grpc 1.41.0 → 1.41.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +4 -3
- data/etc/roots.pem +335 -326
- data/src/ruby/ext/grpc/extconf.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/err_data.c +278 -272
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +15 -22
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +19 -29
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/a_strex.c +268 -271
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +6 -43
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +0 -39
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/charmap.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +289 -198
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +9 -13
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -17
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +45 -65
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +21 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +5 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +24 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +12 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +0 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +0 -8
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/internal.h +16 -7
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c +9 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +151 -12
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +181 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +246 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +11 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +0 -179
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +0 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +11 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +0 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +22 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_int.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +24 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +17 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +112 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +71 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +304 -192
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +2 -9
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +5 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +3 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +9 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +8 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/hkdf.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +9 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +12 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +37 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +26 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +31 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +50 -76
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +0 -131
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +48 -8
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +266 -357
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +90 -152
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +75 -79
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +96 -97
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +63 -43
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +6 -12
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +14 -16
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +14 -27
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +203 -203
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +30 -41
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +47 -33
- metadata +39 -38
|
@@ -31,12 +31,6 @@
|
|
|
31
31
|
#include "internal.h"
|
|
32
32
|
|
|
33
33
|
|
|
34
|
-
#if defined(OPENSSL_MSAN)
|
|
35
|
-
#define NO_SANITIZE_MEMORY __attribute__((no_sanitize("memory")))
|
|
36
|
-
#else
|
|
37
|
-
#define NO_SANITIZE_MEMORY
|
|
38
|
-
#endif
|
|
39
|
-
|
|
40
34
|
BSSL_NAMESPACE_BEGIN
|
|
41
35
|
|
|
42
36
|
// ECH reuses the extension code point for the version number.
|
|
@@ -84,16 +78,71 @@ static bool ssl_client_hello_write_without_extensions(
|
|
|
84
78
|
return true;
|
|
85
79
|
}
|
|
86
80
|
|
|
81
|
+
static bool is_valid_client_hello_inner(SSL *ssl, uint8_t *out_alert,
|
|
82
|
+
Span<const uint8_t> body) {
|
|
83
|
+
// See draft-ietf-tls-esni-13, section 7.1.
|
|
84
|
+
SSL_CLIENT_HELLO client_hello;
|
|
85
|
+
CBS extension;
|
|
86
|
+
if (!ssl_client_hello_init(ssl, &client_hello, body) ||
|
|
87
|
+
!ssl_client_hello_get_extension(&client_hello, &extension,
|
|
88
|
+
TLSEXT_TYPE_encrypted_client_hello) ||
|
|
89
|
+
CBS_len(&extension) != 1 || //
|
|
90
|
+
CBS_data(&extension)[0] != ECH_CLIENT_INNER ||
|
|
91
|
+
!ssl_client_hello_get_extension(&client_hello, &extension,
|
|
92
|
+
TLSEXT_TYPE_supported_versions)) {
|
|
93
|
+
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
|
94
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_CLIENT_HELLO_INNER);
|
|
95
|
+
return false;
|
|
96
|
+
}
|
|
97
|
+
// Parse supported_versions and reject TLS versions prior to TLS 1.3. Older
|
|
98
|
+
// versions are incompatible with ECH.
|
|
99
|
+
CBS versions;
|
|
100
|
+
if (!CBS_get_u8_length_prefixed(&extension, &versions) ||
|
|
101
|
+
CBS_len(&extension) != 0 || //
|
|
102
|
+
CBS_len(&versions) == 0) {
|
|
103
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
|
104
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
105
|
+
return false;
|
|
106
|
+
}
|
|
107
|
+
while (CBS_len(&versions) != 0) {
|
|
108
|
+
uint16_t version;
|
|
109
|
+
if (!CBS_get_u16(&versions, &version)) {
|
|
110
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
|
111
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
112
|
+
return false;
|
|
113
|
+
}
|
|
114
|
+
if (version == SSL3_VERSION || version == TLS1_VERSION ||
|
|
115
|
+
version == TLS1_1_VERSION || version == TLS1_2_VERSION ||
|
|
116
|
+
version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
|
|
117
|
+
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
|
118
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_CLIENT_HELLO_INNER);
|
|
119
|
+
return false;
|
|
120
|
+
}
|
|
121
|
+
}
|
|
122
|
+
return true;
|
|
123
|
+
}
|
|
124
|
+
|
|
87
125
|
bool ssl_decode_client_hello_inner(
|
|
88
126
|
SSL *ssl, uint8_t *out_alert, Array<uint8_t> *out_client_hello_inner,
|
|
89
127
|
Span<const uint8_t> encoded_client_hello_inner,
|
|
90
128
|
const SSL_CLIENT_HELLO *client_hello_outer) {
|
|
91
129
|
SSL_CLIENT_HELLO client_hello_inner;
|
|
92
|
-
|
|
93
|
-
|
|
130
|
+
CBS cbs = encoded_client_hello_inner;
|
|
131
|
+
if (!ssl_parse_client_hello_with_trailing_data(ssl, &cbs,
|
|
132
|
+
&client_hello_inner)) {
|
|
94
133
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
95
134
|
return false;
|
|
96
135
|
}
|
|
136
|
+
// The remaining data is padding.
|
|
137
|
+
uint8_t padding;
|
|
138
|
+
while (CBS_get_u8(&cbs, &padding)) {
|
|
139
|
+
if (padding != 0) {
|
|
140
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
141
|
+
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
|
142
|
+
return false;
|
|
143
|
+
}
|
|
144
|
+
}
|
|
145
|
+
|
|
97
146
|
// TLS 1.3 ClientHellos must have extensions, and EncodedClientHelloInners use
|
|
98
147
|
// ClientHelloOuter's session_id.
|
|
99
148
|
if (client_hello_inner.extensions_len == 0 ||
|
|
@@ -106,120 +155,84 @@ bool ssl_decode_client_hello_inner(
|
|
|
106
155
|
|
|
107
156
|
// Begin serializing a message containing the ClientHelloInner in |cbb|.
|
|
108
157
|
ScopedCBB cbb;
|
|
109
|
-
CBB body,
|
|
158
|
+
CBB body, extensions_cbb;
|
|
110
159
|
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CLIENT_HELLO) ||
|
|
111
160
|
!ssl_client_hello_write_without_extensions(&client_hello_inner, &body) ||
|
|
112
|
-
!CBB_add_u16_length_prefixed(&body, &
|
|
161
|
+
!CBB_add_u16_length_prefixed(&body, &extensions_cbb)) {
|
|
113
162
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
114
163
|
return false;
|
|
115
164
|
}
|
|
116
165
|
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
// MSan's libc interceptors do not handle |bsearch|. See b/182583130.
|
|
126
|
-
auto compare_extension = [](const void *a, const void *b)
|
|
127
|
-
NO_SANITIZE_MEMORY -> int {
|
|
128
|
-
const Extension *extension_a = reinterpret_cast<const Extension *>(a);
|
|
129
|
-
const Extension *extension_b = reinterpret_cast<const Extension *>(b);
|
|
130
|
-
if (extension_a->extension < extension_b->extension) {
|
|
131
|
-
return -1;
|
|
132
|
-
} else if (extension_a->extension > extension_b->extension) {
|
|
133
|
-
return 1;
|
|
134
|
-
}
|
|
135
|
-
return 0;
|
|
136
|
-
};
|
|
137
|
-
GrowableArray<Extension> sorted_extensions;
|
|
138
|
-
CBS unsorted_extensions(MakeConstSpan(client_hello_outer->extensions,
|
|
139
|
-
client_hello_outer->extensions_len));
|
|
140
|
-
while (CBS_len(&unsorted_extensions) > 0) {
|
|
141
|
-
Extension extension;
|
|
142
|
-
CBS extension_body;
|
|
143
|
-
if (!CBS_get_u16(&unsorted_extensions, &extension.extension) ||
|
|
144
|
-
!CBS_get_u16_length_prefixed(&unsorted_extensions, &extension_body)) {
|
|
166
|
+
auto inner_extensions = MakeConstSpan(client_hello_inner.extensions,
|
|
167
|
+
client_hello_inner.extensions_len);
|
|
168
|
+
CBS ext_list_wrapper;
|
|
169
|
+
if (!ssl_client_hello_get_extension(&client_hello_inner, &ext_list_wrapper,
|
|
170
|
+
TLSEXT_TYPE_ech_outer_extensions)) {
|
|
171
|
+
// No ech_outer_extensions. Copy everything.
|
|
172
|
+
if (!CBB_add_bytes(&extensions_cbb, inner_extensions.data(),
|
|
173
|
+
inner_extensions.size())) {
|
|
145
174
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
146
175
|
return false;
|
|
147
176
|
}
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
CBS inner_extensions(MakeConstSpan(client_hello_inner.extensions,
|
|
158
|
-
client_hello_inner.extensions_len));
|
|
159
|
-
while (CBS_len(&inner_extensions) > 0) {
|
|
160
|
-
uint16_t extension_id;
|
|
161
|
-
CBS extension_body;
|
|
162
|
-
if (!CBS_get_u16(&inner_extensions, &extension_id) ||
|
|
163
|
-
!CBS_get_u16_length_prefixed(&inner_extensions, &extension_body)) {
|
|
164
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
177
|
+
} else {
|
|
178
|
+
const size_t offset = CBS_data(&ext_list_wrapper) - inner_extensions.data();
|
|
179
|
+
auto inner_extensions_before =
|
|
180
|
+
inner_extensions.subspan(0, offset - 4 /* extension header */);
|
|
181
|
+
auto inner_extensions_after =
|
|
182
|
+
inner_extensions.subspan(offset + CBS_len(&ext_list_wrapper));
|
|
183
|
+
if (!CBB_add_bytes(&extensions_cbb, inner_extensions_before.data(),
|
|
184
|
+
inner_extensions_before.size())) {
|
|
185
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
165
186
|
return false;
|
|
166
187
|
}
|
|
167
|
-
if (extension_id != TLSEXT_TYPE_ech_outer_extensions) {
|
|
168
|
-
if (!CBB_add_u16(&extensions, extension_id) ||
|
|
169
|
-
!CBB_add_u16(&extensions, CBS_len(&extension_body)) ||
|
|
170
|
-
!CBB_add_bytes(&extensions, CBS_data(&extension_body),
|
|
171
|
-
CBS_len(&extension_body))) {
|
|
172
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
173
|
-
return false;
|
|
174
|
-
}
|
|
175
|
-
continue;
|
|
176
|
-
}
|
|
177
188
|
|
|
178
|
-
//
|
|
179
|
-
CBS
|
|
180
|
-
if (!CBS_get_u8_length_prefixed(&
|
|
181
|
-
CBS_len(&
|
|
189
|
+
// Expand ech_outer_extensions. See draft-ietf-tls-esni-13, Appendix B.
|
|
190
|
+
CBS ext_list;
|
|
191
|
+
if (!CBS_get_u8_length_prefixed(&ext_list_wrapper, &ext_list) ||
|
|
192
|
+
CBS_len(&ext_list) == 0 || CBS_len(&ext_list_wrapper) != 0) {
|
|
182
193
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
183
194
|
return false;
|
|
184
195
|
}
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
188
|
-
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
if (
|
|
192
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
|
196
|
+
CBS outer_extensions;
|
|
197
|
+
CBS_init(&outer_extensions, client_hello_outer->extensions,
|
|
198
|
+
client_hello_outer->extensions_len);
|
|
199
|
+
while (CBS_len(&ext_list) != 0) {
|
|
200
|
+
// Find the next extension to copy.
|
|
201
|
+
uint16_t want;
|
|
202
|
+
if (!CBS_get_u16(&ext_list, &want)) {
|
|
193
203
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
194
204
|
return false;
|
|
195
205
|
}
|
|
196
|
-
//
|
|
197
|
-
|
|
198
|
-
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
|
|
206
|
+
// Seek to |want| in |outer_extensions|. |ext_list| is required to match
|
|
207
|
+
// ClientHelloOuter in order.
|
|
208
|
+
uint16_t found;
|
|
209
|
+
CBS ext_body;
|
|
210
|
+
do {
|
|
211
|
+
if (CBS_len(&outer_extensions) == 0) {
|
|
212
|
+
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
|
213
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_OUTER_EXTENSION_NOT_FOUND);
|
|
214
|
+
return false;
|
|
215
|
+
}
|
|
216
|
+
if (!CBS_get_u16(&outer_extensions, &found) ||
|
|
217
|
+
!CBS_get_u16_length_prefixed(&outer_extensions, &ext_body)) {
|
|
218
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
219
|
+
return false;
|
|
220
|
+
}
|
|
221
|
+
} while (found != want);
|
|
222
|
+
// Copy the extension.
|
|
223
|
+
if (!CBB_add_u16(&extensions_cbb, found) ||
|
|
224
|
+
!CBB_add_u16(&extensions_cbb, CBS_len(&ext_body)) ||
|
|
225
|
+
!CBB_add_bytes(&extensions_cbb, CBS_data(&ext_body),
|
|
226
|
+
CBS_len(&ext_body))) {
|
|
204
227
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
205
228
|
return false;
|
|
206
229
|
}
|
|
230
|
+
}
|
|
207
231
|
|
|
208
|
-
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
return false;
|
|
213
|
-
}
|
|
214
|
-
result->copied = true;
|
|
215
|
-
|
|
216
|
-
if (!CBB_add_u16(&extensions, extension_needed) ||
|
|
217
|
-
!CBB_add_u16(&extensions, result->body.size()) ||
|
|
218
|
-
!CBB_add_bytes(&extensions, result->body.data(),
|
|
219
|
-
result->body.size())) {
|
|
220
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
221
|
-
return false;
|
|
222
|
-
}
|
|
232
|
+
if (!CBB_add_bytes(&extensions_cbb, inner_extensions_after.data(),
|
|
233
|
+
inner_extensions_after.size())) {
|
|
234
|
+
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
235
|
+
return false;
|
|
223
236
|
}
|
|
224
237
|
}
|
|
225
238
|
if (!CBB_flush(&body)) {
|
|
@@ -227,46 +240,10 @@ bool ssl_decode_client_hello_inner(
|
|
|
227
240
|
return false;
|
|
228
241
|
}
|
|
229
242
|
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
if (!ssl_client_hello_init(ssl, &client_hello_inner,
|
|
233
|
-
MakeConstSpan(CBB_data(&body), CBB_len(&body))) ||
|
|
234
|
-
!ssl_client_hello_get_extension(&client_hello_inner, &extension,
|
|
235
|
-
TLSEXT_TYPE_ech_is_inner) ||
|
|
236
|
-
CBS_len(&extension) != 0 ||
|
|
237
|
-
ssl_client_hello_get_extension(&client_hello_inner, &extension,
|
|
238
|
-
TLSEXT_TYPE_encrypted_client_hello) ||
|
|
239
|
-
!ssl_client_hello_get_extension(&client_hello_inner, &extension,
|
|
240
|
-
TLSEXT_TYPE_supported_versions)) {
|
|
241
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
|
242
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_CLIENT_HELLO_INNER);
|
|
243
|
-
return false;
|
|
244
|
-
}
|
|
245
|
-
// Parse supported_versions and reject TLS versions prior to TLS 1.3. Older
|
|
246
|
-
// versions are incompatible with ECH.
|
|
247
|
-
CBS versions;
|
|
248
|
-
if (!CBS_get_u8_length_prefixed(&extension, &versions) ||
|
|
249
|
-
CBS_len(&extension) != 0 || //
|
|
250
|
-
CBS_len(&versions) == 0) {
|
|
251
|
-
*out_alert = SSL_AD_DECODE_ERROR;
|
|
252
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
243
|
+
if (!is_valid_client_hello_inner(
|
|
244
|
+
ssl, out_alert, MakeConstSpan(CBB_data(&body), CBB_len(&body)))) {
|
|
253
245
|
return false;
|
|
254
246
|
}
|
|
255
|
-
while (CBS_len(&versions) != 0) {
|
|
256
|
-
uint16_t version;
|
|
257
|
-
if (!CBS_get_u16(&versions, &version)) {
|
|
258
|
-
*out_alert = SSL_AD_DECODE_ERROR;
|
|
259
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
260
|
-
return false;
|
|
261
|
-
}
|
|
262
|
-
if (version == SSL3_VERSION || version == TLS1_VERSION ||
|
|
263
|
-
version == TLS1_1_VERSION || version == TLS1_2_VERSION ||
|
|
264
|
-
version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
|
|
265
|
-
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
|
266
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_CLIENT_HELLO_INNER);
|
|
267
|
-
return false;
|
|
268
|
-
}
|
|
269
|
-
}
|
|
270
247
|
|
|
271
248
|
if (!ssl->method->finish_message(ssl, cbb.get(), out_client_hello_inner)) {
|
|
272
249
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
@@ -275,56 +252,31 @@ bool ssl_decode_client_hello_inner(
|
|
|
275
252
|
return true;
|
|
276
253
|
}
|
|
277
254
|
|
|
278
|
-
bool ssl_client_hello_decrypt(
|
|
279
|
-
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
Span<const uint8_t> enc, Span<const uint8_t> payload) {
|
|
255
|
+
bool ssl_client_hello_decrypt(EVP_HPKE_CTX *hpke_ctx, Array<uint8_t> *out,
|
|
256
|
+
bool *out_is_decrypt_error,
|
|
257
|
+
const SSL_CLIENT_HELLO *client_hello_outer,
|
|
258
|
+
Span<const uint8_t> payload) {
|
|
283
259
|
*out_is_decrypt_error = false;
|
|
284
260
|
|
|
285
|
-
//
|
|
286
|
-
//
|
|
287
|
-
|
|
288
|
-
|
|
289
|
-
if (!
|
|
290
|
-
|
|
291
|
-
!CBB_add_u16(aad.get(), aead_id) ||
|
|
292
|
-
!CBB_add_u8(aad.get(), config_id) ||
|
|
293
|
-
!CBB_add_u16_length_prefixed(aad.get(), &enc_cbb) ||
|
|
294
|
-
!CBB_add_bytes(&enc_cbb, enc.data(), enc.size()) ||
|
|
295
|
-
!CBB_add_u24_length_prefixed(aad.get(), &outer_hello_cbb) ||
|
|
296
|
-
!ssl_client_hello_write_without_extensions(client_hello_outer,
|
|
297
|
-
&outer_hello_cbb) ||
|
|
298
|
-
!CBB_add_u16_length_prefixed(&outer_hello_cbb, &extensions_cbb)) {
|
|
299
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
261
|
+
// The ClientHelloOuterAAD is |client_hello_outer| with |payload| (which must
|
|
262
|
+
// point within |client_hello_outer->extensions|) replaced with zeros. See
|
|
263
|
+
// draft-ietf-tls-esni-13, section 5.2.
|
|
264
|
+
Array<uint8_t> aad;
|
|
265
|
+
if (!aad.CopyFrom(MakeConstSpan(client_hello_outer->client_hello,
|
|
266
|
+
client_hello_outer->client_hello_len))) {
|
|
300
267
|
return false;
|
|
301
268
|
}
|
|
302
269
|
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
|
|
309
|
-
|
|
310
|
-
|
|
311
|
-
|
|
312
|
-
|
|
313
|
-
if (extension_id == TLSEXT_TYPE_encrypted_client_hello) {
|
|
314
|
-
continue;
|
|
315
|
-
}
|
|
316
|
-
if (!CBB_add_u16(&extensions_cbb, extension_id) ||
|
|
317
|
-
!CBB_add_u16(&extensions_cbb, CBS_len(&extension_body)) ||
|
|
318
|
-
!CBB_add_bytes(&extensions_cbb, CBS_data(&extension_body),
|
|
319
|
-
CBS_len(&extension_body))) {
|
|
320
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
321
|
-
return false;
|
|
322
|
-
}
|
|
323
|
-
}
|
|
324
|
-
if (!CBB_flush(aad.get())) {
|
|
325
|
-
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
326
|
-
return false;
|
|
327
|
-
}
|
|
270
|
+
// We assert with |uintptr_t| because the comparison would be UB if they
|
|
271
|
+
// didn't alias.
|
|
272
|
+
assert(reinterpret_cast<uintptr_t>(client_hello_outer->extensions) <=
|
|
273
|
+
reinterpret_cast<uintptr_t>(payload.data()));
|
|
274
|
+
assert(reinterpret_cast<uintptr_t>(client_hello_outer->extensions +
|
|
275
|
+
client_hello_outer->extensions_len) >=
|
|
276
|
+
reinterpret_cast<uintptr_t>(payload.data() + payload.size()));
|
|
277
|
+
Span<uint8_t> payload_aad = MakeSpan(aad).subspan(
|
|
278
|
+
payload.data() - client_hello_outer->client_hello, payload.size());
|
|
279
|
+
OPENSSL_memset(payload_aad.data(), 0, payload_aad.size());
|
|
328
280
|
|
|
329
281
|
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
|
|
330
282
|
// In fuzzer mode, disable encryption to improve coverage. We reserve a short
|
|
@@ -336,124 +288,75 @@ bool ssl_client_hello_decrypt(
|
|
|
336
288
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
|
|
337
289
|
return false;
|
|
338
290
|
}
|
|
339
|
-
if (!
|
|
291
|
+
if (!out->CopyFrom(payload)) {
|
|
340
292
|
return false;
|
|
341
293
|
}
|
|
342
294
|
#else
|
|
343
|
-
// Attempt to decrypt into |
|
|
344
|
-
if (!
|
|
295
|
+
// Attempt to decrypt into |out|.
|
|
296
|
+
if (!out->Init(payload.size())) {
|
|
345
297
|
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
|
|
346
298
|
return false;
|
|
347
299
|
}
|
|
348
|
-
size_t
|
|
349
|
-
if (!EVP_HPKE_CTX_open(hpke_ctx,
|
|
350
|
-
|
|
351
|
-
|
|
352
|
-
payload.size(), CBB_data(aad.get()),
|
|
353
|
-
CBB_len(aad.get()))) {
|
|
300
|
+
size_t len;
|
|
301
|
+
if (!EVP_HPKE_CTX_open(hpke_ctx, out->data(), &len, out->size(),
|
|
302
|
+
payload.data(), payload.size(), aad.data(),
|
|
303
|
+
aad.size())) {
|
|
354
304
|
*out_is_decrypt_error = true;
|
|
355
305
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
|
|
356
306
|
return false;
|
|
357
307
|
}
|
|
358
|
-
|
|
308
|
+
out->Shrink(len);
|
|
359
309
|
#endif
|
|
360
310
|
return true;
|
|
361
311
|
}
|
|
362
312
|
|
|
363
|
-
static bool
|
|
364
|
-
|
|
365
|
-
|
|
366
|
-
|
|
367
|
-
|
|
368
|
-
|
|
369
|
-
|
|
370
|
-
in = in.subspan(1);
|
|
371
|
-
base = 8;
|
|
372
|
-
}
|
|
373
|
-
*out = 0;
|
|
374
|
-
for (uint8_t c : in) {
|
|
375
|
-
uint32_t d;
|
|
376
|
-
if ('0' <= c && c <= '9') {
|
|
377
|
-
d = c - '0';
|
|
378
|
-
} else if ('a' <= c && c <= 'f') {
|
|
379
|
-
d = c - 'a' + 10;
|
|
380
|
-
} else if ('A' <= c && c <= 'F') {
|
|
381
|
-
d = c - 'A' + 10;
|
|
382
|
-
} else {
|
|
383
|
-
return false;
|
|
384
|
-
}
|
|
385
|
-
if (d >= base ||
|
|
386
|
-
*out > UINT32_MAX / base) {
|
|
387
|
-
return false;
|
|
388
|
-
}
|
|
389
|
-
*out *= base;
|
|
390
|
-
if (*out > UINT32_MAX - d) {
|
|
313
|
+
static bool is_hex_component(Span<const uint8_t> in) {
|
|
314
|
+
if (in.size() < 2 || in[0] != '0' || (in[1] != 'x' && in[1] != 'X')) {
|
|
315
|
+
return false;
|
|
316
|
+
}
|
|
317
|
+
for (uint8_t b : in.subspan(2)) {
|
|
318
|
+
if (!('0' <= b && b <= '9') && !('a' <= b && b <= 'f') &&
|
|
319
|
+
!('A' <= b && b <= 'F')) {
|
|
391
320
|
return false;
|
|
392
321
|
}
|
|
393
|
-
*out += d;
|
|
394
322
|
}
|
|
395
323
|
return true;
|
|
396
324
|
}
|
|
397
325
|
|
|
398
|
-
static bool
|
|
399
|
-
|
|
400
|
-
uint32_t numbers[4];
|
|
401
|
-
size_t num_numbers = 0;
|
|
402
|
-
while (!in.empty()) {
|
|
403
|
-
if (num_numbers == 4) {
|
|
404
|
-
// Too many components.
|
|
405
|
-
return false;
|
|
406
|
-
}
|
|
407
|
-
// Find the next dot-separated component.
|
|
408
|
-
auto dot = std::find(in.begin(), in.end(), '.');
|
|
409
|
-
if (dot == in.begin()) {
|
|
410
|
-
// Empty components are not allowed.
|
|
411
|
-
return false;
|
|
412
|
-
}
|
|
413
|
-
Span<const uint8_t> component;
|
|
414
|
-
if (dot == in.end()) {
|
|
415
|
-
component = in;
|
|
416
|
-
in = Span<const uint8_t>();
|
|
417
|
-
} else {
|
|
418
|
-
component = in.subspan(0, dot - in.begin());
|
|
419
|
-
in = in.subspan(dot - in.begin() + 1); // Skip the dot.
|
|
420
|
-
}
|
|
421
|
-
if (!parse_ipv4_number(component, &numbers[num_numbers])) {
|
|
422
|
-
return false;
|
|
423
|
-
}
|
|
424
|
-
num_numbers++;
|
|
425
|
-
}
|
|
426
|
-
if (num_numbers == 0) {
|
|
326
|
+
static bool is_decimal_component(Span<const uint8_t> in) {
|
|
327
|
+
if (in.empty()) {
|
|
427
328
|
return false;
|
|
428
329
|
}
|
|
429
|
-
for (
|
|
430
|
-
if (
|
|
330
|
+
for (uint8_t b : in) {
|
|
331
|
+
if (!('0' <= b && b <= '9')) {
|
|
431
332
|
return false;
|
|
432
333
|
}
|
|
433
334
|
}
|
|
434
|
-
return
|
|
435
|
-
numbers[num_numbers - 1] < 1u << (8 * (5 - num_numbers));
|
|
335
|
+
return true;
|
|
436
336
|
}
|
|
437
337
|
|
|
438
338
|
bool ssl_is_valid_ech_public_name(Span<const uint8_t> public_name) {
|
|
439
|
-
// See draft-ietf-tls-esni-
|
|
339
|
+
// See draft-ietf-tls-esni-13, Section 4 and RFC 5890, Section 2.3.1. The
|
|
440
340
|
// public name must be a dot-separated sequence of LDH labels and not begin or
|
|
441
341
|
// end with a dot.
|
|
442
|
-
auto
|
|
443
|
-
if (
|
|
342
|
+
auto remaining = public_name;
|
|
343
|
+
if (remaining.empty()) {
|
|
444
344
|
return false;
|
|
445
345
|
}
|
|
446
|
-
|
|
346
|
+
Span<const uint8_t> last;
|
|
347
|
+
while (!remaining.empty()) {
|
|
447
348
|
// Find the next dot-separated component.
|
|
448
|
-
auto dot = std::find(
|
|
349
|
+
auto dot = std::find(remaining.begin(), remaining.end(), '.');
|
|
449
350
|
Span<const uint8_t> component;
|
|
450
|
-
if (dot ==
|
|
451
|
-
component =
|
|
452
|
-
|
|
351
|
+
if (dot == remaining.end()) {
|
|
352
|
+
component = remaining;
|
|
353
|
+
last = component;
|
|
354
|
+
remaining = Span<const uint8_t>();
|
|
453
355
|
} else {
|
|
454
|
-
component =
|
|
455
|
-
|
|
456
|
-
|
|
356
|
+
component = remaining.subspan(0, dot - remaining.begin());
|
|
357
|
+
// Skip the dot.
|
|
358
|
+
remaining = remaining.subspan(dot - remaining.begin() + 1);
|
|
359
|
+
if (remaining.empty()) {
|
|
457
360
|
// Trailing dots are not allowed.
|
|
458
361
|
return false;
|
|
459
362
|
}
|
|
@@ -472,7 +375,15 @@ bool ssl_is_valid_ech_public_name(Span<const uint8_t> public_name) {
|
|
|
472
375
|
}
|
|
473
376
|
}
|
|
474
377
|
|
|
475
|
-
|
|
378
|
+
// The WHATWG URL parser additionally does not allow any DNS names that end in
|
|
379
|
+
// a numeric component. See:
|
|
380
|
+
// https://url.spec.whatwg.org/#concept-host-parser
|
|
381
|
+
// https://url.spec.whatwg.org/#ends-in-a-number-checker
|
|
382
|
+
//
|
|
383
|
+
// The WHATWG parser is formulated in terms of parsing decimal, octal, and
|
|
384
|
+
// hex, along with a separate ASCII digits check. The ASCII digits check
|
|
385
|
+
// subsumes the decimal and octal check, so we only need to check two cases.
|
|
386
|
+
return !is_hex_component(last) && !is_decimal_component(last);
|
|
476
387
|
}
|
|
477
388
|
|
|
478
389
|
static bool parse_ech_config(CBS *cbs, ECHConfig *out, bool *out_supported,
|
|
@@ -508,8 +419,8 @@ static bool parse_ech_config(CBS *cbs, ECHConfig *out, bool *out_supported,
|
|
|
508
419
|
CBS_len(&public_key) == 0 ||
|
|
509
420
|
!CBS_get_u16_length_prefixed(&contents, &cipher_suites) ||
|
|
510
421
|
CBS_len(&cipher_suites) == 0 || CBS_len(&cipher_suites) % 4 != 0 ||
|
|
511
|
-
!
|
|
512
|
-
!
|
|
422
|
+
!CBS_get_u8(&contents, &out->maximum_name_length) ||
|
|
423
|
+
!CBS_get_u8_length_prefixed(&contents, &public_name) ||
|
|
513
424
|
CBS_len(&public_name) == 0 ||
|
|
514
425
|
!CBS_get_u16_length_prefixed(&contents, &extensions) ||
|
|
515
426
|
CBS_len(&contents) != 0) {
|
|
@@ -773,15 +684,6 @@ static size_t aead_overhead(const EVP_HPKE_AEAD *aead) {
|
|
|
773
684
|
#endif
|
|
774
685
|
}
|
|
775
686
|
|
|
776
|
-
static size_t compute_extension_length(const EVP_HPKE_AEAD *aead,
|
|
777
|
-
size_t enc_len, size_t in_len) {
|
|
778
|
-
size_t ret = 4; // HpkeSymmetricCipherSuite cipher_suite
|
|
779
|
-
ret++; // uint8 config_id
|
|
780
|
-
ret += 2 + enc_len; // opaque enc<1..2^16-1>
|
|
781
|
-
ret += 2 + in_len + aead_overhead(aead); // opaque payload<1..2^16-1>
|
|
782
|
-
return ret;
|
|
783
|
-
}
|
|
784
|
-
|
|
785
687
|
// random_size returns a random value between |min| and |max|, inclusive.
|
|
786
688
|
static size_t random_size(size_t min, size_t max) {
|
|
787
689
|
assert(min < max);
|
|
@@ -814,38 +716,32 @@ static bool setup_ech_grease(SSL_HANDSHAKE *hs) {
|
|
|
814
716
|
// 2+32+1+2 version, random, legacy_session_id, legacy_compression_methods
|
|
815
717
|
// 2+4*2 cipher_suites (three TLS 1.3 ciphers, GREASE)
|
|
816
718
|
// 2 extensions prefix
|
|
817
|
-
//
|
|
719
|
+
// 5 inner encrypted_client_hello
|
|
818
720
|
// 4+1+2*2 supported_versions (TLS 1.3, GREASE)
|
|
819
721
|
// 4+1+10*2 outer_extensions (key_share, sigalgs, sct, alpn,
|
|
820
722
|
// supported_groups, status_request, psk_key_exchange_modes,
|
|
821
723
|
// compress_certificate, GREASE x2)
|
|
822
724
|
//
|
|
823
725
|
// The server_name extension has an overhead of 9 bytes. For now, arbitrarily
|
|
824
|
-
// estimate maximum_name_length to be between 32 and 100 bytes.
|
|
825
|
-
//
|
|
826
|
-
|
|
827
|
-
|
|
828
|
-
// https://github.com/tlswg/draft-ietf-tls-esni/issues/433
|
|
829
|
-
const size_t overhead = aead_overhead(aead);
|
|
830
|
-
const size_t in_len = random_size(128, 196);
|
|
831
|
-
const size_t extension_len =
|
|
832
|
-
compute_extension_length(aead, sizeof(enc), in_len);
|
|
726
|
+
// estimate maximum_name_length to be between 32 and 100 bytes. Then round up
|
|
727
|
+
// to a multiple of 32, to match draft-ietf-tls-esni-13, section 6.1.3.
|
|
728
|
+
const size_t payload_len =
|
|
729
|
+
32 * random_size(128 / 32, 224 / 32) + aead_overhead(aead);
|
|
833
730
|
bssl::ScopedCBB cbb;
|
|
834
731
|
CBB enc_cbb, payload_cbb;
|
|
835
732
|
uint8_t *payload;
|
|
836
|
-
if (!CBB_init(cbb.get(),
|
|
733
|
+
if (!CBB_init(cbb.get(), 256) ||
|
|
837
734
|
!CBB_add_u16(cbb.get(), kdf_id) ||
|
|
838
735
|
!CBB_add_u16(cbb.get(), EVP_HPKE_AEAD_id(aead)) ||
|
|
839
736
|
!CBB_add_u8(cbb.get(), config_id) ||
|
|
840
737
|
!CBB_add_u16_length_prefixed(cbb.get(), &enc_cbb) ||
|
|
841
738
|
!CBB_add_bytes(&enc_cbb, enc, sizeof(enc)) ||
|
|
842
739
|
!CBB_add_u16_length_prefixed(cbb.get(), &payload_cbb) ||
|
|
843
|
-
!CBB_add_space(&payload_cbb, &payload,
|
|
844
|
-
!RAND_bytes(payload,
|
|
845
|
-
!CBBFinishArray(cbb.get(), &hs->
|
|
740
|
+
!CBB_add_space(&payload_cbb, &payload, payload_len) ||
|
|
741
|
+
!RAND_bytes(payload, payload_len) ||
|
|
742
|
+
!CBBFinishArray(cbb.get(), &hs->ech_client_outer)) {
|
|
846
743
|
return false;
|
|
847
744
|
}
|
|
848
|
-
assert(hs->ech_client_bytes.size() == extension_len);
|
|
849
745
|
return true;
|
|
850
746
|
}
|
|
851
747
|
|
|
@@ -856,22 +752,22 @@ bool ssl_encrypt_client_hello(SSL_HANDSHAKE *hs, Span<const uint8_t> enc) {
|
|
|
856
752
|
}
|
|
857
753
|
|
|
858
754
|
// Construct ClientHelloInner and EncodedClientHelloInner. See
|
|
859
|
-
// draft-ietf-tls-esni-
|
|
860
|
-
|
|
755
|
+
// draft-ietf-tls-esni-13, sections 5.1 and 6.1.
|
|
756
|
+
ScopedCBB cbb, encoded_cbb;
|
|
861
757
|
CBB body;
|
|
862
758
|
bool needs_psk_binder;
|
|
863
|
-
|
|
759
|
+
Array<uint8_t> hello_inner;
|
|
864
760
|
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CLIENT_HELLO) ||
|
|
865
|
-
!CBB_init(
|
|
761
|
+
!CBB_init(encoded_cbb.get(), 256) ||
|
|
866
762
|
!ssl_write_client_hello_without_extensions(hs, &body,
|
|
867
763
|
ssl_client_hello_inner,
|
|
868
764
|
/*empty_session_id=*/false) ||
|
|
869
|
-
!ssl_write_client_hello_without_extensions(hs,
|
|
765
|
+
!ssl_write_client_hello_without_extensions(hs, encoded_cbb.get(),
|
|
870
766
|
ssl_client_hello_inner,
|
|
871
767
|
/*empty_session_id=*/true) ||
|
|
872
|
-
!ssl_add_clienthello_tlsext(hs, &body,
|
|
873
|
-
|
|
874
|
-
|
|
768
|
+
!ssl_add_clienthello_tlsext(hs, &body, encoded_cbb.get(),
|
|
769
|
+
&needs_psk_binder, ssl_client_hello_inner,
|
|
770
|
+
CBB_len(&body)) ||
|
|
875
771
|
!ssl->method->finish_message(ssl, cbb.get(), &hello_inner)) {
|
|
876
772
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
877
773
|
return false;
|
|
@@ -884,13 +780,12 @@ bool ssl_encrypt_client_hello(SSL_HANDSHAKE *hs, Span<const uint8_t> enc) {
|
|
|
884
780
|
return false;
|
|
885
781
|
}
|
|
886
782
|
// Also update the EncodedClientHelloInner.
|
|
887
|
-
|
|
888
|
-
|
|
889
|
-
|
|
890
|
-
|
|
891
|
-
|
|
892
|
-
|
|
893
|
-
hello_inner.data() + hello_inner.size() - binder_len,
|
|
783
|
+
auto encoded_binder =
|
|
784
|
+
MakeSpan(const_cast<uint8_t *>(CBB_data(encoded_cbb.get())),
|
|
785
|
+
CBB_len(encoded_cbb.get()))
|
|
786
|
+
.last(binder_len);
|
|
787
|
+
auto hello_inner_binder = MakeConstSpan(hello_inner).last(binder_len);
|
|
788
|
+
OPENSSL_memcpy(encoded_binder.data(), hello_inner_binder.data(),
|
|
894
789
|
binder_len);
|
|
895
790
|
}
|
|
896
791
|
|
|
@@ -898,74 +793,82 @@ bool ssl_encrypt_client_hello(SSL_HANDSHAKE *hs, Span<const uint8_t> enc) {
|
|
|
898
793
|
return false;
|
|
899
794
|
}
|
|
900
795
|
|
|
901
|
-
//
|
|
902
|
-
|
|
903
|
-
|
|
904
|
-
|
|
796
|
+
// Pad the EncodedClientHelloInner. See draft-ietf-tls-esni-13, section 6.1.3.
|
|
797
|
+
size_t padding_len = 0;
|
|
798
|
+
size_t maximum_name_length = hs->selected_ech_config->maximum_name_length;
|
|
799
|
+
if (ssl->hostname) {
|
|
800
|
+
size_t hostname_len = strlen(ssl->hostname.get());
|
|
801
|
+
if (hostname_len <= maximum_name_length) {
|
|
802
|
+
padding_len = maximum_name_length - hostname_len;
|
|
803
|
+
}
|
|
804
|
+
} else {
|
|
805
|
+
// No SNI. Pad up to |maximum_name_length|, including server_name extension
|
|
806
|
+
// overhead.
|
|
807
|
+
padding_len = 9 + maximum_name_length;
|
|
808
|
+
}
|
|
809
|
+
// Pad the whole thing to a multiple of 32 bytes.
|
|
810
|
+
padding_len += 31 - ((CBB_len(encoded_cbb.get()) + padding_len - 1) % 32);
|
|
811
|
+
Array<uint8_t> encoded;
|
|
812
|
+
if (!CBB_add_zeros(encoded_cbb.get(), padding_len) ||
|
|
813
|
+
!CBBFinishArray(encoded_cbb.get(), &encoded)) {
|
|
814
|
+
return false;
|
|
815
|
+
}
|
|
816
|
+
|
|
817
|
+
// Encrypt |encoded|. See draft-ietf-tls-esni-13, section 6.1.1. First,
|
|
818
|
+
// assemble the extension with a placeholder value for ClientHelloOuterAAD.
|
|
819
|
+
// See draft-ietf-tls-esni-13, section 5.2.
|
|
905
820
|
const EVP_HPKE_KDF *kdf = EVP_HPKE_CTX_kdf(hs->ech_hpke_ctx.get());
|
|
906
821
|
const EVP_HPKE_AEAD *aead = EVP_HPKE_CTX_aead(hs->ech_hpke_ctx.get());
|
|
907
|
-
|
|
908
|
-
|
|
822
|
+
size_t payload_len = encoded.size() + aead_overhead(aead);
|
|
823
|
+
CBB enc_cbb, payload_cbb;
|
|
824
|
+
if (!CBB_init(cbb.get(), 256) ||
|
|
825
|
+
!CBB_add_u16(cbb.get(), EVP_HPKE_KDF_id(kdf)) ||
|
|
826
|
+
!CBB_add_u16(cbb.get(), EVP_HPKE_AEAD_id(aead)) ||
|
|
827
|
+
!CBB_add_u8(cbb.get(), hs->selected_ech_config->config_id) ||
|
|
828
|
+
!CBB_add_u16_length_prefixed(cbb.get(), &enc_cbb) ||
|
|
829
|
+
!CBB_add_bytes(&enc_cbb, enc.data(), enc.size()) ||
|
|
830
|
+
!CBB_add_u16_length_prefixed(cbb.get(), &payload_cbb) ||
|
|
831
|
+
!CBB_add_zeros(&payload_cbb, payload_len) ||
|
|
832
|
+
!CBBFinishArray(cbb.get(), &hs->ech_client_outer)) {
|
|
833
|
+
return false;
|
|
834
|
+
}
|
|
835
|
+
|
|
836
|
+
// Construct ClientHelloOuterAAD.
|
|
837
|
+
// TODO(https://crbug.com/boringssl/275): This ends up constructing the
|
|
838
|
+
// ClientHelloOuter twice. Instead, reuse |aad| for the ClientHello, now that
|
|
839
|
+
// draft-12 made the length prefixes match.
|
|
909
840
|
bssl::ScopedCBB aad;
|
|
910
|
-
CBB outer_hello;
|
|
911
|
-
CBB enc_cbb;
|
|
912
841
|
if (!CBB_init(aad.get(), 256) ||
|
|
913
|
-
!
|
|
914
|
-
!CBB_add_u16(aad.get(), EVP_HPKE_AEAD_id(aead)) ||
|
|
915
|
-
!CBB_add_u8(aad.get(), hs->selected_ech_config->config_id) ||
|
|
916
|
-
!CBB_add_u16_length_prefixed(aad.get(), &enc_cbb) ||
|
|
917
|
-
!CBB_add_bytes(&enc_cbb, enc.data(), enc.size()) ||
|
|
918
|
-
!CBB_add_u24_length_prefixed(aad.get(), &outer_hello) ||
|
|
919
|
-
!ssl_write_client_hello_without_extensions(hs, &outer_hello,
|
|
842
|
+
!ssl_write_client_hello_without_extensions(hs, aad.get(),
|
|
920
843
|
ssl_client_hello_outer,
|
|
921
844
|
/*empty_session_id=*/false) ||
|
|
922
|
-
!ssl_add_clienthello_tlsext(hs,
|
|
845
|
+
!ssl_add_clienthello_tlsext(hs, aad.get(), /*out_encoded=*/nullptr,
|
|
923
846
|
&needs_psk_binder, ssl_client_hello_outer,
|
|
924
|
-
CBB_len(
|
|
925
|
-
/*omit_ech_len=*/4 + extension_len) ||
|
|
926
|
-
!CBB_flush(aad.get())) {
|
|
847
|
+
CBB_len(aad.get()))) {
|
|
927
848
|
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
|
|
928
849
|
return false;
|
|
929
850
|
}
|
|
851
|
+
|
|
930
852
|
// ClientHelloOuter may not require a PSK binder. Otherwise, we have a
|
|
931
853
|
// circular dependency.
|
|
932
854
|
assert(!needs_psk_binder);
|
|
933
855
|
|
|
934
|
-
|
|
935
|
-
|
|
936
|
-
!CBB_add_u16(cbb.get(), EVP_HPKE_KDF_id(kdf)) ||
|
|
937
|
-
!CBB_add_u16(cbb.get(), EVP_HPKE_AEAD_id(aead)) ||
|
|
938
|
-
!CBB_add_u8(cbb.get(), hs->selected_ech_config->config_id) ||
|
|
939
|
-
!CBB_add_u16_length_prefixed(cbb.get(), &enc_cbb) ||
|
|
940
|
-
!CBB_add_bytes(&enc_cbb, enc.data(), enc.size()) ||
|
|
941
|
-
!CBB_add_u16_length_prefixed(cbb.get(), &payload_cbb)) {
|
|
942
|
-
return false;
|
|
943
|
-
}
|
|
856
|
+
// Replace the payload in |hs->ech_client_outer| with the encrypted value.
|
|
857
|
+
auto payload_span = MakeSpan(hs->ech_client_outer).last(payload_len);
|
|
944
858
|
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
|
|
945
859
|
// In fuzzer mode, the server expects a cleartext payload.
|
|
946
|
-
|
|
947
|
-
|
|
948
|
-
return false;
|
|
949
|
-
}
|
|
860
|
+
assert(payload_span.size() == encoded.size());
|
|
861
|
+
OPENSSL_memcpy(payload_span.data(), encoded.data(), encoded.size());
|
|
950
862
|
#else
|
|
951
|
-
|
|
952
|
-
|
|
953
|
-
|
|
954
|
-
if (!CBB_reserve(&payload_cbb, &payload, payload_len) ||
|
|
955
|
-
!EVP_HPKE_CTX_seal(hs->ech_hpke_ctx.get(), payload, &payload_len,
|
|
956
|
-
payload_len, CBB_data(encoded.get()),
|
|
957
|
-
CBB_len(encoded.get()), CBB_data(aad.get()),
|
|
863
|
+
if (!EVP_HPKE_CTX_seal(hs->ech_hpke_ctx.get(), payload_span.data(),
|
|
864
|
+
&payload_len, payload_span.size(), encoded.data(),
|
|
865
|
+
encoded.size(), CBB_data(aad.get()),
|
|
958
866
|
CBB_len(aad.get())) ||
|
|
959
|
-
|
|
867
|
+
payload_len != payload_span.size()) {
|
|
960
868
|
return false;
|
|
961
869
|
}
|
|
962
870
|
#endif // BORINGSSL_UNSAFE_FUZZER_MODE
|
|
963
|
-
if (!CBBFinishArray(cbb.get(), &hs->ech_client_bytes)) {
|
|
964
|
-
return false;
|
|
965
|
-
}
|
|
966
871
|
|
|
967
|
-
// The |aad| calculation relies on |extension_length| being correct.
|
|
968
|
-
assert(hs->ech_client_bytes.size() == extension_len);
|
|
969
872
|
return true;
|
|
970
873
|
}
|
|
971
874
|
|
|
@@ -1045,7 +948,13 @@ int SSL_marshal_ech_config(uint8_t **out, size_t *out_len, uint8_t config_id,
|
|
|
1045
948
|
return 0;
|
|
1046
949
|
}
|
|
1047
950
|
|
|
1048
|
-
//
|
|
951
|
+
// The maximum name length is encoded in one byte.
|
|
952
|
+
if (max_name_len > 0xff) {
|
|
953
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH);
|
|
954
|
+
return 0;
|
|
955
|
+
}
|
|
956
|
+
|
|
957
|
+
// See draft-ietf-tls-esni-13, section 4.
|
|
1049
958
|
ScopedCBB cbb;
|
|
1050
959
|
CBB contents, child;
|
|
1051
960
|
uint8_t *public_key;
|
|
@@ -1066,8 +975,8 @@ int SSL_marshal_ech_config(uint8_t **out, size_t *out_len, uint8_t config_id,
|
|
|
1066
975
|
!CBB_add_u16(&child, EVP_HPKE_AES_128_GCM) ||
|
|
1067
976
|
!CBB_add_u16(&child, EVP_HPKE_HKDF_SHA256) ||
|
|
1068
977
|
!CBB_add_u16(&child, EVP_HPKE_CHACHA20_POLY1305) ||
|
|
1069
|
-
!
|
|
1070
|
-
!
|
|
978
|
+
!CBB_add_u8(&contents, max_name_len) ||
|
|
979
|
+
!CBB_add_u8_length_prefixed(&contents, &child) ||
|
|
1071
980
|
!CBB_add_bytes(&child, public_name_u8.data(), public_name_u8.size()) ||
|
|
1072
981
|
// TODO(https://crbug.com/boringssl/275): Reserve some GREASE extensions
|
|
1073
982
|
// and include some.
|