grpc 1.70.1 → 1.71.0

data/third_party/boringssl-with-bazel/src/ssl/extensions.cc

@@ -1,110 +1,16 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
+// Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 
 #include <openssl/ssl.h>
 
@@ -130,6 +36,7 @@
 #include <openssl/rand.h>
 
 #include "../crypto/internal.h"
+#include "../crypto/spake2plus/internal.h"
 #include "internal.h"
 
 
@@ -214,16 +121,6 @@ static bool is_post_quantum_group(uint16_t id) {
   }
 }
 
-bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
-                           Span<const uint8_t> body) {
-  CBS cbs = body;
-  if (!ssl_parse_client_hello_with_trailing_data(ssl, &cbs, out) ||
-      CBS_len(&cbs) != 0) {
-    return false;
-  }
-  return true;
-}
-
 bool ssl_parse_client_hello_with_trailing_data(const SSL *ssl, CBS *cbs,
                                                SSL_CLIENT_HELLO *out) {
   OPENSSL_memset(out, 0, sizeof(*out));
@@ -235,6 +132,7 @@ bool ssl_parse_client_hello_with_trailing_data(const SSL *ssl, CBS *cbs,
       !CBS_get_bytes(cbs, &random, SSL3_RANDOM_SIZE) ||
       !CBS_get_u8_length_prefixed(cbs, &session_id) ||
       CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
     return false;
   }
 
@@ -246,6 +144,7 @@ bool ssl_parse_client_hello_with_trailing_data(const SSL *ssl, CBS *cbs,
   if (SSL_is_dtls(out->ssl)) {
     CBS cookie;
     if (!CBS_get_u8_length_prefixed(cbs, &cookie)) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
       return false;
     }
     out->dtls_cookie = CBS_data(&cookie);
@@ -260,6 +159,7 @@ bool ssl_parse_client_hello_with_trailing_data(const SSL *ssl, CBS *cbs,
       CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||
       !CBS_get_u8_length_prefixed(cbs, &compression_methods) ||
       CBS_len(&compression_methods) < 1) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
     return false;
   }
 
@@ -278,6 +178,7 @@ bool ssl_parse_client_hello_with_trailing_data(const SSL *ssl, CBS *cbs,
     CBS extensions;
     if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
         !tls1_check_duplicate_extensions(&extensions)) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
       return false;
     }
     out->extensions = CBS_data(&extensions);
@@ -535,9 +436,7 @@ static bool ext_sni_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
     if (ssl->hostname == nullptr) {
       return true;
     }
-    hostname =
-        MakeConstSpan(reinterpret_cast<const uint8_t *>(ssl->hostname.get()),
-                      strlen(ssl->hostname.get()));
+    hostname = StringAsBytes(ssl->hostname.get());
   }
 
   CBB contents, server_name_list, name;
@@ -1018,6 +917,10 @@ static bool ext_sigalgs_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
   if (hs->max_version < TLS1_2_VERSION) {
     return true;
   }
+  // In PAKE mode, signature_algorithms is not used.
+  if (hs->pake_prover != nullptr) {
+    return true;
+  }
 
   CBB contents, sigalgs_cbb;
   if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_signature_algorithms) ||
@@ -1201,8 +1104,7 @@ static bool ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
           ssl, &selected, &selected_len, orig_contents,
           static_cast<unsigned>(orig_len),
           ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK ||
-      !ssl->s3->next_proto_negotiated.CopyFrom(
-          MakeConstSpan(selected, selected_len))) {
+      !ssl->s3->next_proto_negotiated.CopyFrom(Span(selected, selected_len))) {
     *out_alert = SSL_AD_INTERNAL_ERROR;
     return false;
   }
@@ -1536,8 +1438,7 @@ bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
         *out_alert = SSL_AD_INTERNAL_ERROR;
         return false;
       }
-      if (!ssl->s3->alpn_selected.CopyFrom(
-              MakeConstSpan(selected, selected_len))) {
+      if (!ssl->s3->alpn_selected.CopyFrom(Span(selected, selected_len))) {
         *out_alert = SSL_AD_INTERNAL_ERROR;
         return false;
       }
@@ -2072,6 +1973,11 @@ static bool ext_psk_key_exchange_modes_add_clienthello(
   if (hs->max_version < TLS1_3_VERSION) {
     return true;
   }
+  // We do not support resumption with PAKEs, so do not offer any PSK key
+  // exchange modes, to signal the server not to send a ticket.
+  if (hs->pake_prover != nullptr) {
+    return true;
+  }
 
   CBB contents, ke_modes;
   if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_psk_key_exchange_modes) ||
@@ -2219,7 +2125,9 @@ bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) {
   hs->key_shares[1].reset();
   hs->key_share_bytes.Reset();
 
-  if (hs->max_version < TLS1_3_VERSION) {
+  // If offering a PAKE, do not set up key shares. We do not currently support
+  // clients offering both PAKE and non-PAKE modes, including resumption.
+  if (hs->max_version < TLS1_3_VERSION || hs->pake_prover) {
     return true;
   }
 
@@ -2284,7 +2192,9 @@ bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) {
 static bool ext_key_share_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
                                           CBB *out_compressible,
                                           ssl_client_hello_type_t type) {
-  if (hs->max_version < TLS1_3_VERSION) {
+  // If offering a PAKE, do not set up key shares. We do not currently support
+  // clients offering both PAKE and non-PAKE modes, including resumption.
+  if (hs->max_version < TLS1_3_VERSION || hs->pake_prover) {
     return true;
   }
 
@@ -2305,6 +2215,14 @@ static bool ext_key_share_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
 bool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,
                                          Array<uint8_t> *out_secret,
                                          uint8_t *out_alert, CBS *contents) {
+  if (hs->key_shares[0] == nullptr) {
+    // If we did not offer key shares, the extension should have been rejected
+    // as unsolicited.
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    *out_alert = SSL_AD_INTERNAL_ERROR;
+    return false;
+  }
+
   CBS ciphertext;
   uint16_t group_id;
   if (!CBS_get_u16(contents, &group_id) ||
@@ -2340,7 +2258,8 @@ bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
                                          Span<const uint8_t> *out_peer_key,
                                          uint8_t *out_alert,
                                          const SSL_CLIENT_HELLO *client_hello) {
-  // We only support connections that include an ECDHE key exchange.
+  // We only support connections that include an ECDHE key exchange, or use a
+  // PAKE.
   CBS contents;
   if (!ssl_client_hello_get_extension(client_hello, &contents,
                                       TLSEXT_TYPE_key_share)) {
@@ -2389,7 +2308,30 @@ bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
   return true;
 }
 
+bool ssl_ext_pake_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
+  if (hs->pake_share_bytes.empty()) {
+    return true;
+  }
+
+  CBB pake_ext, pake_msg;
+  if (!CBB_add_u16(out, TLSEXT_TYPE_pake) ||
+      !CBB_add_u16_length_prefixed(out, &pake_ext) ||
+      !CBB_add_u16(&pake_ext, SSL_PAKE_SPAKE2PLUSV1) ||
+      !CBB_add_u16_length_prefixed(&pake_ext, &pake_msg) ||
+      !CBB_add_bytes(&pake_msg, hs->pake_share_bytes.data(),
+                     hs->pake_share_bytes.size()) ||
+      !CBB_flush(out)) {
+    return false;
+  }
+  return true;
+}
+
 bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
+  if (hs->pake_verifier) {
+    // We don't add the key share extension if a PAKE is offered.
+    return true;
+  }
+
   CBB entry, ciphertext;
   if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||
       !CBB_add_u16_length_prefixed(out, &entry) ||
@@ -2481,6 +2423,11 @@ static bool ext_supported_groups_add_clienthello(const SSL_HANDSHAKE *hs,
                                                  CBB *out_compressible,
                                                  ssl_client_hello_type_t type) {
   const SSL *const ssl = hs->ssl;
+  // In PAKE mode, supported_groups and key_share are not used.
+  if (hs->pake_prover != nullptr) {
+    return true;
+  }
+
   CBB contents, groups_bytes;
   if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_supported_groups) ||
       !CBB_add_u16_length_prefixed(out_compressible, &contents) ||
@@ -2921,6 +2868,220 @@ static bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
   return true;
 }
 
+// PAKEs
+//
+// See
+// https://chris-wood.github.io/draft-bmw-tls-pake13/draft-bmw-tls-pake13.html
+
+bool ssl_setup_pake_shares(SSL_HANDSHAKE *hs) {
+  hs->pake_share_bytes.Reset();
+  if (hs->max_version < TLS1_3_VERSION) {
+    return true;
+  }
+
+  Array<SSL_CREDENTIAL *> creds;
+  if (!ssl_get_credential_list(hs, &creds)) {
+    return false;
+  }
+
+  if (std::none_of(creds.begin(), creds.end(), [](SSL_CREDENTIAL *cred) {
+        return cred->type == SSLCredentialType::kSPAKE2PlusV1Client;
+      })) {
+    // If there were no configured PAKE credentials, proceed without filling
+    // in the PAKE extension.
+    return true;
+  }
+
+  // We currently do not support multiple PAKE credentials, or a mix of PAKE and
+  // non-PAKE credentials.
+  if (creds.size() != 1u) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_CREDENTIAL_LIST);
+    return false;
+  }
+  SSL_CREDENTIAL *cred = creds[0];
+  assert(cred->type == SSLCredentialType::kSPAKE2PlusV1Client);
+
+  hs->pake_prover = MakeUnique<spake2plus::Prover>();
+  uint8_t prover_share[spake2plus::kShareSize];
+  if (hs->pake_prover == nullptr ||
+      !hs->pake_prover->Init(cred->pake_context, cred->client_identity,
+                             cred->server_identity, cred->password_verifier_w0,
+                             cred->password_verifier_w1) ||
+      !hs->pake_prover->GenerateShare(prover_share)) {
+    return false;
+  }
+
+  hs->credential = UpRef(cred);
+
+  bssl::ScopedCBB cbb;
+  CBB shares, client_identity, server_identity, pake_message;
+  if (!CBB_init(cbb.get(), 64) ||
+      !CBB_add_u16_length_prefixed(cbb.get(), &client_identity) ||
+      !CBB_add_bytes(&client_identity, cred->client_identity.data(),
+                     cred->client_identity.size()) ||
+      !CBB_add_u16_length_prefixed(cbb.get(), &server_identity) ||
+      !CBB_add_bytes(&server_identity, cred->server_identity.data(),
+                     cred->server_identity.size()) ||
+      !CBB_add_u16_length_prefixed(cbb.get(), &shares) ||
+      !CBB_add_u16(&shares, SSL_PAKE_SPAKE2PLUSV1) ||
+      !CBB_add_u16_length_prefixed(&shares, &pake_message) ||
+      !CBB_add_bytes(&pake_message, prover_share, sizeof(prover_share))) {
+    return false;
+  }
+
+  return CBBFinishArray(cbb.get(), &hs->pake_share_bytes);
+}
+
+static bool ext_pake_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,
+                                     CBB *out_compressible,
+                                     ssl_client_hello_type_t type) {
+  if (hs->pake_share_bytes.empty()) {
+    return true;
+  }
+
+  CBB pake_share_bytes;
+  if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_pake) ||
+      !CBB_add_u16_length_prefixed(out_compressible, &pake_share_bytes) ||
+      !CBB_add_bytes(&pake_share_bytes, hs->pake_share_bytes.data(),
+                     hs->pake_share_bytes.size()) ||
+      !CBB_flush(out_compressible)) {
+    return false;
+  }
+
+  return true;
+}
+
+bool ssl_ext_pake_parse_serverhello(SSL_HANDSHAKE *hs,
+                                    Array<uint8_t> *out_secret,
+                                    uint8_t *out_alert, CBS *contents) {
+  *out_alert = SSL_AD_DECODE_ERROR;
+
+  if (!hs->pake_prover) {
+    // If we did not offer a PAKE, the extension should have been rejected as
+    // unsolicited.
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    *out_alert = SSL_AD_INTERNAL_ERROR;
+    return false;
+  }
+
+  CBS pake_msg;
+  uint16_t named_pake;
+  if (!CBS_get_u16(contents, &named_pake) ||
+      !CBS_get_u16_length_prefixed(contents, &pake_msg) ||
+      CBS_len(contents) != 0 ||  //
+      named_pake != SSL_PAKE_SPAKE2PLUSV1) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+    return false;
+  }
+
+  // Check that the server's PAKE share consists of the right number of
+  // bytes for a PAKE share and a key confirmation message.
+  if (CBS_len(&pake_msg) != spake2plus::kShareSize + spake2plus::kConfirmSize) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
+    return false;
+  }
+  Span<const uint8_t> pake_msg_span = pake_msg;
+
+  // Releasing the result of |ComputeConfirmation| lets the client confirm one
+  // PAKE guess. If all failures are used up, no more guesses are allowed.
+  if (!hs->credential->HasPAKEAttempts()) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_PAKE_EXHAUSTED);
+    *out_alert = SSL_AD_INTERNAL_ERROR;
+    return false;
+  }
+
+  uint8_t prover_confirm[spake2plus::kConfirmSize];
+  uint8_t prover_secret[spake2plus::kSecretSize];
+  if (!hs->pake_prover->ComputeConfirmation(
+          prover_confirm, prover_secret,
+          pake_msg_span.subspan(0, spake2plus::kShareSize),
+          pake_msg_span.subspan(spake2plus::kShareSize))) {
+    // Record a failure before releasing the answer to the client.
+    hs->credential->ClaimPAKEAttempt();
+    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+    *out_alert = SSL_AD_ILLEGAL_PARAMETER;
+    return false;
+  }
+
+  Array<uint8_t> secret;
+  if (!secret.CopyFrom(prover_secret)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    *out_alert = SSL_AD_INTERNAL_ERROR;
+    return false;
+  }
+
+  *out_secret = std::move(secret);
+  return true;
+}
+
+static bool ext_pake_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
+                                       CBS *contents) {
+  if (contents == nullptr) {
+    return true;
+  }
+
+  // struct {
+  //     opaque    client_identity<0..2^16-1>;
+  //     opaque    server_identity<0..2^16-1>;
+  //     PAKEShare client_shares<0..2^16-1>;
+  // } PAKEClientHello;
+  //
+  // struct {
+  //     NamedPAKE   named_pake;
+  //     opaque      pake_message<1..2^16-1>;
+  // } PAKEShare;
+
+  *out_alert = SSL_AD_DECODE_ERROR;
+  CBS client_identity, server_identity, shares;
+  if (!CBS_get_u16_length_prefixed(contents, &client_identity) ||
+      !CBS_get_u16_length_prefixed(contents, &server_identity) ||
+      !CBS_get_u16_length_prefixed(contents, &shares) ||
+      CBS_len(contents) != 0) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+    return false;
+  }
+
+  uint16_t last_named_pake = 0;
+  for (size_t i = 0; CBS_len(&shares) > 0; i++) {
+    uint16_t pake_id;
+    CBS message;
+    if (!CBS_get_u16(&shares, &pake_id) ||
+        !CBS_get_u16_length_prefixed(&shares, &message)) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+      return false;
+    }
+
+    // PAKEs must be sent in strictly monotonic order.
+    if (i > 0 && last_named_pake >= pake_id) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+      return false;
+    }
+    last_named_pake = pake_id;
+
+    // We only support one PAKE.
+    if (pake_id != SSL_PAKE_SPAKE2PLUSV1) {
+      continue;
+    }
+
+    // Save the PAKE share for the handshake logic to pick up later.
+    // TODO(crbug.com/391393404): It would be nice if the callback did not have
+    // to copy this.
+    hs->pake_share = MakeUnique<SSLPAKEShare>();
+    if (hs->pake_share == nullptr ||
+        !hs->pake_share->client_identity.CopyFrom(client_identity) ||
+        !hs->pake_share->server_identity.CopyFrom(server_identity) ||
+        !hs->pake_share->pake_message.CopyFrom(message)) {
+      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+      return false;
+    }
+    hs->pake_share->named_pake = pake_id;
+  }
+
+  return true;
+}
+
+
 // Application-level Protocol Settings
 //
 // https://tools.ietf.org/html/draft-vvv-tls-alps-01
@@ -3118,7 +3279,7 @@ bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert,
         *out_alert = SSL_AD_DECODE_ERROR;
         return false;
       }
-      if (protocol_name == MakeConstSpan(ssl->s3->alpn_selected)) {
+      if (protocol_name == Span(ssl->s3->alpn_selected)) {
         found = true;
       }
     }
@@ -3324,6 +3485,15 @@ static const struct tls_extension kExtensions[] = {
         ext_certificate_authorities_parse_clienthello,
         dont_add_serverhello,
     },
+    {
+        TLSEXT_TYPE_pake,
+        ext_pake_add_clienthello,
+        // This extension is unencrypted and so adding and parsing it from the
+        // ServerHello is handled elsewhere.
+        forbid_parse_serverhello,
+        ext_pake_parse_clienthello,
+        dont_add_serverhello,
+    },
 };
 
 #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
@@ -3770,7 +3940,7 @@ static bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *cbs,
     if (!(hs->extensions.sent & (1u << ext_index))) {
       // If the extension was never sent then it is illegal.
       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
-      ERR_add_error_dataf("extension :%u", (unsigned)type);
+      ERR_add_error_dataf("extension %u", (unsigned)type);
       *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
       return false;
     }
@@ -4175,9 +4345,8 @@ bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs,
     }
   }
 
-  Span<const uint16_t> sigalgs = cred->sigalgs.empty()
-                                     ? MakeConstSpan(kSignSignatureAlgorithms)
-                                     : cred->sigalgs;
+  Span<const uint16_t> sigalgs =
+      cred->sigalgs.empty() ? Span(kSignSignatureAlgorithms) : cred->sigalgs;
   for (uint16_t sigalg : sigalgs) {
     if (!ssl_pkey_supports_algorithm(ssl, cred->pubkey.get(), sigalg,
                                      /*is_verify=*/false)) {
@@ -4384,6 +4553,19 @@ BSSL_NAMESPACE_END
 
 using namespace bssl;
 
+int SSL_parse_client_hello(const SSL *ssl, SSL_CLIENT_HELLO *out,
+                           const uint8_t *in, size_t len) {
+  CBS cbs = Span(in, len);
+  if (!ssl_parse_client_hello_with_trailing_data(ssl, &cbs, out)) {
+    return 0;
+  }
+  if (CBS_len(&cbs) != 0) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
+    return 0;
+  }
+  return 1;
+}
+
 int SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,
                                          uint16_t extension_type,
                                          const uint8_t **out_data,

data/third_party/boringssl-with-bazel/src/ssl/handoff.cc

@@ -1,16 +1,16 @@
-/* Copyright 2018 The BoringSSL Authors
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+// Copyright 2018 The BoringSSL Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 
 #include <openssl/ssl.h>
 
@@ -96,7 +96,8 @@ bool SSL_serialize_handoff(const SSL *ssl, CBB *out,
                                  s3->hs_buf->length) ||
       !serialize_features(&seq) || !CBB_flush(out) ||
       !ssl->method->get_message(ssl, &msg) ||
-      !ssl_client_hello_init(ssl, out_hello, msg.body)) {
+      !SSL_parse_client_hello(ssl, out_hello, CBS_data(&msg.body),
+                              CBS_len(&msg.body))) {
     return false;
   }
 
@@ -668,8 +669,10 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
   }
   s3->session_reused = session_reused;
   hs->channel_id_negotiated = channel_id_negotiated;
-  s3->next_proto_negotiated.CopyFrom(next_proto);
-  s3->alpn_selected.CopyFrom(alpn);
+  if (!s3->next_proto_negotiated.CopyFrom(next_proto) ||
+      !s3->alpn_selected.CopyFrom(alpn)) {
+    return false;
+  }
 
   const size_t hostname_len = CBS_len(&hostname);
   if (hostname_len == 0) {