grpc 1.24.0 → 1.25.0.pre1
- checksums.yaml +4 -4
- data/Makefile +306 -243
- data/etc/roots.pem +0 -100
- data/include/grpc/grpc_security.h +44 -18
- data/include/grpc/impl/codegen/grpc_types.h +15 -0
- data/include/grpc/impl/codegen/port_platform.h +27 -11
- data/include/grpc/impl/codegen/sync_generic.h +1 -1
- data/src/boringssl/err_data.c +695 -650
- data/src/core/ext/filters/client_channel/client_channel.cc +257 -179
- data/src/core/ext/filters/client_channel/client_channel.h +24 -0
- data/src/core/ext/filters/client_channel/client_channel_channelz.cc +2 -3
- data/src/core/ext/filters/client_channel/client_channel_factory.h +1 -5
- data/src/core/ext/filters/client_channel/health/health_check_client.cc +18 -45
- data/src/core/ext/filters/client_channel/health/health_check_client.h +5 -13
- data/src/core/ext/filters/client_channel/http_connect_handshaker.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy.cc +2 -3
- data/src/core/ext/filters/client_channel/lb_policy.h +65 -55
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/client_load_reporting_filter.cc +14 -14
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +113 -36
- data/src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc +14 -19
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +36 -13
- data/src/core/ext/filters/client_channel/lb_policy/subchannel_list.h +3 -10
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.cc +814 -1589
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds.h +2 -5
- data/src/core/ext/filters/client_channel/lb_policy_factory.h +3 -6
- data/src/core/ext/filters/client_channel/resolver.cc +1 -2
- data/src/core/ext/filters/client_channel/resolver.h +8 -16
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +25 -8
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.cc +46 -12
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver.h +10 -17
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_libuv.cc +7 -8
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_posix.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +111 -44
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.cc +22 -14
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper.h +1 -1
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_wrapper_fallback.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +29 -10
- data/src/core/ext/filters/client_channel/resolver/fake/fake_resolver.cc +27 -36
- data/src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc +7 -10
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +60 -16
- data/src/core/ext/filters/client_channel/resolver_factory.h +4 -8
- data/src/core/ext/filters/client_channel/resolver_registry.cc +1 -1
- data/src/core/ext/filters/client_channel/resolver_registry.h +1 -1
- data/src/core/ext/filters/client_channel/resolver_result_parsing.cc +7 -10
- data/src/core/ext/filters/client_channel/resolving_lb_policy.cc +7 -8
- data/src/core/ext/filters/client_channel/resolving_lb_policy.h +1 -1
- data/src/core/ext/filters/client_channel/retry_throttle.cc +5 -5
- data/src/core/ext/filters/client_channel/retry_throttle.h +1 -4
- data/src/core/ext/filters/client_channel/service_config.h +8 -8
- data/src/core/ext/filters/client_channel/subchannel.cc +53 -86
- data/src/core/ext/filters/client_channel/subchannel.h +7 -9
- data/src/core/ext/filters/client_channel/subchannel_interface.h +9 -13
- data/src/core/ext/filters/client_channel/subchannel_pool_interface.h +3 -6
- data/src/core/ext/filters/client_channel/{lb_policy/xds/xds_load_balancer_api.cc → xds/xds_api.cc} +169 -52
- data/src/core/ext/filters/client_channel/xds/xds_api.h +171 -0
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.cc +450 -0
- data/src/core/ext/filters/client_channel/xds/xds_bootstrap.h +99 -0
- data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_channel.h +8 -6
- data/src/core/ext/filters/client_channel/xds/xds_channel_args.h +26 -0
- data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_channel_secure.cc +28 -11
- data/src/core/ext/filters/client_channel/xds/xds_client.cc +1413 -0
- data/src/core/ext/filters/client_channel/xds/xds_client.h +221 -0
- data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_client_stats.cc +1 -5
- data/src/core/ext/filters/client_channel/{lb_policy/xds → xds}/xds_client_stats.h +3 -4
- data/src/core/ext/filters/deadline/deadline_filter.cc +20 -20
- data/src/core/ext/filters/http/client/http_client_filter.cc +15 -15
- data/src/core/ext/filters/http/client_authority_filter.cc +14 -14
- data/src/core/ext/filters/http/message_compress/message_compress_filter.cc +12 -12
- data/src/core/ext/filters/max_age/max_age_filter.cc +59 -50
- data/src/core/ext/filters/message_size/message_size_filter.cc +18 -18
- data/src/core/ext/filters/workarounds/workaround_cronet_compression_filter.cc +15 -14
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +233 -175
- data/src/core/ext/transport/chttp2/transport/flow_control.h +21 -24
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.cc +253 -163
- data/src/core/ext/transport/chttp2/transport/hpack_encoder.h +24 -12
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +2 -3
- data/src/core/ext/transport/chttp2/transport/internal.h +13 -15
- data/src/core/ext/transport/chttp2/transport/writing.cc +3 -0
- data/src/core/ext/transport/inproc/inproc_transport.cc +20 -13
- data/src/core/lib/channel/channel_args.cc +16 -0
- data/src/core/lib/channel/channel_args.h +22 -0
- data/src/core/lib/channel/channelz.cc +5 -6
- data/src/core/lib/channel/channelz.h +1 -1
- data/src/core/lib/channel/connected_channel.cc +20 -20
- data/src/core/lib/channel/handshaker.h +3 -4
- data/src/core/lib/channel/handshaker_factory.h +1 -3
- data/src/core/lib/debug/trace.h +3 -2
- data/src/core/lib/gprpp/arena.cc +3 -3
- data/src/core/lib/gprpp/arena.h +2 -3
- data/src/core/lib/gprpp/inlined_vector.h +9 -0
- data/src/core/lib/gprpp/map.h +3 -501
- data/src/core/lib/gprpp/memory.h +45 -41
- data/src/core/lib/gprpp/mpscq.cc +108 -0
- data/src/core/lib/gprpp/mpscq.h +98 -0
- data/src/core/lib/gprpp/orphanable.h +6 -11
- data/src/core/lib/gprpp/ref_counted.h +25 -19
- data/src/core/lib/gprpp/set.h +33 -0
- data/src/core/lib/gprpp/thd.h +2 -4
- data/src/core/lib/http/httpcli.cc +1 -1
- data/src/core/lib/http/httpcli_security_connector.cc +15 -11
- data/src/core/lib/http/parser.cc +1 -1
- data/src/core/lib/iomgr/buffer_list.cc +4 -5
- data/src/core/lib/iomgr/buffer_list.h +5 -6
- data/src/core/lib/iomgr/call_combiner.cc +4 -5
- data/src/core/lib/iomgr/call_combiner.h +2 -2
- data/src/core/lib/iomgr/cfstream_handle.h +3 -5
- data/src/core/lib/iomgr/closure.h +8 -3
- data/src/core/lib/iomgr/combiner.cc +45 -82
- data/src/core/lib/iomgr/combiner.h +32 -8
- data/src/core/lib/iomgr/endpoint_cfstream.cc +5 -3
- data/src/core/lib/iomgr/ev_epoll1_linux.cc +19 -15
- data/src/core/lib/iomgr/exec_ctx.h +4 -3
- data/src/core/lib/iomgr/executor.cc +4 -2
- data/src/core/lib/iomgr/executor.h +3 -0
- data/src/core/lib/iomgr/executor/mpmcqueue.h +3 -6
- data/src/core/lib/iomgr/executor/threadpool.cc +1 -2
- data/src/core/lib/iomgr/executor/threadpool.h +7 -11
- data/src/core/lib/iomgr/resource_quota.cc +55 -51
- data/src/core/lib/iomgr/resource_quota.h +13 -9
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +13 -0
- data/src/core/lib/iomgr/socket_utils_posix.h +4 -0
- data/src/core/lib/iomgr/tcp_client_posix.cc +4 -11
- data/src/core/lib/iomgr/tcp_custom.cc +9 -7
- data/src/core/lib/iomgr/tcp_posix.cc +20 -16
- data/src/core/lib/iomgr/tcp_server.h +1 -4
- data/src/core/lib/iomgr/tcp_server_custom.cc +5 -5
- data/src/core/lib/iomgr/tcp_server_posix.cc +1 -1
- data/src/core/lib/iomgr/tcp_server_utils_posix_common.cc +2 -11
- data/src/core/lib/iomgr/timer_custom.cc +2 -2
- data/src/core/lib/iomgr/udp_server.cc +3 -2
- data/src/core/lib/iomgr/udp_server.h +6 -12
- data/src/core/lib/json/json.h +1 -1
- data/src/core/lib/json/json_string.cc +2 -2
- data/src/core/lib/profiling/basic_timers.cc +2 -2
- data/src/core/lib/security/credentials/alts/alts_credentials.cc +2 -2
- data/src/core/lib/security/credentials/alts/grpc_alts_credentials_server_options.cc +1 -1
- data/src/core/lib/security/credentials/credentials.h +4 -20
- data/src/core/lib/security/credentials/fake/fake_credentials.cc +4 -4
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -3
- data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h +64 -0
- data/src/core/lib/security/security_connector/alts/alts_security_connector.cc +4 -4
- data/src/core/lib/security/security_connector/fake/fake_security_connector.cc +9 -7
- data/src/core/lib/security/security_connector/load_system_roots_linux.cc +2 -0
- data/src/core/lib/security/security_connector/local/local_security_connector.cc +4 -4
- data/src/core/lib/security/security_connector/security_connector.cc +1 -0
- data/src/core/lib/security/security_connector/security_connector.h +19 -17
- data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc +8 -5
- data/src/core/lib/security/security_connector/ssl_utils.cc +2 -2
- data/src/core/lib/security/security_connector/ssl_utils.h +1 -1
- data/src/core/lib/security/security_connector/tls/spiffe_security_connector.cc +14 -6
- data/src/core/lib/security/security_connector/tls/spiffe_security_connector.h +4 -2
- data/src/core/lib/security/transport/client_auth_filter.cc +17 -17
- data/src/core/lib/security/transport/security_handshaker.cc +29 -13
- data/src/core/lib/security/transport/security_handshaker.h +4 -2
- data/src/core/lib/security/transport/server_auth_filter.cc +14 -14
- data/src/core/lib/slice/slice.cc +2 -10
- data/src/core/lib/slice/slice_hash_table.h +4 -6
- data/src/core/lib/slice/slice_intern.cc +42 -39
- data/src/core/lib/slice/slice_internal.h +3 -3
- data/src/core/lib/slice/slice_utils.h +21 -4
- data/src/core/lib/slice/slice_weak_hash_table.h +4 -6
- data/src/core/lib/surface/call.cc +3 -3
- data/src/core/lib/surface/channel.cc +7 -0
- data/src/core/lib/surface/completion_queue.cc +12 -11
- data/src/core/lib/surface/completion_queue.h +4 -2
- data/src/core/lib/surface/init.cc +1 -0
- data/src/core/lib/surface/lame_client.cc +33 -18
- data/src/core/lib/surface/server.cc +77 -76
- data/src/core/lib/surface/version.cc +1 -1
- data/src/core/lib/transport/byte_stream.h +3 -7
- data/src/core/lib/transport/connectivity_state.cc +112 -98
- data/src/core/lib/transport/connectivity_state.h +100 -50
- data/src/core/lib/transport/static_metadata.cc +276 -288
- data/src/core/lib/transport/static_metadata.h +73 -76
- data/src/core/lib/transport/status_conversion.cc +1 -1
- data/src/core/lib/transport/status_metadata.cc +1 -1
- data/src/core/lib/transport/transport.cc +2 -2
- data/src/core/lib/transport/transport.h +12 -4
- data/src/core/lib/transport/transport_op_string.cc +14 -11
- data/src/core/tsi/alts/frame_protector/alts_unseal_privacy_integrity_crypter.cc +1 -1
- data/src/core/tsi/alts/handshaker/alts_shared_resource.cc +1 -1
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +5 -5
- data/src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc +12 -2
- data/src/core/tsi/fake_transport_security.cc +7 -5
- data/src/core/tsi/grpc_shadow_boringssl.h +2918 -2627
- data/src/core/tsi/local_transport_security.cc +8 -6
- data/src/core/tsi/ssl/session_cache/ssl_session.h +1 -3
- data/src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc +1 -2
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.cc +7 -5
- data/src/core/tsi/ssl/session_cache/ssl_session_cache.h +4 -6
- data/src/core/tsi/ssl/session_cache/ssl_session_openssl.cc +1 -2
- data/src/core/tsi/ssl_transport_security.cc +12 -12
- data/src/core/tsi/ssl_transport_security.h +2 -2
- data/src/core/tsi/transport_security_grpc.cc +7 -0
- data/src/core/tsi/transport_security_grpc.h +6 -0
- data/src/ruby/ext/grpc/extconf.rb +1 -0
- data/src/ruby/ext/grpc/rb_call.c +1 -1
- data/src/ruby/ext/grpc/rb_channel.c +1 -1
- data/src/ruby/lib/grpc/generic/bidi_call.rb +1 -1
- data/src/ruby/lib/grpc/generic/rpc_server.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/src/ruby/spec/google_rpc_status_utils_spec.rb +2 -2
- data/third_party/boringssl/crypto/asn1/a_bool.c +18 -5
- data/third_party/boringssl/crypto/asn1/a_d2i_fp.c +17 -221
- data/third_party/boringssl/crypto/asn1/a_dup.c +0 -24
- data/third_party/boringssl/crypto/asn1/a_enum.c +2 -2
- data/third_party/boringssl/crypto/asn1/a_i2d_fp.c +10 -72
- data/third_party/boringssl/crypto/asn1/a_int.c +12 -71
- data/third_party/boringssl/crypto/asn1/a_mbstr.c +110 -216
- data/third_party/boringssl/crypto/asn1/a_object.c +16 -5
- data/third_party/boringssl/crypto/asn1/a_strnid.c +1 -0
- data/third_party/boringssl/crypto/asn1/asn1_lib.c +5 -1
- data/third_party/boringssl/crypto/asn1/tasn_enc.c +3 -1
- data/third_party/boringssl/crypto/base64/base64.c +2 -2
- data/third_party/boringssl/crypto/bio/bio.c +73 -9
- data/third_party/boringssl/crypto/bio/connect.c +4 -0
- data/third_party/boringssl/crypto/bio/fd.c +4 -0
- data/third_party/boringssl/crypto/bio/file.c +5 -2
- data/third_party/boringssl/crypto/bio/socket.c +4 -0
- data/third_party/boringssl/crypto/bio/socket_helper.c +4 -0
- data/third_party/boringssl/crypto/bn_extra/convert.c +11 -7
- data/third_party/boringssl/crypto/bytestring/ber.c +8 -4
- data/third_party/boringssl/crypto/bytestring/cbb.c +19 -7
- data/third_party/boringssl/crypto/bytestring/cbs.c +28 -15
- data/third_party/boringssl/crypto/bytestring/internal.h +28 -7
- data/third_party/boringssl/crypto/bytestring/unicode.c +155 -0
- data/third_party/boringssl/crypto/chacha/chacha.c +36 -19
- data/third_party/boringssl/crypto/chacha/internal.h +45 -0
- data/third_party/boringssl/crypto/cipher_extra/cipher_extra.c +29 -0
- data/third_party/boringssl/crypto/cipher_extra/e_aesccm.c +269 -25
- data/third_party/boringssl/crypto/cipher_extra/e_aesctrhmac.c +16 -14
- data/third_party/boringssl/crypto/cipher_extra/e_aesgcmsiv.c +54 -38
- data/third_party/boringssl/crypto/cipher_extra/e_chacha20poly1305.c +133 -41
- data/third_party/boringssl/crypto/cipher_extra/e_tls.c +23 -15
- data/third_party/boringssl/crypto/cipher_extra/tls_cbc.c +24 -15
- data/third_party/boringssl/crypto/cmac/cmac.c +62 -25
- data/third_party/boringssl/crypto/conf/conf.c +7 -0
- data/third_party/boringssl/crypto/cpu-arm-linux.c +4 -148
- data/third_party/boringssl/crypto/cpu-arm-linux.h +201 -0
- data/third_party/boringssl/crypto/cpu-intel.c +45 -51
- data/third_party/boringssl/crypto/crypto.c +39 -22
- data/third_party/boringssl/crypto/curve25519/spake25519.c +1 -1
- data/third_party/boringssl/crypto/dsa/dsa.c +77 -53
- data/third_party/boringssl/crypto/ec_extra/ec_asn1.c +20 -8
- data/third_party/boringssl/crypto/ec_extra/ec_derive.c +96 -0
- data/third_party/boringssl/crypto/{ecdh/ecdh.c → ecdh_extra/ecdh_extra.c} +20 -58
- data/third_party/boringssl/crypto/ecdsa_extra/ecdsa_asn1.c +1 -9
- data/third_party/boringssl/crypto/engine/engine.c +2 -1
- data/third_party/boringssl/crypto/err/err.c +2 -0
- data/third_party/boringssl/crypto/err/internal.h +2 -2
- data/third_party/boringssl/crypto/evp/evp.c +89 -8
- data/third_party/boringssl/crypto/evp/evp_asn1.c +56 -5
- data/third_party/boringssl/crypto/evp/evp_ctx.c +52 -14
- data/third_party/boringssl/crypto/evp/internal.h +18 -1
- data/third_party/boringssl/crypto/evp/p_dsa_asn1.c +5 -0
- data/third_party/boringssl/crypto/evp/p_ec.c +51 -3
- data/third_party/boringssl/crypto/evp/p_ec_asn1.c +6 -7
- data/third_party/boringssl/crypto/evp/p_ed25519.c +36 -3
- data/third_party/boringssl/crypto/evp/p_ed25519_asn1.c +76 -45
- data/third_party/boringssl/crypto/evp/p_rsa.c +3 -1
- data/third_party/boringssl/crypto/evp/p_rsa_asn1.c +5 -0
- data/third_party/boringssl/crypto/evp/p_x25519.c +110 -0
- data/third_party/boringssl/crypto/evp/p_x25519_asn1.c +249 -0
- data/third_party/boringssl/crypto/evp/scrypt.c +6 -2
- data/third_party/boringssl/crypto/fipsmodule/aes/aes.c +34 -274
- data/third_party/boringssl/crypto/fipsmodule/aes/internal.h +161 -21
- data/third_party/boringssl/crypto/fipsmodule/aes/key_wrap.c +111 -13
- data/third_party/boringssl/crypto/fipsmodule/aes/mode_wrappers.c +17 -21
- data/third_party/boringssl/crypto/fipsmodule/bcm.c +119 -7
- data/third_party/boringssl/crypto/fipsmodule/bn/bn.c +19 -2
- data/third_party/boringssl/crypto/fipsmodule/bn/cmp.c +2 -2
- data/third_party/boringssl/crypto/fipsmodule/bn/ctx.c +93 -160
- data/third_party/boringssl/crypto/fipsmodule/bn/div.c +48 -57
- data/third_party/boringssl/crypto/fipsmodule/bn/div_extra.c +87 -0
- data/third_party/boringssl/crypto/fipsmodule/bn/exponentiation.c +143 -211
- data/third_party/boringssl/crypto/fipsmodule/bn/gcd.c +0 -305
- data/third_party/boringssl/crypto/fipsmodule/bn/gcd_extra.c +325 -0
- data/third_party/boringssl/crypto/fipsmodule/bn/internal.h +168 -50
- data/third_party/boringssl/crypto/fipsmodule/bn/montgomery.c +68 -92
- data/third_party/boringssl/crypto/fipsmodule/bn/montgomery_inv.c +7 -6
- data/third_party/boringssl/crypto/fipsmodule/bn/mul.c +11 -14
- data/third_party/boringssl/crypto/fipsmodule/bn/prime.c +358 -443
- data/third_party/boringssl/crypto/fipsmodule/bn/random.c +25 -35
- data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.c +20 -25
- data/third_party/boringssl/crypto/fipsmodule/bn/rsaz_exp.h +76 -5
- data/third_party/boringssl/crypto/fipsmodule/bn/shift.c +14 -14
- data/third_party/boringssl/crypto/fipsmodule/cipher/cipher.c +7 -2
- data/third_party/boringssl/crypto/fipsmodule/cipher/e_aes.c +383 -516
- data/third_party/boringssl/crypto/fipsmodule/cipher/e_des.c +4 -0
- data/third_party/boringssl/crypto/fipsmodule/cipher/internal.h +3 -4
- data/third_party/boringssl/crypto/fipsmodule/delocate.h +3 -2
- data/third_party/boringssl/crypto/fipsmodule/digest/digest.c +32 -17
- data/third_party/boringssl/crypto/fipsmodule/digest/md32_common.h +3 -3
- data/third_party/boringssl/crypto/fipsmodule/ec/ec.c +228 -122
- data/third_party/boringssl/crypto/fipsmodule/ec/ec_key.c +34 -8
- data/third_party/boringssl/crypto/fipsmodule/ec/ec_montgomery.c +311 -98
- data/third_party/boringssl/crypto/fipsmodule/ec/felem.c +82 -0
- data/third_party/boringssl/crypto/fipsmodule/ec/internal.h +263 -97
- data/third_party/boringssl/crypto/fipsmodule/ec/oct.c +22 -59
- data/third_party/boringssl/crypto/fipsmodule/ec/p224-64.c +317 -234
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64-table.h +9473 -9475
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.c +313 -109
- data/third_party/boringssl/crypto/fipsmodule/ec/p256-x86_64.h +36 -0
- data/third_party/boringssl/crypto/fipsmodule/ec/scalar.c +96 -0
- data/third_party/boringssl/crypto/fipsmodule/ec/simple.c +126 -792
- data/third_party/boringssl/crypto/fipsmodule/ec/simple_mul.c +84 -0
- data/third_party/boringssl/crypto/fipsmodule/ec/util.c +163 -12
- data/third_party/boringssl/crypto/fipsmodule/ec/wnaf.c +84 -211
- data/third_party/boringssl/crypto/fipsmodule/ecdh/ecdh.c +122 -0
- data/third_party/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c +60 -205
- data/third_party/boringssl/crypto/fipsmodule/fips_shared_support.c +32 -0
- data/third_party/boringssl/crypto/fipsmodule/is_fips.c +2 -0
- data/third_party/boringssl/crypto/fipsmodule/md4/md4.c +3 -1
- data/third_party/boringssl/crypto/fipsmodule/md5/internal.h +37 -0
- data/third_party/boringssl/crypto/fipsmodule/md5/md5.c +11 -8
- data/third_party/boringssl/crypto/fipsmodule/modes/cbc.c +35 -79
- data/third_party/boringssl/crypto/fipsmodule/modes/cfb.c +7 -39
- data/third_party/boringssl/crypto/fipsmodule/modes/ctr.c +7 -27
- data/third_party/boringssl/crypto/fipsmodule/modes/gcm.c +123 -309
- data/third_party/boringssl/crypto/fipsmodule/modes/internal.h +189 -126
- data/third_party/boringssl/crypto/fipsmodule/modes/ofb.c +3 -2
- data/third_party/boringssl/crypto/fipsmodule/rand/ctrdrbg.c +2 -2
- data/third_party/boringssl/crypto/fipsmodule/rand/internal.h +35 -0
- data/third_party/boringssl/crypto/fipsmodule/rand/rand.c +24 -19
- data/third_party/boringssl/crypto/fipsmodule/rand/urandom.c +256 -77
- data/third_party/boringssl/crypto/fipsmodule/rsa/padding.c +10 -7
- data/third_party/boringssl/crypto/fipsmodule/rsa/rsa.c +5 -1
- data/third_party/boringssl/crypto/fipsmodule/rsa/rsa_impl.c +131 -14
- data/third_party/boringssl/crypto/fipsmodule/self_check/self_check.c +83 -10
- data/third_party/boringssl/crypto/fipsmodule/sha/internal.h +53 -0
- data/third_party/boringssl/crypto/fipsmodule/sha/sha1.c +9 -13
- data/third_party/boringssl/crypto/fipsmodule/sha/sha256.c +18 -12
- data/third_party/boringssl/crypto/fipsmodule/sha/sha512.c +95 -168
- data/third_party/boringssl/crypto/hrss/hrss.c +2201 -0
- data/third_party/boringssl/crypto/hrss/internal.h +62 -0
- data/third_party/boringssl/crypto/internal.h +95 -20
- data/third_party/boringssl/crypto/lhash/lhash.c +45 -33
- data/third_party/boringssl/crypto/mem.c +39 -2
- data/third_party/boringssl/crypto/obj/obj.c +4 -4
- data/third_party/boringssl/crypto/obj/obj_dat.h +6181 -875
- data/third_party/boringssl/crypto/pem/pem_all.c +2 -3
- data/third_party/boringssl/crypto/pem/pem_info.c +144 -162
- data/third_party/boringssl/crypto/pem/pem_lib.c +53 -52
- data/third_party/boringssl/crypto/pem/pem_pkey.c +13 -21
- data/third_party/boringssl/crypto/pkcs7/pkcs7.c +15 -22
- data/third_party/boringssl/crypto/pkcs7/pkcs7_x509.c +168 -16
- data/third_party/boringssl/crypto/pkcs8/internal.h +11 -0
- data/third_party/boringssl/crypto/pkcs8/p5_pbev2.c +24 -15
- data/third_party/boringssl/crypto/pkcs8/pkcs8.c +42 -25
- data/third_party/boringssl/crypto/pkcs8/pkcs8_x509.c +559 -43
- data/third_party/boringssl/crypto/pool/internal.h +1 -1
- data/third_party/boringssl/crypto/pool/pool.c +21 -0
- data/third_party/boringssl/crypto/rand_extra/deterministic.c +8 -0
- data/third_party/boringssl/crypto/rand_extra/fuchsia.c +1 -14
- data/third_party/boringssl/crypto/refcount_lock.c +2 -2
- data/third_party/boringssl/crypto/rsa_extra/rsa_print.c +22 -0
- data/third_party/boringssl/crypto/siphash/siphash.c +80 -0
- data/third_party/boringssl/crypto/stack/stack.c +83 -32
- data/third_party/boringssl/crypto/thread_none.c +2 -2
- data/third_party/boringssl/crypto/thread_pthread.c +2 -2
- data/third_party/boringssl/crypto/thread_win.c +38 -19
- data/third_party/boringssl/crypto/x509/a_strex.c +22 -2
- data/third_party/boringssl/crypto/x509/asn1_gen.c +2 -1
- data/third_party/boringssl/crypto/x509/by_dir.c +7 -0
- data/third_party/boringssl/crypto/x509/by_file.c +12 -10
- data/third_party/boringssl/crypto/x509/t_crl.c +5 -8
- data/third_party/boringssl/crypto/x509/t_req.c +1 -3
- data/third_party/boringssl/crypto/x509/t_x509.c +5 -8
- data/third_party/boringssl/crypto/x509/x509_cmp.c +1 -1
- data/third_party/boringssl/crypto/x509/x509_def.c +1 -1
- data/third_party/boringssl/crypto/x509/x509_lu.c +114 -5
- data/third_party/boringssl/crypto/x509/x509_req.c +20 -0
- data/third_party/boringssl/crypto/x509/x509_set.c +5 -0
- data/third_party/boringssl/crypto/x509/x509_trs.c +1 -0
- data/third_party/boringssl/crypto/x509/x509_txt.c +4 -5
- data/third_party/boringssl/crypto/x509/x509_vfy.c +145 -138
- data/third_party/boringssl/crypto/x509/x509_vpm.c +2 -0
- data/third_party/boringssl/crypto/x509/x509cset.c +40 -0
- data/third_party/boringssl/crypto/x509/x509name.c +2 -3
- data/third_party/boringssl/crypto/x509/x_all.c +109 -210
- data/third_party/boringssl/crypto/x509/x_x509.c +6 -0
- data/third_party/boringssl/crypto/x509v3/ext_dat.h +1 -3
- data/third_party/boringssl/crypto/x509v3/internal.h +56 -0
- data/third_party/boringssl/crypto/x509v3/pcy_cache.c +2 -0
- data/third_party/boringssl/crypto/x509v3/pcy_node.c +1 -0
- data/third_party/boringssl/crypto/x509v3/pcy_tree.c +4 -2
- data/third_party/boringssl/crypto/x509v3/v3_akey.c +5 -2
- data/third_party/boringssl/crypto/x509v3/v3_alt.c +19 -13
- data/third_party/boringssl/crypto/x509v3/v3_conf.c +2 -1
- data/third_party/boringssl/crypto/x509v3/v3_cpols.c +3 -2
- data/third_party/boringssl/crypto/x509v3/v3_genn.c +1 -6
- data/third_party/boringssl/crypto/x509v3/v3_lib.c +1 -0
- data/third_party/boringssl/crypto/x509v3/v3_ocsp.c +68 -0
- data/third_party/boringssl/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl/crypto/x509v3/v3_purp.c +47 -69
- data/third_party/boringssl/crypto/x509v3/v3_skey.c +5 -2
- data/third_party/boringssl/crypto/x509v3/v3_utl.c +69 -25
- data/third_party/boringssl/include/openssl/aead.h +45 -19
- data/third_party/boringssl/include/openssl/aes.h +32 -7
- data/third_party/boringssl/include/openssl/asn1.h +7 -77
- data/third_party/boringssl/include/openssl/base.h +120 -6
- data/third_party/boringssl/include/openssl/base64.h +4 -1
- data/third_party/boringssl/include/openssl/bio.h +112 -81
- data/third_party/boringssl/include/openssl/blowfish.h +3 -3
- data/third_party/boringssl/include/openssl/bn.h +55 -29
- data/third_party/boringssl/include/openssl/buf.h +2 -2
- data/third_party/boringssl/include/openssl/bytestring.h +54 -32
- data/third_party/boringssl/include/openssl/cast.h +2 -2
- data/third_party/boringssl/include/openssl/cipher.h +46 -16
- data/third_party/boringssl/include/openssl/cmac.h +6 -2
- data/third_party/boringssl/include/openssl/conf.h +3 -6
- data/third_party/boringssl/include/openssl/cpu.h +25 -9
- data/third_party/boringssl/include/openssl/crypto.h +32 -10
- data/third_party/boringssl/include/openssl/curve25519.h +4 -4
- data/third_party/boringssl/include/openssl/dh.h +3 -2
- data/third_party/boringssl/include/openssl/digest.h +21 -7
- data/third_party/boringssl/include/openssl/dsa.h +8 -2
- data/third_party/boringssl/include/openssl/e_os2.h +18 -0
- data/third_party/boringssl/include/openssl/ec.h +25 -21
- data/third_party/boringssl/include/openssl/ec_key.h +36 -8
- data/third_party/boringssl/include/openssl/ecdh.h +17 -0
- data/third_party/boringssl/include/openssl/ecdsa.h +3 -3
- data/third_party/boringssl/include/openssl/engine.h +4 -4
- data/third_party/boringssl/include/openssl/err.h +3 -0
- data/third_party/boringssl/include/openssl/evp.h +199 -42
- data/third_party/boringssl/include/openssl/hmac.h +4 -4
- data/third_party/boringssl/include/openssl/hrss.h +100 -0
- data/third_party/boringssl/include/openssl/lhash.h +131 -23
- data/third_party/boringssl/include/openssl/md4.h +6 -4
- data/third_party/boringssl/include/openssl/md5.h +6 -4
- data/third_party/boringssl/include/openssl/mem.h +6 -2
- data/third_party/boringssl/include/openssl/nid.h +3 -0
- data/third_party/boringssl/include/openssl/obj.h +3 -0
- data/third_party/boringssl/include/openssl/pem.h +102 -64
- data/third_party/boringssl/include/openssl/pkcs7.h +136 -3
- data/third_party/boringssl/include/openssl/pkcs8.h +42 -3
- data/third_party/boringssl/include/openssl/pool.h +13 -2
- data/third_party/boringssl/include/openssl/ripemd.h +5 -4
- data/third_party/boringssl/include/openssl/rsa.h +46 -15
- data/third_party/boringssl/include/openssl/sha.h +40 -28
- data/third_party/boringssl/include/openssl/siphash.h +37 -0
- data/third_party/boringssl/include/openssl/span.h +17 -9
- data/third_party/boringssl/include/openssl/ssl.h +766 -393
- data/third_party/boringssl/include/openssl/ssl3.h +4 -3
- data/third_party/boringssl/include/openssl/stack.h +134 -77
- data/third_party/boringssl/include/openssl/thread.h +1 -1
- data/third_party/boringssl/include/openssl/tls1.h +25 -9
- data/third_party/boringssl/include/openssl/type_check.h +14 -15
- data/third_party/boringssl/include/openssl/x509.h +28 -3
- data/third_party/boringssl/include/openssl/x509_vfy.h +98 -32
- data/third_party/boringssl/include/openssl/x509v3.h +17 -13
- data/third_party/boringssl/ssl/d1_both.cc +9 -18
- data/third_party/boringssl/ssl/d1_lib.cc +4 -3
- data/third_party/boringssl/ssl/d1_pkt.cc +4 -4
- data/third_party/boringssl/ssl/d1_srtp.cc +15 -15
- data/third_party/boringssl/ssl/dtls_method.cc +0 -1
- data/third_party/boringssl/ssl/dtls_record.cc +28 -28
- data/third_party/boringssl/ssl/handoff.cc +295 -91
- data/third_party/boringssl/ssl/handshake.cc +133 -72
- data/third_party/boringssl/ssl/handshake_client.cc +218 -189
- data/third_party/boringssl/ssl/handshake_server.cc +399 -272
- data/third_party/boringssl/ssl/internal.h +1413 -928
- data/third_party/boringssl/ssl/s3_both.cc +175 -36
- data/third_party/boringssl/ssl/s3_lib.cc +9 -13
- data/third_party/boringssl/ssl/s3_pkt.cc +63 -29
- data/third_party/boringssl/ssl/ssl_aead_ctx.cc +55 -35
- data/third_party/boringssl/ssl/ssl_asn1.cc +57 -73
- data/third_party/boringssl/ssl/ssl_buffer.cc +13 -12
- data/third_party/boringssl/ssl/ssl_cert.cc +313 -210
- data/third_party/boringssl/ssl/ssl_cipher.cc +159 -221
- data/third_party/boringssl/ssl/ssl_file.cc +2 -0
- data/third_party/boringssl/ssl/ssl_key_share.cc +164 -19
- data/third_party/boringssl/ssl/ssl_lib.cc +847 -555
- data/third_party/boringssl/ssl/ssl_privkey.cc +441 -111
- data/third_party/boringssl/ssl/ssl_session.cc +230 -178
- data/third_party/boringssl/ssl/ssl_transcript.cc +21 -142
- data/third_party/boringssl/ssl/ssl_versions.cc +88 -93
- data/third_party/boringssl/ssl/ssl_x509.cc +279 -218
- data/third_party/boringssl/ssl/t1_enc.cc +5 -96
- data/third_party/boringssl/ssl/t1_lib.cc +931 -678
- data/third_party/boringssl/ssl/tls13_both.cc +251 -121
- data/third_party/boringssl/ssl/tls13_client.cc +129 -73
- data/third_party/boringssl/ssl/tls13_enc.cc +350 -282
- data/third_party/boringssl/ssl/tls13_server.cc +259 -192
- data/third_party/boringssl/ssl/tls_method.cc +26 -21
- data/third_party/boringssl/ssl/tls_record.cc +42 -47
- data/third_party/boringssl/third_party/fiat/curve25519.c +261 -1324
- data/third_party/boringssl/third_party/fiat/curve25519_32.h +911 -0
- data/third_party/boringssl/third_party/fiat/curve25519_64.h +559 -0
- data/third_party/boringssl/third_party/fiat/p256.c +238 -999
- data/third_party/boringssl/third_party/fiat/p256_32.h +3226 -0
- data/third_party/boringssl/third_party/fiat/p256_64.h +1217 -0
- data/third_party/upb/upb/port_def.inc +1 -1
- data/third_party/upb/upb/table.c +2 -1
- metadata +71 -43
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_load_balancer_api.h +0 -127
- data/src/core/lib/gpr/mpscq.cc +0 -117
- data/src/core/lib/gpr/mpscq.h +0 -88
- data/src/core/lib/gprpp/abstract.h +0 -47
- data/src/core/lib/gprpp/pair.h +0 -38
- data/third_party/boringssl/crypto/cipher_extra/e_ssl3.c +0 -460
- data/third_party/boringssl/crypto/fipsmodule/modes/ccm.c +0 -256
- data/third_party/boringssl/include/openssl/lhash_macros.h +0 -174
- data/third_party/boringssl/ssl/custom_extensions.cc +0 -265
@@ -153,7 +153,7 @@
|
|
153
153
|
#include "internal.h"
|
154
154
|
|
155
155
|
|
156
|
-
|
156
|
+
BSSL_NAMESPACE_BEGIN
|
157
157
|
|
158
158
|
bool tls1_prf(const EVP_MD *digest, Span<uint8_t> out,
|
159
159
|
Span<const uint8_t> secret, Span<const char> label,
|
@@ -164,56 +164,6 @@ bool tls1_prf(const EVP_MD *digest, Span<uint8_t> out,
|
|
164
164
|
seed2.size());
|
165
165
|
}
|
166
166
|
|
167
|
-
static bool ssl3_prf(Span<uint8_t> out, Span<const uint8_t> secret,
|
168
|
-
Span<const char> label, Span<const uint8_t> seed1,
|
169
|
-
Span<const uint8_t> seed2) {
|
170
|
-
ScopedEVP_MD_CTX md5;
|
171
|
-
ScopedEVP_MD_CTX sha1;
|
172
|
-
uint8_t buf[16], smd[SHA_DIGEST_LENGTH];
|
173
|
-
uint8_t c = 'A';
|
174
|
-
size_t k = 0;
|
175
|
-
while (!out.empty()) {
|
176
|
-
k++;
|
177
|
-
if (k > sizeof(buf)) {
|
178
|
-
// bug: 'buf' is too small for this ciphersuite
|
179
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
180
|
-
return false;
|
181
|
-
}
|
182
|
-
|
183
|
-
for (size_t j = 0; j < k; j++) {
|
184
|
-
buf[j] = c;
|
185
|
-
}
|
186
|
-
c++;
|
187
|
-
if (!EVP_DigestInit_ex(sha1.get(), EVP_sha1(), NULL)) {
|
188
|
-
OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
|
189
|
-
return false;
|
190
|
-
}
|
191
|
-
EVP_DigestUpdate(sha1.get(), buf, k);
|
192
|
-
EVP_DigestUpdate(sha1.get(), secret.data(), secret.size());
|
193
|
-
// |label| is ignored for SSLv3.
|
194
|
-
EVP_DigestUpdate(sha1.get(), seed1.data(), seed1.size());
|
195
|
-
EVP_DigestUpdate(sha1.get(), seed2.data(), seed2.size());
|
196
|
-
EVP_DigestFinal_ex(sha1.get(), smd, NULL);
|
197
|
-
|
198
|
-
if (!EVP_DigestInit_ex(md5.get(), EVP_md5(), NULL)) {
|
199
|
-
OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
|
200
|
-
return false;
|
201
|
-
}
|
202
|
-
EVP_DigestUpdate(md5.get(), secret.data(), secret.size());
|
203
|
-
EVP_DigestUpdate(md5.get(), smd, SHA_DIGEST_LENGTH);
|
204
|
-
if (out.size() < MD5_DIGEST_LENGTH) {
|
205
|
-
EVP_DigestFinal_ex(md5.get(), smd, NULL);
|
206
|
-
OPENSSL_memcpy(out.data(), smd, out.size());
|
207
|
-
break;
|
208
|
-
}
|
209
|
-
EVP_DigestFinal_ex(md5.get(), out.data(), NULL);
|
210
|
-
out = out.subspan(MD5_DIGEST_LENGTH);
|
211
|
-
}
|
212
|
-
|
213
|
-
OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
|
214
|
-
return true;
|
215
|
-
}
|
216
|
-
|
217
167
|
static bool get_key_block_lengths(const SSL *ssl, size_t *out_mac_secret_len,
|
218
168
|
size_t *out_key_len, size_t *out_iv_len,
|
219
169
|
const SSL_CIPHER *cipher) {
|
@@ -318,23 +268,16 @@ int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
|
|
318
268
|
} else {
|
319
269
|
auto label =
|
320
270
|
MakeConstSpan(kMasterSecretLabel, sizeof(kMasterSecretLabel) - 1);
|
321
|
-
if (
|
322
|
-
|
323
|
-
|
324
|
-
return 0;
|
325
|
-
}
|
326
|
-
} else {
|
327
|
-
if (!tls1_prf(hs->transcript.Digest(), out_span, premaster, label,
|
328
|
-
ssl->s3->client_random, ssl->s3->server_random)) {
|
329
|
-
return 0;
|
330
|
-
}
|
271
|
+
if (!tls1_prf(hs->transcript.Digest(), out_span, premaster, label,
|
272
|
+
ssl->s3->client_random, ssl->s3->server_random)) {
|
273
|
+
return 0;
|
331
274
|
}
|
332
275
|
}
|
333
276
|
|
334
277
|
return SSL3_MASTER_SECRET_SIZE;
|
335
278
|
}
|
336
279
|
|
337
|
-
|
280
|
+
BSSL_NAMESPACE_END
|
338
281
|
|
339
282
|
using namespace bssl;
|
340
283
|
|
@@ -357,11 +300,6 @@ int SSL_generate_key_block(const SSL *ssl, uint8_t *out, size_t out_len) {
|
|
357
300
|
static const char kLabel[] = "key expansion";
|
358
301
|
auto label = MakeConstSpan(kLabel, sizeof(kLabel) - 1);
|
359
302
|
|
360
|
-
if (ssl_protocol_version(ssl) == SSL3_VERSION) {
|
361
|
-
return ssl3_prf(out_span, master_key, label, ssl->s3->server_random,
|
362
|
-
ssl->s3->client_random);
|
363
|
-
}
|
364
|
-
|
365
303
|
const EVP_MD *digest = ssl_session_get_digest(session);
|
366
304
|
return tls1_prf(digest, out_span, master_key, label, ssl->s3->server_random,
|
367
305
|
ssl->s3->client_random);
|
@@ -371,11 +309,6 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
|
|
371
309
|
const char *label, size_t label_len,
|
372
310
|
const uint8_t *context, size_t context_len,
|
373
311
|
int use_context) {
|
374
|
-
if (!ssl->s3->have_version || ssl->version == SSL3_VERSION) {
|
375
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);
|
376
|
-
return 0;
|
377
|
-
}
|
378
|
-
|
379
312
|
// Exporters may be used in False Start and server 0-RTT, where the handshake
|
380
313
|
// has progressed enough. Otherwise, they may not be used during a handshake.
|
381
314
|
if (SSL_in_init(ssl) &&
|
@@ -426,27 +359,3 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
|
|
426
359
|
MakeConstSpan(session->master_key, session->master_key_length),
|
427
360
|
MakeConstSpan(label, label_len), seed, {});
|
428
361
|
}
|
429
|
-
|
430
|
-
int SSL_export_early_keying_material(
|
431
|
-
SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len,
|
432
|
-
const uint8_t *context, size_t context_len) {
|
433
|
-
if (!SSL_in_early_data(ssl) &&
|
434
|
-
(!ssl->s3->have_version ||
|
435
|
-
ssl_protocol_version(ssl) < TLS1_3_VERSION)) {
|
436
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
|
437
|
-
return 0;
|
438
|
-
}
|
439
|
-
|
440
|
-
// The early exporter only exists if we accepted early data or offered it as
|
441
|
-
// a client.
|
442
|
-
if (!SSL_in_early_data(ssl) && !SSL_early_data_accepted(ssl)) {
|
443
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_EARLY_DATA_NOT_IN_USE);
|
444
|
-
return 0;
|
445
|
-
}
|
446
|
-
|
447
|
-
return tls13_export_keying_material(
|
448
|
-
ssl, MakeSpan(out, out_len),
|
449
|
-
MakeConstSpan(ssl->s3->early_exporter_secret,
|
450
|
-
ssl->s3->early_exporter_secret_len),
|
451
|
-
MakeConstSpan(label, label_len), MakeConstSpan(context, context_len));
|
452
|
-
}
|
@@ -129,9 +129,9 @@
|
|
129
129
|
#include "../crypto/internal.h"
|
130
130
|
|
131
131
|
|
132
|
-
|
132
|
+
BSSL_NAMESPACE_BEGIN
|
133
133
|
|
134
|
-
static
|
134
|
+
static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);
|
135
135
|
|
136
136
|
static int compare_uint16_t(const void *p1, const void *p2) {
|
137
137
|
uint16_t u1 = *((const uint16_t *)p1);
|
@@ -149,7 +149,7 @@ static int compare_uint16_t(const void *p1, const void *p2) {
|
|
149
149
|
// more than one extension of the same type in a ClientHello or ServerHello.
|
150
150
|
// This function does an initial scan over the extensions block to filter those
|
151
151
|
// out.
|
152
|
-
static
|
152
|
+
static bool tls1_check_duplicate_extensions(const CBS *cbs) {
|
153
153
|
// First pass: count the extensions.
|
154
154
|
size_t num_extensions = 0;
|
155
155
|
CBS extensions = *cbs;
|
@@ -159,19 +159,19 @@ static int tls1_check_duplicate_extensions(const CBS *cbs) {
|
|
159
159
|
|
160
160
|
if (!CBS_get_u16(&extensions, &type) ||
|
161
161
|
!CBS_get_u16_length_prefixed(&extensions, &extension)) {
|
162
|
-
return
|
162
|
+
return false;
|
163
163
|
}
|
164
164
|
|
165
165
|
num_extensions++;
|
166
166
|
}
|
167
167
|
|
168
168
|
if (num_extensions == 0) {
|
169
|
-
return
|
169
|
+
return true;
|
170
170
|
}
|
171
171
|
|
172
172
|
Array<uint16_t> extension_types;
|
173
173
|
if (!extension_types.Init(num_extensions)) {
|
174
|
-
return
|
174
|
+
return false;
|
175
175
|
}
|
176
176
|
|
177
177
|
// Second pass: gather the extension types.
|
@@ -182,7 +182,7 @@ static int tls1_check_duplicate_extensions(const CBS *cbs) {
|
|
182
182
|
if (!CBS_get_u16(&extensions, &extension_types[i]) ||
|
183
183
|
!CBS_get_u16_length_prefixed(&extensions, &extension)) {
|
184
184
|
// This should not happen.
|
185
|
-
return
|
185
|
+
return false;
|
186
186
|
}
|
187
187
|
}
|
188
188
|
assert(CBS_len(&extensions) == 0);
|
@@ -192,17 +192,21 @@ static int tls1_check_duplicate_extensions(const CBS *cbs) {
|
|
192
192
|
compare_uint16_t);
|
193
193
|
for (size_t i = 1; i < num_extensions; i++) {
|
194
194
|
if (extension_types[i - 1] == extension_types[i]) {
|
195
|
-
return
|
195
|
+
return false;
|
196
196
|
}
|
197
197
|
}
|
198
198
|
|
199
|
-
return
|
199
|
+
return true;
|
200
|
+
}
|
201
|
+
|
202
|
+
static bool is_post_quantum_group(uint16_t id) {
|
203
|
+
return id == SSL_CURVE_CECPQ2;
|
200
204
|
}
|
201
205
|
|
202
|
-
|
203
|
-
|
206
|
+
bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
|
207
|
+
const SSLMessage &msg) {
|
204
208
|
OPENSSL_memset(out, 0, sizeof(*out));
|
205
|
-
out->ssl = ssl;
|
209
|
+
out->ssl = const_cast<SSL *>(ssl);
|
206
210
|
out->client_hello = CBS_data(&msg.body);
|
207
211
|
out->client_hello_len = CBS_len(&msg.body);
|
208
212
|
|
@@ -212,7 +216,7 @@ int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
212
216
|
!CBS_get_bytes(&client_hello, &random, SSL3_RANDOM_SIZE) ||
|
213
217
|
!CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
|
214
218
|
CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
|
215
|
-
return
|
219
|
+
return false;
|
216
220
|
}
|
217
221
|
|
218
222
|
out->random = CBS_data(&random);
|
@@ -225,7 +229,7 @@ int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
225
229
|
CBS cookie;
|
226
230
|
if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
|
227
231
|
CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
|
228
|
-
return
|
232
|
+
return false;
|
229
233
|
}
|
230
234
|
}
|
231
235
|
|
@@ -234,7 +238,7 @@ int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
234
238
|
CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
|
235
239
|
!CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
|
236
240
|
CBS_len(&compression_methods) < 1) {
|
237
|
-
return
|
241
|
+
return false;
|
238
242
|
}
|
239
243
|
|
240
244
|
out->cipher_suites = CBS_data(&cipher_suites);
|
@@ -243,11 +247,11 @@ int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
243
247
|
out->compression_methods_len = CBS_len(&compression_methods);
|
244
248
|
|
245
249
|
// If the ClientHello ends here then it's valid, but doesn't have any
|
246
|
-
// extensions.
|
250
|
+
// extensions.
|
247
251
|
if (CBS_len(&client_hello) == 0) {
|
248
252
|
out->extensions = NULL;
|
249
253
|
out->extensions_len = 0;
|
250
|
-
return
|
254
|
+
return true;
|
251
255
|
}
|
252
256
|
|
253
257
|
// Extract extensions and check it is valid.
|
@@ -255,17 +259,17 @@ int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out,
|
|
255
259
|
if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
|
256
260
|
!tls1_check_duplicate_extensions(&extensions) ||
|
257
261
|
CBS_len(&client_hello) != 0) {
|
258
|
-
return
|
262
|
+
return false;
|
259
263
|
}
|
260
264
|
|
261
265
|
out->extensions = CBS_data(&extensions);
|
262
266
|
out->extensions_len = CBS_len(&extensions);
|
263
267
|
|
264
|
-
return
|
268
|
+
return true;
|
265
269
|
}
|
266
270
|
|
267
|
-
|
268
|
-
|
271
|
+
bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
|
272
|
+
CBS *out, uint16_t extension_type) {
|
269
273
|
CBS extensions;
|
270
274
|
CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
|
271
275
|
while (CBS_len(&extensions) != 0) {
|
@@ -274,16 +278,16 @@ int ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
|
|
274
278
|
CBS extension;
|
275
279
|
if (!CBS_get_u16(&extensions, &type) ||
|
276
280
|
!CBS_get_u16_length_prefixed(&extensions, &extension)) {
|
277
|
-
return
|
281
|
+
return false;
|
278
282
|
}
|
279
283
|
|
280
284
|
if (type == extension_type) {
|
281
285
|
*out = extension;
|
282
|
-
return
|
286
|
+
return true;
|
283
287
|
}
|
284
288
|
}
|
285
289
|
|
286
|
-
return
|
290
|
+
return false;
|
287
291
|
}
|
288
292
|
|
289
293
|
static const uint16_t kDefaultGroups[] = {
|
@@ -292,15 +296,14 @@ static const uint16_t kDefaultGroups[] = {
|
|
292
296
|
SSL_CURVE_SECP384R1,
|
293
297
|
};
|
294
298
|
|
295
|
-
Span<const uint16_t> tls1_get_grouplist(const
|
296
|
-
if (
|
297
|
-
return
|
298
|
-
ssl->supported_group_list_len);
|
299
|
+
Span<const uint16_t> tls1_get_grouplist(const SSL_HANDSHAKE *hs) {
|
300
|
+
if (!hs->config->supported_group_list.empty()) {
|
301
|
+
return hs->config->supported_group_list;
|
299
302
|
}
|
300
303
|
return Span<const uint16_t>(kDefaultGroups);
|
301
304
|
}
|
302
305
|
|
303
|
-
|
306
|
+
bool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
|
304
307
|
SSL *const ssl = hs->ssl;
|
305
308
|
assert(ssl->server);
|
306
309
|
|
@@ -313,7 +316,7 @@ int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
|
|
313
316
|
// support our favoured group. Thus we do not special-case an emtpy
|
314
317
|
// |peer_supported_group_list|.
|
315
318
|
|
316
|
-
Span<const uint16_t> groups = tls1_get_grouplist(
|
319
|
+
Span<const uint16_t> groups = tls1_get_grouplist(hs);
|
317
320
|
Span<const uint16_t> pref, supp;
|
318
321
|
if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
|
319
322
|
pref = groups;
|
@@ -325,88 +328,85 @@ int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
|
|
325
328
|
|
326
329
|
for (uint16_t pref_group : pref) {
|
327
330
|
for (uint16_t supp_group : supp) {
|
328
|
-
if (pref_group == supp_group
|
331
|
+
if (pref_group == supp_group &&
|
332
|
+
// CECPQ2(b) doesn't fit in the u8-length-prefixed ECPoint field in
|
333
|
+
// TLS 1.2 and below.
|
334
|
+
(ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
|
335
|
+
!is_post_quantum_group(pref_group))) {
|
329
336
|
*out_group_id = pref_group;
|
330
|
-
return
|
337
|
+
return true;
|
331
338
|
}
|
332
339
|
}
|
333
340
|
}
|
334
341
|
|
335
|
-
return
|
342
|
+
return false;
|
336
343
|
}
|
337
344
|
|
338
|
-
|
339
|
-
|
340
|
-
|
341
|
-
|
342
|
-
return 0;
|
345
|
+
bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves) {
|
346
|
+
Array<uint16_t> group_ids;
|
347
|
+
if (!group_ids.Init(curves.size())) {
|
348
|
+
return false;
|
343
349
|
}
|
344
350
|
|
345
|
-
for (size_t i = 0; i <
|
351
|
+
for (size_t i = 0; i < curves.size(); i++) {
|
346
352
|
if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) {
|
347
|
-
|
348
|
-
return 0;
|
353
|
+
return false;
|
349
354
|
}
|
350
355
|
}
|
351
356
|
|
352
|
-
|
353
|
-
|
354
|
-
*out_group_ids_len = ncurves;
|
355
|
-
|
356
|
-
return 1;
|
357
|
+
*out_group_ids = std::move(group_ids);
|
358
|
+
return true;
|
357
359
|
}
|
358
360
|
|
359
|
-
|
360
|
-
|
361
|
-
|
362
|
-
|
361
|
+
bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves) {
|
362
|
+
// Count the number of curves in the list.
|
363
|
+
size_t count = 0;
|
364
|
+
const char *ptr = curves, *col;
|
365
|
+
do {
|
366
|
+
col = strchr(ptr, ':');
|
367
|
+
count++;
|
368
|
+
if (col) {
|
369
|
+
ptr = col + 1;
|
370
|
+
}
|
371
|
+
} while (col);
|
363
372
|
|
364
|
-
|
365
|
-
|
373
|
+
Array<uint16_t> group_ids;
|
374
|
+
if (!group_ids.Init(count)) {
|
375
|
+
return false;
|
376
|
+
}
|
366
377
|
|
378
|
+
size_t i = 0;
|
379
|
+
ptr = curves;
|
367
380
|
do {
|
368
381
|
col = strchr(ptr, ':');
|
369
|
-
|
370
|
-
uint16_t group_id;
|
371
|
-
if (!ssl_name_to_group_id(&group_id, ptr,
|
382
|
+
if (!ssl_name_to_group_id(&group_ids[i++], ptr,
|
372
383
|
col ? (size_t)(col - ptr) : strlen(ptr))) {
|
373
|
-
|
374
|
-
}
|
375
|
-
|
376
|
-
uint16_t *new_group_ids = (uint16_t *)OPENSSL_realloc(
|
377
|
-
group_ids, (ncurves + 1) * sizeof(uint16_t));
|
378
|
-
if (new_group_ids == NULL) {
|
379
|
-
goto err;
|
384
|
+
return false;
|
380
385
|
}
|
381
|
-
group_ids = new_group_ids;
|
382
|
-
|
383
|
-
group_ids[ncurves] = group_id;
|
384
|
-
ncurves++;
|
385
|
-
|
386
386
|
if (col) {
|
387
387
|
ptr = col + 1;
|
388
388
|
}
|
389
389
|
} while (col);
|
390
390
|
|
391
|
-
|
392
|
-
*out_group_ids = group_ids;
|
393
|
-
|
394
|
-
|
395
|
-
return 1;
|
396
|
-
|
397
|
-
err:
|
398
|
-
OPENSSL_free(group_ids);
|
399
|
-
return 0;
|
391
|
+
assert(i == count);
|
392
|
+
*out_group_ids = std::move(group_ids);
|
393
|
+
return true;
|
400
394
|
}
|
401
395
|
|
402
|
-
|
403
|
-
|
396
|
+
bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
|
397
|
+
if (is_post_quantum_group(group_id) &&
|
398
|
+
ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
|
399
|
+
// CECPQ2(b) requires TLS 1.3.
|
400
|
+
return false;
|
401
|
+
}
|
402
|
+
|
403
|
+
for (uint16_t supported : tls1_get_grouplist(hs)) {
|
404
404
|
if (supported == group_id) {
|
405
|
-
return
|
405
|
+
return true;
|
406
406
|
}
|
407
407
|
}
|
408
408
|
|
409
|
-
return
|
409
|
+
return false;
|
410
410
|
}
|
411
411
|
|
412
412
|
// kVerifySignatureAlgorithms is the default list of accepted signature
|
@@ -419,15 +419,15 @@ static const uint16_t kVerifySignatureAlgorithms[] = {
|
|
419
419
|
// List our preferred algorithms first.
|
420
420
|
SSL_SIGN_ED25519,
|
421
421
|
SSL_SIGN_ECDSA_SECP256R1_SHA256,
|
422
|
-
|
422
|
+
SSL_SIGN_RSA_PSS_RSAE_SHA256,
|
423
423
|
SSL_SIGN_RSA_PKCS1_SHA256,
|
424
424
|
|
425
425
|
// Larger hashes are acceptable.
|
426
426
|
SSL_SIGN_ECDSA_SECP384R1_SHA384,
|
427
|
-
|
427
|
+
SSL_SIGN_RSA_PSS_RSAE_SHA384,
|
428
428
|
SSL_SIGN_RSA_PKCS1_SHA384,
|
429
429
|
|
430
|
-
|
430
|
+
SSL_SIGN_RSA_PSS_RSAE_SHA512,
|
431
431
|
SSL_SIGN_RSA_PKCS1_SHA512,
|
432
432
|
|
433
433
|
// For now, SHA-1 is still accepted but least preferable.
|
@@ -445,18 +445,18 @@ static const uint16_t kSignSignatureAlgorithms[] = {
|
|
445
445
|
// List our preferred algorithms first.
|
446
446
|
SSL_SIGN_ED25519,
|
447
447
|
SSL_SIGN_ECDSA_SECP256R1_SHA256,
|
448
|
-
|
448
|
+
SSL_SIGN_RSA_PSS_RSAE_SHA256,
|
449
449
|
SSL_SIGN_RSA_PKCS1_SHA256,
|
450
450
|
|
451
451
|
// If needed, sign larger hashes.
|
452
452
|
//
|
453
453
|
// TODO(davidben): Determine which of these may be pruned.
|
454
454
|
SSL_SIGN_ECDSA_SECP384R1_SHA384,
|
455
|
-
|
455
|
+
SSL_SIGN_RSA_PSS_RSAE_SHA384,
|
456
456
|
SSL_SIGN_RSA_PKCS1_SHA384,
|
457
457
|
|
458
458
|
SSL_SIGN_ECDSA_SECP521R1_SHA512,
|
459
|
-
|
459
|
+
SSL_SIGN_RSA_PSS_RSAE_SHA512,
|
460
460
|
SSL_SIGN_RSA_PKCS1_SHA512,
|
461
461
|
|
462
462
|
// If the peer supports nothing else, sign with SHA-1.
|
@@ -464,44 +464,77 @@ static const uint16_t kSignSignatureAlgorithms[] = {
|
|
464
464
|
SSL_SIGN_RSA_PKCS1_SHA1,
|
465
465
|
};
|
466
466
|
|
467
|
-
|
468
|
-
bool
|
469
|
-
|
470
|
-
|
471
|
-
|
472
|
-
|
467
|
+
struct SSLSignatureAlgorithmList {
|
468
|
+
bool Next(uint16_t *out) {
|
469
|
+
while (!list.empty()) {
|
470
|
+
uint16_t sigalg = list[0];
|
471
|
+
list = list.subspan(1);
|
472
|
+
if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) {
|
473
|
+
continue;
|
474
|
+
}
|
475
|
+
if (skip_rsa_pss_rsae && SSL_is_signature_algorithm_rsa_pss(sigalg)) {
|
476
|
+
continue;
|
477
|
+
}
|
478
|
+
*out = sigalg;
|
479
|
+
return true;
|
480
|
+
}
|
481
|
+
return false;
|
473
482
|
}
|
474
483
|
|
475
|
-
|
476
|
-
|
477
|
-
|
478
|
-
|
479
|
-
|
484
|
+
bool operator==(const SSLSignatureAlgorithmList &other) const {
|
485
|
+
SSLSignatureAlgorithmList a = *this;
|
486
|
+
SSLSignatureAlgorithmList b = other;
|
487
|
+
uint16_t a_val, b_val;
|
488
|
+
while (a.Next(&a_val)) {
|
489
|
+
if (!b.Next(&b_val) ||
|
490
|
+
a_val != b_val) {
|
491
|
+
return false;
|
492
|
+
}
|
480
493
|
}
|
494
|
+
return !b.Next(&b_val);
|
495
|
+
}
|
496
|
+
|
497
|
+
bool operator!=(const SSLSignatureAlgorithmList &other) const {
|
498
|
+
return !(*this == other);
|
499
|
+
}
|
500
|
+
|
501
|
+
Span<const uint16_t> list;
|
502
|
+
bool skip_ed25519 = false;
|
503
|
+
bool skip_rsa_pss_rsae = false;
|
504
|
+
};
|
505
|
+
|
506
|
+
static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(const SSL *ssl,
|
507
|
+
bool for_certs) {
|
508
|
+
SSLSignatureAlgorithmList ret;
|
509
|
+
if (!ssl->config->verify_sigalgs.empty()) {
|
510
|
+
ret.list = ssl->config->verify_sigalgs;
|
511
|
+
} else {
|
512
|
+
ret.list = kVerifySignatureAlgorithms;
|
513
|
+
ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
|
514
|
+
}
|
515
|
+
if (for_certs) {
|
516
|
+
ret.skip_rsa_pss_rsae = !ssl->ctx->rsa_pss_rsae_certs_enabled;
|
517
|
+
}
|
518
|
+
return ret;
|
519
|
+
}
|
520
|
+
|
521
|
+
bool tls12_add_verify_sigalgs(const SSL *ssl, CBB *out, bool for_certs) {
|
522
|
+
SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, for_certs);
|
523
|
+
uint16_t sigalg;
|
524
|
+
while (list.Next(&sigalg)) {
|
481
525
|
if (!CBB_add_u16(out, sigalg)) {
|
482
526
|
return false;
|
483
527
|
}
|
484
528
|
}
|
485
|
-
|
486
529
|
return true;
|
487
530
|
}
|
488
531
|
|
489
532
|
bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
|
490
533
|
uint16_t sigalg) {
|
491
|
-
|
492
|
-
|
493
|
-
|
494
|
-
|
495
|
-
num_sigalgs = ssl->ctx->num_verify_sigalgs;
|
496
|
-
}
|
497
|
-
|
498
|
-
for (size_t i = 0; i < num_sigalgs; i++) {
|
499
|
-
if (sigalgs == kVerifySignatureAlgorithms &&
|
500
|
-
sigalgs[i] == SSL_SIGN_ED25519 &&
|
501
|
-
!ssl->ctx->ed25519_enabled) {
|
502
|
-
continue;
|
503
|
-
}
|
504
|
-
if (sigalg == sigalgs[i]) {
|
534
|
+
SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(ssl, false);
|
535
|
+
uint16_t verify_sigalg;
|
536
|
+
while (list.Next(&verify_sigalg)) {
|
537
|
+
if (verify_sigalg == sigalg) {
|
505
538
|
return true;
|
506
539
|
}
|
507
540
|
}
|
@@ -511,6 +544,11 @@ bool tls12_check_peer_sigalg(const SSL *ssl, uint8_t *out_alert,
|
|
511
544
|
return false;
|
512
545
|
}
|
513
546
|
|
547
|
+
bool tls12_has_different_verify_sigalgs_for_certs(const SSL *ssl) {
|
548
|
+
return tls12_get_verify_sigalgs(ssl, true) !=
|
549
|
+
tls12_get_verify_sigalgs(ssl, false);
|
550
|
+
}
|
551
|
+
|
514
552
|
// tls_extension represents a TLS extension that is handled internally. The
|
515
553
|
// |init| function is called for each handshake, before any other functions of
|
516
554
|
// the extension. Then the add and parse callbacks are called as needed.
|
@@ -567,7 +605,7 @@ static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
567
605
|
|
568
606
|
static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
569
607
|
SSL *const ssl = hs->ssl;
|
570
|
-
if (ssl->
|
608
|
+
if (ssl->hostname == nullptr) {
|
571
609
|
return true;
|
572
610
|
}
|
573
611
|
|
@@ -577,8 +615,8 @@ static bool ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
577
615
|
!CBB_add_u16_length_prefixed(&contents, &server_name_list) ||
|
578
616
|
!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||
|
579
617
|
!CBB_add_u16_length_prefixed(&server_name_list, &name) ||
|
580
|
-
!CBB_add_bytes(&name, (const uint8_t *)ssl->
|
581
|
-
strlen(ssl->
|
618
|
+
!CBB_add_bytes(&name, (const uint8_t *)ssl->hostname.get(),
|
619
|
+
strlen(ssl->hostname.get())) ||
|
582
620
|
!CBB_flush(out)) {
|
583
621
|
return false;
|
584
622
|
}
|
@@ -595,45 +633,7 @@ static bool ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
595
633
|
|
596
634
|
static bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
597
635
|
CBS *contents) {
|
598
|
-
|
599
|
-
if (contents == NULL) {
|
600
|
-
return true;
|
601
|
-
}
|
602
|
-
|
603
|
-
CBS server_name_list, host_name;
|
604
|
-
uint8_t name_type;
|
605
|
-
if (!CBS_get_u16_length_prefixed(contents, &server_name_list) ||
|
606
|
-
!CBS_get_u8(&server_name_list, &name_type) ||
|
607
|
-
// Although the server_name extension was intended to be extensible to
|
608
|
-
// new name types and multiple names, OpenSSL 1.0.x had a bug which meant
|
609
|
-
// different name types will cause an error. Further, RFC 4366 originally
|
610
|
-
// defined syntax inextensibly. RFC 6066 corrected this mistake, but
|
611
|
-
// adding new name types is no longer feasible.
|
612
|
-
//
|
613
|
-
// Act as if the extensibility does not exist to simplify parsing.
|
614
|
-
!CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
|
615
|
-
CBS_len(&server_name_list) != 0 ||
|
616
|
-
CBS_len(contents) != 0) {
|
617
|
-
return false;
|
618
|
-
}
|
619
|
-
|
620
|
-
if (name_type != TLSEXT_NAMETYPE_host_name ||
|
621
|
-
CBS_len(&host_name) == 0 ||
|
622
|
-
CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
|
623
|
-
CBS_contains_zero_byte(&host_name)) {
|
624
|
-
*out_alert = SSL_AD_UNRECOGNIZED_NAME;
|
625
|
-
return false;
|
626
|
-
}
|
627
|
-
|
628
|
-
// Copy the hostname as a string.
|
629
|
-
char *raw = nullptr;
|
630
|
-
if (!CBS_strdup(&host_name, &raw)) {
|
631
|
-
*out_alert = SSL_AD_INTERNAL_ERROR;
|
632
|
-
return false;
|
633
|
-
}
|
634
|
-
ssl->s3->hostname.reset(raw);
|
635
|
-
|
636
|
-
hs->should_ack_sni = true;
|
636
|
+
// SNI has already been parsed earlier in the handshake. See |extract_sni|.
|
637
637
|
return true;
|
638
638
|
}
|
639
639
|
|
@@ -823,7 +823,7 @@ static bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
823
823
|
|
824
824
|
static bool ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
825
825
|
// Extended master secret is not necessary in TLS 1.3.
|
826
|
-
if (hs->min_version >= TLS1_3_VERSION
|
826
|
+
if (hs->min_version >= TLS1_3_VERSION) {
|
827
827
|
return true;
|
828
828
|
}
|
829
829
|
|
@@ -841,7 +841,6 @@ static bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
841
841
|
|
842
842
|
if (contents != NULL) {
|
843
843
|
if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
|
844
|
-
ssl->version == SSL3_VERSION ||
|
845
844
|
CBS_len(contents) != 0) {
|
846
845
|
return false;
|
847
846
|
}
|
@@ -863,9 +862,7 @@ static bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
863
862
|
|
864
863
|
static bool ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
865
864
|
CBS *contents) {
|
866
|
-
|
867
|
-
if (version >= TLS1_3_VERSION ||
|
868
|
-
version == SSL3_VERSION) {
|
865
|
+
if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
|
869
866
|
return true;
|
870
867
|
}
|
871
868
|
|
@@ -907,26 +904,24 @@ static bool ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
907
904
|
return true;
|
908
905
|
}
|
909
906
|
|
910
|
-
const uint8_t
|
911
|
-
int ticket_len = 0;
|
907
|
+
Span<const uint8_t> ticket;
|
912
908
|
|
913
909
|
// Renegotiation does not participate in session resumption. However, still
|
914
910
|
// advertise the extension to avoid potentially breaking servers which carry
|
915
911
|
// over the state from the previous handshake, such as OpenSSL servers
|
916
912
|
// without upstream's 3c3f0259238594d77264a78944d409f2127642c4.
|
917
913
|
if (!ssl->s3->initial_handshake_complete &&
|
918
|
-
ssl->session !=
|
919
|
-
ssl->session->
|
914
|
+
ssl->session != nullptr &&
|
915
|
+
!ssl->session->ticket.empty() &&
|
920
916
|
// Don't send TLS 1.3 session tickets in the ticket extension.
|
921
|
-
ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) {
|
922
|
-
|
923
|
-
ticket_len = ssl->session->tlsext_ticklen;
|
917
|
+
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
|
918
|
+
ticket = ssl->session->ticket;
|
924
919
|
}
|
925
920
|
|
926
|
-
CBB
|
921
|
+
CBB ticket_cbb;
|
927
922
|
if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
|
928
|
-
!CBB_add_u16_length_prefixed(out, &
|
929
|
-
!CBB_add_bytes(&
|
923
|
+
!CBB_add_u16_length_prefixed(out, &ticket_cbb) ||
|
924
|
+
!CBB_add_bytes(&ticket_cbb, ticket.data(), ticket.size()) ||
|
930
925
|
!CBB_flush(out)) {
|
931
926
|
return false;
|
932
927
|
}
|
@@ -985,11 +980,23 @@ static bool ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
985
980
|
return true;
|
986
981
|
}
|
987
982
|
|
983
|
+
// Prior to TLS 1.3, there was no way to signal different signature algorithm
|
984
|
+
// preferences between the online signature and certificates. If we do not
|
985
|
+
// send the signature_algorithms_cert extension, use the potentially more
|
986
|
+
// restrictive certificate list.
|
987
|
+
//
|
988
|
+
// TODO(davidben): When TLS 1.3 is finalized, we can likely remove the TLS 1.3
|
989
|
+
// check both here and in signature_algorithms_cert. |hs->max_version| is not
|
990
|
+
// the negotiated version. Rather the expectation is that any server consuming
|
991
|
+
// signature algorithms added in TLS 1.3 will also know to look at
|
992
|
+
// signature_algorithms_cert. For now, TLS 1.3 is not quite yet final and it
|
993
|
+
// seems prudent to condition this new extension on it.
|
994
|
+
bool for_certs = hs->max_version < TLS1_3_VERSION;
|
988
995
|
CBB contents, sigalgs_cbb;
|
989
996
|
if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms) ||
|
990
997
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
991
998
|
!CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
|
992
|
-
!tls12_add_verify_sigalgs(ssl, &sigalgs_cbb) ||
|
999
|
+
!tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, for_certs) ||
|
993
1000
|
!CBB_flush(out)) {
|
994
1001
|
return false;
|
995
1002
|
}
|
@@ -1007,7 +1014,6 @@ static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1007
1014
|
CBS supported_signature_algorithms;
|
1008
1015
|
if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) ||
|
1009
1016
|
CBS_len(contents) != 0 ||
|
1010
|
-
CBS_len(&supported_signature_algorithms) == 0 ||
|
1011
1017
|
!tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
|
1012
1018
|
return false;
|
1013
1019
|
}
|
@@ -1016,13 +1022,41 @@ static bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1016
1022
|
}
|
1017
1023
|
|
1018
1024
|
|
1025
|
+
// Signature Algorithms for Certificates.
|
1026
|
+
//
|
1027
|
+
// https://tools.ietf.org/html/rfc8446#section-4.2.3
|
1028
|
+
|
1029
|
+
static bool ext_sigalgs_cert_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
1030
|
+
SSL *const ssl = hs->ssl;
|
1031
|
+
// If this extension is omitted, it defaults to the signature_algorithms
|
1032
|
+
// extension, so only emit it if the list is different.
|
1033
|
+
//
|
1034
|
+
// This extension is also new in TLS 1.3, so omit it if TLS 1.3 is disabled.
|
1035
|
+
// There is a corresponding version check in |ext_sigalgs_add_clienthello|.
|
1036
|
+
if (hs->max_version < TLS1_3_VERSION ||
|
1037
|
+
!tls12_has_different_verify_sigalgs_for_certs(ssl)) {
|
1038
|
+
return true;
|
1039
|
+
}
|
1040
|
+
|
1041
|
+
CBB contents, sigalgs_cbb;
|
1042
|
+
if (!CBB_add_u16(out, TLSEXT_TYPE_signature_algorithms_cert) ||
|
1043
|
+
!CBB_add_u16_length_prefixed(out, &contents) ||
|
1044
|
+
!CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||
|
1045
|
+
!tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */) ||
|
1046
|
+
!CBB_flush(out)) {
|
1047
|
+
return false;
|
1048
|
+
}
|
1049
|
+
|
1050
|
+
return true;
|
1051
|
+
}
|
1052
|
+
|
1053
|
+
|
1019
1054
|
// OCSP Stapling.
|
1020
1055
|
//
|
1021
1056
|
// https://tools.ietf.org/html/rfc6066#section-8
|
1022
1057
|
|
1023
1058
|
static bool ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
1024
|
-
|
1025
|
-
if (!ssl->ocsp_stapling_enabled) {
|
1059
|
+
if (!hs->config->ocsp_stapling_enabled) {
|
1026
1060
|
return true;
|
1027
1061
|
}
|
1028
1062
|
|
@@ -1086,8 +1120,7 @@ static bool ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1086
1120
|
static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
1087
1121
|
SSL *const ssl = hs->ssl;
|
1088
1122
|
if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
|
1089
|
-
!hs->ocsp_stapling_requested ||
|
1090
|
-
ssl->cert->ocsp_response == NULL ||
|
1123
|
+
!hs->ocsp_stapling_requested || hs->config->cert->ocsp_response == NULL ||
|
1091
1124
|
ssl->s3->session_reused ||
|
1092
1125
|
!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
|
1093
1126
|
return true;
|
@@ -1228,8 +1261,7 @@ static bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1228
1261
|
// https://tools.ietf.org/html/rfc6962#section-3.3.1
|
1229
1262
|
|
1230
1263
|
static bool ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
1231
|
-
|
1232
|
-
if (!ssl->signed_cert_timestamps_enabled) {
|
1264
|
+
if (!hs->config->signed_cert_timestamps_enabled) {
|
1233
1265
|
return true;
|
1234
1266
|
}
|
1235
1267
|
|
@@ -1256,7 +1288,7 @@ static bool ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1256
1288
|
|
1257
1289
|
// If this is false then we should never have sent the SCT extension in the
|
1258
1290
|
// ClientHello and thus this function should never have been called.
|
1259
|
-
assert(
|
1291
|
+
assert(hs->config->signed_cert_timestamps_enabled);
|
1260
1292
|
|
1261
1293
|
if (!ssl_is_sct_list_valid(contents)) {
|
1262
1294
|
*out_alert = SSL_AD_DECODE_ERROR;
|
@@ -1269,9 +1301,8 @@ static bool ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1269
1301
|
//
|
1270
1302
|
// TODO(davidben): Enforce this anyway.
|
1271
1303
|
if (!ssl->s3->session_reused) {
|
1272
|
-
|
1273
|
-
|
1274
|
-
CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool);
|
1304
|
+
hs->new_session->signed_cert_timestamp_list.reset(
|
1305
|
+
CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool));
|
1275
1306
|
if (hs->new_session->signed_cert_timestamp_list == nullptr) {
|
1276
1307
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
1277
1308
|
return false;
|
@@ -1298,9 +1329,8 @@ static bool ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1298
1329
|
static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
1299
1330
|
SSL *const ssl = hs->ssl;
|
1300
1331
|
// The extension shouldn't be sent when resuming sessions.
|
1301
|
-
if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
|
1302
|
-
|
1303
|
-
ssl->cert->signed_cert_timestamp_list == NULL) {
|
1332
|
+
if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || ssl->s3->session_reused ||
|
1333
|
+
hs->config->cert->signed_cert_timestamp_list == NULL) {
|
1304
1334
|
return true;
|
1305
1335
|
}
|
1306
1336
|
|
@@ -1309,8 +1339,10 @@ static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1309
1339
|
CBB_add_u16_length_prefixed(out, &contents) &&
|
1310
1340
|
CBB_add_bytes(
|
1311
1341
|
&contents,
|
1312
|
-
CRYPTO_BUFFER_data(
|
1313
|
-
|
1342
|
+
CRYPTO_BUFFER_data(
|
1343
|
+
hs->config->cert->signed_cert_timestamp_list.get()),
|
1344
|
+
CRYPTO_BUFFER_len(
|
1345
|
+
hs->config->cert->signed_cert_timestamp_list.get())) &&
|
1314
1346
|
CBB_flush(out);
|
1315
1347
|
}
|
1316
1348
|
|
@@ -1321,7 +1353,7 @@ static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1321
1353
|
|
1322
1354
|
static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
1323
1355
|
SSL *const ssl = hs->ssl;
|
1324
|
-
if (
|
1356
|
+
if (hs->config->alpn_client_proto_list.empty() ||
|
1325
1357
|
ssl->s3->initial_handshake_complete) {
|
1326
1358
|
return true;
|
1327
1359
|
}
|
@@ -1330,8 +1362,8 @@ static bool ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1330
1362
|
if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||
|
1331
1363
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
1332
1364
|
!CBB_add_u16_length_prefixed(&contents, &proto_list) ||
|
1333
|
-
!CBB_add_bytes(&proto_list,
|
1334
|
-
|
1365
|
+
!CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(),
|
1366
|
+
hs->config->alpn_client_proto_list.size()) ||
|
1335
1367
|
!CBB_flush(out)) {
|
1336
1368
|
return false;
|
1337
1369
|
}
|
@@ -1347,7 +1379,7 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1347
1379
|
}
|
1348
1380
|
|
1349
1381
|
assert(!ssl->s3->initial_handshake_complete);
|
1350
|
-
assert(
|
1382
|
+
assert(!hs->config->alpn_client_proto_list.empty());
|
1351
1383
|
|
1352
1384
|
if (hs->next_proto_neg_seen) {
|
1353
1385
|
// NPN and ALPN may not be negotiated in the same connection.
|
@@ -1368,7 +1400,7 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1368
1400
|
return false;
|
1369
1401
|
}
|
1370
1402
|
|
1371
|
-
if (!ssl_is_alpn_protocol_allowed(
|
1403
|
+
if (!ssl_is_alpn_protocol_allowed(hs, protocol_name)) {
|
1372
1404
|
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
|
1373
1405
|
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
1374
1406
|
return false;
|
@@ -1382,20 +1414,20 @@ static bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1382
1414
|
return true;
|
1383
1415
|
}
|
1384
1416
|
|
1385
|
-
bool ssl_is_alpn_protocol_allowed(const
|
1417
|
+
bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,
|
1386
1418
|
Span<const uint8_t> protocol) {
|
1387
|
-
if (
|
1419
|
+
if (hs->config->alpn_client_proto_list.empty()) {
|
1388
1420
|
return false;
|
1389
1421
|
}
|
1390
1422
|
|
1391
|
-
if (ssl->ctx->allow_unknown_alpn_protos) {
|
1423
|
+
if (hs->ssl->ctx->allow_unknown_alpn_protos) {
|
1392
1424
|
return true;
|
1393
1425
|
}
|
1394
1426
|
|
1395
1427
|
// Check that the protocol name is one of the ones we advertised.
|
1396
|
-
CBS client_protocol_name_list
|
1397
|
-
|
1398
|
-
|
1428
|
+
CBS client_protocol_name_list =
|
1429
|
+
MakeConstSpan(hs->config->alpn_client_proto_list),
|
1430
|
+
client_protocol_name;
|
1399
1431
|
while (CBS_len(&client_protocol_name_list) > 0) {
|
1400
1432
|
if (!CBS_get_u8_length_prefixed(&client_protocol_name_list,
|
1401
1433
|
&client_protocol_name)) {
|
@@ -1454,6 +1486,11 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1454
1486
|
ssl, &selected, &selected_len, CBS_data(&protocol_name_list),
|
1455
1487
|
CBS_len(&protocol_name_list),
|
1456
1488
|
ssl->ctx->alpn_select_cb_arg) == SSL_TLSEXT_ERR_OK) {
|
1489
|
+
if (selected_len == 0) {
|
1490
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);
|
1491
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
1492
|
+
return false;
|
1493
|
+
}
|
1457
1494
|
if (!ssl->s3->alpn_selected.CopyFrom(
|
1458
1495
|
MakeConstSpan(selected, selected_len))) {
|
1459
1496
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
@@ -1490,13 +1527,12 @@ static bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1490
1527
|
// https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
|
1491
1528
|
|
1492
1529
|
static void ext_channel_id_init(SSL_HANDSHAKE *hs) {
|
1493
|
-
hs->ssl->s3->
|
1530
|
+
hs->ssl->s3->channel_id_valid = false;
|
1494
1531
|
}
|
1495
1532
|
|
1496
1533
|
static bool ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
1497
1534
|
SSL *const ssl = hs->ssl;
|
1498
|
-
if (!
|
1499
|
-
SSL_is_dtls(ssl)) {
|
1535
|
+
if (!hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {
|
1500
1536
|
return true;
|
1501
1537
|
}
|
1502
1538
|
|
@@ -1517,13 +1553,13 @@ static bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
1517
1553
|
}
|
1518
1554
|
|
1519
1555
|
assert(!SSL_is_dtls(ssl));
|
1520
|
-
assert(
|
1556
|
+
assert(hs->config->channel_id_enabled);
|
1521
1557
|
|
1522
1558
|
if (CBS_len(contents) != 0) {
|
1523
1559
|
return false;
|
1524
1560
|
}
|
1525
1561
|
|
1526
|
-
ssl->s3->
|
1562
|
+
ssl->s3->channel_id_valid = true;
|
1527
1563
|
return true;
|
1528
1564
|
}
|
1529
1565
|
|
@@ -1531,9 +1567,7 @@ static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
1531
1567
|
uint8_t *out_alert,
|
1532
1568
|
CBS *contents) {
|
1533
1569
|
SSL *const ssl = hs->ssl;
|
1534
|
-
if (contents == NULL ||
|
1535
|
-
!ssl->tlsext_channel_id_enabled ||
|
1536
|
-
SSL_is_dtls(ssl)) {
|
1570
|
+
if (contents == NULL || !hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {
|
1537
1571
|
return true;
|
1538
1572
|
}
|
1539
1573
|
|
@@ -1541,13 +1575,13 @@ static bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
1541
1575
|
return false;
|
1542
1576
|
}
|
1543
1577
|
|
1544
|
-
ssl->s3->
|
1578
|
+
ssl->s3->channel_id_valid = true;
|
1545
1579
|
return true;
|
1546
1580
|
}
|
1547
1581
|
|
1548
1582
|
static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
1549
1583
|
SSL *const ssl = hs->ssl;
|
1550
|
-
if (!ssl->s3->
|
1584
|
+
if (!ssl->s3->channel_id_valid) {
|
1551
1585
|
return true;
|
1552
1586
|
}
|
1553
1587
|
|
@@ -1566,7 +1600,7 @@ static bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1566
1600
|
|
1567
1601
|
|
1568
1602
|
static void ext_srtp_init(SSL_HANDSHAKE *hs) {
|
1569
|
-
hs->ssl->srtp_profile = NULL;
|
1603
|
+
hs->ssl->s3->srtp_profile = NULL;
|
1570
1604
|
}
|
1571
1605
|
|
1572
1606
|
static bool ext_srtp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
@@ -1633,7 +1667,7 @@ static bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1633
1667
|
// offered).
|
1634
1668
|
for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
|
1635
1669
|
if (profile->id == profile_id) {
|
1636
|
-
ssl->srtp_profile = profile;
|
1670
|
+
ssl->s3->srtp_profile = profile;
|
1637
1671
|
return true;
|
1638
1672
|
}
|
1639
1673
|
}
|
@@ -1675,7 +1709,7 @@ static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1675
1709
|
}
|
1676
1710
|
|
1677
1711
|
if (server_profile->id == profile_id) {
|
1678
|
-
ssl->srtp_profile = server_profile;
|
1712
|
+
ssl->s3->srtp_profile = server_profile;
|
1679
1713
|
return true;
|
1680
1714
|
}
|
1681
1715
|
}
|
@@ -1686,7 +1720,7 @@ static bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|
1686
1720
|
|
1687
1721
|
static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
1688
1722
|
SSL *const ssl = hs->ssl;
|
1689
|
-
if (ssl->srtp_profile == NULL) {
|
1723
|
+
if (ssl->s3->srtp_profile == NULL) {
|
1690
1724
|
return true;
|
1691
1725
|
}
|
1692
1726
|
|
@@ -1694,7 +1728,7 @@ static bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1694
1728
|
if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||
|
1695
1729
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
1696
1730
|
!CBB_add_u16_length_prefixed(&contents, &profile_ids) ||
|
1697
|
-
!CBB_add_u16(&profile_ids, ssl->srtp_profile->id) ||
|
1731
|
+
!CBB_add_u16(&profile_ids, ssl->s3->srtp_profile->id) ||
|
1698
1732
|
!CBB_add_u8(&contents, 0 /* empty MKI */) ||
|
1699
1733
|
!CBB_flush(out)) {
|
1700
1734
|
return false;
|
@@ -1722,7 +1756,7 @@ static bool ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1722
1756
|
}
|
1723
1757
|
|
1724
1758
|
static bool ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
1725
|
-
// The point format extension is
|
1759
|
+
// The point format extension is unnecessary in TLS 1.3.
|
1726
1760
|
if (hs->min_version >= TLS1_3_VERSION) {
|
1727
1761
|
return true;
|
1728
1762
|
}
|
@@ -1787,30 +1821,30 @@ static bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1787
1821
|
|
1788
1822
|
// Pre Shared Key
|
1789
1823
|
//
|
1790
|
-
// https://tools.ietf.org/html/
|
1824
|
+
// https://tools.ietf.org/html/rfc8446#section-4.2.11
|
1791
1825
|
|
1792
1826
|
static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
|
1793
1827
|
SSL *const ssl = hs->ssl;
|
1794
|
-
if (hs->max_version < TLS1_3_VERSION || ssl->session ==
|
1795
|
-
ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) {
|
1828
|
+
if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
|
1829
|
+
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
|
1796
1830
|
return 0;
|
1797
1831
|
}
|
1798
1832
|
|
1799
|
-
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session));
|
1800
|
-
return 15 + ssl->session->
|
1833
|
+
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
|
1834
|
+
return 15 + ssl->session->ticket.size() + binder_len;
|
1801
1835
|
}
|
1802
1836
|
|
1803
1837
|
static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
1804
1838
|
SSL *const ssl = hs->ssl;
|
1805
1839
|
hs->needs_psk_binder = false;
|
1806
|
-
if (hs->max_version < TLS1_3_VERSION || ssl->session ==
|
1807
|
-
ssl_session_protocol_version(ssl->session) < TLS1_3_VERSION) {
|
1840
|
+
if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||
|
1841
|
+
ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) {
|
1808
1842
|
return true;
|
1809
1843
|
}
|
1810
1844
|
|
1811
|
-
// Per
|
1812
|
-
//
|
1813
|
-
//
|
1845
|
+
// Per RFC 8446 section 4.1.4, skip offering the session if the selected
|
1846
|
+
// cipher in HelloRetryRequest does not match. This avoids performing the
|
1847
|
+
// transcript hash transformation for multiple hashes.
|
1814
1848
|
if (hs->received_hello_retry_request &&
|
1815
1849
|
ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
|
1816
1850
|
return true;
|
@@ -1824,15 +1858,15 @@ static bool ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1824
1858
|
// Fill in a placeholder zero binder of the appropriate length. It will be
|
1825
1859
|
// computed and filled in later after length prefixes are computed.
|
1826
1860
|
uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
|
1827
|
-
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session));
|
1861
|
+
size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));
|
1828
1862
|
|
1829
1863
|
CBB contents, identity, ticket, binders, binder;
|
1830
1864
|
if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
|
1831
1865
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
1832
1866
|
!CBB_add_u16_length_prefixed(&contents, &identity) ||
|
1833
1867
|
!CBB_add_u16_length_prefixed(&identity, &ticket) ||
|
1834
|
-
!CBB_add_bytes(&ticket, ssl->session->
|
1835
|
-
ssl->session->
|
1868
|
+
!CBB_add_bytes(&ticket, ssl->session->ticket.data(),
|
1869
|
+
ssl->session->ticket.size()) ||
|
1836
1870
|
!CBB_add_u32(&identity, obfuscated_ticket_age) ||
|
1837
1871
|
!CBB_add_u16_length_prefixed(&contents, &binders) ||
|
1838
1872
|
!CBB_add_u8_length_prefixed(&binders, &binder) ||
|
@@ -1867,7 +1901,17 @@ bool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
1867
1901
|
|
1868
1902
|
bool ssl_ext_pre_shared_key_parse_clienthello(
|
1869
1903
|
SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,
|
1870
|
-
uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert,
|
1904
|
+
uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert,
|
1905
|
+
const SSL_CLIENT_HELLO *client_hello, CBS *contents) {
|
1906
|
+
// Verify that the pre_shared_key extension is the last extension in
|
1907
|
+
// ClientHello.
|
1908
|
+
if (CBS_data(contents) + CBS_len(contents) !=
|
1909
|
+
client_hello->extensions + client_hello->extensions_len) {
|
1910
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
|
1911
|
+
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
1912
|
+
return false;
|
1913
|
+
}
|
1914
|
+
|
1871
1915
|
// We only process the first PSK identity since we don't support pure PSK.
|
1872
1916
|
CBS identities, binders;
|
1873
1917
|
if (!CBS_get_u16_length_prefixed(contents, &identities) ||
|
@@ -1941,7 +1985,7 @@ bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
1941
1985
|
|
1942
1986
|
// Pre-Shared Key Exchange Modes
|
1943
1987
|
//
|
1944
|
-
// https://tools.ietf.org/html/
|
1988
|
+
// https://tools.ietf.org/html/rfc8446#section-4.2.9
|
1945
1989
|
|
1946
1990
|
static bool ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
|
1947
1991
|
CBB *out) {
|
@@ -1985,26 +2029,50 @@ static bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
1985
2029
|
|
1986
2030
|
// Early Data Indication
|
1987
2031
|
//
|
1988
|
-
// https://tools.ietf.org/html/
|
2032
|
+
// https://tools.ietf.org/html/rfc8446#section-4.2.10
|
1989
2033
|
|
1990
2034
|
static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
1991
2035
|
SSL *const ssl = hs->ssl;
|
1992
|
-
|
1993
|
-
|
1994
|
-
|
1995
|
-
|
1996
|
-
|
1997
|
-
|
1998
|
-
|
1999
|
-
|
2000
|
-
|
2001
|
-
|
2002
|
-
|
2003
|
-
|
2004
|
-
|
2036
|
+
// The second ClientHello never offers early data, and we must have already
|
2037
|
+
// filled in |early_data_reason| by this point.
|
2038
|
+
if (hs->received_hello_retry_request) {
|
2039
|
+
assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
|
2040
|
+
return true;
|
2041
|
+
}
|
2042
|
+
|
2043
|
+
if (!ssl->enable_early_data) {
|
2044
|
+
ssl->s3->early_data_reason = ssl_early_data_disabled;
|
2045
|
+
return true;
|
2046
|
+
}
|
2047
|
+
|
2048
|
+
if (hs->max_version < TLS1_3_VERSION) {
|
2049
|
+
// We discard inapplicable sessions, so this is redundant with the session
|
2050
|
+
// checks below, but we check give a more useful reason.
|
2051
|
+
ssl->s3->early_data_reason = ssl_early_data_protocol_version;
|
2052
|
+
return true;
|
2053
|
+
}
|
2054
|
+
|
2055
|
+
if (ssl->session == nullptr) {
|
2056
|
+
ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
|
2057
|
+
return true;
|
2058
|
+
}
|
2059
|
+
|
2060
|
+
if (ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
|
2061
|
+
ssl->session->ticket_max_early_data == 0) {
|
2062
|
+
ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
|
2005
2063
|
return true;
|
2006
2064
|
}
|
2007
2065
|
|
2066
|
+
// In case ALPN preferences changed since this session was established, avoid
|
2067
|
+
// reporting a confusing value in |SSL_get0_alpn_selected| and sending early
|
2068
|
+
// data we know will be rejected.
|
2069
|
+
if (!ssl->session->early_alpn.empty() &&
|
2070
|
+
!ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn)) {
|
2071
|
+
ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;
|
2072
|
+
return true;
|
2073
|
+
}
|
2074
|
+
|
2075
|
+
// |early_data_reason| will be filled in later when the server responds.
|
2008
2076
|
hs->early_data_offered = true;
|
2009
2077
|
|
2010
2078
|
if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
|
@@ -2017,12 +2085,27 @@ static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2017
2085
|
}
|
2018
2086
|
|
2019
2087
|
static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
|
2020
|
-
uint8_t *out_alert,
|
2088
|
+
uint8_t *out_alert,
|
2089
|
+
CBS *contents) {
|
2021
2090
|
SSL *const ssl = hs->ssl;
|
2022
2091
|
if (contents == NULL) {
|
2092
|
+
if (hs->early_data_offered && !hs->received_hello_retry_request) {
|
2093
|
+
ssl->s3->early_data_reason = ssl->s3->session_reused
|
2094
|
+
? ssl_early_data_peer_declined
|
2095
|
+
: ssl_early_data_session_not_resumed;
|
2096
|
+
} else {
|
2097
|
+
// We already filled in |early_data_reason| when declining to offer 0-RTT
|
2098
|
+
// or handling the implicit HelloRetryRequest reject.
|
2099
|
+
assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
|
2100
|
+
}
|
2023
2101
|
return true;
|
2024
2102
|
}
|
2025
2103
|
|
2104
|
+
// If we received an HRR, the second ClientHello never offers early data, so
|
2105
|
+
// the extensions logic will automatically reject early data extensions as
|
2106
|
+
// unsolicited. This covered by the ServerAcceptsEarlyDataOnHRR test.
|
2107
|
+
assert(!hs->received_hello_retry_request);
|
2108
|
+
|
2026
2109
|
if (CBS_len(contents) != 0) {
|
2027
2110
|
*out_alert = SSL_AD_DECODE_ERROR;
|
2028
2111
|
return false;
|
@@ -2034,6 +2117,7 @@ static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
2034
2117
|
return false;
|
2035
2118
|
}
|
2036
2119
|
|
2120
|
+
ssl->s3->early_data_reason = ssl_early_data_accepted;
|
2037
2121
|
ssl->s3->early_data_accepted = true;
|
2038
2122
|
return true;
|
2039
2123
|
}
|
@@ -2072,7 +2156,7 @@ static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2072
2156
|
|
2073
2157
|
// Key Share
|
2074
2158
|
//
|
2075
|
-
// https://tools.ietf.org/html/
|
2159
|
+
// https://tools.ietf.org/html/rfc8446#section-4.2.8
|
2076
2160
|
|
2077
2161
|
static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
2078
2162
|
SSL *const ssl = hs->ssl;
|
@@ -2088,6 +2172,7 @@ static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2088
2172
|
}
|
2089
2173
|
|
2090
2174
|
uint16_t group_id = hs->retry_group;
|
2175
|
+
uint16_t second_group_id = 0;
|
2091
2176
|
if (hs->received_hello_retry_request) {
|
2092
2177
|
// We received a HelloRetryRequest without a new curve, so there is no new
|
2093
2178
|
// share to append. Leave |hs->key_share| as-is.
|
@@ -2111,26 +2196,45 @@ static bool ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2111
2196
|
}
|
2112
2197
|
|
2113
2198
|
// Predict the most preferred group.
|
2114
|
-
Span<const uint16_t> groups = tls1_get_grouplist(
|
2199
|
+
Span<const uint16_t> groups = tls1_get_grouplist(hs);
|
2115
2200
|
if (groups.empty()) {
|
2116
2201
|
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED);
|
2117
2202
|
return false;
|
2118
2203
|
}
|
2119
2204
|
|
2120
2205
|
group_id = groups[0];
|
2206
|
+
|
2207
|
+
if (is_post_quantum_group(group_id) && groups.size() >= 2) {
|
2208
|
+
// CECPQ2(b) is not sent as the only initial key share. We'll include the
|
2209
|
+
// 2nd preference group too to avoid round-trips.
|
2210
|
+
second_group_id = groups[1];
|
2211
|
+
assert(second_group_id != group_id);
|
2212
|
+
}
|
2121
2213
|
}
|
2122
2214
|
|
2123
|
-
hs->key_share = SSLKeyShare::Create(group_id);
|
2124
2215
|
CBB key_exchange;
|
2125
|
-
|
2216
|
+
hs->key_shares[0] = SSLKeyShare::Create(group_id);
|
2217
|
+
if (!hs->key_shares[0] ||
|
2126
2218
|
!CBB_add_u16(&kse_bytes, group_id) ||
|
2127
2219
|
!CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
|
2128
|
-
!hs->
|
2220
|
+
!hs->key_shares[0]->Offer(&key_exchange) ||
|
2129
2221
|
!CBB_flush(&kse_bytes)) {
|
2130
2222
|
return false;
|
2131
2223
|
}
|
2132
2224
|
|
2133
|
-
|
2225
|
+
if (second_group_id != 0) {
|
2226
|
+
hs->key_shares[1] = SSLKeyShare::Create(second_group_id);
|
2227
|
+
if (!hs->key_shares[1] ||
|
2228
|
+
!CBB_add_u16(&kse_bytes, second_group_id) ||
|
2229
|
+
!CBB_add_u16_length_prefixed(&kse_bytes, &key_exchange) ||
|
2230
|
+
!hs->key_shares[1]->Offer(&key_exchange) ||
|
2231
|
+
!CBB_flush(&kse_bytes)) {
|
2232
|
+
return false;
|
2233
|
+
}
|
2234
|
+
}
|
2235
|
+
|
2236
|
+
// Save the contents of the extension to repeat it in the second
|
2237
|
+
// ClientHello.
|
2134
2238
|
if (!hs->received_hello_retry_request &&
|
2135
2239
|
!hs->key_share_bytes.CopyFrom(
|
2136
2240
|
MakeConstSpan(CBB_data(&kse_bytes), CBB_len(&kse_bytes)))) {
|
@@ -2153,19 +2257,24 @@ bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
2153
2257
|
return false;
|
2154
2258
|
}
|
2155
2259
|
|
2156
|
-
|
2157
|
-
|
2158
|
-
|
2159
|
-
|
2260
|
+
SSLKeyShare *key_share = hs->key_shares[0].get();
|
2261
|
+
if (key_share->GroupID() != group_id) {
|
2262
|
+
if (!hs->key_shares[1] || hs->key_shares[1]->GroupID() != group_id) {
|
2263
|
+
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
2264
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
|
2265
|
+
return false;
|
2266
|
+
}
|
2267
|
+
key_share = hs->key_shares[1].get();
|
2160
2268
|
}
|
2161
2269
|
|
2162
|
-
if (!
|
2270
|
+
if (!key_share->Finish(out_secret, out_alert, peer_key)) {
|
2163
2271
|
*out_alert = SSL_AD_INTERNAL_ERROR;
|
2164
2272
|
return false;
|
2165
2273
|
}
|
2166
2274
|
|
2167
2275
|
hs->new_session->group_id = group_id;
|
2168
|
-
hs->
|
2276
|
+
hs->key_shares[0].reset();
|
2277
|
+
hs->key_shares[1].reset();
|
2169
2278
|
return true;
|
2170
2279
|
}
|
2171
2280
|
|
@@ -2257,7 +2366,7 @@ bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2257
2366
|
|
2258
2367
|
// Supported Versions
|
2259
2368
|
//
|
2260
|
-
// https://tools.ietf.org/html/
|
2369
|
+
// https://tools.ietf.org/html/rfc8446#section-4.2.1
|
2261
2370
|
|
2262
2371
|
static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
2263
2372
|
SSL *const ssl = hs->ssl;
|
@@ -2289,7 +2398,7 @@ static bool ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out)
|
|
2289
2398
|
|
2290
2399
|
// Cookie
|
2291
2400
|
//
|
2292
|
-
// https://tools.ietf.org/html/
|
2401
|
+
// https://tools.ietf.org/html/rfc8446#section-4.2.2
|
2293
2402
|
|
2294
2403
|
static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
2295
2404
|
if (hs->cookie.empty()) {
|
@@ -2311,83 +2420,10 @@ static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2311
2420
|
}
|
2312
2421
|
|
2313
2422
|
|
2314
|
-
//
|
2315
|
-
//
|
2316
|
-
// Dummy post-quantum padding invovles the client (and later server) sending
|
2317
|
-
// useless, random-looking bytes in an extension in their ClientHello or
|
2318
|
-
// ServerHello. These extensions are sized to simulate a post-quantum
|
2319
|
-
// key-exchange and so enable measurement of the latency impact of the
|
2320
|
-
// additional bandwidth.
|
2321
|
-
|
2322
|
-
static bool ext_dummy_pq_padding_add(CBB *out, size_t len) {
|
2323
|
-
CBB contents;
|
2324
|
-
uint8_t *buffer;
|
2325
|
-
if (!CBB_add_u16(out, TLSEXT_TYPE_dummy_pq_padding) ||
|
2326
|
-
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2327
|
-
!CBB_add_space(&contents, &buffer, len)) {
|
2328
|
-
return false;
|
2329
|
-
}
|
2330
|
-
|
2331
|
-
// The length is used as the nonce so that different length extensions have
|
2332
|
-
// different contents. There's no reason this has to be the case, it just
|
2333
|
-
// makes things a little more obvious in a packet dump.
|
2334
|
-
uint8_t nonce[12] = {0};
|
2335
|
-
memcpy(nonce, &len, sizeof(len));
|
2336
|
-
|
2337
|
-
memset(buffer, 0, len);
|
2338
|
-
static const uint8_t kZeroKey[32] = {0};
|
2339
|
-
CRYPTO_chacha_20(buffer, buffer, len, kZeroKey, nonce, 0);
|
2340
|
-
|
2341
|
-
return CBB_flush(out);
|
2342
|
-
}
|
2343
|
-
|
2344
|
-
static bool ext_dummy_pq_padding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
2345
|
-
const size_t len = hs->ssl->dummy_pq_padding_len;
|
2346
|
-
if (len == 0) {
|
2347
|
-
return true;
|
2348
|
-
}
|
2349
|
-
|
2350
|
-
return ext_dummy_pq_padding_add(out, len);
|
2351
|
-
}
|
2352
|
-
|
2353
|
-
static bool ext_dummy_pq_padding_parse_serverhello(SSL_HANDSHAKE *hs,
|
2354
|
-
uint8_t *out_alert,
|
2355
|
-
CBS *contents) {
|
2356
|
-
if (contents == nullptr) {
|
2357
|
-
return true;
|
2358
|
-
}
|
2359
|
-
|
2360
|
-
if (CBS_len(contents) != hs->ssl->dummy_pq_padding_len) {
|
2361
|
-
return false;
|
2362
|
-
}
|
2363
|
-
|
2364
|
-
hs->ssl->did_dummy_pq_padding = true;
|
2365
|
-
return true;
|
2366
|
-
}
|
2367
|
-
|
2368
|
-
static bool ext_dummy_pq_padding_parse_clienthello(SSL_HANDSHAKE *hs,
|
2369
|
-
uint8_t *out_alert,
|
2370
|
-
CBS *contents) {
|
2371
|
-
if (contents != nullptr &&
|
2372
|
-
0 < CBS_len(contents) && CBS_len(contents) < (1 << 12)) {
|
2373
|
-
hs->dummy_pq_padding_len = CBS_len(contents);
|
2374
|
-
}
|
2375
|
-
|
2376
|
-
return true;
|
2377
|
-
}
|
2378
|
-
|
2379
|
-
static bool ext_dummy_pq_padding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
2380
|
-
if (!hs->dummy_pq_padding_len) {
|
2381
|
-
return true;
|
2382
|
-
}
|
2383
|
-
|
2384
|
-
return ext_dummy_pq_padding_add(out, hs->dummy_pq_padding_len);
|
2385
|
-
}
|
2386
|
-
|
2387
|
-
// Negotiated Groups
|
2423
|
+
// Supported Groups
|
2388
2424
|
//
|
2389
|
-
// https://tools.ietf.org/html/rfc4492#section-5.1.
|
2390
|
-
// https://tools.ietf.org/html/
|
2425
|
+
// https://tools.ietf.org/html/rfc4492#section-5.1.1
|
2426
|
+
// https://tools.ietf.org/html/rfc8446#section-4.2.7
|
2391
2427
|
|
2392
2428
|
static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
2393
2429
|
SSL *const ssl = hs->ssl;
|
@@ -2405,7 +2441,11 @@ static bool ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2405
2441
|
return false;
|
2406
2442
|
}
|
2407
2443
|
|
2408
|
-
for (uint16_t group : tls1_get_grouplist(
|
2444
|
+
for (uint16_t group : tls1_get_grouplist(hs)) {
|
2445
|
+
if (is_post_quantum_group(group) &&
|
2446
|
+
hs->max_version < TLS1_3_VERSION) {
|
2447
|
+
continue;
|
2448
|
+
}
|
2409
2449
|
if (!CBB_add_u16(&groups_bytes, group)) {
|
2410
2450
|
return false;
|
2411
2451
|
}
|
@@ -2476,7 +2516,7 @@ static uint16_t kTokenBindingMinVersion = 13;
|
|
2476
2516
|
|
2477
2517
|
static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
2478
2518
|
SSL *const ssl = hs->ssl;
|
2479
|
-
if (
|
2519
|
+
if (hs->config->token_binding_params.empty() || SSL_is_dtls(ssl)) {
|
2480
2520
|
return true;
|
2481
2521
|
}
|
2482
2522
|
|
@@ -2485,8 +2525,8 @@ static bool ext_token_binding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2485
2525
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2486
2526
|
!CBB_add_u16(&contents, kTokenBindingMaxVersion) ||
|
2487
2527
|
!CBB_add_u8_length_prefixed(&contents, ¶ms) ||
|
2488
|
-
!CBB_add_bytes(¶ms,
|
2489
|
-
|
2528
|
+
!CBB_add_bytes(¶ms, hs->config->token_binding_params.data(),
|
2529
|
+
hs->config->token_binding_params.size()) ||
|
2490
2530
|
!CBB_flush(out)) {
|
2491
2531
|
return false;
|
2492
2532
|
}
|
@@ -2526,10 +2566,10 @@ static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
2526
2566
|
return true;
|
2527
2567
|
}
|
2528
2568
|
|
2529
|
-
for (
|
2530
|
-
if (param ==
|
2531
|
-
ssl->negotiated_token_binding_param = param;
|
2532
|
-
ssl->token_binding_negotiated = true;
|
2569
|
+
for (uint8_t config_param : hs->config->token_binding_params) {
|
2570
|
+
if (param == config_param) {
|
2571
|
+
ssl->s3->negotiated_token_binding_param = param;
|
2572
|
+
ssl->s3->token_binding_negotiated = true;
|
2533
2573
|
return true;
|
2534
2574
|
}
|
2535
2575
|
}
|
@@ -2539,15 +2579,15 @@ static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs,
|
|
2539
2579
|
}
|
2540
2580
|
|
2541
2581
|
// select_tb_param looks for the first token binding param in
|
2542
|
-
// |ssl->token_binding_params| that is also in |params| and puts it in
|
2543
|
-
// |ssl->negotiated_token_binding_param|. It returns true if a token binding
|
2582
|
+
// |hs->ssl->token_binding_params| that is also in |params| and puts it in
|
2583
|
+
// |hs->ssl->negotiated_token_binding_param|. It returns true if a token binding
|
2544
2584
|
// param is found, and false otherwise.
|
2545
|
-
static bool select_tb_param(
|
2546
|
-
|
2547
|
-
|
2585
|
+
static bool select_tb_param(SSL_HANDSHAKE *hs,
|
2586
|
+
Span<const uint8_t> peer_params) {
|
2587
|
+
for (uint8_t tb_param : hs->config->token_binding_params) {
|
2548
2588
|
for (uint8_t peer_param : peer_params) {
|
2549
2589
|
if (tb_param == peer_param) {
|
2550
|
-
ssl->negotiated_token_binding_param = tb_param;
|
2590
|
+
hs->ssl->s3->negotiated_token_binding_param = tb_param;
|
2551
2591
|
return true;
|
2552
2592
|
}
|
2553
2593
|
}
|
@@ -2559,7 +2599,7 @@ static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
2559
2599
|
uint8_t *out_alert,
|
2560
2600
|
CBS *contents) {
|
2561
2601
|
SSL *const ssl = hs->ssl;
|
2562
|
-
if (contents == nullptr ||
|
2602
|
+
if (contents == nullptr || hs->config->token_binding_params.empty()) {
|
2563
2603
|
return true;
|
2564
2604
|
}
|
2565
2605
|
|
@@ -2583,18 +2623,18 @@ static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
2583
2623
|
// version. Otherwise, use the client's version.
|
2584
2624
|
hs->negotiated_token_binding_version =
|
2585
2625
|
std::min(version, kTokenBindingMaxVersion);
|
2586
|
-
if (!select_tb_param(
|
2626
|
+
if (!select_tb_param(hs, params)) {
|
2587
2627
|
return true;
|
2588
2628
|
}
|
2589
2629
|
|
2590
|
-
ssl->token_binding_negotiated = true;
|
2630
|
+
ssl->s3->token_binding_negotiated = true;
|
2591
2631
|
return true;
|
2592
2632
|
}
|
2593
2633
|
|
2594
2634
|
static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
2595
2635
|
SSL *const ssl = hs->ssl;
|
2596
2636
|
|
2597
|
-
if (!ssl->token_binding_negotiated) {
|
2637
|
+
if (!ssl->s3->token_binding_negotiated) {
|
2598
2638
|
return true;
|
2599
2639
|
}
|
2600
2640
|
|
@@ -2603,7 +2643,7 @@ static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2603
2643
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2604
2644
|
!CBB_add_u16(&contents, hs->negotiated_token_binding_version) ||
|
2605
2645
|
!CBB_add_u8_length_prefixed(&contents, ¶ms) ||
|
2606
|
-
!CBB_add_u8(¶ms, ssl->negotiated_token_binding_param) ||
|
2646
|
+
!CBB_add_u8(¶ms, ssl->s3->negotiated_token_binding_param) ||
|
2607
2647
|
!CBB_flush(out)) {
|
2608
2648
|
return false;
|
2609
2649
|
}
|
@@ -2615,16 +2655,16 @@ static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
|
2615
2655
|
|
2616
2656
|
static bool ext_quic_transport_params_add_clienthello(SSL_HANDSHAKE *hs,
|
2617
2657
|
CBB *out) {
|
2618
|
-
|
2619
|
-
|
2658
|
+
if (hs->config->quic_transport_params.empty() ||
|
2659
|
+
hs->max_version <= TLS1_2_VERSION) {
|
2620
2660
|
return true;
|
2621
2661
|
}
|
2622
2662
|
|
2623
2663
|
CBB contents;
|
2624
2664
|
if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
|
2625
2665
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2626
|
-
!CBB_add_bytes(&contents,
|
2627
|
-
|
2666
|
+
!CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
|
2667
|
+
hs->config->quic_transport_params.size()) ||
|
2628
2668
|
!CBB_flush(out)) {
|
2629
2669
|
return false;
|
2630
2670
|
}
|
@@ -2651,7 +2691,7 @@ static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
2651
2691
|
uint8_t *out_alert,
|
2652
2692
|
CBS *contents) {
|
2653
2693
|
SSL *const ssl = hs->ssl;
|
2654
|
-
if (!contents ||
|
2694
|
+
if (!contents || hs->config->quic_transport_params.empty()) {
|
2655
2695
|
return true;
|
2656
2696
|
}
|
2657
2697
|
// Ignore the extension before TLS 1.3.
|
@@ -2664,16 +2704,15 @@ static bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,
|
|
2664
2704
|
|
2665
2705
|
static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
|
2666
2706
|
CBB *out) {
|
2667
|
-
|
2668
|
-
if (!ssl->quic_transport_params) {
|
2707
|
+
if (hs->config->quic_transport_params.empty()) {
|
2669
2708
|
return true;
|
2670
2709
|
}
|
2671
2710
|
|
2672
2711
|
CBB contents;
|
2673
2712
|
if (!CBB_add_u16(out, TLSEXT_TYPE_quic_transport_parameters) ||
|
2674
2713
|
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2675
|
-
!CBB_add_bytes(&contents,
|
2676
|
-
|
2714
|
+
!CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),
|
2715
|
+
hs->config->quic_transport_params.size()) ||
|
2677
2716
|
!CBB_flush(out)) {
|
2678
2717
|
return false;
|
2679
2718
|
}
|
@@ -2681,50 +2720,261 @@ static bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,
|
|
2681
2720
|
return true;
|
2682
2721
|
}
|
2683
2722
|
|
2723
|
+
// Delegated credentials.
|
2724
|
+
//
|
2725
|
+
// https://tools.ietf.org/html/draft-ietf-tls-subcerts
|
2684
2726
|
|
2685
|
-
|
2686
|
-
|
2687
|
-
|
2688
|
-
|
2689
|
-
|
2690
|
-
|
2691
|
-
|
2692
|
-
|
2693
|
-
|
2694
|
-
|
2695
|
-
|
2696
|
-
|
2697
|
-
|
2698
|
-
|
2699
|
-
|
2700
|
-
|
2701
|
-
|
2702
|
-
|
2703
|
-
|
2704
|
-
|
2705
|
-
|
2706
|
-
|
2707
|
-
|
2708
|
-
|
2709
|
-
|
2710
|
-
|
2711
|
-
|
2712
|
-
|
2713
|
-
|
2714
|
-
|
2715
|
-
|
2716
|
-
|
2717
|
-
|
2718
|
-
|
2719
|
-
|
2720
|
-
|
2721
|
-
|
2722
|
-
|
2723
|
-
|
2724
|
-
|
2725
|
-
|
2727
|
+
static bool ext_delegated_credential_add_clienthello(SSL_HANDSHAKE *hs,
|
2728
|
+
CBB *out) {
|
2729
|
+
return true;
|
2730
|
+
}
|
2731
|
+
|
2732
|
+
static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs,
|
2733
|
+
uint8_t *out_alert,
|
2734
|
+
CBS *contents) {
|
2735
|
+
assert(TLSEXT_TYPE_delegated_credential == 0xff02);
|
2736
|
+
// TODO: Check that the extension is empty.
|
2737
|
+
//
|
2738
|
+
// As of draft-03, the client sends an empty extension in order indicate
|
2739
|
+
// support for delegated credentials. This could change, however, since the
|
2740
|
+
// spec is not yet finalized. This assertion is here to remind us to enforce
|
2741
|
+
// this check once the extension ID is assigned.
|
2742
|
+
|
2743
|
+
if (contents == nullptr || ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
|
2744
|
+
// Don't use delegated credentials unless we're negotiating TLS 1.3 or
|
2745
|
+
// higher.
|
2746
|
+
return true;
|
2747
|
+
}
|
2748
|
+
|
2749
|
+
hs->delegated_credential_requested = true;
|
2750
|
+
return true;
|
2751
|
+
}
|
2752
|
+
|
2753
|
+
// Certificate compression
|
2754
|
+
|
2755
|
+
static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
|
2756
|
+
bool first = true;
|
2757
|
+
CBB contents, algs;
|
2758
|
+
|
2759
|
+
for (const auto &alg : hs->ssl->ctx->cert_compression_algs) {
|
2760
|
+
if (alg.decompress == nullptr) {
|
2761
|
+
continue;
|
2762
|
+
}
|
2763
|
+
|
2764
|
+
if (first && (!CBB_add_u16(out, TLSEXT_TYPE_cert_compression) ||
|
2765
|
+
!CBB_add_u16_length_prefixed(out, &contents) ||
|
2766
|
+
!CBB_add_u8_length_prefixed(&contents, &algs))) {
|
2767
|
+
return false;
|
2768
|
+
}
|
2769
|
+
first = false;
|
2770
|
+
if (!CBB_add_u16(&algs, alg.alg_id)) {
|
2771
|
+
return false;
|
2772
|
+
}
|
2773
|
+
}
|
2774
|
+
|
2775
|
+
return first || CBB_flush(out);
|
2776
|
+
}
|
2777
|
+
|
2778
|
+
static bool cert_compression_parse_serverhello(SSL_HANDSHAKE *hs,
|
2779
|
+
uint8_t *out_alert,
|
2780
|
+
CBS *contents) {
|
2781
|
+
if (contents == nullptr) {
|
2782
|
+
return true;
|
2783
|
+
}
|
2784
|
+
|
2785
|
+
// The server may not echo this extension. Any server to client negotiation is
|
2786
|
+
// advertised in the CertificateRequest message.
|
2787
|
+
return false;
|
2788
|
+
}
|
2789
|
+
|
2790
|
+
static bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs,
|
2791
|
+
uint8_t *out_alert,
|
2792
|
+
CBS *contents) {
|
2793
|
+
if (contents == nullptr) {
|
2794
|
+
return true;
|
2795
|
+
}
|
2796
|
+
|
2797
|
+
const SSL_CTX *ctx = hs->ssl->ctx.get();
|
2798
|
+
const size_t num_algs = ctx->cert_compression_algs.size();
|
2799
|
+
|
2800
|
+
CBS alg_ids;
|
2801
|
+
if (!CBS_get_u8_length_prefixed(contents, &alg_ids) ||
|
2802
|
+
CBS_len(contents) != 0 ||
|
2803
|
+
CBS_len(&alg_ids) == 0 ||
|
2804
|
+
CBS_len(&alg_ids) % 2 == 1) {
|
2805
|
+
return false;
|
2806
|
+
}
|
2807
|
+
|
2808
|
+
const size_t num_given_alg_ids = CBS_len(&alg_ids) / 2;
|
2809
|
+
Array<uint16_t> given_alg_ids;
|
2810
|
+
if (!given_alg_ids.Init(num_given_alg_ids)) {
|
2811
|
+
return false;
|
2812
|
+
}
|
2813
|
+
|
2814
|
+
size_t best_index = num_algs;
|
2815
|
+
size_t given_alg_idx = 0;
|
2816
|
+
|
2817
|
+
while (CBS_len(&alg_ids) > 0) {
|
2818
|
+
uint16_t alg_id;
|
2819
|
+
if (!CBS_get_u16(&alg_ids, &alg_id)) {
|
2820
|
+
return false;
|
2821
|
+
}
|
2822
|
+
|
2823
|
+
given_alg_ids[given_alg_idx++] = alg_id;
|
2824
|
+
|
2825
|
+
for (size_t i = 0; i < num_algs; i++) {
|
2826
|
+
const auto &alg = ctx->cert_compression_algs[i];
|
2827
|
+
if (alg.alg_id == alg_id && alg.compress != nullptr) {
|
2828
|
+
if (i < best_index) {
|
2829
|
+
best_index = i;
|
2830
|
+
}
|
2831
|
+
break;
|
2832
|
+
}
|
2833
|
+
}
|
2834
|
+
}
|
2835
|
+
|
2836
|
+
qsort(given_alg_ids.data(), given_alg_ids.size(), sizeof(uint16_t),
|
2837
|
+
compare_uint16_t);
|
2838
|
+
for (size_t i = 1; i < num_given_alg_ids; i++) {
|
2839
|
+
if (given_alg_ids[i - 1] == given_alg_ids[i]) {
|
2840
|
+
return false;
|
2841
|
+
}
|
2842
|
+
}
|
2843
|
+
|
2844
|
+
if (best_index < num_algs &&
|
2845
|
+
ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
|
2846
|
+
hs->cert_compression_negotiated = true;
|
2847
|
+
hs->cert_compression_alg_id = ctx->cert_compression_algs[best_index].alg_id;
|
2848
|
+
}
|
2849
|
+
|
2850
|
+
return true;
|
2851
|
+
}
|
2852
|
+
|
2853
|
+
static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
|
2854
|
+
return true;
|
2855
|
+
}
|
2856
|
+
|
2857
|
+
|
2858
|
+
// Post-quantum experiment signal
|
2859
|
+
//
|
2860
|
+
// This extension may be used in order to identify a control group for
|
2861
|
+
// experimenting with post-quantum key exchange algorithms.
|
2862
|
+
|
2863
|
+
static bool ext_pq_experiment_signal_add_clienthello(SSL_HANDSHAKE *hs,
|
2864
|
+
CBB *out) {
|
2865
|
+
if (hs->ssl->ctx->pq_experiment_signal &&
|
2866
|
+
(!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
|
2867
|
+
!CBB_add_u16(out, 0))) {
|
2868
|
+
return false;
|
2869
|
+
}
|
2870
|
+
|
2871
|
+
return true;
|
2872
|
+
}
|
2873
|
+
|
2874
|
+
static bool ext_pq_experiment_signal_parse_serverhello(SSL_HANDSHAKE *hs,
|
2875
|
+
uint8_t *out_alert,
|
2876
|
+
CBS *contents) {
|
2877
|
+
if (contents == nullptr) {
|
2878
|
+
return true;
|
2879
|
+
}
|
2880
|
+
|
2881
|
+
if (!hs->ssl->ctx->pq_experiment_signal || CBS_len(contents) != 0) {
|
2882
|
+
return false;
|
2883
|
+
}
|
2884
|
+
|
2885
|
+
hs->ssl->s3->pq_experiment_signal_seen = true;
|
2886
|
+
return true;
|
2887
|
+
}
|
2888
|
+
|
2889
|
+
static bool ext_pq_experiment_signal_parse_clienthello(SSL_HANDSHAKE *hs,
|
2890
|
+
uint8_t *out_alert,
|
2891
|
+
CBS *contents) {
|
2892
|
+
if (contents == nullptr) {
|
2893
|
+
return true;
|
2894
|
+
}
|
2895
|
+
|
2896
|
+
if (CBS_len(contents) != 0) {
|
2897
|
+
return false;
|
2898
|
+
}
|
2899
|
+
|
2900
|
+
if (hs->ssl->ctx->pq_experiment_signal) {
|
2901
|
+
hs->ssl->s3->pq_experiment_signal_seen = true;
|
2902
|
+
}
|
2903
|
+
|
2904
|
+
return true;
|
2905
|
+
}
|
2906
|
+
|
2907
|
+
static bool ext_pq_experiment_signal_add_serverhello(SSL_HANDSHAKE *hs,
|
2908
|
+
CBB *out) {
|
2909
|
+
if (hs->ssl->s3->pq_experiment_signal_seen &&
|
2910
|
+
(!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
|
2911
|
+
!CBB_add_u16(out, 0))) {
|
2912
|
+
return false;
|
2913
|
+
}
|
2914
|
+
|
2915
|
+
return true;
|
2916
|
+
}
|
2917
|
+
|
2918
|
+
// kExtensions contains all the supported extensions.
|
2919
|
+
static const struct tls_extension kExtensions[] = {
|
2920
|
+
{
|
2921
|
+
TLSEXT_TYPE_server_name,
|
2922
|
+
NULL,
|
2923
|
+
ext_sni_add_clienthello,
|
2924
|
+
ext_sni_parse_serverhello,
|
2925
|
+
ext_sni_parse_clienthello,
|
2926
|
+
ext_sni_add_serverhello,
|
2927
|
+
},
|
2928
|
+
{
|
2929
|
+
TLSEXT_TYPE_extended_master_secret,
|
2930
|
+
NULL,
|
2931
|
+
ext_ems_add_clienthello,
|
2932
|
+
ext_ems_parse_serverhello,
|
2933
|
+
ext_ems_parse_clienthello,
|
2934
|
+
ext_ems_add_serverhello,
|
2935
|
+
},
|
2936
|
+
{
|
2937
|
+
TLSEXT_TYPE_renegotiate,
|
2938
|
+
NULL,
|
2939
|
+
ext_ri_add_clienthello,
|
2940
|
+
ext_ri_parse_serverhello,
|
2941
|
+
ext_ri_parse_clienthello,
|
2942
|
+
ext_ri_add_serverhello,
|
2943
|
+
},
|
2944
|
+
{
|
2945
|
+
TLSEXT_TYPE_supported_groups,
|
2946
|
+
NULL,
|
2947
|
+
ext_supported_groups_add_clienthello,
|
2948
|
+
ext_supported_groups_parse_serverhello,
|
2949
|
+
ext_supported_groups_parse_clienthello,
|
2726
2950
|
dont_add_serverhello,
|
2727
2951
|
},
|
2952
|
+
{
|
2953
|
+
TLSEXT_TYPE_ec_point_formats,
|
2954
|
+
NULL,
|
2955
|
+
ext_ec_point_add_clienthello,
|
2956
|
+
ext_ec_point_parse_serverhello,
|
2957
|
+
ext_ec_point_parse_clienthello,
|
2958
|
+
ext_ec_point_add_serverhello,
|
2959
|
+
},
|
2960
|
+
{
|
2961
|
+
TLSEXT_TYPE_session_ticket,
|
2962
|
+
NULL,
|
2963
|
+
ext_ticket_add_clienthello,
|
2964
|
+
ext_ticket_parse_serverhello,
|
2965
|
+
// Ticket extension client parsing is handled in ssl_session.c
|
2966
|
+
ignore_parse_clienthello,
|
2967
|
+
ext_ticket_add_serverhello,
|
2968
|
+
},
|
2969
|
+
{
|
2970
|
+
TLSEXT_TYPE_application_layer_protocol_negotiation,
|
2971
|
+
NULL,
|
2972
|
+
ext_alpn_add_clienthello,
|
2973
|
+
ext_alpn_parse_serverhello,
|
2974
|
+
// ALPN is negotiated late in |ssl_negotiate_alpn|.
|
2975
|
+
ignore_parse_clienthello,
|
2976
|
+
ext_alpn_add_serverhello,
|
2977
|
+
},
|
2728
2978
|
{
|
2729
2979
|
TLSEXT_TYPE_status_request,
|
2730
2980
|
NULL,
|
@@ -2733,6 +2983,22 @@ static const struct tls_extension kExtensions[] = {
|
|
2733
2983
|
ext_ocsp_parse_clienthello,
|
2734
2984
|
ext_ocsp_add_serverhello,
|
2735
2985
|
},
|
2986
|
+
{
|
2987
|
+
TLSEXT_TYPE_signature_algorithms,
|
2988
|
+
NULL,
|
2989
|
+
ext_sigalgs_add_clienthello,
|
2990
|
+
forbid_parse_serverhello,
|
2991
|
+
ext_sigalgs_parse_clienthello,
|
2992
|
+
dont_add_serverhello,
|
2993
|
+
},
|
2994
|
+
{
|
2995
|
+
TLSEXT_TYPE_signature_algorithms_cert,
|
2996
|
+
NULL,
|
2997
|
+
ext_sigalgs_cert_add_clienthello,
|
2998
|
+
forbid_parse_serverhello,
|
2999
|
+
ignore_parse_clienthello,
|
3000
|
+
dont_add_serverhello,
|
3001
|
+
},
|
2736
3002
|
{
|
2737
3003
|
TLSEXT_TYPE_next_proto_neg,
|
2738
3004
|
NULL,
|
@@ -2749,15 +3015,6 @@ static const struct tls_extension kExtensions[] = {
|
|
2749
3015
|
ext_sct_parse_clienthello,
|
2750
3016
|
ext_sct_add_serverhello,
|
2751
3017
|
},
|
2752
|
-
{
|
2753
|
-
TLSEXT_TYPE_application_layer_protocol_negotiation,
|
2754
|
-
NULL,
|
2755
|
-
ext_alpn_add_clienthello,
|
2756
|
-
ext_alpn_parse_serverhello,
|
2757
|
-
// ALPN is negotiated late in |ssl_negotiate_alpn|.
|
2758
|
-
ignore_parse_clienthello,
|
2759
|
-
ext_alpn_add_serverhello,
|
2760
|
-
},
|
2761
3018
|
{
|
2762
3019
|
TLSEXT_TYPE_channel_id,
|
2763
3020
|
ext_channel_id_init,
|
@@ -2774,14 +3031,6 @@ static const struct tls_extension kExtensions[] = {
|
|
2774
3031
|
ext_srtp_parse_clienthello,
|
2775
3032
|
ext_srtp_add_serverhello,
|
2776
3033
|
},
|
2777
|
-
{
|
2778
|
-
TLSEXT_TYPE_ec_point_formats,
|
2779
|
-
NULL,
|
2780
|
-
ext_ec_point_add_clienthello,
|
2781
|
-
ext_ec_point_parse_serverhello,
|
2782
|
-
ext_ec_point_parse_clienthello,
|
2783
|
-
ext_ec_point_add_serverhello,
|
2784
|
-
},
|
2785
3034
|
{
|
2786
3035
|
TLSEXT_TYPE_key_share,
|
2787
3036
|
NULL,
|
@@ -2822,14 +3071,6 @@ static const struct tls_extension kExtensions[] = {
|
|
2822
3071
|
ignore_parse_clienthello,
|
2823
3072
|
dont_add_serverhello,
|
2824
3073
|
},
|
2825
|
-
{
|
2826
|
-
TLSEXT_TYPE_dummy_pq_padding,
|
2827
|
-
NULL,
|
2828
|
-
ext_dummy_pq_padding_add_clienthello,
|
2829
|
-
ext_dummy_pq_padding_parse_serverhello,
|
2830
|
-
ext_dummy_pq_padding_parse_clienthello,
|
2831
|
-
ext_dummy_pq_padding_add_serverhello,
|
2832
|
-
},
|
2833
3074
|
{
|
2834
3075
|
TLSEXT_TYPE_quic_transport_parameters,
|
2835
3076
|
NULL,
|
@@ -2838,17 +3079,6 @@ static const struct tls_extension kExtensions[] = {
|
|
2838
3079
|
ext_quic_transport_params_parse_clienthello,
|
2839
3080
|
ext_quic_transport_params_add_serverhello,
|
2840
3081
|
},
|
2841
|
-
// The final extension must be non-empty. WebSphere Application Server 7.0 is
|
2842
|
-
// intolerant to the last extension being zero-length. See
|
2843
|
-
// https://crbug.com/363583.
|
2844
|
-
{
|
2845
|
-
TLSEXT_TYPE_supported_groups,
|
2846
|
-
NULL,
|
2847
|
-
ext_supported_groups_add_clienthello,
|
2848
|
-
ext_supported_groups_parse_serverhello,
|
2849
|
-
ext_supported_groups_parse_clienthello,
|
2850
|
-
dont_add_serverhello,
|
2851
|
-
},
|
2852
3082
|
{
|
2853
3083
|
TLSEXT_TYPE_token_binding,
|
2854
3084
|
NULL,
|
@@ -2857,6 +3087,30 @@ static const struct tls_extension kExtensions[] = {
|
|
2857
3087
|
ext_token_binding_parse_clienthello,
|
2858
3088
|
ext_token_binding_add_serverhello,
|
2859
3089
|
},
|
3090
|
+
{
|
3091
|
+
TLSEXT_TYPE_cert_compression,
|
3092
|
+
NULL,
|
3093
|
+
cert_compression_add_clienthello,
|
3094
|
+
cert_compression_parse_serverhello,
|
3095
|
+
cert_compression_parse_clienthello,
|
3096
|
+
cert_compression_add_serverhello,
|
3097
|
+
},
|
3098
|
+
{
|
3099
|
+
TLSEXT_TYPE_delegated_credential,
|
3100
|
+
NULL,
|
3101
|
+
ext_delegated_credential_add_clienthello,
|
3102
|
+
forbid_parse_serverhello,
|
3103
|
+
ext_delegated_credential_parse_clienthello,
|
3104
|
+
dont_add_serverhello,
|
3105
|
+
},
|
3106
|
+
{
|
3107
|
+
TLSEXT_TYPE_pq_experiment_signal,
|
3108
|
+
NULL,
|
3109
|
+
ext_pq_experiment_signal_add_clienthello,
|
3110
|
+
ext_pq_experiment_signal_parse_serverhello,
|
3111
|
+
ext_pq_experiment_signal_parse_clienthello,
|
3112
|
+
ext_pq_experiment_signal_add_serverhello,
|
3113
|
+
},
|
2860
3114
|
};
|
2861
3115
|
|
2862
3116
|
#define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
|
@@ -2881,22 +3135,19 @@ static const struct tls_extension *tls_extension_find(uint32_t *out_index,
|
|
2881
3135
|
return NULL;
|
2882
3136
|
}
|
2883
3137
|
|
2884
|
-
|
3138
|
+
bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out,
|
3139
|
+
size_t header_len) {
|
2885
3140
|
SSL *const ssl = hs->ssl;
|
2886
|
-
// Don't add extensions for SSLv3 unless doing secure renegotiation.
|
2887
|
-
if (hs->client_version == SSL3_VERSION &&
|
2888
|
-
!ssl->s3->send_connection_binding) {
|
2889
|
-
return 1;
|
2890
|
-
}
|
2891
|
-
|
2892
3141
|
CBB extensions;
|
2893
3142
|
if (!CBB_add_u16_length_prefixed(out, &extensions)) {
|
2894
3143
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
2895
|
-
return
|
3144
|
+
return false;
|
2896
3145
|
}
|
2897
3146
|
|
3147
|
+
// Note we may send multiple ClientHellos for DTLS HelloVerifyRequest and TLS
|
3148
|
+
// 1.3 HelloRetryRequest. For the latter, the extensions may change, so it is
|
3149
|
+
// important to reset this value.
|
2898
3150
|
hs->extensions.sent = 0;
|
2899
|
-
hs->custom_extensions.sent = 0;
|
2900
3151
|
|
2901
3152
|
for (size_t i = 0; i < kNumExtensions; i++) {
|
2902
3153
|
if (kExtensions[i].init != NULL) {
|
@@ -2911,26 +3162,26 @@ int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) {
|
|
2911
3162
|
if (!CBB_add_u16(&extensions, grease_ext1) ||
|
2912
3163
|
!CBB_add_u16(&extensions, 0 /* zero length */)) {
|
2913
3164
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
2914
|
-
return
|
3165
|
+
return false;
|
2915
3166
|
}
|
2916
3167
|
}
|
2917
3168
|
|
3169
|
+
bool last_was_empty = false;
|
2918
3170
|
for (size_t i = 0; i < kNumExtensions; i++) {
|
2919
3171
|
const size_t len_before = CBB_len(&extensions);
|
2920
3172
|
if (!kExtensions[i].add_clienthello(hs, &extensions)) {
|
2921
3173
|
OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);
|
2922
3174
|
ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
|
2923
|
-
return
|
3175
|
+
return false;
|
2924
3176
|
}
|
2925
3177
|
|
2926
|
-
|
3178
|
+
const size_t bytes_written = CBB_len(&extensions) - len_before;
|
3179
|
+
if (bytes_written != 0) {
|
2927
3180
|
hs->extensions.sent |= (1u << i);
|
2928
3181
|
}
|
2929
|
-
|
2930
|
-
|
2931
|
-
|
2932
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
2933
|
-
return 0;
|
3182
|
+
// If the difference in lengths is only four bytes then the extension had
|
3183
|
+
// an empty body.
|
3184
|
+
last_was_empty = (bytes_written == 4);
|
2934
3185
|
}
|
2935
3186
|
|
2936
3187
|
if (ssl->ctx->grease_enabled) {
|
@@ -2948,19 +3199,37 @@ int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) {
|
|
2948
3199
|
!CBB_add_u16(&extensions, 1 /* one byte length */) ||
|
2949
3200
|
!CBB_add_u8(&extensions, 0 /* single zero byte as contents */)) {
|
2950
3201
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
2951
|
-
return
|
3202
|
+
return false;
|
2952
3203
|
}
|
3204
|
+
|
3205
|
+
last_was_empty = false;
|
2953
3206
|
}
|
2954
3207
|
|
2955
3208
|
if (!SSL_is_dtls(ssl)) {
|
2956
3209
|
size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs);
|
2957
3210
|
header_len += 2 + CBB_len(&extensions) + psk_extension_len;
|
3211
|
+
size_t padding_len = 0;
|
3212
|
+
|
3213
|
+
// The final extension must be non-empty. WebSphere Application
|
3214
|
+
// Server 7.0 is intolerant to the last extension being zero-length. See
|
3215
|
+
// https://crbug.com/363583.
|
3216
|
+
if (last_was_empty && psk_extension_len == 0) {
|
3217
|
+
padding_len = 1;
|
3218
|
+
// The addition of the padding extension may push us into the F5 bug.
|
3219
|
+
header_len += 4 + padding_len;
|
3220
|
+
}
|
3221
|
+
|
3222
|
+
// Add padding to workaround bugs in F5 terminators. See RFC 7685.
|
3223
|
+
//
|
3224
|
+
// NB: because this code works out the length of all existing extensions
|
3225
|
+
// it MUST always appear last (save for any PSK extension).
|
2958
3226
|
if (header_len > 0xff && header_len < 0x200) {
|
2959
|
-
//
|
2960
|
-
//
|
2961
|
-
|
2962
|
-
|
2963
|
-
|
3227
|
+
// If our calculations already included a padding extension, remove that
|
3228
|
+
// factor because we're about to change its length.
|
3229
|
+
if (padding_len != 0) {
|
3230
|
+
header_len -= 4 + padding_len;
|
3231
|
+
}
|
3232
|
+
padding_len = 0x200 - header_len;
|
2964
3233
|
// Extensions take at least four bytes to encode. Always include at least
|
2965
3234
|
// one byte of data if including the extension. WebSphere Application
|
2966
3235
|
// Server 7.0 is intolerant to the last extension being zero-length. See
|
@@ -2970,13 +3239,15 @@ int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) {
|
|
2970
3239
|
} else {
|
2971
3240
|
padding_len = 1;
|
2972
3241
|
}
|
3242
|
+
}
|
2973
3243
|
|
3244
|
+
if (padding_len != 0) {
|
2974
3245
|
uint8_t *padding_bytes;
|
2975
3246
|
if (!CBB_add_u16(&extensions, TLSEXT_TYPE_padding) ||
|
2976
3247
|
!CBB_add_u16(&extensions, padding_len) ||
|
2977
3248
|
!CBB_add_space(&extensions, &padding_bytes, padding_len)) {
|
2978
3249
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
2979
|
-
return
|
3250
|
+
return false;
|
2980
3251
|
}
|
2981
3252
|
|
2982
3253
|
OPENSSL_memset(padding_bytes, 0, padding_len);
|
@@ -2986,7 +3257,7 @@ int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) {
|
|
2986
3257
|
// The PSK extension must be last, including after the padding.
|
2987
3258
|
if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) {
|
2988
3259
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
2989
|
-
return
|
3260
|
+
return false;
|
2990
3261
|
}
|
2991
3262
|
|
2992
3263
|
// Discard empty extensions blocks.
|
@@ -2997,7 +3268,7 @@ int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) {
|
|
2997
3268
|
return CBB_flush(out);
|
2998
3269
|
}
|
2999
3270
|
|
3000
|
-
|
3271
|
+
bool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
|
3001
3272
|
SSL *const ssl = hs->ssl;
|
3002
3273
|
CBB extensions;
|
3003
3274
|
if (!CBB_add_u16_length_prefixed(out, &extensions)) {
|
@@ -3017,10 +3288,6 @@ int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
|
|
3017
3288
|
}
|
3018
3289
|
}
|
3019
3290
|
|
3020
|
-
if (!custom_ext_add_serverhello(hs, &extensions)) {
|
3021
|
-
goto err;
|
3022
|
-
}
|
3023
|
-
|
3024
3291
|
// Discard empty extensions blocks before TLS 1.3.
|
3025
3292
|
if (ssl_protocol_version(ssl) < TLS1_3_VERSION &&
|
3026
3293
|
CBB_len(&extensions) == 0) {
|
@@ -3031,13 +3298,12 @@ int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {
|
|
3031
3298
|
|
3032
3299
|
err:
|
3033
3300
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
3034
|
-
return
|
3301
|
+
return false;
|
3035
3302
|
}
|
3036
3303
|
|
3037
|
-
static
|
3038
|
-
|
3039
|
-
|
3040
|
-
SSL *const ssl = hs->ssl;
|
3304
|
+
static bool ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
|
3305
|
+
const SSL_CLIENT_HELLO *client_hello,
|
3306
|
+
int *out_alert) {
|
3041
3307
|
for (size_t i = 0; i < kNumExtensions; i++) {
|
3042
3308
|
if (kExtensions[i].init != NULL) {
|
3043
3309
|
kExtensions[i].init(hs);
|
@@ -3045,7 +3311,6 @@ static int ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
|
|
3045
3311
|
}
|
3046
3312
|
|
3047
3313
|
hs->extensions.received = 0;
|
3048
|
-
hs->custom_extensions.received = 0;
|
3049
3314
|
CBS extensions;
|
3050
3315
|
CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
|
3051
3316
|
while (CBS_len(&extensions) != 0) {
|
@@ -3056,24 +3321,13 @@ static int ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
|
|
3056
3321
|
if (!CBS_get_u16(&extensions, &type) ||
|
3057
3322
|
!CBS_get_u16_length_prefixed(&extensions, &extension)) {
|
3058
3323
|
*out_alert = SSL_AD_DECODE_ERROR;
|
3059
|
-
return
|
3060
|
-
}
|
3061
|
-
|
3062
|
-
// RFC 5746 made the existence of extensions in SSL 3.0 somewhat
|
3063
|
-
// ambiguous. Ignore all but the renegotiation_info extension.
|
3064
|
-
if (ssl->version == SSL3_VERSION && type != TLSEXT_TYPE_renegotiate) {
|
3065
|
-
continue;
|
3324
|
+
return false;
|
3066
3325
|
}
|
3067
3326
|
|
3068
3327
|
unsigned ext_index;
|
3069
3328
|
const struct tls_extension *const ext =
|
3070
3329
|
tls_extension_find(&ext_index, type);
|
3071
|
-
|
3072
3330
|
if (ext == NULL) {
|
3073
|
-
if (!custom_ext_parse_clienthello(hs, out_alert, type, &extension)) {
|
3074
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
|
3075
|
-
return 0;
|
3076
|
-
}
|
3077
3331
|
continue;
|
3078
3332
|
}
|
3079
3333
|
|
@@ -3083,7 +3337,7 @@ static int ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
|
|
3083
3337
|
*out_alert = alert;
|
3084
3338
|
OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
|
3085
3339
|
ERR_add_error_dataf("extension %u", (unsigned)type);
|
3086
|
-
return
|
3340
|
+
return false;
|
3087
3341
|
}
|
3088
3342
|
}
|
3089
3343
|
|
@@ -3112,36 +3366,36 @@ static int ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,
|
|
3112
3366
|
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
|
3113
3367
|
ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
|
3114
3368
|
*out_alert = alert;
|
3115
|
-
return
|
3369
|
+
return false;
|
3116
3370
|
}
|
3117
3371
|
}
|
3118
3372
|
|
3119
|
-
return
|
3373
|
+
return true;
|
3120
3374
|
}
|
3121
3375
|
|
3122
|
-
|
3123
|
-
|
3376
|
+
bool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,
|
3377
|
+
const SSL_CLIENT_HELLO *client_hello) {
|
3124
3378
|
SSL *const ssl = hs->ssl;
|
3125
3379
|
int alert = SSL_AD_DECODE_ERROR;
|
3126
|
-
if (ssl_scan_clienthello_tlsext(hs, client_hello, &alert)
|
3380
|
+
if (!ssl_scan_clienthello_tlsext(hs, client_hello, &alert)) {
|
3127
3381
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
3128
|
-
return
|
3382
|
+
return false;
|
3129
3383
|
}
|
3130
3384
|
|
3131
|
-
if (ssl_check_clienthello_tlsext(hs)
|
3385
|
+
if (!ssl_check_clienthello_tlsext(hs)) {
|
3132
3386
|
OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT);
|
3133
|
-
return
|
3387
|
+
return false;
|
3134
3388
|
}
|
3135
3389
|
|
3136
|
-
return
|
3390
|
+
return true;
|
3137
3391
|
}
|
3138
3392
|
|
3139
|
-
static
|
3140
|
-
|
3393
|
+
static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
|
3394
|
+
int *out_alert) {
|
3141
3395
|
SSL *const ssl = hs->ssl;
|
3142
3396
|
// Before TLS 1.3, ServerHello extensions blocks may be omitted if empty.
|
3143
3397
|
if (CBS_len(cbs) == 0 && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
|
3144
|
-
return
|
3398
|
+
return true;
|
3145
3399
|
}
|
3146
3400
|
|
3147
3401
|
// Decode the extensions block and check it is valid.
|
@@ -3149,7 +3403,7 @@ static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
|
|
3149
3403
|
if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
|
3150
3404
|
!tls1_check_duplicate_extensions(&extensions)) {
|
3151
3405
|
*out_alert = SSL_AD_DECODE_ERROR;
|
3152
|
-
return
|
3406
|
+
return false;
|
3153
3407
|
}
|
3154
3408
|
|
3155
3409
|
uint32_t received = 0;
|
@@ -3161,7 +3415,7 @@ static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
|
|
3161
3415
|
if (!CBS_get_u16(&extensions, &type) ||
|
3162
3416
|
!CBS_get_u16_length_prefixed(&extensions, &extension)) {
|
3163
3417
|
*out_alert = SSL_AD_DECODE_ERROR;
|
3164
|
-
return
|
3418
|
+
return false;
|
3165
3419
|
}
|
3166
3420
|
|
3167
3421
|
unsigned ext_index;
|
@@ -3169,24 +3423,21 @@ static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
|
|
3169
3423
|
tls_extension_find(&ext_index, type);
|
3170
3424
|
|
3171
3425
|
if (ext == NULL) {
|
3172
|
-
|
3173
|
-
|
3174
|
-
|
3175
|
-
|
3176
|
-
continue;
|
3426
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
3427
|
+
ERR_add_error_dataf("extension %u", (unsigned)type);
|
3428
|
+
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
|
3429
|
+
return false;
|
3177
3430
|
}
|
3178
3431
|
|
3179
3432
|
static_assert(kNumExtensions <= sizeof(hs->extensions.sent) * 8,
|
3180
3433
|
"too many bits");
|
3181
3434
|
|
3182
|
-
if (!(hs->extensions.sent & (1u << ext_index))
|
3183
|
-
|
3184
|
-
// If the extension was never sent then it is illegal, except for the
|
3185
|
-
// renegotiation extension which, in SSL 3.0, is signaled via SCSV.
|
3435
|
+
if (!(hs->extensions.sent & (1u << ext_index))) {
|
3436
|
+
// If the extension was never sent then it is illegal.
|
3186
3437
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
3187
3438
|
ERR_add_error_dataf("extension :%u", (unsigned)type);
|
3188
3439
|
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
|
3189
|
-
return
|
3440
|
+
return false;
|
3190
3441
|
}
|
3191
3442
|
|
3192
3443
|
received |= (1u << ext_index);
|
@@ -3196,7 +3447,7 @@ static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
|
|
3196
3447
|
OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
|
3197
3448
|
ERR_add_error_dataf("extension %u", (unsigned)type);
|
3198
3449
|
*out_alert = alert;
|
3199
|
-
return
|
3450
|
+
return false;
|
3200
3451
|
}
|
3201
3452
|
}
|
3202
3453
|
|
@@ -3209,125 +3460,129 @@ static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
|
|
3209
3460
|
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
|
3210
3461
|
ERR_add_error_dataf("extension %u", (unsigned)kExtensions[i].value);
|
3211
3462
|
*out_alert = alert;
|
3212
|
-
return
|
3463
|
+
return false;
|
3213
3464
|
}
|
3214
3465
|
}
|
3215
3466
|
}
|
3216
3467
|
|
3217
|
-
return
|
3468
|
+
return true;
|
3218
3469
|
}
|
3219
3470
|
|
3220
|
-
static
|
3471
|
+
static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
|
3221
3472
|
SSL *const ssl = hs->ssl;
|
3222
3473
|
|
3223
|
-
if (ssl->token_binding_negotiated &&
|
3474
|
+
if (ssl->s3->token_binding_negotiated &&
|
3224
3475
|
!(SSL_get_secure_renegotiation_support(ssl) &&
|
3225
3476
|
SSL_get_extms_support(ssl))) {
|
3226
3477
|
OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);
|
3227
3478
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
|
3228
|
-
return
|
3479
|
+
return false;
|
3229
3480
|
}
|
3230
3481
|
|
3231
3482
|
int ret = SSL_TLSEXT_ERR_NOACK;
|
3232
3483
|
int al = SSL_AD_UNRECOGNIZED_NAME;
|
3233
3484
|
|
3234
|
-
if (ssl->ctx->
|
3235
|
-
ret = ssl->ctx->
|
3236
|
-
|
3237
|
-
|
3238
|
-
|
3239
|
-
ssl, &al, ssl->session_ctx->tlsext_servername_arg);
|
3485
|
+
if (ssl->ctx->servername_callback != 0) {
|
3486
|
+
ret = ssl->ctx->servername_callback(ssl, &al, ssl->ctx->servername_arg);
|
3487
|
+
} else if (ssl->session_ctx->servername_callback != 0) {
|
3488
|
+
ret = ssl->session_ctx->servername_callback(
|
3489
|
+
ssl, &al, ssl->session_ctx->servername_arg);
|
3240
3490
|
}
|
3241
3491
|
|
3242
3492
|
switch (ret) {
|
3243
3493
|
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
3244
3494
|
ssl_send_alert(ssl, SSL3_AL_FATAL, al);
|
3245
|
-
return
|
3495
|
+
return false;
|
3246
3496
|
|
3247
3497
|
case SSL_TLSEXT_ERR_NOACK:
|
3248
3498
|
hs->should_ack_sni = false;
|
3249
|
-
return
|
3499
|
+
return true;
|
3250
3500
|
|
3251
3501
|
default:
|
3252
|
-
return
|
3502
|
+
return true;
|
3253
3503
|
}
|
3254
3504
|
}
|
3255
3505
|
|
3256
|
-
|
3506
|
+
bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs) {
|
3257
3507
|
SSL *const ssl = hs->ssl;
|
3258
3508
|
int alert = SSL_AD_DECODE_ERROR;
|
3259
|
-
if (ssl_scan_serverhello_tlsext(hs, cbs, &alert)
|
3509
|
+
if (!ssl_scan_serverhello_tlsext(hs, cbs, &alert)) {
|
3260
3510
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
3261
|
-
return
|
3511
|
+
return false;
|
3262
3512
|
}
|
3263
3513
|
|
3264
|
-
return
|
3514
|
+
return true;
|
3265
3515
|
}
|
3266
3516
|
|
3267
3517
|
static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(
|
3268
|
-
uint8_t
|
3269
|
-
|
3518
|
+
Array<uint8_t> *out, EVP_CIPHER_CTX *cipher_ctx, HMAC_CTX *hmac_ctx,
|
3519
|
+
Span<const uint8_t> ticket) {
|
3270
3520
|
size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx);
|
3271
3521
|
|
3272
3522
|
// Check the MAC at the end of the ticket.
|
3273
3523
|
uint8_t mac[EVP_MAX_MD_SIZE];
|
3274
3524
|
size_t mac_len = HMAC_size(hmac_ctx);
|
3275
|
-
if (
|
3525
|
+
if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
|
3276
3526
|
// The ticket must be large enough for key name, IV, data, and MAC.
|
3277
3527
|
return ssl_ticket_aead_ignore_ticket;
|
3278
3528
|
}
|
3279
|
-
|
3529
|
+
// Split the ticket into the ticket and the MAC.
|
3530
|
+
auto ticket_mac = ticket.subspan(ticket.size() - mac_len);
|
3531
|
+
ticket = ticket.subspan(0, ticket.size() - mac_len);
|
3532
|
+
HMAC_Update(hmac_ctx, ticket.data(), ticket.size());
|
3280
3533
|
HMAC_Final(hmac_ctx, mac, NULL);
|
3281
|
-
|
3282
|
-
|
3534
|
+
assert(mac_len == ticket_mac.size());
|
3535
|
+
bool mac_ok = CRYPTO_memcmp(mac, ticket_mac.data(), mac_len) == 0;
|
3283
3536
|
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
|
3284
|
-
mac_ok =
|
3537
|
+
mac_ok = true;
|
3285
3538
|
#endif
|
3286
3539
|
if (!mac_ok) {
|
3287
3540
|
return ssl_ticket_aead_ignore_ticket;
|
3288
3541
|
}
|
3289
3542
|
|
3290
3543
|
// Decrypt the session data.
|
3291
|
-
|
3292
|
-
|
3293
|
-
|
3294
|
-
|
3295
|
-
if (!plaintext) {
|
3544
|
+
auto ciphertext = ticket.subspan(SSL_TICKET_KEY_NAME_LEN + iv_len);
|
3545
|
+
Array<uint8_t> plaintext;
|
3546
|
+
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
|
3547
|
+
if (!plaintext.CopyFrom(ciphertext)) {
|
3296
3548
|
return ssl_ticket_aead_error;
|
3297
3549
|
}
|
3298
|
-
size_t plaintext_len;
|
3299
|
-
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
|
3300
|
-
OPENSSL_memcpy(plaintext.get(), ciphertext, ciphertext_len);
|
3301
|
-
plaintext_len = ciphertext_len;
|
3302
3550
|
#else
|
3303
|
-
if (
|
3551
|
+
if (ciphertext.size() >= INT_MAX) {
|
3304
3552
|
return ssl_ticket_aead_ignore_ticket;
|
3305
3553
|
}
|
3554
|
+
if (!plaintext.Init(ciphertext.size())) {
|
3555
|
+
return ssl_ticket_aead_error;
|
3556
|
+
}
|
3306
3557
|
int len1, len2;
|
3307
|
-
if (!EVP_DecryptUpdate(cipher_ctx, plaintext.
|
3308
|
-
(int)
|
3309
|
-
!EVP_DecryptFinal_ex(cipher_ctx, plaintext.
|
3558
|
+
if (!EVP_DecryptUpdate(cipher_ctx, plaintext.data(), &len1, ciphertext.data(),
|
3559
|
+
(int)ciphertext.size()) ||
|
3560
|
+
!EVP_DecryptFinal_ex(cipher_ctx, plaintext.data() + len1, &len2)) {
|
3310
3561
|
ERR_clear_error();
|
3311
3562
|
return ssl_ticket_aead_ignore_ticket;
|
3312
3563
|
}
|
3313
|
-
|
3564
|
+
plaintext.Shrink(static_cast<size_t>(len1) + len2);
|
3314
3565
|
#endif
|
3315
3566
|
|
3316
|
-
*out = plaintext
|
3317
|
-
*out_len = plaintext_len;
|
3567
|
+
*out = std::move(plaintext);
|
3318
3568
|
return ssl_ticket_aead_success;
|
3319
3569
|
}
|
3320
3570
|
|
3321
3571
|
static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb(
|
3322
|
-
|
3323
|
-
const uint8_t
|
3324
|
-
assert(
|
3572
|
+
SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket,
|
3573
|
+
Span<const uint8_t> ticket) {
|
3574
|
+
assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
|
3325
3575
|
ScopedEVP_CIPHER_CTX cipher_ctx;
|
3326
3576
|
ScopedHMAC_CTX hmac_ctx;
|
3327
|
-
|
3328
|
-
|
3329
|
-
|
3330
|
-
|
3577
|
+
auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);
|
3578
|
+
// The actual IV is shorter, but the length is determined by the callback's
|
3579
|
+
// chosen cipher. Instead we pass in |EVP_MAX_IV_LENGTH| worth of IV to ensure
|
3580
|
+
// the callback has enough.
|
3581
|
+
auto iv = ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_MAX_IV_LENGTH);
|
3582
|
+
int cb_ret = hs->ssl->session_ctx->ticket_key_cb(
|
3583
|
+
hs->ssl, const_cast<uint8_t *>(name.data()),
|
3584
|
+
const_cast<uint8_t *>(iv.data()), cipher_ctx.get(), hmac_ctx.get(),
|
3585
|
+
0 /* decrypt */);
|
3331
3586
|
if (cb_ret < 0) {
|
3332
3587
|
return ssl_ticket_aead_error;
|
3333
3588
|
} else if (cb_ret == 0) {
|
@@ -3337,106 +3592,102 @@ static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb(
|
|
3337
3592
|
} else {
|
3338
3593
|
assert(cb_ret == 1);
|
3339
3594
|
}
|
3340
|
-
return decrypt_ticket_with_cipher_ctx(out,
|
3341
|
-
|
3595
|
+
return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),
|
3596
|
+
ticket);
|
3342
3597
|
}
|
3343
3598
|
|
3344
3599
|
static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys(
|
3345
|
-
|
3346
|
-
|
3347
|
-
|
3348
|
-
SSL_CTX *ctx = ssl->session_ctx;
|
3600
|
+
SSL_HANDSHAKE *hs, Array<uint8_t> *out, Span<const uint8_t> ticket) {
|
3601
|
+
assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
|
3602
|
+
SSL_CTX *ctx = hs->ssl->session_ctx.get();
|
3349
3603
|
|
3350
3604
|
// Rotate the ticket key if necessary.
|
3351
3605
|
if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
|
3352
3606
|
return ssl_ticket_aead_error;
|
3353
3607
|
}
|
3354
3608
|
|
3609
|
+
const EVP_CIPHER *cipher = EVP_aes_128_cbc();
|
3610
|
+
auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);
|
3611
|
+
auto iv =
|
3612
|
+
ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_CIPHER_iv_length(cipher));
|
3613
|
+
|
3355
3614
|
// Pick the matching ticket key and decrypt.
|
3356
3615
|
ScopedEVP_CIPHER_CTX cipher_ctx;
|
3357
3616
|
ScopedHMAC_CTX hmac_ctx;
|
3358
3617
|
{
|
3359
3618
|
MutexReadLock lock(&ctx->lock);
|
3360
|
-
const
|
3361
|
-
if (ctx->
|
3362
|
-
|
3363
|
-
|
3364
|
-
key = ctx->
|
3365
|
-
} else if (ctx->tlsext_ticket_key_prev &&
|
3366
|
-
!OPENSSL_memcmp(ctx->tlsext_ticket_key_prev->name, ticket,
|
3367
|
-
SSL_TICKET_KEY_NAME_LEN)) {
|
3368
|
-
key = ctx->tlsext_ticket_key_prev;
|
3619
|
+
const TicketKey *key;
|
3620
|
+
if (ctx->ticket_key_current && name == ctx->ticket_key_current->name) {
|
3621
|
+
key = ctx->ticket_key_current.get();
|
3622
|
+
} else if (ctx->ticket_key_prev && name == ctx->ticket_key_prev->name) {
|
3623
|
+
key = ctx->ticket_key_prev.get();
|
3369
3624
|
} else {
|
3370
3625
|
return ssl_ticket_aead_ignore_ticket;
|
3371
3626
|
}
|
3372
|
-
const uint8_t *iv = ticket + SSL_TICKET_KEY_NAME_LEN;
|
3373
3627
|
if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key),
|
3374
3628
|
tlsext_tick_md(), NULL) ||
|
3375
|
-
!EVP_DecryptInit_ex(cipher_ctx.get(),
|
3376
|
-
key->aes_key, iv)) {
|
3629
|
+
!EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL,
|
3630
|
+
key->aes_key, iv.data())) {
|
3377
3631
|
return ssl_ticket_aead_error;
|
3378
3632
|
}
|
3379
3633
|
}
|
3380
|
-
return decrypt_ticket_with_cipher_ctx(out,
|
3381
|
-
|
3634
|
+
return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),
|
3635
|
+
ticket);
|
3382
3636
|
}
|
3383
3637
|
|
3384
3638
|
static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method(
|
3385
|
-
|
3386
|
-
const uint8_t
|
3387
|
-
uint8_t
|
3388
|
-
if (plaintext
|
3639
|
+
SSL_HANDSHAKE *hs, Array<uint8_t> *out, bool *out_renew_ticket,
|
3640
|
+
Span<const uint8_t> ticket) {
|
3641
|
+
Array<uint8_t> plaintext;
|
3642
|
+
if (!plaintext.Init(ticket.size())) {
|
3389
3643
|
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
3390
3644
|
return ssl_ticket_aead_error;
|
3391
3645
|
}
|
3392
3646
|
|
3393
3647
|
size_t plaintext_len;
|
3394
3648
|
const enum ssl_ticket_aead_result_t result =
|
3395
|
-
ssl->session_ctx->ticket_aead_method->open(
|
3396
|
-
ssl, plaintext, &plaintext_len,
|
3397
|
-
|
3398
|
-
if (result
|
3399
|
-
|
3400
|
-
plaintext = NULL;
|
3401
|
-
*out_len = plaintext_len;
|
3649
|
+
hs->ssl->session_ctx->ticket_aead_method->open(
|
3650
|
+
hs->ssl, plaintext.data(), &plaintext_len, ticket.size(),
|
3651
|
+
ticket.data(), ticket.size());
|
3652
|
+
if (result != ssl_ticket_aead_success) {
|
3653
|
+
return result;
|
3402
3654
|
}
|
3403
3655
|
|
3404
|
-
|
3405
|
-
|
3656
|
+
plaintext.Shrink(plaintext_len);
|
3657
|
+
*out = std::move(plaintext);
|
3658
|
+
return ssl_ticket_aead_success;
|
3406
3659
|
}
|
3407
3660
|
|
3408
3661
|
enum ssl_ticket_aead_result_t ssl_process_ticket(
|
3409
|
-
|
3410
|
-
|
3411
|
-
|
3662
|
+
SSL_HANDSHAKE *hs, UniquePtr<SSL_SESSION> *out_session,
|
3663
|
+
bool *out_renew_ticket, Span<const uint8_t> ticket,
|
3664
|
+
Span<const uint8_t> session_id) {
|
3412
3665
|
*out_renew_ticket = false;
|
3413
3666
|
out_session->reset();
|
3414
3667
|
|
3415
|
-
if ((SSL_get_options(ssl) & SSL_OP_NO_TICKET) ||
|
3416
|
-
|
3668
|
+
if ((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) ||
|
3669
|
+
session_id.size() > SSL_MAX_SSL_SESSION_ID_LENGTH) {
|
3417
3670
|
return ssl_ticket_aead_ignore_ticket;
|
3418
3671
|
}
|
3419
3672
|
|
3420
|
-
uint8_t
|
3421
|
-
size_t plaintext_len;
|
3673
|
+
Array<uint8_t> plaintext;
|
3422
3674
|
enum ssl_ticket_aead_result_t result;
|
3423
|
-
if (ssl->session_ctx->ticket_aead_method != NULL) {
|
3424
|
-
result = ssl_decrypt_ticket_with_method(
|
3425
|
-
|
3675
|
+
if (hs->ssl->session_ctx->ticket_aead_method != NULL) {
|
3676
|
+
result = ssl_decrypt_ticket_with_method(hs, &plaintext, out_renew_ticket,
|
3677
|
+
ticket);
|
3426
3678
|
} else {
|
3427
|
-
// Ensure there is room for the key name and the largest IV
|
3428
|
-
//
|
3429
|
-
//
|
3430
|
-
//
|
3431
|
-
if (
|
3679
|
+
// Ensure there is room for the key name and the largest IV |ticket_key_cb|
|
3680
|
+
// may try to consume. The real limit may be lower, but the maximum IV
|
3681
|
+
// length should be well under the minimum size for the session material and
|
3682
|
+
// HMAC.
|
3683
|
+
if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
|
3432
3684
|
return ssl_ticket_aead_ignore_ticket;
|
3433
3685
|
}
|
3434
|
-
if (ssl->session_ctx->
|
3435
|
-
result =
|
3436
|
-
|
3686
|
+
if (hs->ssl->session_ctx->ticket_key_cb != NULL) {
|
3687
|
+
result =
|
3688
|
+
ssl_decrypt_ticket_with_cb(hs, &plaintext, out_renew_ticket, ticket);
|
3437
3689
|
} else {
|
3438
|
-
result = ssl_decrypt_ticket_with_ticket_keys(
|
3439
|
-
ssl, &plaintext, &plaintext_len, ticket, ticket_len);
|
3690
|
+
result = ssl_decrypt_ticket_with_ticket_keys(hs, &plaintext, ticket);
|
3440
3691
|
}
|
3441
3692
|
}
|
3442
3693
|
|
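Review bot: In `ssl_decrypt_ticket_with_method`, the `plaintext_len` filled in by the application-supplied `ticket_aead_method->open` is passed straight to `plaintext.Shrink` without being compared against the `ticket.size()` capacity that was handed to the callback as its maximum output length, so an `open` implementation that over-reports is caught only by whatever `Shrink` does with an oversize value, which is not visible here. A one-line guard before the shrink makes the contract explicit and fails closed: `if (plaintext_len > ticket.size()) { return ssl_ticket_aead_error; }`. In the same function `out_renew_ticket` is accepted but never written; since `ssl_process_ticket` initialises it to false before dispatching, a comment such as `// The AEAD method has no renewal signal; |*out_renew_ticket| keeps the caller's initial false.` would spare the reader a search for the missing assignment. `ssl_decrypt_ticket_with_cb` begins before this hunk and `ssl_process_ticket` continues past its end.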
@@ -3445,10 +3696,8 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(
|
|
3445
3696
|
}
|
3446
3697
|
|
3447
3698
|
// Decode the session.
|
3448
|
-
UniquePtr<SSL_SESSION> session(
|
3449
|
-
|
3450
|
-
OPENSSL_free(plaintext);
|
3451
|
-
|
3699
|
+
UniquePtr<SSL_SESSION> session(SSL_SESSION_from_bytes(
|
3700
|
+
plaintext.data(), plaintext.size(), hs->ssl->ctx.get()));
|
3452
3701
|
if (!session) {
|
3453
3702
|
ERR_clear_error(); // Don't leave an error on the queue.
|
3454
3703
|
return ssl_ticket_aead_ignore_ticket;
|
@@ -3456,8 +3705,8 @@ enum ssl_ticket_aead_result_t ssl_process_ticket(
|
|
3456
3705
|
|
3457
3706
|
// Copy the client's session ID into the new session, to denote the ticket has
|
3458
3707
|
// been accepted.
|
3459
|
-
OPENSSL_memcpy(session->session_id, session_id,
|
3460
|
-
session->session_id_length =
|
3708
|
+
OPENSSL_memcpy(session->session_id, session_id.data(), session_id.size());
|
3709
|
+
session->session_id_length = session_id.size();
|
3461
3710
|
|
3462
3711
|
*out_session = std::move(session);
|
3463
3712
|
return ssl_ticket_aead_success;
|
@@ -3469,7 +3718,10 @@ bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
|
|
3469
3718
|
return true;
|
3470
3719
|
}
|
3471
3720
|
|
3472
|
-
|
3721
|
+
// In all contexts, the signature algorithms list may not be empty. (It may be
|
3722
|
+
// omitted by clients in TLS 1.2, but then the entire extension is omitted.)
|
3723
|
+
return CBS_len(in_sigalgs) != 0 &&
|
3724
|
+
parse_u16_array(in_sigalgs, &hs->peer_sigalgs);
|
3473
3725
|
}
|
3474
3726
|
|
3475
3727
|
bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
|
@@ -3487,7 +3739,8 @@ bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
|
|
3487
3739
|
|
3488
3740
|
bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
|
3489
3741
|
SSL *const ssl = hs->ssl;
|
3490
|
-
CERT *cert =
|
3742
|
+
CERT *cert = hs->config->cert.get();
|
3743
|
+
DC *dc = cert->dc.get();
|
3491
3744
|
|
3492
3745
|
// Before TLS 1.2, the signature algorithm isn't negotiated as part of the
|
3493
3746
|
// handshake.
|
@@ -3500,19 +3753,13 @@ bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
|
|
3500
3753
|
}
|
3501
3754
|
|
3502
3755
|
Span<const uint16_t> sigalgs = kSignSignatureAlgorithms;
|
3503
|
-
if (
|
3504
|
-
sigalgs = MakeConstSpan(
|
3756
|
+
if (ssl_signing_with_dc(hs)) {
|
3757
|
+
sigalgs = MakeConstSpan(&dc->expected_cert_verify_algorithm, 1);
|
3758
|
+
} else if (!cert->sigalgs.empty()) {
|
3759
|
+
sigalgs = cert->sigalgs;
|
3505
3760
|
}
|
3506
3761
|
|
3507
|
-
Span<const uint16_t> peer_sigalgs = hs
|
3508
|
-
if (peer_sigalgs.empty() && ssl_protocol_version(ssl) < TLS1_3_VERSION) {
|
3509
|
-
// If the client didn't specify any signature_algorithms extension then
|
3510
|
-
// we can assume that it supports SHA1. See
|
3511
|
-
// http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
|
3512
|
-
static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
|
3513
|
-
SSL_SIGN_ECDSA_SHA1};
|
3514
|
-
peer_sigalgs = kDefaultPeerAlgorithms;
|
3515
|
-
}
|
3762
|
+
Span<const uint16_t> peer_sigalgs = tls1_get_peer_verify_algorithms(hs);
|
3516
3763
|
|
3517
3764
|
for (uint16_t sigalg : sigalgs) {
|
3518
3765
|
// SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
|
@@ -3534,7 +3781,20 @@ bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
|
|
3534
3781
|
return false;
|
3535
3782
|
}
|
3536
3783
|
|
3537
|
-
|
3784
|
+
Span<const uint16_t> tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE *hs) {
|
3785
|
+
Span<const uint16_t> peer_sigalgs = hs->peer_sigalgs;
|
3786
|
+
if (peer_sigalgs.empty() && ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
|
3787
|
+
// If the client didn't specify any signature_algorithms extension then
|
3788
|
+
// we can assume that it supports SHA1. See
|
3789
|
+
// http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
|
3790
|
+
static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
|
3791
|
+
SSL_SIGN_ECDSA_SHA1};
|
3792
|
+
peer_sigalgs = kDefaultPeerAlgorithms;
|
3793
|
+
}
|
3794
|
+
return peer_sigalgs;
|
3795
|
+
}
|
3796
|
+
|
3797
|
+
bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
|
3538
3798
|
SSL *const ssl = hs->ssl;
|
3539
3799
|
// A Channel ID handshake message is structured to contain multiple
|
3540
3800
|
// extensions, but the only one that can be present is Channel ID.
|
@@ -3547,19 +3807,19 @@ int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
|
|
3547
3807
|
CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
|
3548
3808
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
3549
3809
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
3550
|
-
return
|
3810
|
+
return false;
|
3551
3811
|
}
|
3552
3812
|
|
3553
3813
|
UniquePtr<EC_GROUP> p256(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
|
3554
3814
|
if (!p256) {
|
3555
3815
|
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
|
3556
|
-
return
|
3816
|
+
return false;
|
3557
3817
|
}
|
3558
3818
|
|
3559
3819
|
UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
|
3560
3820
|
UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
|
3561
3821
|
if (!sig || !x || !y) {
|
3562
|
-
return
|
3822
|
+
return false;
|
3563
3823
|
}
|
3564
3824
|
|
3565
3825
|
const uint8_t *p = CBS_data(&extension);
|
@@ -3567,7 +3827,7 @@ int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
|
|
3567
3827
|
BN_bin2bn(p + 32, 32, y.get()) == NULL ||
|
3568
3828
|
BN_bin2bn(p + 64, 32, sig->r) == NULL ||
|
3569
3829
|
BN_bin2bn(p + 96, 32, sig->s) == NULL) {
|
3570
|
-
return
|
3830
|
+
return false;
|
3571
3831
|
}
|
3572
3832
|
|
3573
3833
|
UniquePtr<EC_KEY> key(EC_KEY_new());
|
@@ -3577,40 +3837,39 @@ int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
|
|
3577
3837
|
y.get(), nullptr) ||
|
3578
3838
|
!EC_KEY_set_group(key.get(), p256.get()) ||
|
3579
3839
|
!EC_KEY_set_public_key(key.get(), point.get())) {
|
3580
|
-
return
|
3840
|
+
return false;
|
3581
3841
|
}
|
3582
3842
|
|
3583
3843
|
uint8_t digest[EVP_MAX_MD_SIZE];
|
3584
3844
|
size_t digest_len;
|
3585
3845
|
if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
|
3586
|
-
return
|
3846
|
+
return false;
|
3587
3847
|
}
|
3588
3848
|
|
3589
|
-
|
3849
|
+
bool sig_ok = ECDSA_do_verify(digest, digest_len, sig.get(), key.get());
|
3590
3850
|
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
|
3591
|
-
sig_ok =
|
3851
|
+
sig_ok = true;
|
3592
3852
|
ERR_clear_error();
|
3593
3853
|
#endif
|
3594
3854
|
if (!sig_ok) {
|
3595
3855
|
OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
|
3596
3856
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
|
3597
|
-
ssl->s3->
|
3598
|
-
return
|
3857
|
+
ssl->s3->channel_id_valid = false;
|
3858
|
+
return false;
|
3599
3859
|
}
|
3600
3860
|
|
3601
|
-
OPENSSL_memcpy(ssl->s3->
|
3602
|
-
return
|
3861
|
+
OPENSSL_memcpy(ssl->s3->channel_id, p, 64);
|
3862
|
+
return true;
|
3603
3863
|
}
|
3604
3864
|
|
3605
3865
|
bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) {
|
3606
|
-
SSL *const ssl = hs->ssl;
|
3607
3866
|
uint8_t digest[EVP_MAX_MD_SIZE];
|
3608
3867
|
size_t digest_len;
|
3609
3868
|
if (!tls1_channel_id_hash(hs, digest, &digest_len)) {
|
3610
3869
|
return false;
|
3611
3870
|
}
|
3612
3871
|
|
3613
|
-
EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(
|
3872
|
+
EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(hs->config->channel_id_private.get());
|
3614
3873
|
if (ec_key == nullptr) {
|
3615
3874
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
3616
3875
|
return false;
|
@@ -3643,17 +3902,17 @@ bool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) {
|
|
3643
3902
|
return true;
|
3644
3903
|
}
|
3645
3904
|
|
3646
|
-
|
3905
|
+
bool tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {
|
3647
3906
|
SSL *const ssl = hs->ssl;
|
3648
3907
|
if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
|
3649
3908
|
Array<uint8_t> msg;
|
3650
3909
|
if (!tls13_get_cert_verify_signature_input(hs, &msg,
|
3651
3910
|
ssl_cert_verify_channel_id)) {
|
3652
|
-
return
|
3911
|
+
return false;
|
3653
3912
|
}
|
3654
3913
|
SHA256(msg.data(), msg.size(), out);
|
3655
3914
|
*out_len = SHA256_DIGEST_LENGTH;
|
3656
|
-
return
|
3915
|
+
return true;
|
3657
3916
|
}
|
3658
3917
|
|
3659
3918
|
SHA256_CTX ctx;
|
@@ -3667,7 +3926,7 @@ int tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {
|
|
3667
3926
|
SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic));
|
3668
3927
|
if (ssl->session->original_handshake_hash_len == 0) {
|
3669
3928
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
3670
|
-
return
|
3929
|
+
return false;
|
3671
3930
|
}
|
3672
3931
|
SHA256_Update(&ctx, ssl->session->original_handshake_hash,
|
3673
3932
|
ssl->session->original_handshake_hash_len);
|
@@ -3676,24 +3935,21 @@ int tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {
|
|
3676
3935
|
uint8_t hs_hash[EVP_MAX_MD_SIZE];
|
3677
3936
|
size_t hs_hash_len;
|
3678
3937
|
if (!hs->transcript.GetHash(hs_hash, &hs_hash_len)) {
|
3679
|
-
return
|
3938
|
+
return false;
|
3680
3939
|
}
|
3681
3940
|
SHA256_Update(&ctx, hs_hash, (size_t)hs_hash_len);
|
3682
3941
|
SHA256_Final(out, &ctx);
|
3683
3942
|
*out_len = SHA256_DIGEST_LENGTH;
|
3684
|
-
return
|
3943
|
+
return true;
|
3685
3944
|
}
|
3686
3945
|
|
3687
|
-
|
3688
|
-
// hashes in |hs->new_session| so that Channel ID resumptions can sign that
|
3689
|
-
// data.
|
3690
|
-
int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
|
3946
|
+
bool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
|
3691
3947
|
SSL *const ssl = hs->ssl;
|
3692
3948
|
// This function should never be called for a resumed session because the
|
3693
3949
|
// handshake hashes that we wish to record are for the original, full
|
3694
3950
|
// handshake.
|
3695
3951
|
if (ssl->session != NULL) {
|
3696
|
-
return
|
3952
|
+
return false;
|
3697
3953
|
}
|
3698
3954
|
|
3699
3955
|
static_assert(
|
@@ -3703,35 +3959,34 @@ int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
|
|
3703
3959
|
size_t digest_len;
|
3704
3960
|
if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash,
|
3705
3961
|
&digest_len)) {
|
3706
|
-
return
|
3962
|
+
return false;
|
3707
3963
|
}
|
3708
3964
|
|
3709
3965
|
static_assert(EVP_MAX_MD_SIZE <= 0xff,
|
3710
3966
|
"EVP_MAX_MD_SIZE does not fit in uint8_t");
|
3711
3967
|
hs->new_session->original_handshake_hash_len = (uint8_t)digest_len;
|
3712
3968
|
|
3713
|
-
return
|
3969
|
+
return true;
|
3714
3970
|
}
|
3715
3971
|
|
3716
|
-
|
3717
|
-
if (
|
3718
|
-
ssl->ctx->channel_id_cb == NULL) {
|
3719
|
-
return
|
3972
|
+
bool ssl_do_channel_id_callback(SSL_HANDSHAKE *hs) {
|
3973
|
+
if (hs->config->channel_id_private != NULL ||
|
3974
|
+
hs->ssl->ctx->channel_id_cb == NULL) {
|
3975
|
+
return true;
|
3720
3976
|
}
|
3721
3977
|
|
3722
3978
|
EVP_PKEY *key = NULL;
|
3723
|
-
ssl->ctx->channel_id_cb(ssl, &key);
|
3979
|
+
hs->ssl->ctx->channel_id_cb(hs->ssl, &key);
|
3724
3980
|
if (key == NULL) {
|
3725
3981
|
// The caller should try again later.
|
3726
|
-
return
|
3982
|
+
return true;
|
3727
3983
|
}
|
3728
3984
|
|
3729
|
-
|
3730
|
-
|
3731
|
-
return ret;
|
3985
|
+
UniquePtr<EVP_PKEY> free_key(key);
|
3986
|
+
return SSL_set1_tls_channel_id(hs->ssl, key);
|
3732
3987
|
}
|
3733
3988
|
|
3734
|
-
|
3989
|
+
bool ssl_is_sct_list_valid(const CBS *contents) {
|
3735
3990
|
// Shallow parse the SCT list for sanity. By the RFC
|
3736
3991
|
// (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
|
3737
3992
|
// of the SCTs may be empty.
|
@@ -3740,21 +3995,21 @@ int ssl_is_sct_list_valid(const CBS *contents) {
|
|
3740
3995
|
if (!CBS_get_u16_length_prefixed(©, &sct_list) ||
|
3741
3996
|
CBS_len(©) != 0 ||
|
3742
3997
|
CBS_len(&sct_list) == 0) {
|
3743
|
-
return
|
3998
|
+
return false;
|
3744
3999
|
}
|
3745
4000
|
|
3746
4001
|
while (CBS_len(&sct_list) > 0) {
|
3747
4002
|
CBS sct;
|
3748
4003
|
if (!CBS_get_u16_length_prefixed(&sct_list, &sct) ||
|
3749
4004
|
CBS_len(&sct) == 0) {
|
3750
|
-
return
|
4005
|
+
return false;
|
3751
4006
|
}
|
3752
4007
|
}
|
3753
4008
|
|
3754
|
-
return
|
4009
|
+
return true;
|
3755
4010
|
}
|
3756
4011
|
|
3757
|
-
|
4012
|
+
BSSL_NAMESPACE_END
|
3758
4013
|
|
3759
4014
|
using namespace bssl;
|
3760
4015
|
|
@@ -3776,8 +4031,6 @@ void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
|
|
3776
4031
|
ctx->ed25519_enabled = !!enabled;
|
3777
4032
|
}
|
3778
4033
|
|
3779
|
-
|
3780
|
-
|
3781
|
-
return extension_value == TLSEXT_TYPE_padding ||
|
3782
|
-
tls_extension_find(&index, extension_value) != NULL;
|
4034
|
+
void SSL_CTX_set_rsa_pss_rsae_certs_enabled(SSL_CTX *ctx, int enabled) {
|
4035
|
+
ctx->rsa_pss_rsae_certs_enabled = !!enabled;
|
3783
4036
|
}
|