECODE_ERROR;
    return 0;
  }
  CBS server_share;
  if (!CBS_get_u16_length_prefixed(contents, &server_share) ||
      CBS_len(contents) != 0) {
    *out_alert = SSL_AD_DECODE_ERROR;
    return 0;
  }

  /* The server may only select the group we actually offered. A different
   * group is well-formed but illegal, hence illegal_parameter. */
  if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) != server_group) {
    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
    OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
    return 0;
  }

  /* NOTE(review): |SSL_ECDH_CTX_finish| is handed |out_alert| and may set a
   * more specific alert for a bad peer key; the assignment below then replaces
   * it with internal_error. Confirm that override is intended. */
  int ok = SSL_ECDH_CTX_finish(&hs->ecdh_ctx, out_secret, out_secret_len,
                               out_alert, CBS_data(&server_share),
                               CBS_len(&server_share));
  if (!ok) {
    *out_alert = SSL_AD_INTERNAL_ERROR;
    return 0;
  }

  ssl->s3->new_session->group_id = server_group;
  SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
  return 1;
}
/* ssl_ext_key_share_parse_clienthello parses the client's key_share extension
 * from |contents|. It selects the shared group via |tls1_get_shared_group|,
 * looks for exactly one KeyShareEntry for that group, and, if present,
 * performs the server side of the exchange: the server's public key is stored
 * in |hs->public_key| / |hs->public_key_len| and the shared secret returned in
 * |*out_secret| / |*out_secret_len| (released with OPENSSL_free on error here,
 * so the caller is expected to own and free it). When no entry for the shared
 * group exists, |*out_found| is zero, the secret outputs are cleared and the
 * function still returns one. It returns zero on malformed input or failure,
 * setting |*out_alert| on the paths that choose a specific alert. */
int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, int *out_found,
                                        uint8_t **out_secret,
                                        size_t *out_secret_len,
                                        uint8_t *out_alert, CBS *contents) {
  uint16_t group_id;
  if (!tls1_get_shared_group(hs, &group_id)) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
    *out_alert = SSL_AD_HANDSHAKE_FAILURE;
    return 0;
  }

  CBS key_shares;
  if (!CBS_get_u16_length_prefixed(contents, &key_shares) ||
      CBS_len(contents) != 0) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
    return 0;
  }

  /* Find the corresponding key share. The whole list is walked even after a
   * match so that a malformed or duplicated entry is still rejected. */
  int have_share = 0;
  CBS selected_share;
  while (CBS_len(&key_shares) != 0) {
    uint16_t candidate_group;
    CBS candidate_share;
    if (!CBS_get_u16(&key_shares, &candidate_group) ||
        !CBS_get_u16_length_prefixed(&key_shares, &candidate_share)) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
      return 0;
    }
    if (candidate_group != group_id) {
      continue;
    }
    if (have_share) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_KEY_SHARE);
      *out_alert = SSL_AD_ILLEGAL_PARAMETER;
      return 0;
    }
    have_share = 1;
    selected_share = candidate_share;
    /* Continue parsing the structure to keep peers honest. */
  }

  if (!have_share) {
    *out_found = 0;
    *out_secret = NULL;
    *out_secret_len = 0;
    return 1;
  }

  /* Compute the DH secret. |exchange| is zeroed first so that cleanup is safe
   * even if |SSL_ECDH_CTX_init| never ran. */
  uint8_t *secret = NULL;
  size_t secret_len;
  SSL_ECDH_CTX exchange;
  OPENSSL_memset(&exchange, 0, sizeof(SSL_ECDH_CTX));
  CBB our_share;
  if (!CBB_init(&our_share, 32)) {
    goto err;
  }
  if (!SSL_ECDH_CTX_init(&exchange, group_id)) {
    goto err;
  }
  if (!SSL_ECDH_CTX_accept(&exchange, &our_share, &secret, &secret_len,
                           out_alert, CBS_data(&selected_share),
                           CBS_len(&selected_share))) {
    goto err;
  }
  if (!CBB_finish(&our_share, &hs->public_key, &hs->public_key_len)) {
    goto err;
  }

  SSL_ECDH_CTX_cleanup(&exchange);

  *out_secret = secret;
  *out_secret_len = secret_len;
  *out_found = 1;
  return 1;

err:
  /* NOTE(review): |SSL_ECDH_CTX_accept| also receives |out_alert|; the
   * assignment below overrides whatever it chose with illegal_parameter. */
  OPENSSL_free(secret);
  SSL_ECDH_CTX_cleanup(&exchange);
  CBB_cleanup(&our_share);
  *out_alert = SSL_AD_ILLEGAL_PARAMETER;
  return 0;
}
/* ssl_ext_key_share_add_serverhello writes the server's key_share extension to
 * |out|: the shared group followed by the public key left in
 * |hs->public_key| by the ClientHello parser. The saved public key is freed
 * once it has been written, and the group is recorded in the new session.
 * Returns one on success and zero on error. */
int ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;

  uint16_t group_id;
  if (!tls1_get_shared_group(hs, &group_id)) {
    return 0;
  }

  CBB kse_bytes, public_key;
  int ok = CBB_add_u16(out, TLSEXT_TYPE_key_share) &&
           CBB_add_u16_length_prefixed(out, &kse_bytes) &&
           CBB_add_u16(&kse_bytes, group_id) &&
           CBB_add_u16_length_prefixed(&kse_bytes, &public_key) &&
           CBB_add_bytes(&public_key, hs->public_key, hs->public_key_len) &&
           CBB_flush(out);
  if (!ok) {
    return 0;
  }

  /* The public key has been serialised; drop the handshake's copy. */
  OPENSSL_free(hs->public_key);
  hs->public_key = NULL;
  hs->public_key_len = 0;

  ssl->s3->new_session->group_id = group_id;
  return 1;
}
/* Supported Versions
 *
 * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1 */

/* ext_supported_versions_add_clienthello writes the supported_versions
 * extension to |out| when the client is willing to speak something newer than
 * TLS 1.2. Versions are listed from |max_version| down to |min_version|,
 * optionally preceded by a GREASE value. Returns one on success (including
 * when the extension is omitted) and zero on error. */
static int ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;

  uint16_t min_version, max_version;
  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
    return 0;
  }

  /* Nothing to advertise unless TLS 1.3 (or later) is on the table. */
  if (max_version <= TLS1_2_VERSION) {
    return 1;
  }

  CBB contents, versions;
  int ok = CBB_add_u16(out, TLSEXT_TYPE_supported_versions) &&
           CBB_add_u16_length_prefixed(out, &contents) &&
           CBB_add_u8_length_prefixed(&contents, &versions);
  if (!ok) {
    return 0;
  }

  /* Add a fake version. See draft-davidben-tls-grease-01. */
  if (ssl->ctx->grease_enabled) {
    const uint16_t grease_version =
        ssl_get_grease_value(ssl, ssl_grease_version);
    if (!CBB_add_u16(&versions, grease_version)) {
      return 0;
    }
  }

  /* Highest preference first. The loop counts down and relies on
   * |min_version| being reachable from |max_version|. */
  uint16_t version = max_version;
  while (version >= min_version) {
    if (!CBB_add_u16(&versions, ssl->method->version_to_wire(version))) {
      return 0;
    }
    version--;
  }

  return CBB_flush(out);
}
/* Cookie
 *
 * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2 */

/* ext_cookie_add_clienthello echoes the cookie held in |hs->cookie|, if any,
 * as a cookie extension on |out|, then frees it. Returns one on success
 * (including when there is no cookie to send) and zero on error. */
static int ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  /* Nothing to echo. */
  if (hs->cookie == NULL) {
    return 1;
  }

  CBB contents, cookie;
  int ok = CBB_add_u16(out, TLSEXT_TYPE_cookie) &&
           CBB_add_u16_length_prefixed(out, &contents) &&
           CBB_add_u16_length_prefixed(&contents, &cookie) &&
           CBB_add_bytes(&cookie, hs->cookie, hs->cookie_len) &&
           CBB_flush(out);
  if (!ok) {
    return 0;
  }

  /* The cookie is no longer needed in memory. */
  OPENSSL_free(hs->cookie);
  hs->cookie = NULL;
  hs->cookie_len = 0;
  return 1;
}
/* Short record headers
 *
 * This is a non-standard extension which negotiates
 * https://github.com/tlswg/tls13-spec/pull/762 for experimenting. */

/* ext_short_header_add_clienthello offers the empty short_header extension on
 * |out| when the experiment is enabled on the context and TLS 1.3 is within
 * the client's version range. Returns one when the extension is omitted or
 * written successfully, zero on error. */
static int ext_short_header_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;

  uint16_t min_version, max_version;
  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
    return 0;
  }

  const int offer = max_version >= TLS1_3_VERSION &&
                    ssl->ctx->short_header_enabled;
  if (!offer) {
    return 1;
  }

  /* Type, then a zero length: the extension carries no body. */
  if (!CBB_add_u16(out, TLSEXT_TYPE_short_header)) {
    return 0;
  }
  return CBB_add_u16(out, 0 /* empty extension */);
}
/* ext_short_header_parse_clienthello records that the client offered the
 * short_header extension. The offer is ignored (returning one) when the
 * extension is absent, the experiment is disabled, or the negotiated version
 * is below TLS 1.3. A non-empty body is rejected with zero; |*out_alert| is
 * left untouched on that path. */
static int ext_short_header_parse_clienthello(SSL_HANDSHAKE *hs,
                                              uint8_t *out_alert,
                                              CBS *contents) {
  SSL *const ssl = hs->ssl;

  if (contents == NULL) {
    return 1;
  }
  if (!ssl->ctx->short_header_enabled) {
    return 1;
  }
  if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
    return 1;
  }

  /* The extension must be empty. */
  if (CBS_len(contents) != 0) {
    return 0;
  }

  ssl->s3->short_header = 1;
  return 1;
}
/* Negotiated Groups
 *
 * https://tools.ietf.org/html/rfc4492#section-5.1.2
 * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4 */

/* ext_supported_groups_add_clienthello writes the supported_groups extension
 * to |out|: an optional GREASE value followed by the configured group list
 * from |tls1_get_grouplist| in preference order. Returns one on success and
 * zero on error. */
static int ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;

  CBB contents, groups_bytes;
  int ok = CBB_add_u16(out, TLSEXT_TYPE_supported_groups) &&
           CBB_add_u16_length_prefixed(out, &contents) &&
           CBB_add_u16_length_prefixed(&contents, &groups_bytes);
  if (!ok) {
    return 0;
  }

  /* Add a fake group. See draft-davidben-tls-grease-01. */
  if (ssl->ctx->grease_enabled) {
    const uint16_t grease_group = ssl_get_grease_value(ssl, ssl_grease_group);
    if (!CBB_add_u16(&groups_bytes, grease_group)) {
      return 0;
    }
  }

  const uint16_t *groups;
  size_t groups_len;
  tls1_get_grouplist(ssl, &groups, &groups_len);

  for (size_t idx = 0; idx < groups_len; idx++) {
    if (!CBB_add_u16(&groups_bytes, groups[idx])) {
      return 0;
    }
  }

  return CBB_flush(out);
}
/* ext_supported_groups_parse_serverhello accepts, without inspecting, a
 * supported_groups extension echoed by the server. It always returns one. */
static int ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
                                                  uint8_t *out_alert,
                                                  CBS *contents) {
  /* This extension is not expected to be echoed by servers in TLS 1.2, but some
   * BigIP servers send it nonetheless, so do not enforce this. */
  (void)hs;
  (void)out_alert;
  (void)contents;
  return 1;
}
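/* ext_supported_groups_parse_clienthello parses the client's supported_groups
 * extension from |contents| into |hs->peer_supported_group_list| (owned by
 * |hs|) and |hs->peer_supported_group_list_len|. An absent extension is
 * accepted as-is. A malformed list (bad framing, empty, or odd length) returns
 * zero without touching |*out_alert|; allocation failure returns zero with an
 * internal_error alert. Returns one on success. */
static int ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,
                                                  uint8_t *out_alert,
                                                  CBS *contents) {
  if (contents == NULL) {
    return 1;
  }

  CBS supported_group_list;
  if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) ||
      CBS_len(&supported_group_list) == 0 ||
      (CBS_len(&supported_group_list) & 1) != 0 ||
      CBS_len(contents) != 0) {
    return 0;
  }

  /* Release any list from an earlier parse on this handshake (a second
   * ClientHello after HelloRetryRequest would otherwise leak it), and keep the
   * length consistent with the now-empty list. */
  OPENSSL_free(hs->peer_supported_group_list);
  hs->peer_supported_group_list = NULL;
  hs->peer_supported_group_list_len = 0;

  hs->peer_supported_group_list =
      OPENSSL_malloc(CBS_len(&supported_group_list));
  if (hs->peer_supported_group_list == NULL) {
    *out_alert = SSL_AD_INTERNAL_ERROR;
    return 0;
  }

  /* The length check above guarantees a whole number of u16 entries. */
  const size_t num_groups = CBS_len(&supported_group_list) / 2;
  for (size_t i = 0; i < num_groups; i++) {
    if (!CBS_get_u16(&supported_group_list,
                     &hs->peer_supported_group_list[i])) {
      goto err;
    }
  }

  assert(CBS_len(&supported_group_list) == 0);
  hs->peer_supported_group_list_len = num_groups;

  return 1;

err:
  OPENSSL_free(hs->peer_supported_group_list);
  hs->peer_supported_group_list = NULL;
  *out_alert = SSL_AD_INTERNAL_ERROR;
  return 0;
}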
/* ext_supported_groups_add_serverhello writes nothing to |out| and returns
 * one: the server side never echoes supported_groups. */
static int ext_supported_groups_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
  /* Servers don't echo this extension. */
  (void)hs;
  (void)out;
  return 1;
}
/* kExtensions contains all the supported extensions. Each entry lists, in
 * order, the extension's wire value, an optional per-handshake init hook
 * (NULL when unused), and the add_clienthello, parse_serverhello,
 * parse_clienthello and add_serverhello callbacks. Only |value|, |init|,
 * |add_clienthello| and |add_serverhello| are referenced by field name in
 * this file; the two parse slots are named here from the callbacks placed in
 * them. An entry's index is also its bit position in |hs->extensions.sent|
 * and |hs->extensions.received|, so reordering entries changes those
 * bitsets. */
static const struct tls_extension kExtensions[] = {
  {
    TLSEXT_TYPE_renegotiate,
    NULL,
    ext_ri_add_clienthello,
    ext_ri_parse_serverhello,
    ext_ri_parse_clienthello,
    ext_ri_add_serverhello,
  },
  {
    TLSEXT_TYPE_server_name,
    NULL,
    ext_sni_add_clienthello,
    ext_sni_parse_serverhello,
    ext_sni_parse_clienthello,
    ext_sni_add_serverhello,
  },
  {
    TLSEXT_TYPE_extended_master_secret,
    NULL,
    ext_ems_add_clienthello,
    ext_ems_parse_serverhello,
    ext_ems_parse_clienthello,
    ext_ems_add_serverhello,
  },
  {
    TLSEXT_TYPE_session_ticket,
    NULL,
    ext_ticket_add_clienthello,
    ext_ticket_parse_serverhello,
    /* Ticket extension client parsing is handled in ssl_session.c */
    ignore_parse_clienthello,
    ext_ticket_add_serverhello,
  },
  {
    TLSEXT_TYPE_signature_algorithms,
    NULL,
    ext_sigalgs_add_clienthello,
    forbid_parse_serverhello,
    ext_sigalgs_parse_clienthello,
    dont_add_serverhello,
  },
  {
    TLSEXT_TYPE_status_request,
    NULL,
    ext_ocsp_add_clienthello,
    ext_ocsp_parse_serverhello,
    ext_ocsp_parse_clienthello,
    ext_ocsp_add_serverhello,
  },
  {
    TLSEXT_TYPE_next_proto_neg,
    NULL,
    ext_npn_add_clienthello,
    ext_npn_parse_serverhello,
    ext_npn_parse_clienthello,
    ext_npn_add_serverhello,
  },
  {
    TLSEXT_TYPE_certificate_timestamp,
    NULL,
    ext_sct_add_clienthello,
    ext_sct_parse_serverhello,
    ext_sct_parse_clienthello,
    ext_sct_add_serverhello,
  },
  {
    TLSEXT_TYPE_application_layer_protocol_negotiation,
    NULL,
    ext_alpn_add_clienthello,
    ext_alpn_parse_serverhello,
    /* ALPN is negotiated late in |ssl_negotiate_alpn|. */
    ignore_parse_clienthello,
    ext_alpn_add_serverhello,
  },
  {
    TLSEXT_TYPE_channel_id,
    ext_channel_id_init,
    ext_channel_id_add_clienthello,
    ext_channel_id_parse_serverhello,
    ext_channel_id_parse_clienthello,
    ext_channel_id_add_serverhello,
  },
  {
    TLSEXT_TYPE_srtp,
    ext_srtp_init,
    ext_srtp_add_clienthello,
    ext_srtp_parse_serverhello,
    ext_srtp_parse_clienthello,
    ext_srtp_add_serverhello,
  },
  {
    TLSEXT_TYPE_ec_point_formats,
    NULL,
    ext_ec_point_add_clienthello,
    ext_ec_point_parse_serverhello,
    ext_ec_point_parse_clienthello,
    ext_ec_point_add_serverhello,
  },
  /* The TLS 1.3 client-only extensions below are never parsed from a
   * ServerHello and never echoed by the server; key_share is handled by the
   * dedicated ssl_ext_key_share_* functions instead. */
  {
    TLSEXT_TYPE_key_share,
    NULL,
    ext_key_share_add_clienthello,
    forbid_parse_serverhello,
    ignore_parse_clienthello,
    dont_add_serverhello,
  },
  {
    TLSEXT_TYPE_psk_key_exchange_modes,
    NULL,
    ext_psk_key_exchange_modes_add_clienthello,
    forbid_parse_serverhello,
    ext_psk_key_exchange_modes_parse_clienthello,
    dont_add_serverhello,
  },
  {
    TLSEXT_TYPE_early_data,
    NULL,
    ext_early_data_add_clienthello,
    forbid_parse_serverhello,
    ext_early_data_parse_clienthello,
    dont_add_serverhello,
  },
  {
    TLSEXT_TYPE_supported_versions,
    NULL,
    ext_supported_versions_add_clienthello,
    forbid_parse_serverhello,
    ignore_parse_clienthello,
    dont_add_serverhello,
  },
  {
    TLSEXT_TYPE_cookie,
    NULL,
    ext_cookie_add_clienthello,
    forbid_parse_serverhello,
    ignore_parse_clienthello,
    dont_add_serverhello,
  },
  {
    TLSEXT_TYPE_short_header,
    NULL,
    ext_short_header_add_clienthello,
    forbid_parse_serverhello,
    ext_short_header_parse_clienthello,
    dont_add_serverhello,
  },
  /* The final extension must be non-empty. WebSphere Application Server 7.0 is
   * intolerant to the last extension being zero-length. See
   * https://crbug.com/363583. */
  {
    TLSEXT_TYPE_supported_groups,
    NULL,
    ext_supported_groups_add_clienthello,
    ext_supported_groups_parse_serverhello,
    ext_supported_groups_parse_clienthello,
    ext_supported_groups_add_serverhello,
  },
};
/* kNumExtensions is the number of entries in |kExtensions|. */
#define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))

/* |hs->extensions.sent| and |hs->extensions.received| are bitsets indexed by
 * position in |kExtensions|, so the table must fit within their width. */
OPENSSL_COMPILE_ASSERT(kNumExtensions <=
                           sizeof(((SSL_HANDSHAKE *)NULL)->extensions.sent) * 8,
                       too_many_extensions_for_sent_bitset);
OPENSSL_COMPILE_ASSERT(
    kNumExtensions <= sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8,
    too_many_extensions_for_received_bitset);
/* tls_extension_find looks up the |kExtensions| entry whose wire value is
 * |value|. On a hit it stores the entry's index in |*out_index| and returns a
 * pointer to the entry; otherwise it returns NULL and leaves |*out_index|
 * untouched. */
static const struct tls_extension *tls_extension_find(uint32_t *out_index,
                                                      uint16_t value) {
  const struct tls_extension *ext = kExtensions;
  for (unsigned pos = 0; pos < kNumExtensions; pos++, ext++) {
    if (ext->value != value) {
      continue;
    }
    *out_index = pos;
    return ext;
  }

  return NULL;
}
/* SSL_extension_supported returns one if |extension_value| is an extension
 * this library handles itself and zero otherwise. */
int SSL_extension_supported(unsigned extension_value) {
  /* Padding has no |kExtensions| entry; |ssl_add_clienthello_tlsext| emits it
   * directly, so it is special-cased here. */
  if (extension_value == TLSEXT_TYPE_padding) {
    return 1;
  }

  uint32_t unused_index;
  return tls_extension_find(&unused_index, extension_value) != NULL;
}
/* ssl_add_clienthello_padding_ext appends the padding extension to
 * |extensions| when the ClientHello would otherwise be between 256 and 511
 * bytes long, a size range that some F5 terminators mishandle (RFC 7685).
 * |header_len| is the length of the ClientHello before the extensions block.
 * Because it measures everything already written, it must run after every
 * other extension except pre_shared_key, whose length is estimated via
 * |ext_pre_shared_key_clienthello_length|. Returns one on success (including
 * when no padding is needed) and zero on error. */
static int ssl_add_clienthello_padding_ext(SSL_HANDSHAKE *hs, CBB *extensions,
                                           size_t header_len) {
  const size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs);
  const size_t total_len =
      header_len + 2 + CBB_len(extensions) + psk_extension_len;
  if (total_len <= 0xff || total_len >= 0x200) {
    return 1;
  }

  size_t padding_len = 0x200 - total_len;
  /* Extensions take at least four bytes to encode. Always include at least
   * one byte of data if including the extension. WebSphere Application
   * Server 7.0 is intolerant to the last extension being zero-length. See
   * https://crbug.com/363583. */
  if (padding_len >= 4 + 1) {
    padding_len -= 4;
  } else {
    padding_len = 1;
  }

  uint8_t *padding_bytes;
  if (!CBB_add_u16(extensions, TLSEXT_TYPE_padding) ||
      !CBB_add_u16(extensions, padding_len) ||
      !CBB_add_space(extensions, &padding_bytes, padding_len)) {
    return 0;
  }
  OPENSSL_memset(padding_bytes, 0, padding_len);
  return 1;
}

/* ssl_add_clienthello_tlsext writes the ClientHello extensions block to |out|.
 * |header_len| is the number of ClientHello bytes already written, used only
 * to decide whether padding is needed. The order of emission is: optional
 * GREASE extension, every |kExtensions| entry, custom extensions, a second
 * optional GREASE extension, padding (TLS only), and finally pre_shared_key.
 * Returns one on success and zero on error with an error pushed. */
int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) {
  SSL *const ssl = hs->ssl;

  /* Don't add extensions for SSLv3 unless doing secure renegotiation. */
  const int sslv3_without_renego = hs->client_version == SSL3_VERSION &&
                                   !ssl->s3->send_connection_binding;
  if (sslv3_without_renego) {
    return 1;
  }

  CBB extensions;
  if (!CBB_add_u16_length_prefixed(out, &extensions)) {
    goto err;
  }

  hs->extensions.sent = 0;
  hs->custom_extensions.sent = 0;

  /* Let each extension reset its per-handshake state first. */
  for (size_t i = 0; i < kNumExtensions; i++) {
    if (kExtensions[i].init != NULL) {
      kExtensions[i].init(hs);
    }
  }

  uint16_t grease_ext1 = 0;
  if (ssl->ctx->grease_enabled) {
    /* Add a fake empty extension. See draft-davidben-tls-grease-01. */
    grease_ext1 = ssl_get_grease_value(ssl, ssl_grease_extension1);
    if (!CBB_add_u16(&extensions, grease_ext1) ||
        !CBB_add_u16(&extensions, 0 /* zero length */)) {
      goto err;
    }
  }

  for (size_t i = 0; i < kNumExtensions; i++) {
    const struct tls_extension *ext = &kExtensions[i];
    const size_t len_before = CBB_len(&extensions);
    if (!ext->add_clienthello(hs, &extensions)) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
      ERR_add_error_dataf("extension %u", (unsigned)ext->value);
      goto err;
    }

    /* An extension that wrote nothing was not sent. The bit index is the
     * table position, which the compile-time asserts keep within the bitset. */
    if (CBB_len(&extensions) != len_before) {
      hs->extensions.sent |= (1u << i);
    }
  }

  if (!custom_ext_add_clienthello(hs, &extensions)) {
    goto err;
  }

  if (ssl->ctx->grease_enabled) {
    /* Add a fake non-empty extension. See draft-davidben-tls-grease-01. */
    uint16_t grease_ext2 = ssl_get_grease_value(ssl, ssl_grease_extension2);

    /* The two fake extensions must not have the same value. GREASE values are
     * of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
     * one. */
    if (grease_ext1 == grease_ext2) {
      grease_ext2 ^= 0x1010;
    }

    if (!CBB_add_u16(&extensions, grease_ext2) ||
        !CBB_add_u16(&extensions, 1 /* one byte length */) ||
        !CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) {
      goto err;
    }
  }

  /* Padding is a TLS-only workaround and must be sized after every other
   * extension but pre_shared_key has been written. */
  if (!SSL_is_dtls(ssl) &&
      !ssl_add_clienthello_padding_ext(hs, &extensions, header_len)) {
    goto err;
  }

  /* The PSK extension must be last, including after the padding. */
  if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) {
    goto err;
  }

  /* Discard empty extensions blocks. */
  if (CBB_len(&extensions) == 0) {
    CBB_discard_child(out);
  }

  return CBB_flush(out);

err:
  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
  return 0;
}
/* ssl_add_serverhello_tlsext writes the ServerHello extensions block for |hs|
 * into |out|. Only extensions the client actually offered (recorded in
 * |hs->extensions.received|) are echoed back, followed by any custom
 * extensions. Before TLS 1.3 an empty extensions block is omitted entirely.
 * Returns one on success and zero on failure, with an error on the queue. */
int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
  SSL *const ssl = hs->ssl;
  CBB extensions;
  if (!CBB_add_u16_length_prefixed(out, &extensions)) {
    goto err;
  }

  for (unsigned idx = 0; idx < kNumExtensions; idx++) {
    /* A server must never send an extension the client did not offer. */
    if (!(hs->extensions.received & (1u << idx))) {
      continue;
    }
    if (!kExtensions[idx].add_serverhello(hs, &extensions)) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
      ERR_add_error_dataf("extension %u", (unsigned)kExtensions[idx].value);
      goto err;
    }
  }

  if (!custom_ext_add_serverhello(hs, &extensions)) {
    goto err;
  }

  /* Pre-TLS 1.3 servers omit an empty extensions block rather than sending a
   * zero-length one. */
  if (ssl3_protocol_version(ssl) < TLS1_3_VERSION &&
      CBB_len(&extensions) == 0) {
    CBB_discard_child(out);
  }

  return CBB_flush(out);

err:
  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
  return 0;
}
/* ssl_scan_clienthello_tlsext runs every built-in extension's |init| hook,
 * then walks the extensions block of |client_hello|, dispatching each one to
 * the matching |parse_clienthello| callback (or to the custom-extension
 * parser when the type is not in |kExtensions|) and recording which ones
 * arrived in |hs->extensions.received|. Afterwards every built-in extension
 * that did not arrive is called with NULL contents so it can apply its
 * default; the renegotiation extension is synthesised when the SCSV was in
 * the cipher list instead. Returns one on success. On failure it sets
 * |*out_alert| and returns zero. */
static int ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
                                       const SSL_CLIENT_HELLO *client_hello,
                                       int *out_alert) {
  SSL *const ssl = hs->ssl;

  /* Reset per-handshake extension state before parsing anything. */
  for (size_t idx = 0; idx < kNumExtensions; idx++) {
    if (kExtensions[idx].init != NULL) {
      kExtensions[idx].init(hs);
    }
  }
  hs->extensions.received = 0;
  hs->custom_extensions.received = 0;

  CBS extensions;
  CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
  while (CBS_len(&extensions) != 0) {
    uint16_t type;
    CBS body;
    if (!CBS_get_u16(&extensions, &type) ||
        !CBS_get_u16_length_prefixed(&extensions, &body)) {
      *out_alert = SSL_AD_DECODE_ERROR;
      return 0;
    }

    /* RFC 5746 made the existence of extensions in SSL 3.0 somewhat
     * ambiguous. Ignore all but the renegotiation_info extension. */
    if (ssl->version == SSL3_VERSION && type != TLSEXT_TYPE_renegotiate) {
      continue;
    }

    unsigned ext_index;
    const struct tls_extension *const ext =
        tls_extension_find(&ext_index, type);
    if (ext == NULL) {
      /* Not a built-in extension; application-registered custom extensions
       * get a chance at it. */
      if (!custom_ext_parse_clienthello(hs, out_alert, type, &body)) {
        OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
        return 0;
      }
      continue;
    }

    hs->extensions.received |= (1u << ext_index);
    uint8_t alert = SSL_AD_DECODE_ERROR;
    if (!ext->parse_clienthello(hs, &alert, &body)) {
      *out_alert = alert;
      OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
      ERR_add_error_dataf("extension %u", (unsigned)type);
      return 0;
    }
  }

  for (size_t idx = 0; idx < kNumExtensions; idx++) {
    if (hs->extensions.received & (1u << idx)) {
      continue;
    }

    static const uint8_t kFakeRenegotiateExtension[] = {0};
    CBS fake_contents;
    CBS *contents = NULL;
    if (kExtensions[idx].value == TLSEXT_TYPE_renegotiate &&
        ssl_client_cipher_list_contains_cipher(client_hello,
                                               SSL3_CK_SCSV & 0xffff)) {
      /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the cipher list is equivalent to
       * an empty renegotiation_info extension, so synthesise one. */
      CBS_init(&fake_contents, kFakeRenegotiateExtension,
               sizeof(kFakeRenegotiateExtension));
      contents = &fake_contents;
      hs->extensions.received |= (1u << idx);
    }

    /* Absent extensions still get a callback (with NULL contents) so the
     * extension can apply its default or insist on being present. */
    uint8_t alert = SSL_AD_DECODE_ERROR;
    if (!kExtensions[idx].parse_clienthello(hs, &alert, contents)) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
      ERR_add_error_dataf("extension %u", (unsigned)kExtensions[idx].value);
      *out_alert = alert;
      return 0;
    }
  }

  return 1;
}
/* ssl_parse_clienthello_tlsext parses and validates the extensions in
 * |client_hello| for |hs|. A scan failure sends a fatal alert here; a failure
 * from the SNI callback check queues SSL_R_CLIENTHELLO_TLSEXT (that path sends
 * its own alert when the callback asks for one). Returns one on success and
 * zero on failure. */
int ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
                                 const SSL_CLIENT_HELLO *client_hello) {
  SSL *const ssl = hs->ssl;
  int alert = -1;
  const int scanned = ssl_scan_clienthello_tlsext(hs, client_hello, &alert);
  if (scanned <= 0) {
    /* NOTE(review): |alert| is only meaningful if the scanner set it. Every
     * failure path visible in the scanner does, except that custom extension
     * parsers receive the pointer directly — confirm they always set it. */
    ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
    return 0;
  }

  if (ssl_check_clienthello_tlsext(hs) <= 0) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT);
    return 0;
  }

  return 1;
}
/* ssl_scan_serverhello_tlsext decodes the ServerHello extensions block in
 * |cbs| for |hs|. Duplicate extensions are rejected up front. Each built-in
 * extension is rejected as unexpected unless we sent it in our ClientHello
 * (tracked in |hs->extensions.sent|); renegotiation_info is exempt because
 * SSL 3.0 requests it via the SCSV rather than an extension. Built-in
 * extensions that did not arrive get a NULL-contents callback. Returns one on
 * success; on failure sets |*out_alert| and returns zero. */
static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
                                       int *out_alert) {
  SSL *const ssl = hs->ssl;
  /* Before TLS 1.3 a ServerHello may simply end where the extensions block
   * would otherwise start. */
  if (CBS_len(cbs) == 0 && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
    return 1;
  }

  /* Decode the extensions block and check it is valid. */
  CBS extensions;
  if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
      !tls1_check_duplicate_extensions(&extensions)) {
    *out_alert = SSL_AD_DECODE_ERROR;
    return 0;
  }

  uint32_t received = 0;
  while (CBS_len(&extensions) != 0) {
    uint16_t type;
    CBS body;
    if (!CBS_get_u16(&extensions, &type) ||
        !CBS_get_u16_length_prefixed(&extensions, &body)) {
      *out_alert = SSL_AD_DECODE_ERROR;
      return 0;
    }

    unsigned ext_index;
    const struct tls_extension *const ext =
        tls_extension_find(&ext_index, type);
    if (ext == NULL) {
      if (!custom_ext_parse_serverhello(hs, out_alert, type, &body)) {
        return 0;
      }
      continue;
    }

    OPENSSL_COMPILE_ASSERT(kNumExtensions <= sizeof(hs->extensions.sent) * 8,
                           too_many_bits);

    /* An extension we never offered is a protocol violation and is refused
     * outright, except renegotiation_info which, in SSL 3.0, is signaled via
     * the SCSV instead of an extension. */
    const int was_sent = (hs->extensions.sent & (1u << ext_index)) != 0;
    if (!was_sent && type != TLSEXT_TYPE_renegotiate) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
      ERR_add_error_dataf("extension :%u", (unsigned)type);
      *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
      return 0;
    }

    received |= (1u << ext_index);
    uint8_t alert = SSL_AD_DECODE_ERROR;
    if (!ext->parse_serverhello(hs, &alert, &body)) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
      ERR_add_error_dataf("extension %u", (unsigned)type);
      *out_alert = alert;
      return 0;
    }
  }

  for (size_t idx = 0; idx < kNumExtensions; idx++) {
    if (received & (1u << idx)) {
      continue;
    }
    /* Not present: let the extension apply its default or complain. */
    uint8_t alert = SSL_AD_DECODE_ERROR;
    if (!kExtensions[idx].parse_serverhello(hs, &alert, NULL)) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
      ERR_add_error_dataf("extension %u", (unsigned)kExtensions[idx].value);
      *out_alert = alert;
      return 0;
    }
  }

  return 1;
}
/* ssl_check_clienthello_tlsext runs the application's servername (SNI)
 * callback, preferring the one on |ssl->ctx| and falling back to
 * |ssl->initial_ctx|. SSL_TLSEXT_ERR_ALERT_FATAL sends a fatal alert with the
 * callback-chosen alert and returns -1. SSL_TLSEXT_ERR_NOACK (also the result
 * when no callback is set) clears |hs->should_ack_sni|. Any other result, and
 * NOACK, returns 1. */
static int ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
  SSL *const ssl = hs->ssl;
  int al = SSL_AD_UNRECOGNIZED_NAME;
  int ret = SSL_TLSEXT_ERR_NOACK;

  /* The connection's context takes precedence over the initial context. */
  if (ssl->ctx->tlsext_servername_callback != NULL) {
    ret = ssl->ctx->tlsext_servername_callback(ssl, &al,
                                               ssl->ctx->tlsext_servername_arg);
  } else if (ssl->initial_ctx->tlsext_servername_callback != NULL) {
    ret = ssl->initial_ctx->tlsext_servername_callback(
        ssl, &al, ssl->initial_ctx->tlsext_servername_arg);
  }

  if (ret == SSL_TLSEXT_ERR_ALERT_FATAL) {
    ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
    return -1;
  }
  if (ret == SSL_TLSEXT_ERR_NOACK) {
    /* The application did not acknowledge the name; don't echo SNI back. */
    hs->should_ack_sni = 0;
  }
  return 1;
}
/* ssl_parse_serverhello_tlsext parses the ServerHello extensions in |cbs| for
 * |hs|. On a scan failure it sends a fatal alert with the alert value the
 * scanner chose and returns zero; otherwise it returns one. */
int ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
  SSL *const ssl = hs->ssl;
  int alert = -1;
  if (ssl_scan_serverhello_tlsext(hs, cbs, &alert) > 0) {
    return 1;
  }

  /* NOTE(review): |alert| stays -1 if a custom extension parser fails without
   * setting it — confirm those callbacks always do. */
  ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
  return 0;
}
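/* tls_process_ticket attempts to authenticate and decrypt the session ticket
 * |ticket| (of |ticket_len| bytes). On success it sets |*out_session| to the
 * decoded session, with |session_id| (of |session_id_len| bytes) copied in as
 * the session ID to mark the ticket as accepted. |*out_renew_ticket| is set
 * to one when the ticket key callback asks for a fresh ticket to be issued.
 *
 * Ticket layout: key name (SSL_TICKET_KEY_NAME_LEN bytes) || IV ||
 * ciphertext || HMAC over everything before it.
 *
 * Almost every rejection is deliberately silent: an unknown key name, a bad
 * MAC, an undecryptable or undecodable ticket leaves |*out_session| NULL and
 * returns one, so the handshake falls back to a full one. Zero is returned
 * only for internal failures (the key callback reporting an error, allocation
 * failure, crypto context setup or HMAC computation failing). */
int tls_process_ticket(SSL *ssl, SSL_SESSION **out_session,
                       int *out_renew_ticket, const uint8_t *ticket,
                       size_t ticket_len, const uint8_t *session_id,
                       size_t session_id_len) {
  int ret = 1; /* Most errors are non-fatal. */
  SSL_CTX *ssl_ctx = ssl->initial_ctx;
  uint8_t *plaintext = NULL;

  HMAC_CTX hmac_ctx;
  HMAC_CTX_init(&hmac_ctx);
  EVP_CIPHER_CTX cipher_ctx;
  EVP_CIPHER_CTX_init(&cipher_ctx);

  *out_renew_ticket = 0;
  *out_session = NULL;

  if (SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
    goto done;
  }

  /* |session_id| is copied into the decoded session's fixed-size
   * |session_id| field below, so bound it first. */
  if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
    goto done;
  }

  /* Ensure there is room for the key name and the largest IV
   * |tlsext_ticket_key_cb| may try to consume. The real limit may be lower, but
   * the maximum IV length should be well under the minimum size for the
   * session material and HMAC. */
  if (ticket_len < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
    goto done;
  }
  const uint8_t *iv = ticket + SSL_TICKET_KEY_NAME_LEN;

  if (ssl_ctx->tlsext_ticket_key_cb != NULL) {
    /* The callback API takes non-const name and IV pointers; it is expected
     * to only read them. Return values: <0 error, 0 unknown key (reject
     * silently), 1 ok, 2 ok but re-issue the ticket. */
    int cb_ret = ssl_ctx->tlsext_ticket_key_cb(
        ssl, (uint8_t *)ticket /* name */, (uint8_t *)iv, &cipher_ctx,
        &hmac_ctx, 0 /* decrypt */);
    if (cb_ret < 0) {
      ret = 0;
      goto done;
    }
    if (cb_ret == 0) {
      goto done;
    }
    if (cb_ret == 2) {
      *out_renew_ticket = 1;
    }
  } else {
    /* Check the key name matches. The key name is not secret, so a
     * variable-time compare is acceptable here; only the MAC comparison
     * below needs to be constant-time. */
    if (OPENSSL_memcmp(ticket, ssl_ctx->tlsext_tick_key_name,
                       SSL_TICKET_KEY_NAME_LEN) != 0) {
      goto done;
    }
    if (!HMAC_Init_ex(&hmac_ctx, ssl_ctx->tlsext_tick_hmac_key,
                      sizeof(ssl_ctx->tlsext_tick_hmac_key), tlsext_tick_md(),
                      NULL) ||
        !EVP_DecryptInit_ex(&cipher_ctx, EVP_aes_128_cbc(), NULL,
                            ssl_ctx->tlsext_tick_aes_key, iv)) {
      ret = 0;
      goto done;
    }
  }
  size_t iv_len = EVP_CIPHER_CTX_iv_length(&cipher_ctx);

  /* Check the MAC at the end of the ticket. */
  uint8_t mac[EVP_MAX_MD_SIZE];
  size_t mac_len = HMAC_size(&hmac_ctx);
  if (ticket_len < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
    /* The ticket must be large enough for key name, IV, data, and MAC. */
    goto done;
  }
  /* Authenticate before decrypting, so CBC decryption below never runs on
   * unauthenticated input. HMAC_Update and HMAC_Final report failure; that is
   * an internal error rather than a bad ticket, hence |ret = 0|. */
  if (!HMAC_Update(&hmac_ctx, ticket, ticket_len - mac_len) ||
      !HMAC_Final(&hmac_ctx, mac, NULL)) {
    ret = 0;
    goto done;
  }
  /* Constant-time compare: the MAC is the only thing standing between an
   * attacker and the decryption path. */
  int mac_ok =
      CRYPTO_memcmp(mac, ticket + (ticket_len - mac_len), mac_len) == 0;
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
  /* Fuzzer-only builds skip authentication so fuzzed input reaches the
   * decoder. This must never be enabled in a production build. */
  mac_ok = 1;
#endif
  if (!mac_ok) {
    goto done;
  }

  /* Decrypt the session data. */
  const uint8_t *ciphertext = ticket + SSL_TICKET_KEY_NAME_LEN + iv_len;
  size_t ciphertext_len = ticket_len - SSL_TICKET_KEY_NAME_LEN - iv_len -
                          mac_len;
  plaintext = OPENSSL_malloc(ciphertext_len);
  if (plaintext == NULL) {
    ret = 0;
    goto done;
  }
  size_t plaintext_len;
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
  OPENSSL_memcpy(plaintext, ciphertext, ciphertext_len);
  plaintext_len = ciphertext_len;
#else
  /* EVP_DecryptUpdate takes an int length. */
  if (ciphertext_len >= INT_MAX) {
    goto done;
  }
  int len1, len2;
  if (!EVP_DecryptUpdate(&cipher_ctx, plaintext, &len1, ciphertext,
                         (int)ciphertext_len) ||
      !EVP_DecryptFinal_ex(&cipher_ctx, plaintext + len1, &len2)) {
    ERR_clear_error(); /* Don't leave an error on the queue. */
    goto done;
  }
  plaintext_len = (size_t)(len1 + len2);
#endif

  /* Decode the session. */
  SSL_SESSION *session = SSL_SESSION_from_bytes(plaintext, plaintext_len);
  if (session == NULL) {
    ERR_clear_error(); /* Don't leave an error on the queue. */
    goto done;
  }

  /* Copy the client's session ID into the new session, to denote the ticket has
   * been accepted. */
  OPENSSL_memcpy(session->session_id, session_id, session_id_len);
  session->session_id_length = session_id_len;

  *out_session = session;

done:
  OPENSSL_free(plaintext);
  HMAC_CTX_cleanup(&hmac_ctx);
  EVP_CIPHER_CTX_cleanup(&cipher_ctx);
  return ret;
}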
/* tls1_parse_peer_sigalgs replaces |hs->peer_sigalgs| with the
 * signature_algorithms list in |in_sigalgs|, a sequence of big-endian uint16
 * signature algorithm values. Before TLS 1.2 the extension is ignored and one
 * is returned. An empty list is allowed. Returns one on success and zero if
 * the list has odd length or allocation fails. */
int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
  /* Extension ignored for inappropriate versions */
  if (ssl3_protocol_version(hs->ssl) < TLS1_2_VERSION) {
    return 1;
  }

  /* Drop any previously parsed list; the new one replaces it entirely. */
  OPENSSL_free(hs->peer_sigalgs);
  hs->peer_sigalgs = NULL;
  hs->num_peer_sigalgs = 0;

  const size_t byte_len = CBS_len(in_sigalgs);
  if (byte_len % 2 != 0) {
    return 0;
  }
  const size_t count = byte_len / 2;

  /* supported_signature_algorithms in the certificate request is
   * allowed to be empty. */
  if (count == 0) {
    return 1;
  }

  /* |count| is half of a size_t-sized byte length, so multiplying by
   * sizeof(uint16_t) cannot overflow. */
  hs->peer_sigalgs = OPENSSL_malloc(count * sizeof(uint16_t));
  if (hs->peer_sigalgs == NULL) {
    return 0;
  }
  hs->num_peer_sigalgs = count;

  CBS sigalgs;
  CBS_init(&sigalgs, CBS_data(in_sigalgs), CBS_len(in_sigalgs));
  for (size_t idx = 0; idx < count; idx++) {
    if (!CBS_get_u16(&sigalgs, &hs->peer_sigalgs[idx])) {
      return 0;
    }
  }

  return 1;
}
/* tls1_choose_signature_algorithm picks the signature algorithm this side will
 * use to sign handshake messages and writes it to |*out|. Before TLS 1.2 the
 * algorithm is not negotiated and is fixed by key type. Otherwise the first
 * entry of our preference list (|cert->sigalgs|, or the built-in default)
 * that the private key supports and that the peer advertised wins. A peer
 * that sent no signature_algorithms before TLS 1.3 is assumed to accept SHA-1
 * (RFC 5246, section 7.4.1.4.1). Returns one on success and zero, with
 * SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS queued, if nothing matches. */
int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
  SSL *const ssl = hs->ssl;
  CERT *cert = ssl->cert;

  /* Before TLS 1.2, the signature algorithm isn't negotiated as part of the
   * handshake. It is fixed at MD5-SHA1 for RSA and SHA1 for ECDSA. */
  if (ssl3_protocol_version(ssl) < TLS1_2_VERSION) {
    const int key_type = ssl_private_key_type(ssl);
    if (key_type == NID_rsaEncryption) {
      *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
      return 1;
    }
    if (ssl_is_ecdsa_key_type(key_type)) {
      *out = SSL_SIGN_ECDSA_SHA1;
      return 1;
    }
    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
    return 0;
  }

  /* Our preference list: the configured one, else the built-in default. */
  const uint16_t *prefs = cert->sigalgs;
  size_t num_prefs = cert->num_sigalgs;
  if (prefs == NULL) {
    prefs = kSignSignatureAlgorithms;
    num_prefs = OPENSSL_ARRAY_SIZE(kSignSignatureAlgorithms);
  }

  const uint16_t *peer_sigalgs = hs->peer_sigalgs;
  size_t num_peer_sigalgs = hs->num_peer_sigalgs;
  if (num_peer_sigalgs == 0 && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
    /* If the client didn't specify any signature_algorithms extension then
     * we can assume that it supports SHA1. See
     * http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
    static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
                                                      SSL_SIGN_ECDSA_SHA1};
    peer_sigalgs = kDefaultPeerAlgorithms;
    num_peer_sigalgs = OPENSSL_ARRAY_SIZE(kDefaultPeerAlgorithms);
  }

  /* Our order decides; the peer's list only acts as a filter. */
  for (size_t i = 0; i < num_prefs; i++) {
    const uint16_t candidate = prefs[i];
    /* SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
     * negotiated. */
    if (candidate == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
        !ssl_private_key_supports_signature_algorithm(ssl, candidate)) {
      continue;
    }
    for (size_t j = 0; j < num_peer_sigalgs; j++) {
      if (peer_sigalgs[j] == candidate) {
        *out = candidate;
        return 1;
      }
    }
  }

  OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
  return 0;
}
/* tls1_verify_channel_id parses the Channel ID handshake message in
 * |ssl->init_msg| (exactly one extension of type TLSEXT_TYPE_channel_id,
 * carrying x || y || r || s at 32 bytes each), verifies the ECDSA signature
 * (r, s) over the Channel ID hash with the P-256 point (x, y), and on success
 * stores x || y in |ssl->s3->tlsext_channel_id|. Malformed messages and bad
 * signatures send a fatal alert; other failures only return zero. Returns one
 * on success. */
int tls1_verify_channel_id(SSL *ssl) {
  int ret = 0;
  uint16_t extension_type;
  CBS extension, channel_id;

  /* A Channel ID handshake message is structured to contain multiple
   * extensions, but the only one that can be present is Channel ID. */
  CBS_init(&channel_id, ssl->init_msg, ssl->init_num);
  const int well_formed =
      CBS_get_u16(&channel_id, &extension_type) &&
      CBS_get_u16_length_prefixed(&channel_id, &extension) &&
      CBS_len(&channel_id) == 0 &&
      extension_type == TLSEXT_TYPE_channel_id &&
      CBS_len(&extension) == TLSEXT_CHANNEL_ID_SIZE;
  if (!well_formed) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
    return 0;
  }

  EC_GROUP *p256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
  if (p256 == NULL) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
    return 0;
  }

  EC_KEY *key = NULL;
  EC_POINT *point = NULL;
  BIGNUM x, y;
  ECDSA_SIG sig;
  BN_init(&x);
  BN_init(&y);
  sig.r = BN_new();
  sig.s = BN_new();
  if (sig.r == NULL || sig.s == NULL) {
    goto err;
  }

  /* Fixed layout: x at 0, y at 32, r at 64, s at 96, each 32 bytes. The
   * length check above keeps all four reads in bounds (this assumes
   * TLSEXT_CHANNEL_ID_SIZE is 128, as the offsets require). */
  const uint8_t *body = CBS_data(&extension);
  if (BN_bin2bn(body, 32, &x) == NULL ||
      BN_bin2bn(body + 32, 32, &y) == NULL ||
      BN_bin2bn(body + 64, 32, sig.r) == NULL ||
      BN_bin2bn(body + 96, 32, sig.s) == NULL) {
    goto err;
  }

  /* NOTE(review): this relies on EC_POINT_set_affine_coordinates_GFp
   * rejecting points that are not on P-256 — confirm against the EC
   * implementation in use. */
  point = EC_POINT_new(p256);
  if (point == NULL ||
      !EC_POINT_set_affine_coordinates_GFp(p256, point, &x, &y, NULL)) {
    goto err;
  }

  key = EC_KEY_new();
  if (key == NULL ||
      !EC_KEY_set_group(key, p256) ||
      !EC_KEY_set_public_key(key, point)) {
    goto err;
  }

  uint8_t digest[EVP_MAX_MD_SIZE];
  size_t digest_len;
  if (!tls1_channel_id_hash(ssl, digest, &digest_len)) {
    goto err;
  }

  int sig_ok = ECDSA_do_verify(digest, digest_len, &sig, key);
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
  /* Fuzzer-only builds accept any signature so fuzzed input exercises the
   * rest of the path. Never enable this outside fuzzing. */
  sig_ok = 1;
#endif
  if (!sig_ok) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
    ssl->s3->tlsext_channel_id_valid = 0;
    goto err;
  }

  /* Keep the verified public point (x || y) as the peer's Channel ID. */
  OPENSSL_memcpy(ssl->s3->tlsext_channel_id, body, 64);
  ret = 1;

err:
  BN_free(&x);
  BN_free(&y);
  BN_free(sig.r);
  BN_free(sig.s);
  EC_KEY_free(key);
  EC_POINT_free(point);
  EC_GROUP_free(p256);
  return ret;
}
/* tls1_write_channel_id appends the Channel ID extension to |cbb|: the
 * extension type, a u16 length, then the P-256 public point x || y and the
 * ECDSA signature r || s, each left-padded to 32 bytes. The signature is made
 * with |ssl->tlsext_channel_id_private| over the Channel ID hash computed by
 * tls1_channel_id_hash. Returns one on success and zero on error. */
int tls1_write_channel_id(SSL *ssl, CBB *cbb) {
  uint8_t digest[EVP_MAX_MD_SIZE];
  size_t digest_len;
  if (!tls1_channel_id_hash(ssl, digest, &digest_len)) {
    return 0;
  }

  EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ssl->tlsext_channel_id_private);
  if (ec_key == NULL) {
    /* The configured Channel ID key is not an EC key: a configuration bug
     * rather than a peer-triggered error. */
    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
    return 0;
  }

  int ret = 0;
  ECDSA_SIG *sig = NULL;
  BIGNUM *x = BN_new();
  BIGNUM *y = BN_new();
  if (x == NULL || y == NULL) {
    goto err;
  }
  if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec_key),
                                           EC_KEY_get0_public_key(ec_key),
                                           x, y, NULL)) {
    goto err;
  }

  sig = ECDSA_do_sign(digest, digest_len, ec_key);
  if (sig == NULL) {
    goto err;
  }

  CBB child;
  if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) ||
      !CBB_add_u16_length_prefixed(cbb, &child) ||
      !BN_bn2cbb_padded(&child, 32, x) ||
      !BN_bn2cbb_padded(&child, 32, y) ||
      !BN_bn2cbb_padded(&child, 32, sig->r) ||
      !BN_bn2cbb_padded(&child, 32, sig->s) ||
      !CBB_flush(cbb)) {
    goto err;
  }
  ret = 1;

err:
  BN_free(x);
  BN_free(y);
  ECDSA_SIG_free(sig);
  return ret;
}
/* tls1_channel_id_hash computes the SHA-256 digest that a Channel ID
 * signature covers, writes it to |out| and sets |*out_len| to
 * SHA256_DIGEST_LENGTH. |out| must have room for at least that many bytes
 * (callers in this file pass an EVP_MAX_MD_SIZE buffer). In TLS 1.3 the input
 * is the Channel ID CertificateVerify signature input; before that it is
 * "TLS Channel ID signature" || ["Resumption" || original handshake hash, on
 * resumption] || the current handshake hash. Returns one on success and zero
 * on error. */
int tls1_channel_id_hash(SSL *ssl, uint8_t *out, size_t *out_len) {
  if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
    uint8_t *msg;
    size_t msg_len;
    if (!tls13_get_cert_verify_signature_input(ssl, &msg, &msg_len,
                                               ssl_cert_verify_channel_id)) {
      return 0;
    }
    SHA256(msg, msg_len, out);
    *out_len = SHA256_DIGEST_LENGTH;
    OPENSSL_free(msg);
    return 1;
  }

  SHA256_CTX ctx;
  SHA256_Init(&ctx);
  /* sizeof() includes the terminating NUL of each magic string. That appears
   * deliberate: these exact bytes are what deployed peers sign, so do not
   * "fix" it to strlen(). */
  static const char kClientIDMagic[] = "TLS Channel ID signature";
  SHA256_Update(&ctx, kClientIDMagic, sizeof(kClientIDMagic));

  if (ssl->session != NULL) {
    /* Resumption: also bind the signature to the original full handshake. */
    static const char kResumptionMagic[] = "Resumption";
    SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic));
    const size_t orig_len = ssl->session->original_handshake_hash_len;
    if (orig_len == 0) {
      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
      return 0;
    }
    SHA256_Update(&ctx, ssl->session->original_handshake_hash, orig_len);
  }

  uint8_t handshake_hash[EVP_MAX_MD_SIZE];
  const int handshake_hash_len =
      tls1_handshake_digest(ssl, handshake_hash, sizeof(handshake_hash));
  if (handshake_hash_len < 0) {
    return 0;
  }
  SHA256_Update(&ctx, handshake_hash, (size_t)handshake_hash_len);
  SHA256_Final(out, &ctx);
  *out_len = SHA256_DIGEST_LENGTH;
  return 1;
}
/* tls1_record_handshake_hashes_for_channel_id records the current handshake
 * hashes in |ssl->s3->new_session| so that Channel ID resumptions can sign that
 * data. It must only be called during a full (non-resumed) handshake. Returns
 * 1 on success and -1 on error. */
int tls1_record_handshake_hashes_for_channel_id(SSL *ssl) {
  /* This function should never be called for a resumed session because the
   * handshake hashes that we wish to record are for the original, full
   * handshake. */
  if (ssl->session != NULL) {
    return -1;
  }

  const int digest_len = tls1_handshake_digest(
      ssl, ssl->s3->new_session->original_handshake_hash,
      sizeof(ssl->s3->new_session->original_handshake_hash));
  if (digest_len < 0) {
    return -1;
  }

  /* The length is stored as a uint8_t (hence the cast), so the buffer must
   * be smaller than 256 bytes for the narrowing to be lossless. */
  assert(sizeof(ssl->s3->new_session->original_handshake_hash) < 256);
  ssl->s3->new_session->original_handshake_hash_len = (uint8_t)digest_len;

  return 1;
}
/* ssl_do_channel_id_callback asks the application's |channel_id_cb| for a
 * Channel ID private key when none is configured yet. Returning one while the
 * key is still unset means the callback was not ready and the caller should
 * try again later. When a key is supplied, the result of
 * SSL_set1_tls_channel_id is returned; whatever the callback itself returns is
 * not consulted. */
int ssl_do_channel_id_callback(SSL *ssl) {
  const int have_key = ssl->tlsext_channel_id_private != NULL;
  if (have_key || ssl->ctx->channel_id_cb == NULL) {
    return 1;
  }

  EVP_PKEY *key = NULL;
  ssl->ctx->channel_id_cb(ssl, &key);
  if (key == NULL) {
    /* The caller should try again later. */
    return 1;
  }

  /* |set1| convention: the SSL takes its own reference, so release ours. */
  const int ret = SSL_set1_tls_channel_id(ssl, key);
  EVP_PKEY_free(key);
  return ret;
}
/* ssl_is_sct_list_valid shallow-parses the SignedCertificateTimestampList in
 * |contents| (RFC 6962, section 3.3): a u16-length-prefixed list of
 * u16-length-prefixed SCTs with no trailing bytes. Neither the list nor any
 * SCT may be empty. The SCTs themselves are not parsed, and |contents| is not
 * modified. Returns one if the structure is well-formed and zero otherwise. */
int ssl_is_sct_list_valid(const CBS *contents) {
  /* Work on a copy so the caller's cursor is left untouched. */
  CBS copy = *contents;
  CBS sct_list;
  if (!CBS_get_u16_length_prefixed(&copy, &sct_list)) {
    return 0;
  }
  if (CBS_len(&copy) != 0 || CBS_len(&sct_list) == 0) {
    return 0;
  }

  while (CBS_len(&sct_list) > 0) {
    CBS sct;
    const int ok =
        CBS_get_u16_length_prefixed(&sct_list, &sct) && CBS_len(&sct) != 0;
    if (!ok) {
      return 0;
    }
  }

  return 1;
}