Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full ranomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing

1 files changed, 6 insertions, 1 deletions

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index de4ef3fb5e..68e60a5481 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.308 2022/11/26 16:08:55 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.309 2023/04/23 18:51:53 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -302,6 +302,9 @@ SSL_new(SSL_CTX *ctx)
         CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
         s->initial_ctx = ctx;
 
+        if (!tlsext_randomize_build_order(s))
+                goto err;
+
         if (ctx->tlsext_ecpointformatlist != NULL) {
                 s->tlsext_ecpointformatlist =
                     calloc(ctx->tlsext_ecpointformatlist_length,
@@ -550,6 +553,8 @@ SSL_free(SSL *s)
 
         ssl_cert_free(s->cert);
 
+        free(s->tlsext_build_order);
+
         free(s->tlsext_hostname);
         SSL_CTX_free(s->initial_ctx);