1/* $OpenBSD: ssl_tlsext.c,v 1.151 2024/06/25 05:46:48 tb Exp $ */ 2/* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019, 2024 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20#include <sys/socket.h> 21 22#include <arpa/inet.h> 23#include <netinet/in.h> 24 25#include <ctype.h> 26 27#include <openssl/ocsp.h> 28#include <openssl/opensslconf.h> 29 30#include "bytestring.h" 31#include "ssl_local.h" 32#include "ssl_sigalgs.h" 33#include "ssl_tlsext.h" 34 35#define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation 36#define TLSEXT_MAX_SUPPORTED_GROUPS 64 37 38/* 39 * Supported Application-Layer Protocol Negotiation - RFC 7301 40 */ 41 42static int 43tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 44{ 45 /* ALPN protos have been specified and this is the initial handshake */ 46 return s->alpn_client_proto_list != NULL && 47 s->s3->hs.finished_len == 0; 48} 49 50static int 51tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 52{ 53 CBB protolist; 54 55 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 56 return 0; 57 58 if (!CBB_add_bytes(&protolist, s->alpn_client_proto_list, 59 s->alpn_client_proto_list_len)) 60 return 0; 61 62 if (!CBB_flush(cbb)) 63 return 0; 64 65 return 1; 66} 67 68int 69tlsext_alpn_check_format(CBS *cbs) 70{ 71 CBS proto_name_list; 72 73 if (CBS_len(cbs) == 0) 74 return 0; 75 76 CBS_dup(cbs, &proto_name_list); 77 while (CBS_len(&proto_name_list) > 0) { 78 CBS proto_name; 79 80 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 81 return 0; 82 if (CBS_len(&proto_name) == 0) 83 return 0; 84 } 85 86 return 1; 87} 88 89static int 90tlsext_alpn_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 91{ 92 CBS alpn, selected_cbs; 93 const unsigned char *selected; 94 unsigned char selected_len; 95 int r; 96 97 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 98 return 0; 99 if (!tlsext_alpn_check_format(&alpn)) 100 return 0; 101 102 if (s->ctx->alpn_select_cb == NULL) 103 return 1; 104 105 /* 106 * XXX - A few things should be considered here: 107 * 1. Ensure that the same protocol is selected on session resumption. 108 * 2. Should the callback be called even if no ALPN extension was sent? 109 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 110 */ 111 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 112 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); 113 114 if (r == SSL_TLSEXT_ERR_OK) { 115 CBS_init(&selected_cbs, selected, selected_len); 116 117 if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected, 118 &s->s3->alpn_selected_len)) { 119 *alert = SSL_AD_INTERNAL_ERROR; 120 return 0; 121 } 122 123 return 1; 124 } 125 126 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 127 if (r == SSL_TLSEXT_ERR_NOACK) 128 return 1; 129 130 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 131 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 132 133 return 0; 134} 135 136static int 137tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 138{ 139 return s->s3->alpn_selected != NULL; 140} 141 142static int 143tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 144{ 145 CBB list, selected; 146 147 if (!CBB_add_u16_length_prefixed(cbb, &list)) 148 return 0; 149 150 if (!CBB_add_u8_length_prefixed(&list, &selected)) 151 return 0; 152 153 if (!CBB_add_bytes(&selected, s->s3->alpn_selected, 154 s->s3->alpn_selected_len)) 155 return 0; 156 157 if (!CBB_flush(cbb)) 158 return 0; 159 160 return 1; 161} 162 163static int 164tlsext_alpn_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 165{ 166 CBS list, proto; 167 168 if (s->alpn_client_proto_list == NULL) { 169 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 170 return 0; 171 } 172 173 if (!CBS_get_u16_length_prefixed(cbs, &list)) 174 return 0; 175 176 if (!CBS_get_u8_length_prefixed(&list, &proto)) 177 return 0; 178 179 if (CBS_len(&list) != 0) 180 return 0; 181 if (CBS_len(&proto) == 0) 182 return 0; 183 184 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len)) 185 return 0; 186 187 return 1; 188} 189 190/* 191 * Supported Groups - RFC 7919 section 2 192 */ 193static int 194tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 195{ 196 return ssl_has_ecc_ciphers(s) || 197 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 198} 199 200static int 201tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 202{ 203 const uint16_t *groups; 204 size_t groups_len; 205 CBB grouplist; 206 int i; 207 208 tls1_get_group_list(s, 0, &groups, &groups_len); 209 if (groups_len == 0) { 210 SSLerror(s, ERR_R_INTERNAL_ERROR); 211 return 0; 212 } 213 214 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 215 return 0; 216 217 for (i = 0; i < groups_len; i++) { 218 if (!ssl_security_supported_group(s, groups[i])) 219 continue; 220 if (!CBB_add_u16(&grouplist, groups[i])) 221 return 0; 222 } 223 224 if (!CBB_flush(cbb)) 225 return 0; 226 227 return 1; 228} 229 230static int 231tlsext_supportedgroups_server_process(SSL *s, uint16_t msg_type, CBS *cbs, 232 int *alert) 233{ 234 uint16_t *groups = NULL; 235 size_t groups_len; 236 CBS grouplist; 237 int i, j; 238 int ret = 0; 239 240 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 241 goto err; 242 243 groups_len = CBS_len(&grouplist); 244 if (groups_len == 0 || groups_len % 2 != 0) 245 goto err; 246 groups_len /= 2; 247 248 if (groups_len > TLSEXT_MAX_SUPPORTED_GROUPS) 249 goto err; 250 251 if (s->hit) 252 goto done; 253 254 if (s->s3->hs.tls13.hrr) { 255 if (s->session->tlsext_supportedgroups == NULL) { 256 *alert = SSL_AD_HANDSHAKE_FAILURE; 257 return 0; 258 } 259 260 /* 261 * The ClientHello extension hashing ensures that the client 262 * did not change its list of supported groups. 263 */ 264 265 goto done; 266 } 267 268 if (s->session->tlsext_supportedgroups != NULL) 269 goto err; /* XXX internal error? */ 270 271 if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) { 272 *alert = SSL_AD_INTERNAL_ERROR; 273 goto err; 274 } 275 276 for (i = 0; i < groups_len; i++) { 277 if (!CBS_get_u16(&grouplist, &groups[i])) 278 goto err; 279 /* 280 * Do not allow duplicate groups to be sent. This is not 281 * currently specified in RFC 8446 or earlier, but there is no 282 * legitimate justification for this to occur in TLS 1.2 or TLS 283 * 1.3. 284 */ 285 for (j = 0; j < i; j++) { 286 if (groups[i] == groups[j]) { 287 *alert = SSL_AD_ILLEGAL_PARAMETER; 288 goto err; 289 } 290 } 291 } 292 293 if (CBS_len(&grouplist) != 0) 294 goto err; 295 296 s->session->tlsext_supportedgroups = groups; 297 s->session->tlsext_supportedgroups_length = groups_len; 298 groups = NULL; 299 300 301 done: 302 ret = 1; 303 304 err: 305 free(groups); 306 307 return ret; 308} 309 310/* This extension is never used by the server. */ 311static int 312tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 313{ 314 return 0; 315} 316 317static int 318tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 319{ 320 return 0; 321} 322 323static int 324tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs, 325 int *alert) 326{ 327 /* 328 * This extension is only allowed in TLSv1.3 encrypted extensions. 329 * It is not permitted in a ServerHello in any version of TLS. 330 */ 331 if (msg_type != SSL_TLSEXT_MSG_EE) 332 return 0; 333 334 /* 335 * RFC 8446, section 4.2.7: TLSv1.3 servers can send this extension but 336 * clients must not act on it during the handshake. This allows servers 337 * to advertise their preferences for subsequent handshakes. We ignore 338 * this complication. 339 */ 340 if (!CBS_skip(cbs, CBS_len(cbs))) { 341 *alert = SSL_AD_INTERNAL_ERROR; 342 return 0; 343 } 344 345 return 1; 346} 347 348/* 349 * Supported Point Formats Extension - RFC 4492 section 5.1.2 350 */ 351static int 352tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 353{ 354 CBB ecpf; 355 size_t formats_len; 356 const uint8_t *formats; 357 358 tls1_get_formatlist(s, 0, &formats, &formats_len); 359 360 if (formats_len == 0) { 361 SSLerror(s, ERR_R_INTERNAL_ERROR); 362 return 0; 363 } 364 365 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 366 return 0; 367 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 368 return 0; 369 if (!CBB_flush(cbb)) 370 return 0; 371 372 return 1; 373} 374 375static int 376tlsext_ecpf_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 377{ 378 CBS ecpf; 379 380 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 381 return 0; 382 if (CBS_len(&ecpf) == 0) 383 return 0; 384 385 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 386 if (!CBS_contains_zero_byte(&ecpf)) { 387 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 388 *alert = SSL_AD_ILLEGAL_PARAMETER; 389 return 0; 390 } 391 392 if (!s->hit) { 393 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), 394 &(s->session->tlsext_ecpointformatlist_length))) { 395 *alert = SSL_AD_INTERNAL_ERROR; 396 return 0; 397 } 398 } 399 400 return 1; 401} 402 403static int 404tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 405{ 406 return ssl_has_ecc_ciphers(s); 407} 408 409static int 410tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 411{ 412 return tlsext_ecpf_build(s, msg_type, cbb); 413} 414 415static int 416tlsext_ecpf_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 417{ 418 return tlsext_ecpf_process(s, msg_type, cbs, alert); 419} 420 421static int 422tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 423{ 424 return ssl_using_ecc_cipher(s); 425} 426 427static int 428tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 429{ 430 return tlsext_ecpf_build(s, msg_type, cbb); 431} 432 433static int 434tlsext_ecpf_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 435{ 436 return tlsext_ecpf_process(s, msg_type, cbs, alert); 437} 438 439/* 440 * Renegotiation Indication - RFC 5746. 441 */ 442static int 443tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 444{ 445 return (s->renegotiate); 446} 447 448static int 449tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 450{ 451 CBB reneg; 452 453 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 454 return 0; 455 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 456 s->s3->previous_client_finished_len)) 457 return 0; 458 if (!CBB_flush(cbb)) 459 return 0; 460 461 return 1; 462} 463 464static int 465tlsext_ri_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 466{ 467 CBS reneg; 468 469 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 470 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 471 return 0; 472 } 473 474 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, 475 s->s3->previous_client_finished_len)) { 476 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 477 *alert = SSL_AD_HANDSHAKE_FAILURE; 478 return 0; 479 } 480 481 s->s3->renegotiate_seen = 1; 482 s->s3->send_connection_binding = 1; 483 484 return 1; 485} 486 487static int 488tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 489{ 490 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && 491 s->s3->send_connection_binding); 492} 493 494static int 495tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 496{ 497 CBB reneg; 498 499 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 500 return 0; 501 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 502 s->s3->previous_client_finished_len)) 503 return 0; 504 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished, 505 s->s3->previous_server_finished_len)) 506 return 0; 507 if (!CBB_flush(cbb)) 508 return 0; 509 510 return 1; 511} 512 513static int 514tlsext_ri_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 515{ 516 CBS reneg, prev_client, prev_server; 517 518 /* 519 * Ensure that the previous client and server values are both not 520 * present, or that they are both present. 521 */ 522 if ((s->s3->previous_client_finished_len == 0 && 523 s->s3->previous_server_finished_len != 0) || 524 (s->s3->previous_client_finished_len != 0 && 525 s->s3->previous_server_finished_len == 0)) { 526 *alert = SSL_AD_INTERNAL_ERROR; 527 return 0; 528 } 529 530 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 531 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 532 return 0; 533 } 534 if (!CBS_get_bytes(&reneg, &prev_client, 535 s->s3->previous_client_finished_len)) { 536 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 537 return 0; 538 } 539 if (!CBS_get_bytes(&reneg, &prev_server, 540 s->s3->previous_server_finished_len)) { 541 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 542 return 0; 543 } 544 if (CBS_len(&reneg) != 0) { 545 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 546 return 0; 547 } 548 549 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, 550 s->s3->previous_client_finished_len)) { 551 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 552 *alert = SSL_AD_HANDSHAKE_FAILURE; 553 return 0; 554 } 555 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished, 556 s->s3->previous_server_finished_len)) { 557 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 558 *alert = SSL_AD_HANDSHAKE_FAILURE; 559 return 0; 560 } 561 562 s->s3->renegotiate_seen = 1; 563 s->s3->send_connection_binding = 1; 564 565 return 1; 566} 567 568/* 569 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 570 */ 571static int 572tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 573{ 574 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION); 575} 576 577static int 578tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 579{ 580 uint16_t tls_version = s->s3->hs.negotiated_tls_version; 581 CBB sigalgs; 582 583 if (msg_type == SSL_TLSEXT_MSG_CH) 584 tls_version = s->s3->hs.our_min_tls_version; 585 586 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 587 return 0; 588 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) 589 return 0; 590 if (!CBB_flush(cbb)) 591 return 0; 592 593 return 1; 594} 595 596static int 597tlsext_sigalgs_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 598{ 599 CBS sigalgs; 600 601 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 602 return 0; 603 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 604 return 0; 605 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 606 return 0; 607 608 return 1; 609} 610 611static int 612tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 613{ 614 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 615} 616 617static int 618tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 619{ 620 CBB sigalgs; 621 622 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 623 return 0; 624 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, 625 SSL_get_security_level(s))) 626 return 0; 627 if (!CBB_flush(cbb)) 628 return 0; 629 630 return 1; 631} 632 633static int 634tlsext_sigalgs_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 635{ 636 CBS sigalgs; 637 638 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 639 return 0; 640 641 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 642 return 0; 643 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 644 return 0; 645 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 646 return 0; 647 648 return 1; 649} 650 651/* 652 * Server Name Indication - RFC 6066, section 3. 653 */ 654static int 655tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 656{ 657 return (s->tlsext_hostname != NULL); 658} 659 660static int 661tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 662{ 663 CBB server_name_list, host_name; 664 665 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 666 return 0; 667 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 668 return 0; 669 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 670 return 0; 671 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 672 strlen(s->tlsext_hostname))) 673 return 0; 674 if (!CBB_flush(cbb)) 675 return 0; 676 677 return 1; 678} 679 680static int 681tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip) 682{ 683 union { 684 struct in_addr ip4; 685 struct in6_addr ip6; 686 } addrbuf; 687 char *hostname = NULL; 688 689 *is_ip = 0; 690 691 if (!CBS_strdup(cbs, &hostname)) 692 return 0; 693 694 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 || 695 inet_pton(AF_INET6, hostname, &addrbuf) == 1) 696 *is_ip = 1; 697 698 free(hostname); 699 700 return 1; 701} 702 703/* 704 * Validate that the CBS contains only a hostname consisting of RFC 5890 705 * compliant A-labels (see RFC 6066 section 3). Not a complete check 706 * since we don't parse punycode to verify its validity but limits to 707 * correct structure and character set. 708 */ 709int 710tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) 711{ 712 uint8_t prev, c = 0; 713 int component = 0; 714 CBS hostname; 715 716 *is_ip = 0; 717 718 CBS_dup(cbs, &hostname); 719 720 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 721 return 0; 722 723 /* An IP literal is invalid as a host name (RFC 6066 section 3). */ 724 if (!tlsext_sni_is_ip_literal(&hostname, is_ip)) 725 return 0; 726 if (*is_ip) 727 return 0; 728 729 while (CBS_len(&hostname) > 0) { 730 prev = c; 731 if (!CBS_get_u8(&hostname, &c)) 732 return 0; 733 /* Everything has to be ASCII, with no NUL byte. */ 734 if (!isascii(c) || c == '\0') 735 return 0; 736 /* It must be alphanumeric, a '-', or a '.' */ 737 if (!isalnum(c) && c != '-' && c != '.') 738 return 0; 739 /* '-' and '.' must not start a component or be at the end. */ 740 if (component == 0 || CBS_len(&hostname) == 0) { 741 if (c == '-' || c == '.') 742 return 0; 743 } 744 if (c == '.') { 745 /* Components can not end with a dash. */ 746 if (prev == '-') 747 return 0; 748 /* Start new component */ 749 component = 0; 750 continue; 751 } 752 /* Components must be 63 chars or less. */ 753 if (++component > 63) 754 return 0; 755 } 756 757 return 1; 758} 759 760static int 761tlsext_sni_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 762{ 763 CBS server_name_list, host_name; 764 uint8_t name_type; 765 int is_ip; 766 767 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 768 goto err; 769 770 if (!CBS_get_u8(&server_name_list, &name_type)) 771 goto err; 772 773 /* 774 * RFC 6066 section 3, only one type (host_name) is specified. 775 * We do not tolerate unknown types, neither does BoringSSL. 776 * other implementations appear more tolerant. 777 */ 778 if (name_type != TLSEXT_NAMETYPE_host_name) { 779 *alert = SSL_AD_ILLEGAL_PARAMETER; 780 goto err; 781 } 782 783 /* 784 * RFC 6066 section 3 specifies a host name must be at least 1 byte 785 * so 0 length is a decode error. 786 */ 787 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 788 goto err; 789 if (CBS_len(&host_name) < 1) 790 goto err; 791 792 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) { 793 /* 794 * Various pieces of software have been known to set the SNI 795 * host name to an IP address, even though that violates the 796 * RFC. If this is the case, pretend the SNI extension does 797 * not exist. 798 */ 799 if (is_ip) 800 goto done; 801 802 *alert = SSL_AD_ILLEGAL_PARAMETER; 803 goto err; 804 } 805 806 if (s->hit || s->s3->hs.tls13.hrr) { 807 if (s->session->tlsext_hostname == NULL) { 808 *alert = SSL_AD_UNRECOGNIZED_NAME; 809 goto err; 810 } 811 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 812 strlen(s->session->tlsext_hostname))) { 813 *alert = SSL_AD_UNRECOGNIZED_NAME; 814 goto err; 815 } 816 } else { 817 if (s->session->tlsext_hostname != NULL) 818 goto err; 819 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 820 *alert = SSL_AD_INTERNAL_ERROR; 821 goto err; 822 } 823 } 824 825 done: 826 /* 827 * RFC 6066 section 3 forbids multiple host names with the same type, 828 * therefore we allow only one entry. 829 */ 830 if (CBS_len(&server_name_list) != 0) { 831 *alert = SSL_AD_ILLEGAL_PARAMETER; 832 goto err; 833 } 834 835 return 1; 836 837 err: 838 return 0; 839} 840 841static int 842tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 843{ 844 if (s->hit) 845 return 0; 846 847 return (s->session->tlsext_hostname != NULL); 848} 849 850static int 851tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 852{ 853 return 1; 854} 855 856static int 857tlsext_sni_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 858{ 859 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 860 *alert = SSL_AD_UNRECOGNIZED_NAME; 861 return 0; 862 } 863 864 if (s->hit) { 865 if (s->session->tlsext_hostname == NULL) { 866 *alert = SSL_AD_UNRECOGNIZED_NAME; 867 return 0; 868 } 869 if (strcmp(s->tlsext_hostname, 870 s->session->tlsext_hostname) != 0) { 871 *alert = SSL_AD_UNRECOGNIZED_NAME; 872 return 0; 873 } 874 } else { 875 if (s->session->tlsext_hostname != NULL) 876 return 0; 877 if ((s->session->tlsext_hostname = 878 strdup(s->tlsext_hostname)) == NULL) { 879 *alert = SSL_AD_INTERNAL_ERROR; 880 return 0; 881 } 882 } 883 884 return 1; 885} 886 887/* 888 * Certificate Status Request - RFC 6066 section 8. 889 */ 890 891static int 892tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 893{ 894 if (msg_type != SSL_TLSEXT_MSG_CH) 895 return 0; 896 897 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 898} 899 900static int 901tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 902{ 903 CBB respid_list, respid, exts; 904 unsigned char *ext_data; 905 size_t ext_len; 906 int i; 907 908 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 909 return 0; 910 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 911 return 0; 912 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 913 unsigned char *respid_data; 914 OCSP_RESPID *id; 915 size_t id_len; 916 917 if ((id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, 918 i)) == NULL) 919 return 0; 920 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 921 return 0; 922 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 923 return 0; 924 if (!CBB_add_space(&respid, &respid_data, id_len)) 925 return 0; 926 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 927 return 0; 928 } 929 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 930 return 0; 931 if ((ext_len = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, 932 NULL)) == -1) 933 return 0; 934 if (!CBB_add_space(&exts, &ext_data, ext_len)) 935 return 0; 936 if ((i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ext_data) != 937 ext_len)) 938 return 0; 939 if (!CBB_flush(cbb)) 940 return 0; 941 return 1; 942} 943 944static int 945tlsext_ocsp_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 946{ 947 int alert_desc = SSL_AD_DECODE_ERROR; 948 CBS respid_list, respid, exts; 949 const unsigned char *p; 950 uint8_t status_type; 951 int ret = 0; 952 953 if (msg_type != SSL_TLSEXT_MSG_CH) 954 goto err; 955 956 if (!CBS_get_u8(cbs, &status_type)) 957 goto err; 958 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 959 /* ignore unknown status types */ 960 s->tlsext_status_type = -1; 961 962 if (!CBS_skip(cbs, CBS_len(cbs))) { 963 *alert = SSL_AD_INTERNAL_ERROR; 964 return 0; 965 } 966 return 1; 967 } 968 s->tlsext_status_type = status_type; 969 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 970 goto err; 971 972 /* XXX */ 973 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); 974 s->tlsext_ocsp_ids = NULL; 975 if (CBS_len(&respid_list) > 0) { 976 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 977 if (s->tlsext_ocsp_ids == NULL) { 978 alert_desc = SSL_AD_INTERNAL_ERROR; 979 goto err; 980 } 981 } 982 983 while (CBS_len(&respid_list) > 0) { 984 OCSP_RESPID *id; 985 986 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 987 goto err; 988 p = CBS_data(&respid); 989 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 990 goto err; 991 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { 992 alert_desc = SSL_AD_INTERNAL_ERROR; 993 OCSP_RESPID_free(id); 994 goto err; 995 } 996 } 997 998 /* Read in request_extensions */ 999 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 1000 goto err; 1001 if (CBS_len(&exts) > 0) { 1002 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1003 X509_EXTENSION_free); 1004 p = CBS_data(&exts); 1005 if ((s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 1006 &p, CBS_len(&exts))) == NULL) 1007 goto err; 1008 } 1009 1010 ret = 1; 1011 err: 1012 if (ret == 0) 1013 *alert = alert_desc; 1014 return ret; 1015} 1016 1017static int 1018tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 1019{ 1020 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1021 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 1022 s->ctx->tlsext_status_cb != NULL) { 1023 s->tlsext_status_expected = 0; 1024 if (s->ctx->tlsext_status_cb(s, 1025 s->ctx->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 1026 s->tlsext_ocsp_resp_len > 0) 1027 s->tlsext_status_expected = 1; 1028 } 1029 return s->tlsext_status_expected; 1030} 1031 1032static int 1033tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1034{ 1035 CBB ocsp_response; 1036 1037 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1038 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1039 return 0; 1040 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1041 return 0; 1042 if (!CBB_add_bytes(&ocsp_response, 1043 s->tlsext_ocsp_resp, 1044 s->tlsext_ocsp_resp_len)) 1045 return 0; 1046 if (!CBB_flush(cbb)) 1047 return 0; 1048 } 1049 return 1; 1050} 1051 1052static int 1053tlsext_ocsp_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1054{ 1055 uint8_t status_type; 1056 CBS response; 1057 1058 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1059 if (msg_type == SSL_TLSEXT_MSG_CR) { 1060 /* 1061 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1062 * response with an empty status_request. 1063 */ 1064 if (CBS_len(cbs) == 0) 1065 return 1; 1066 1067 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1068 return 0; 1069 } 1070 if (!CBS_get_u8(cbs, &status_type)) { 1071 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1072 return 0; 1073 } 1074 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1075 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1076 return 0; 1077 } 1078 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1079 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1080 return 0; 1081 } 1082 if (CBS_len(&response) > 65536) { 1083 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1084 return 0; 1085 } 1086 if (!CBS_stow(&response, &s->tlsext_ocsp_resp, 1087 &s->tlsext_ocsp_resp_len)) { 1088 *alert = SSL_AD_INTERNAL_ERROR; 1089 return 0; 1090 } 1091 } else { 1092 if (s->tlsext_status_type == -1) { 1093 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1094 return 0; 1095 } 1096 /* Set flag to expect CertificateStatus message */ 1097 s->tlsext_status_expected = 1; 1098 } 1099 return 1; 1100} 1101 1102/* 1103 * SessionTicket extension - RFC 5077 section 3.2 1104 */ 1105static int 1106tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1107{ 1108 /* 1109 * Send session ticket extension when enabled and not overridden. 1110 * 1111 * When renegotiating, send an empty session ticket to indicate support. 1112 */ 1113 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1114 return 0; 1115 1116 if (!ssl_security_tickets(s)) 1117 return 0; 1118 1119 if (s->new_session) 1120 return 1; 1121 1122 if (s->tlsext_session_ticket != NULL && 1123 s->tlsext_session_ticket->data == NULL) 1124 return 0; 1125 1126 return 1; 1127} 1128 1129static int 1130tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1131{ 1132 /* 1133 * Signal that we support session tickets by sending an empty 1134 * extension when renegotiating or no session found. 1135 */ 1136 if (s->new_session || s->session == NULL) 1137 return 1; 1138 1139 if (s->session->tlsext_tick != NULL) { 1140 /* Attempt to resume with an existing session ticket */ 1141 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1142 s->session->tlsext_ticklen)) 1143 return 0; 1144 1145 } else if (s->tlsext_session_ticket != NULL) { 1146 /* 1147 * Attempt to resume with a custom provided session ticket set 1148 * by SSL_set_session_ticket_ext(). 1149 */ 1150 if (s->tlsext_session_ticket->length > 0) { 1151 size_t ticklen = s->tlsext_session_ticket->length; 1152 1153 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1154 return 0; 1155 memcpy(s->session->tlsext_tick, 1156 s->tlsext_session_ticket->data, 1157 ticklen); 1158 s->session->tlsext_ticklen = ticklen; 1159 1160 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1161 s->session->tlsext_ticklen)) 1162 return 0; 1163 } 1164 } 1165 1166 if (!CBB_flush(cbb)) 1167 return 0; 1168 1169 return 1; 1170} 1171 1172static int 1173tlsext_sessionticket_server_process(SSL *s, uint16_t msg_type, CBS *cbs, 1174 int *alert) 1175{ 1176 if (s->tls_session_ticket_ext_cb) { 1177 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1178 (int)CBS_len(cbs), 1179 s->tls_session_ticket_ext_cb_arg)) { 1180 *alert = SSL_AD_INTERNAL_ERROR; 1181 return 0; 1182 } 1183 } 1184 1185 /* We need to signal that this was processed fully */ 1186 if (!CBS_skip(cbs, CBS_len(cbs))) { 1187 *alert = SSL_AD_INTERNAL_ERROR; 1188 return 0; 1189 } 1190 1191 return 1; 1192} 1193 1194static int 1195tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1196{ 1197 return (s->tlsext_ticket_expected && 1198 !(SSL_get_options(s) & SSL_OP_NO_TICKET) && 1199 ssl_security_tickets(s)); 1200} 1201 1202static int 1203tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1204{ 1205 /* Empty ticket */ 1206 return 1; 1207} 1208 1209static int 1210tlsext_sessionticket_client_process(SSL *s, uint16_t msg_type, CBS *cbs, 1211 int *alert) 1212{ 1213 if (s->tls_session_ticket_ext_cb) { 1214 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1215 (int)CBS_len(cbs), 1216 s->tls_session_ticket_ext_cb_arg)) { 1217 *alert = SSL_AD_INTERNAL_ERROR; 1218 return 0; 1219 } 1220 } 1221 1222 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1223 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1224 return 0; 1225 } 1226 1227 s->tlsext_ticket_expected = 1; 1228 1229 return 1; 1230} 1231 1232/* 1233 * DTLS extension for SRTP key establishment - RFC 5764 1234 */ 1235 1236#ifndef OPENSSL_NO_SRTP 1237 1238static int 1239tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1240{ 1241 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1242} 1243 1244static int 1245tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1246{ 1247 CBB profiles, mki; 1248 int ct, i; 1249 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1250 const SRTP_PROTECTION_PROFILE *prof; 1251 1252 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1253 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1254 return 0; 1255 } 1256 1257 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1258 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1259 return 0; 1260 } 1261 1262 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1263 return 0; 1264 1265 for (i = 0; i < ct; i++) { 1266 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1267 return 0; 1268 if (!CBB_add_u16(&profiles, prof->id)) 1269 return 0; 1270 } 1271 1272 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1273 return 0; 1274 1275 if (!CBB_flush(cbb)) 1276 return 0; 1277 1278 return 1; 1279} 1280 1281static int 1282tlsext_srtp_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1283{ 1284 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1285 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1286 int i, j; 1287 int ret; 1288 uint16_t id; 1289 CBS profiles, mki; 1290 1291 ret = 0; 1292 1293 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1294 goto err; 1295 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1296 goto err; 1297 1298 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1299 goto err; 1300 1301 while (CBS_len(&profiles) > 0) { 1302 if (!CBS_get_u16(&profiles, &id)) 1303 goto err; 1304 1305 if (!srtp_find_profile_by_num(id, &cprof)) { 1306 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1307 goto err; 1308 } 1309 } 1310 1311 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1312 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1313 goto done; 1314 } 1315 1316 /* 1317 * Per RFC 5764 section 4.1.1 1318 * 1319 * Find the server preferred profile using the client's list. 1320 * 1321 * The server MUST send a profile if it sends the use_srtp 1322 * extension. If one is not found, it should fall back to the 1323 * negotiated DTLS cipher suite or return a DTLS alert. 1324 */ 1325 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1326 goto err; 1327 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1328 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL) 1329 goto err; 1330 1331 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1332 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1333 == NULL) 1334 goto err; 1335 1336 if (cprof->id == sprof->id) { 1337 s->srtp_profile = sprof; 1338 ret = 1; 1339 goto done; 1340 } 1341 } 1342 } 1343 1344 /* If we didn't find anything, fall back to the negotiated */ 1345 ret = 1; 1346 goto done; 1347 1348 err: 1349 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1350 1351 done: 1352 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1353 return ret; 1354} 1355 1356static int 1357tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1358{ 1359 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1360} 1361 1362static int 1363tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1364{ 1365 SRTP_PROTECTION_PROFILE *profile; 1366 CBB srtp, mki; 1367 1368 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1369 return 0; 1370 1371 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1372 return 0; 1373 1374 if (!CBB_add_u16(&srtp, profile->id)) 1375 return 0; 1376 1377 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1378 return 0; 1379 1380 if (!CBB_flush(cbb)) 1381 return 0; 1382 1383 return 1; 1384} 1385 1386static int 1387tlsext_srtp_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1388{ 1389 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1390 const SRTP_PROTECTION_PROFILE *prof; 1391 int i; 1392 uint16_t id; 1393 CBS profile_ids, mki; 1394 1395 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1396 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1397 return 0; 1398 } 1399 1400 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1401 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1402 return 0; 1403 } 1404 1405 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1406 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1407 *alert = SSL_AD_ILLEGAL_PARAMETER; 1408 return 0; 1409 } 1410 1411 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1412 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1413 return 0; 1414 } 1415 1416 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1417 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1418 == NULL) { 1419 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1420 return 0; 1421 } 1422 1423 if (prof->id == id) { 1424 s->srtp_profile = prof; 1425 return 1; 1426 } 1427 } 1428 1429 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1430 1431 return 0; 1432} 1433 1434#endif /* OPENSSL_NO_SRTP */ 1435 1436/* 1437 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1438 */ 1439static int 1440tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1441{ 1442 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1443} 1444 1445static int 1446tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1447{ 1448 CBB client_shares, key_exchange; 1449 1450 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1451 return 0; 1452 1453 if (!CBB_add_u16(&client_shares, 1454 tls_key_share_group(s->s3->hs.key_share))) 1455 return 0; 1456 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1457 return 0; 1458 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1459 return 0; 1460 1461 if (!CBB_flush(cbb)) 1462 return 0; 1463 1464 return 1; 1465} 1466 1467static int 1468tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1469{ 1470 const uint16_t *client_groups = NULL, *server_groups = NULL; 1471 size_t client_groups_len = 0, server_groups_len = 0; 1472 size_t i, j, client_groups_index; 1473 int preferred_group_found = 0; 1474 int decode_error; 1475 uint16_t client_preferred_group = 0; 1476 uint16_t group; 1477 CBS client_shares, key_exchange; 1478 1479 /* 1480 * RFC 8446 section 4.2.8: 1481 * 1482 * Each KeyShareEntry value MUST correspond to a group offered in the 1483 * "supported_groups" extension and MUST appear in the same order. 1484 * However, the values MAY be a non-contiguous subset of the 1485 * "supported_groups". 1486 */ 1487 1488 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) { 1489 *alert = SSL_AD_ILLEGAL_PARAMETER; 1490 return 0; 1491 } 1492 if (!tlsext_extension_processed(s, TLSEXT_TYPE_supported_groups)) { 1493 *alert = SSL_AD_INTERNAL_ERROR; 1494 return 0; 1495 } 1496 1497 if (s->s3->hs.tls13.hrr) { 1498 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1499 return 0; 1500 1501 /* Unpack client share. */ 1502 if (!CBS_get_u16(&client_shares, &group)) 1503 return 0; 1504 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1505 return 0; 1506 1507 /* There should only be one share. */ 1508 if (CBS_len(&client_shares) != 0) 1509 return 0; 1510 1511 if (group != s->s3->hs.tls13.server_group) { 1512 *alert = SSL_AD_ILLEGAL_PARAMETER; 1513 return 0; 1514 } 1515 1516 if (s->s3->hs.key_share != NULL) { 1517 *alert = SSL_AD_INTERNAL_ERROR; 1518 return 0; 1519 } 1520 1521 /* Decode and store the selected key share. */ 1522 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1523 *alert = SSL_AD_INTERNAL_ERROR; 1524 return 0; 1525 } 1526 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1527 &key_exchange, &decode_error, NULL)) { 1528 if (!decode_error) 1529 *alert = SSL_AD_INTERNAL_ERROR; 1530 return 0; 1531 } 1532 1533 return 1; 1534 } 1535 1536 /* 1537 * XXX similar to tls1_get_supported_group, but client pref 1538 * only - consider deduping later. 1539 */ 1540 /* 1541 * We are now assured of at least one client group. 1542 * Get the client and server group preference orders. 1543 */ 1544 tls1_get_group_list(s, 0, &server_groups, &server_groups_len); 1545 tls1_get_group_list(s, 1, &client_groups, &client_groups_len); 1546 1547 /* 1548 * Find the group that is most preferred by the client that 1549 * we also support. 1550 */ 1551 for (i = 0; i < client_groups_len && !preferred_group_found; i++) { 1552 if (!ssl_security_supported_group(s, client_groups[i])) 1553 continue; 1554 for (j = 0; j < server_groups_len; j++) { 1555 if (server_groups[j] == client_groups[i]) { 1556 client_preferred_group = client_groups[i]; 1557 preferred_group_found = 1; 1558 break; 1559 } 1560 } 1561 } 1562 1563 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1564 return 0; 1565 1566 client_groups_index = 0; 1567 while (CBS_len(&client_shares) > 0) { 1568 int client_sent_group; 1569 1570 /* Unpack client share. */ 1571 if (!CBS_get_u16(&client_shares, &group)) 1572 return 0; 1573 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1574 return 0; 1575 1576 /* 1577 * Ensure the client share group was sent in supported groups, 1578 * and was sent in the same order as supported groups. The 1579 * supported groups has already been checked for duplicates. 1580 */ 1581 client_sent_group = 0; 1582 while (client_groups_index < client_groups_len) { 1583 if (group == client_groups[client_groups_index++]) { 1584 client_sent_group = 1; 1585 break; 1586 } 1587 } 1588 if (!client_sent_group) { 1589 *alert = SSL_AD_ILLEGAL_PARAMETER; 1590 return 0; 1591 } 1592 1593 /* 1594 * Ignore this client share if we're using earlier than TLSv1.3 1595 * or we've already selected a key share. 1596 */ 1597 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) 1598 continue; 1599 if (s->s3->hs.key_share != NULL) 1600 continue; 1601 1602 /* 1603 * Ignore this client share if it is not for the most client 1604 * preferred supported group. This avoids a potential downgrade 1605 * situation where the client sends a client share for something 1606 * less preferred, and we choose to to use it instead of 1607 * requesting the more preferred group. 1608 */ 1609 if (!preferred_group_found || group != client_preferred_group) 1610 continue; 1611 1612 /* Decode and store the selected key share. */ 1613 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1614 *alert = SSL_AD_INTERNAL_ERROR; 1615 return 0; 1616 } 1617 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1618 &key_exchange, &decode_error, NULL)) { 1619 if (!decode_error) 1620 *alert = SSL_AD_INTERNAL_ERROR; 1621 return 0; 1622 } 1623 } 1624 1625 return 1; 1626} 1627 1628static int 1629tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1630{ 1631 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1632 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1633} 1634 1635static int 1636tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1637{ 1638 CBB key_exchange; 1639 1640 /* In the case of a HRR, we only send the server selected group. */ 1641 if (s->s3->hs.tls13.hrr) { 1642 if (s->s3->hs.tls13.server_group == 0) 1643 return 0; 1644 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group); 1645 } 1646 1647 if (s->s3->hs.key_share == NULL) 1648 return 0; 1649 1650 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share))) 1651 return 0; 1652 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1653 return 0; 1654 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1655 return 0; 1656 1657 if (!CBB_flush(cbb)) 1658 return 0; 1659 1660 return 1; 1661} 1662 1663static int 1664tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1665{ 1666 CBS key_exchange; 1667 int decode_error; 1668 uint16_t group; 1669 1670 /* Unpack server share. */ 1671 if (!CBS_get_u16(cbs, &group)) 1672 return 0; 1673 1674 if (CBS_len(cbs) == 0) { 1675 /* HRR does not include an actual key share, only the group. */ 1676 if (msg_type != SSL_TLSEXT_MSG_HRR) 1677 return 0; 1678 1679 s->s3->hs.tls13.server_group = group; 1680 return 1; 1681 } 1682 1683 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1684 return 0; 1685 1686 if (s->s3->hs.key_share == NULL) { 1687 *alert = SSL_AD_INTERNAL_ERROR; 1688 return 0; 1689 } 1690 if (tls_key_share_group(s->s3->hs.key_share) != group) { 1691 *alert = SSL_AD_INTERNAL_ERROR; 1692 return 0; 1693 } 1694 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1695 &key_exchange, &decode_error, NULL)) { 1696 if (!decode_error) 1697 *alert = SSL_AD_INTERNAL_ERROR; 1698 return 0; 1699 } 1700 1701 return 1; 1702} 1703 1704/* 1705 * Supported Versions - RFC 8446 section 4.2.1. 1706 */ 1707static int 1708tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1709{ 1710 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1711} 1712 1713static int 1714tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1715{ 1716 uint16_t max, min; 1717 uint16_t version; 1718 CBB versions; 1719 1720 max = s->s3->hs.our_max_tls_version; 1721 min = s->s3->hs.our_min_tls_version; 1722 1723 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1724 return 0; 1725 1726 /* XXX - fix, but contiguous for now... */ 1727 for (version = max; version >= min; version--) { 1728 if (!CBB_add_u16(&versions, version)) 1729 return 0; 1730 } 1731 1732 if (!CBB_flush(cbb)) 1733 return 0; 1734 1735 return 1; 1736} 1737 1738static int 1739tlsext_versions_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1740{ 1741 CBS versions; 1742 uint16_t version; 1743 uint16_t max, min; 1744 uint16_t matched_version = 0; 1745 1746 max = s->s3->hs.our_max_tls_version; 1747 min = s->s3->hs.our_min_tls_version; 1748 1749 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1750 return 0; 1751 1752 while (CBS_len(&versions) > 0) { 1753 if (!CBS_get_u16(&versions, &version)) 1754 return 0; 1755 /* 1756 * XXX What is below implements client preference, and 1757 * ignores any server preference entirely. 1758 */ 1759 if (matched_version == 0 && version >= min && version <= max) 1760 matched_version = version; 1761 } 1762 1763 if (matched_version > 0) { 1764 /* XXX - this should be stored for later processing. */ 1765 s->version = matched_version; 1766 return 1; 1767 } 1768 1769 *alert = SSL_AD_PROTOCOL_VERSION; 1770 return 0; 1771} 1772 1773static int 1774tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1775{ 1776 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 1777} 1778 1779static int 1780tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1781{ 1782 return CBB_add_u16(cbb, TLS1_3_VERSION); 1783} 1784 1785static int 1786tlsext_versions_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1787{ 1788 uint16_t selected_version; 1789 1790 if (!CBS_get_u16(cbs, &selected_version)) 1791 return 0; 1792 1793 /* XXX - need to fix for DTLS 1.3 */ 1794 if (selected_version < TLS1_3_VERSION) { 1795 *alert = SSL_AD_ILLEGAL_PARAMETER; 1796 return 0; 1797 } 1798 1799 /* XXX test between min and max once initialization code goes in */ 1800 s->s3->hs.tls13.server_version = selected_version; 1801 1802 return 1; 1803} 1804 1805 1806/* 1807 * Cookie - RFC 8446 section 4.2.2. 1808 */ 1809 1810static int 1811tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1812{ 1813 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1814 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1815} 1816 1817static int 1818tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1819{ 1820 CBB cookie; 1821 1822 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1823 return 0; 1824 1825 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1826 s->s3->hs.tls13.cookie_len)) 1827 return 0; 1828 1829 if (!CBB_flush(cbb)) 1830 return 0; 1831 1832 return 1; 1833} 1834 1835static int 1836tlsext_cookie_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1837{ 1838 CBS cookie; 1839 1840 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1841 return 0; 1842 1843 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len) 1844 return 0; 1845 1846 /* 1847 * Check provided cookie value against what server previously 1848 * sent - client *MUST* send the same cookie with new CR after 1849 * a cookie is sent by the server with an HRR. 1850 */ 1851 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie, 1852 s->s3->hs.tls13.cookie_len)) { 1853 /* XXX special cookie mismatch alert? */ 1854 *alert = SSL_AD_ILLEGAL_PARAMETER; 1855 return 0; 1856 } 1857 1858 return 1; 1859} 1860 1861static int 1862tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1863{ 1864 /* 1865 * Server needs to set cookie value in tls13 handshake 1866 * in order to send one, should only be sent with HRR. 1867 */ 1868 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1869 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1870} 1871 1872static int 1873tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1874{ 1875 CBB cookie; 1876 1877 /* XXX deduplicate with client code */ 1878 1879 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1880 return 0; 1881 1882 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1883 s->s3->hs.tls13.cookie_len)) 1884 return 0; 1885 1886 if (!CBB_flush(cbb)) 1887 return 0; 1888 1889 return 1; 1890} 1891 1892static int 1893tlsext_cookie_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1894{ 1895 CBS cookie; 1896 1897 /* 1898 * XXX This currently assumes we will not get a second 1899 * HRR from a server with a cookie to process after accepting 1900 * one from the server in the same handshake 1901 */ 1902 if (s->s3->hs.tls13.cookie != NULL || 1903 s->s3->hs.tls13.cookie_len != 0) { 1904 *alert = SSL_AD_ILLEGAL_PARAMETER; 1905 return 0; 1906 } 1907 1908 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1909 return 0; 1910 1911 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie, 1912 &s->s3->hs.tls13.cookie_len)) 1913 return 0; 1914 1915 return 1; 1916} 1917 1918/* 1919 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9. 1920 */ 1921 1922static int 1923tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type) 1924{ 1925 return (s->s3->hs.tls13.use_psk_dhe_ke && 1926 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1927} 1928 1929static int 1930tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1931{ 1932 CBB ke_modes; 1933 1934 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes)) 1935 return 0; 1936 1937 /* Only indicate support for PSK with DHE key establishment. */ 1938 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE)) 1939 return 0; 1940 1941 if (!CBB_flush(cbb)) 1942 return 0; 1943 1944 return 1; 1945} 1946 1947static int 1948tlsext_psk_kex_modes_server_process(SSL *s, uint16_t msg_type, CBS *cbs, 1949 int *alert) 1950{ 1951 CBS ke_modes; 1952 uint8_t ke_mode; 1953 1954 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes)) 1955 return 0; 1956 1957 while (CBS_len(&ke_modes) > 0) { 1958 if (!CBS_get_u8(&ke_modes, &ke_mode)) 1959 return 0; 1960 1961 if (ke_mode == TLS13_PSK_DHE_KE) 1962 s->s3->hs.tls13.use_psk_dhe_ke = 1; 1963 } 1964 1965 return 1; 1966} 1967 1968static int 1969tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type) 1970{ 1971 /* Servers MUST NOT send this extension. */ 1972 return 0; 1973} 1974 1975static int 1976tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1977{ 1978 return 0; 1979} 1980 1981static int 1982tlsext_psk_kex_modes_client_process(SSL *s, uint16_t msg_type, CBS *cbs, 1983 int *alert) 1984{ 1985 return 0; 1986} 1987 1988/* 1989 * Pre-Shared Key Extension - RFC 8446, 4.2.11 1990 */ 1991 1992static int 1993tlsext_psk_client_needs(SSL *s, uint16_t msg_type) 1994{ 1995 return 0; 1996} 1997 1998static int 1999tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2000{ 2001 return 0; 2002} 2003 2004static int 2005tlsext_psk_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2006{ 2007 return CBS_skip(cbs, CBS_len(cbs)); 2008} 2009 2010static int 2011tlsext_psk_server_needs(SSL *s, uint16_t msg_type) 2012{ 2013 return 0; 2014} 2015 2016static int 2017tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2018{ 2019 return 0; 2020} 2021 2022static int 2023tlsext_psk_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2024{ 2025 return CBS_skip(cbs, CBS_len(cbs)); 2026} 2027 2028/* 2029 * QUIC transport parameters extension - RFC 9001 section 8.2. 2030 */ 2031 2032static int 2033tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type) 2034{ 2035 return SSL_is_quic(s) && s->quic_transport_params_len > 0; 2036} 2037 2038static int 2039tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type, 2040 CBB *cbb) 2041{ 2042 if (!CBB_add_bytes(cbb, s->quic_transport_params, 2043 s->quic_transport_params_len)) 2044 return 0; 2045 2046 return 1; 2047} 2048 2049static int 2050tlsext_quic_transport_parameters_client_process(SSL *s, uint16_t msg_type, 2051 CBS *cbs, int *alert) 2052{ 2053 if (!SSL_is_quic(s)) { 2054 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 2055 return 0; 2056 } 2057 2058 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 2059 &s->s3->peer_quic_transport_params_len)) 2060 return 0; 2061 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 2062 return 0; 2063 2064 return 1; 2065} 2066 2067static int 2068tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type) 2069{ 2070 return SSL_is_quic(s) && s->quic_transport_params_len > 0; 2071} 2072 2073static int 2074tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type, 2075 CBB *cbb) 2076{ 2077 if (!CBB_add_bytes(cbb, s->quic_transport_params, 2078 s->quic_transport_params_len)) 2079 return 0; 2080 2081 return 1; 2082} 2083 2084static int 2085tlsext_quic_transport_parameters_server_process(SSL *s, uint16_t msg_type, 2086 CBS *cbs, int *alert) 2087{ 2088 if (!SSL_is_quic(s)) { 2089 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 2090 return 0; 2091 } 2092 2093 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 2094 &s->s3->peer_quic_transport_params_len)) 2095 return 0; 2096 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 2097 return 0; 2098 2099 return 1; 2100} 2101 2102struct tls_extension_funcs { 2103 int (*needs)(SSL *s, uint16_t msg_type); 2104 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 2105 int (*process)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 2106}; 2107 2108struct tls_extension { 2109 uint16_t type; 2110 uint16_t messages; 2111 struct tls_extension_funcs client; 2112 struct tls_extension_funcs server; 2113}; 2114 2115/* 2116 * TLS extensions (in processing order). 2117 */ 2118static const struct tls_extension tls_extensions[] = { 2119 { 2120 .type = TLSEXT_TYPE_supported_versions, 2121 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2122 SSL_TLSEXT_MSG_HRR, 2123 .client = { 2124 .needs = tlsext_versions_client_needs, 2125 .build = tlsext_versions_client_build, 2126 .process = tlsext_versions_client_process, 2127 }, 2128 .server = { 2129 .needs = tlsext_versions_server_needs, 2130 .build = tlsext_versions_server_build, 2131 .process = tlsext_versions_server_process, 2132 }, 2133 }, 2134 { 2135 .type = TLSEXT_TYPE_supported_groups, 2136 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2137 .client = { 2138 .needs = tlsext_supportedgroups_client_needs, 2139 .build = tlsext_supportedgroups_client_build, 2140 .process = tlsext_supportedgroups_client_process, 2141 }, 2142 .server = { 2143 .needs = tlsext_supportedgroups_server_needs, 2144 .build = tlsext_supportedgroups_server_build, 2145 .process = tlsext_supportedgroups_server_process, 2146 }, 2147 }, 2148 { 2149 .type = TLSEXT_TYPE_key_share, 2150 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2151 SSL_TLSEXT_MSG_HRR, 2152 .client = { 2153 .needs = tlsext_keyshare_client_needs, 2154 .build = tlsext_keyshare_client_build, 2155 .process = tlsext_keyshare_client_process, 2156 }, 2157 .server = { 2158 .needs = tlsext_keyshare_server_needs, 2159 .build = tlsext_keyshare_server_build, 2160 .process = tlsext_keyshare_server_process, 2161 }, 2162 }, 2163 { 2164 .type = TLSEXT_TYPE_server_name, 2165 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2166 .client = { 2167 .needs = tlsext_sni_client_needs, 2168 .build = tlsext_sni_client_build, 2169 .process = tlsext_sni_client_process, 2170 }, 2171 .server = { 2172 .needs = tlsext_sni_server_needs, 2173 .build = tlsext_sni_server_build, 2174 .process = tlsext_sni_server_process, 2175 }, 2176 }, 2177 { 2178 .type = TLSEXT_TYPE_renegotiate, 2179 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2180 .client = { 2181 .needs = tlsext_ri_client_needs, 2182 .build = tlsext_ri_client_build, 2183 .process = tlsext_ri_client_process, 2184 }, 2185 .server = { 2186 .needs = tlsext_ri_server_needs, 2187 .build = tlsext_ri_server_build, 2188 .process = tlsext_ri_server_process, 2189 }, 2190 }, 2191 { 2192 .type = TLSEXT_TYPE_status_request, 2193 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 2194 SSL_TLSEXT_MSG_CT, 2195 .client = { 2196 .needs = tlsext_ocsp_client_needs, 2197 .build = tlsext_ocsp_client_build, 2198 .process = tlsext_ocsp_client_process, 2199 }, 2200 .server = { 2201 .needs = tlsext_ocsp_server_needs, 2202 .build = tlsext_ocsp_server_build, 2203 .process = tlsext_ocsp_server_process, 2204 }, 2205 }, 2206 { 2207 .type = TLSEXT_TYPE_ec_point_formats, 2208 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2209 .client = { 2210 .needs = tlsext_ecpf_client_needs, 2211 .build = tlsext_ecpf_client_build, 2212 .process = tlsext_ecpf_client_process, 2213 }, 2214 .server = { 2215 .needs = tlsext_ecpf_server_needs, 2216 .build = tlsext_ecpf_server_build, 2217 .process = tlsext_ecpf_server_process, 2218 }, 2219 }, 2220 { 2221 .type = TLSEXT_TYPE_session_ticket, 2222 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2223 .client = { 2224 .needs = tlsext_sessionticket_client_needs, 2225 .build = tlsext_sessionticket_client_build, 2226 .process = tlsext_sessionticket_client_process, 2227 }, 2228 .server = { 2229 .needs = tlsext_sessionticket_server_needs, 2230 .build = tlsext_sessionticket_server_build, 2231 .process = tlsext_sessionticket_server_process, 2232 }, 2233 }, 2234 { 2235 .type = TLSEXT_TYPE_signature_algorithms, 2236 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 2237 .client = { 2238 .needs = tlsext_sigalgs_client_needs, 2239 .build = tlsext_sigalgs_client_build, 2240 .process = tlsext_sigalgs_client_process, 2241 }, 2242 .server = { 2243 .needs = tlsext_sigalgs_server_needs, 2244 .build = tlsext_sigalgs_server_build, 2245 .process = tlsext_sigalgs_server_process, 2246 }, 2247 }, 2248 { 2249 .type = TLSEXT_TYPE_alpn, 2250 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2251 .client = { 2252 .needs = tlsext_alpn_client_needs, 2253 .build = tlsext_alpn_client_build, 2254 .process = tlsext_alpn_client_process, 2255 }, 2256 .server = { 2257 .needs = tlsext_alpn_server_needs, 2258 .build = tlsext_alpn_server_build, 2259 .process = tlsext_alpn_server_process, 2260 }, 2261 }, 2262 { 2263 .type = TLSEXT_TYPE_cookie, 2264 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 2265 .client = { 2266 .needs = tlsext_cookie_client_needs, 2267 .build = tlsext_cookie_client_build, 2268 .process = tlsext_cookie_client_process, 2269 }, 2270 .server = { 2271 .needs = tlsext_cookie_server_needs, 2272 .build = tlsext_cookie_server_build, 2273 .process = tlsext_cookie_server_process, 2274 }, 2275 }, 2276#ifndef OPENSSL_NO_SRTP 2277 { 2278 .type = TLSEXT_TYPE_use_srtp, 2279 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 2280 SSL_TLSEXT_MSG_EE, 2281 .client = { 2282 .needs = tlsext_srtp_client_needs, 2283 .build = tlsext_srtp_client_build, 2284 .process = tlsext_srtp_client_process, 2285 }, 2286 .server = { 2287 .needs = tlsext_srtp_server_needs, 2288 .build = tlsext_srtp_server_build, 2289 .process = tlsext_srtp_server_process, 2290 }, 2291 }, 2292#endif /* OPENSSL_NO_SRTP */ 2293 { 2294 .type = TLSEXT_TYPE_quic_transport_parameters, 2295 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2296 .client = { 2297 .needs = tlsext_quic_transport_parameters_client_needs, 2298 .build = tlsext_quic_transport_parameters_client_build, 2299 .process = tlsext_quic_transport_parameters_client_process, 2300 }, 2301 .server = { 2302 .needs = tlsext_quic_transport_parameters_server_needs, 2303 .build = tlsext_quic_transport_parameters_server_build, 2304 .process = tlsext_quic_transport_parameters_server_process, 2305 }, 2306 }, 2307 { 2308 .type = TLSEXT_TYPE_psk_key_exchange_modes, 2309 .messages = SSL_TLSEXT_MSG_CH, 2310 .client = { 2311 .needs = tlsext_psk_kex_modes_client_needs, 2312 .build = tlsext_psk_kex_modes_client_build, 2313 .process = tlsext_psk_kex_modes_client_process, 2314 }, 2315 .server = { 2316 .needs = tlsext_psk_kex_modes_server_needs, 2317 .build = tlsext_psk_kex_modes_server_build, 2318 .process = tlsext_psk_kex_modes_server_process, 2319 }, 2320 }, 2321 { 2322 .type = TLSEXT_TYPE_pre_shared_key, 2323 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2324 .client = { 2325 .needs = tlsext_psk_client_needs, 2326 .build = tlsext_psk_client_build, 2327 .process = tlsext_psk_client_process, 2328 }, 2329 .server = { 2330 .needs = tlsext_psk_server_needs, 2331 .build = tlsext_psk_server_build, 2332 .process = tlsext_psk_server_process, 2333 }, 2334 }, 2335}; 2336 2337#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 2338 2339/* Ensure that extensions fit in a uint32_t bitmask. */ 2340CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2341 2342struct tlsext_data { 2343 CBS extensions[N_TLS_EXTENSIONS]; 2344}; 2345 2346static struct tlsext_data * 2347tlsext_data_new(void) 2348{ 2349 return calloc(1, sizeof(struct tlsext_data)); 2350} 2351 2352static void 2353tlsext_data_free(struct tlsext_data *td) 2354{ 2355 freezero(td, sizeof(*td)); 2356} 2357 2358uint16_t 2359tls_extension_type(const struct tls_extension *extension) 2360{ 2361 return extension->type; 2362} 2363 2364const struct tls_extension * 2365tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2366{ 2367 size_t i; 2368 2369 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2370 if (tls_extensions[i].type == type) { 2371 *tls_extensions_idx = i; 2372 return &tls_extensions[i]; 2373 } 2374 } 2375 2376 return NULL; 2377} 2378 2379int 2380tlsext_extension_seen(SSL *s, uint16_t type) 2381{ 2382 size_t idx; 2383 2384 if (tls_extension_find(type, &idx) == NULL) 2385 return 0; 2386 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0); 2387} 2388 2389int 2390tlsext_extension_processed(SSL *s, uint16_t type) 2391{ 2392 size_t idx; 2393 2394 if (tls_extension_find(type, &idx) == NULL) 2395 return 0; 2396 return ((s->s3->hs.extensions_processed & (1 << idx)) != 0); 2397} 2398 2399const struct tls_extension_funcs * 2400tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2401{ 2402 if (is_server) 2403 return &tlsext->server; 2404 2405 return &tlsext->client; 2406} 2407 2408int 2409tlsext_randomize_build_order(SSL *s) 2410{ 2411 const struct tls_extension *psk_ext; 2412 size_t idx, new_idx, psk_idx; 2413 size_t alpn_idx = 0, sni_idx = 0; 2414 2415 free(s->tlsext_build_order); 2416 s->tlsext_build_order_len = 0; 2417 2418 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), 2419 N_TLS_EXTENSIONS)) == NULL) 2420 return 0; 2421 s->tlsext_build_order_len = N_TLS_EXTENSIONS; 2422 2423 /* RFC 8446, section 4.2 - PSK MUST be the last extension in the CH. */ 2424 if ((psk_ext = tls_extension_find(TLSEXT_TYPE_pre_shared_key, 2425 &psk_idx)) == NULL) 2426 return 0; 2427 s->tlsext_build_order[N_TLS_EXTENSIONS - 1] = psk_ext; 2428 2429 /* Fisher-Yates shuffle with PSK fixed. */ 2430 for (idx = 0; idx < N_TLS_EXTENSIONS - 1; idx++) { 2431 new_idx = arc4random_uniform(idx + 1); 2432 s->tlsext_build_order[idx] = s->tlsext_build_order[new_idx]; 2433 s->tlsext_build_order[new_idx] = &tls_extensions[idx]; 2434 } 2435 2436 /* 2437 * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN 2438 * for clients so that virtual host setups work correctly. 2439 */ 2440 2441 if (s->server) 2442 return 1; 2443 2444 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { 2445 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn) 2446 alpn_idx = idx; 2447 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name) 2448 sni_idx = idx; 2449 } 2450 if (alpn_idx < sni_idx) { 2451 const struct tls_extension *tmp; 2452 2453 tmp = s->tlsext_build_order[alpn_idx]; 2454 s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx]; 2455 s->tlsext_build_order[sni_idx] = tmp; 2456 } 2457 2458 return 1; 2459} 2460 2461int 2462tlsext_linearize_build_order(SSL *s) 2463{ 2464 size_t idx; 2465 2466 free(s->tlsext_build_order); 2467 s->tlsext_build_order_len = 0; 2468 2469 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), 2470 N_TLS_EXTENSIONS)) == NULL) 2471 return 0; 2472 s->tlsext_build_order_len = N_TLS_EXTENSIONS; 2473 2474 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) 2475 s->tlsext_build_order[idx] = &tls_extensions[idx]; 2476 2477 return 1; 2478} 2479 2480static int 2481tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2482{ 2483 const struct tls_extension_funcs *ext; 2484 const struct tls_extension *tlsext; 2485 CBB extensions, extension_data; 2486 int extensions_present = 0; 2487 uint16_t tls_version; 2488 size_t i; 2489 2490 tls_version = ssl_effective_tls_version(s); 2491 2492 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2493 return 0; 2494 2495 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2496 tlsext = s->tlsext_build_order[i]; 2497 ext = tlsext_funcs(tlsext, is_server); 2498 2499 /* RFC 8446 Section 4.2 */ 2500 if (tls_version >= TLS1_3_VERSION && 2501 !(tlsext->messages & msg_type)) 2502 continue; 2503 2504 if (!ext->needs(s, msg_type)) 2505 continue; 2506 2507 if (!CBB_add_u16(&extensions, tlsext->type)) 2508 return 0; 2509 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2510 return 0; 2511 2512 if (!ext->build(s, msg_type, &extension_data)) 2513 return 0; 2514 2515 extensions_present = 1; 2516 } 2517 2518 if (!extensions_present && 2519 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2520 CBB_discard_child(cbb); 2521 2522 if (!CBB_flush(cbb)) 2523 return 0; 2524 2525 return 1; 2526} 2527 2528int 2529tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2530{ 2531 /* 2532 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2533 * cookie may be added, padding may be removed. 2534 */ 2535 struct tls13_ctx *ctx = s->tls13; 2536 2537 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2538 type == TLSEXT_TYPE_padding) 2539 return 1; 2540 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2541 sizeof(type))) 2542 return 0; 2543 /* 2544 * key_share data may be changed, and pre_shared_key data may 2545 * be changed. 2546 */ 2547 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2548 return 1; 2549 if (!tls13_clienthello_hash_update(ctx, cbs)) 2550 return 0; 2551 2552 return 1; 2553} 2554 2555static int 2556tlsext_parse(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type, 2557 CBS *cbs, int *alert) 2558{ 2559 const struct tls_extension *tlsext; 2560 CBS extensions, extension_data; 2561 uint16_t type; 2562 size_t idx; 2563 uint16_t tls_version; 2564 int alert_desc; 2565 2566 tls_version = ssl_effective_tls_version(s); 2567 2568 s->s3->hs.extensions_seen = 0; 2569 2570 /* An empty extensions block is valid. */ 2571 if (CBS_len(cbs) == 0) 2572 return 1; 2573 2574 alert_desc = SSL_AD_DECODE_ERROR; 2575 2576 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2577 goto err; 2578 2579 while (CBS_len(&extensions) > 0) { 2580 if (!CBS_get_u16(&extensions, &type)) 2581 goto err; 2582 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2583 goto err; 2584 2585 if (s->tlsext_debug_cb != NULL) 2586 s->tlsext_debug_cb(s, !is_server, type, 2587 (unsigned char *)CBS_data(&extension_data), 2588 CBS_len(&extension_data), 2589 s->tlsext_debug_arg); 2590 2591 /* Unknown extensions are ignored. */ 2592 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2593 continue; 2594 2595 if (tls_version >= TLS1_3_VERSION && is_server && 2596 msg_type == SSL_TLSEXT_MSG_CH) { 2597 if (!tlsext_clienthello_hash_extension(s, type, 2598 &extension_data)) 2599 goto err; 2600 } 2601 2602 /* RFC 8446 Section 4.2 */ 2603 if (tls_version >= TLS1_3_VERSION && 2604 !(tlsext->messages & msg_type)) { 2605 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2606 goto err; 2607 } 2608 2609 /* Check for duplicate known extensions. */ 2610 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0) 2611 goto err; 2612 s->s3->hs.extensions_seen |= (1 << idx); 2613 2614 CBS_dup(&extension_data, &td->extensions[idx]); 2615 } 2616 2617 return 1; 2618 2619 err: 2620 *alert = alert_desc; 2621 2622 return 0; 2623} 2624 2625static int 2626tlsext_process(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type, 2627 int *alert) 2628{ 2629 const struct tls_extension_funcs *ext; 2630 const struct tls_extension *tlsext; 2631 int alert_desc; 2632 size_t idx; 2633 2634 alert_desc = SSL_AD_DECODE_ERROR; 2635 2636 s->s3->hs.extensions_processed = 0; 2637 2638 /* Run processing for present TLS extensions, in a defined order. */ 2639 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { 2640 tlsext = &tls_extensions[idx]; 2641 if ((s->s3->hs.extensions_seen & (1 << idx)) == 0) 2642 continue; 2643 ext = tlsext_funcs(tlsext, is_server); 2644 if (ext->process == NULL) 2645 continue; 2646 if (!ext->process(s, msg_type, &td->extensions[idx], &alert_desc)) 2647 goto err; 2648 2649 if (CBS_len(&td->extensions[idx]) != 0) 2650 goto err; 2651 2652 s->s3->hs.extensions_processed |= (1 << idx); 2653 } 2654 2655 return 1; 2656 2657 err: 2658 *alert = alert_desc; 2659 2660 return 0; 2661} 2662 2663static void 2664tlsext_server_reset_state(SSL *s) 2665{ 2666 s->tlsext_status_type = -1; 2667 s->s3->renegotiate_seen = 0; 2668 free(s->s3->alpn_selected); 2669 s->s3->alpn_selected = NULL; 2670 s->s3->alpn_selected_len = 0; 2671 s->srtp_profile = NULL; 2672} 2673 2674int 2675tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2676{ 2677 return tlsext_build(s, 1, msg_type, cbb); 2678} 2679 2680int 2681tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2682{ 2683 struct tlsext_data *td; 2684 int ret = 0; 2685 2686 if ((td = tlsext_data_new()) == NULL) 2687 goto err; 2688 2689 /* XXX - this should be done by the caller... */ 2690 if (msg_type == SSL_TLSEXT_MSG_CH) 2691 tlsext_server_reset_state(s); 2692 2693 if (!tlsext_parse(s, td, 1, msg_type, cbs, alert)) 2694 goto err; 2695 if (!tlsext_process(s, td, 1, msg_type, alert)) 2696 goto err; 2697 2698 ret = 1; 2699 2700 err: 2701 tlsext_data_free(td); 2702 2703 return ret; 2704} 2705 2706static void 2707tlsext_client_reset_state(SSL *s) 2708{ 2709 s->s3->renegotiate_seen = 0; 2710 free(s->s3->alpn_selected); 2711 s->s3->alpn_selected = NULL; 2712 s->s3->alpn_selected_len = 0; 2713} 2714 2715int 2716tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2717{ 2718 return tlsext_build(s, 0, msg_type, cbb); 2719} 2720 2721int 2722tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2723{ 2724 struct tlsext_data *td; 2725 int ret = 0; 2726 2727 if ((td = tlsext_data_new()) == NULL) 2728 goto err; 2729 2730 /* XXX - this should be done by the caller... */ 2731 if (msg_type == SSL_TLSEXT_MSG_SH) 2732 tlsext_client_reset_state(s); 2733 2734 if (!tlsext_parse(s, td, 0, msg_type, cbs, alert)) 2735 goto err; 2736 if (!tlsext_process(s, td, 0, msg_type, alert)) 2737 goto err; 2738 2739 ret = 1; 2740 2741 err: 2742 tlsext_data_free(td); 2743 2744 return ret; 2745} 2746