ssl_tlsext.c revision 1.10
1/* $OpenBSD: ssl_tlsext.c,v 1.10 2017/08/23 15:39:38 doug Exp $ */ 2/* 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2017 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19#include <openssl/ocsp.h> 20 21#include "ssl_locl.h" 22 23#include "bytestring.h" 24#include "ssl_tlsext.h" 25 26 27/* 28 * Supported Elliptic Curves - RFC 4492 section 5.1.1 29 */ 30int 31tlsext_ec_clienthello_needs(SSL *s) 32{ 33 return ssl_has_ecc_ciphers(s); 34} 35 36int 37tlsext_ec_clienthello_build(SSL *s, CBB *cbb) 38{ 39 CBB curvelist; 40 size_t curves_len; 41 int i; 42 const uint16_t *curves; 43 44 tls1_get_curvelist(s, 0, &curves, &curves_len); 45 46 if (curves_len == 0) { 47 SSLerror(s, ERR_R_INTERNAL_ERROR); 48 return 0; 49 } 50 51 if (!CBB_add_u16_length_prefixed(cbb, &curvelist)) 52 return 0; 53 54 for (i = 0; i < curves_len; i++) { 55 if (!CBB_add_u16(&curvelist, curves[i])) 56 return 0; 57 } 58 59 if (!CBB_flush(cbb)) 60 return 0; 61 62 return 1; 63} 64 65int 66tlsext_ec_clienthello_parse(SSL *s, CBS *cbs, int *alert) 67{ 68 CBS curvelist; 69 size_t curves_len; 70 71 if (!CBS_get_u16_length_prefixed(cbs, &curvelist)) 72 goto err; 73 if (CBS_len(cbs) != 0) 74 goto err; 75 76 curves_len = CBS_len(&curvelist); 77 if (curves_len == 0 || curves_len % 2 != 0) 78 goto err; 79 curves_len /= 2; 80 81 if (!s->internal->hit) { 82 int i; 83 uint16_t *curves; 84 85 if (SSI(s)->tlsext_supportedgroups != NULL) 86 goto err; 87 88 if ((curves = reallocarray(NULL, curves_len, 89 sizeof(uint16_t))) == NULL) { 90 *alert = TLS1_AD_INTERNAL_ERROR; 91 return 0; 92 } 93 94 for (i = 0; i < curves_len; i++) { 95 if (!CBS_get_u16(&curvelist, &curves[i])) { 96 free(curves); 97 goto err; 98 } 99 } 100 101 if (CBS_len(&curvelist) != 0) { 102 free(curves); 103 goto err; 104 } 105 106 SSI(s)->tlsext_supportedgroups = curves; 107 SSI(s)->tlsext_supportedgroups_length = curves_len; 108 } 109 110 return 1; 111 112 err: 113 *alert = TLS1_AD_DECODE_ERROR; 114 return 0; 115} 116 117/* This extension is never used by the server. */ 118int 119tlsext_ec_serverhello_needs(SSL *s) 120{ 121 return 0; 122} 123 124int 125tlsext_ec_serverhello_build(SSL *s, CBB *cbb) 126{ 127 return 0; 128} 129 130int 131tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert) 132{ 133 /* 134 * Servers should not send this extension per the RFC. 135 * 136 * However, F5 sends it by mistake (case ID 492780) so we need to skip 137 * over it. This bug is from at least 2014 but as of 2017, there 138 * are still large sites with this bug in production. 139 * 140 * https://devcentral.f5.com/questions/disable-supported-elliptic-curves-extension-from-server 141 */ 142 if (!CBS_skip(cbs, CBS_len(cbs))) { 143 *alert = TLS1_AD_INTERNAL_ERROR; 144 return 0; 145 } 146 147 return 1; 148} 149 150/* 151 * Supported Point Formats Extension - RFC 4492 section 5.1.2 152 */ 153static int 154tlsext_ecpf_build(SSL *s, CBB *cbb) 155{ 156 CBB ecpf; 157 size_t formats_len; 158 const uint8_t *formats; 159 160 tls1_get_formatlist(s, 0, &formats, &formats_len); 161 162 if (formats_len == 0) { 163 SSLerror(s, ERR_R_INTERNAL_ERROR); 164 return 0; 165 } 166 167 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 168 return 0; 169 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 170 return 0; 171 if (!CBB_flush(cbb)) 172 return 0; 173 174 return 1; 175} 176 177static int 178tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert) 179{ 180 CBS ecpf; 181 182 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 183 goto err; 184 if (CBS_len(&ecpf) == 0) 185 goto err; 186 if (CBS_len(cbs) != 0) 187 goto err; 188 189 /* Must contain uncompressed (0) */ 190 if (!CBS_contains_zero_byte(&ecpf)) { 191 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 192 goto err; 193 } 194 195 if (!s->internal->hit) { 196 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 197 &(SSI(s)->tlsext_ecpointformatlist_length))) 198 goto err; 199 } 200 201 return 1; 202 203 err: 204 *alert = TLS1_AD_INTERNAL_ERROR; 205 return 0; 206} 207 208int 209tlsext_ecpf_clienthello_needs(SSL *s) 210{ 211 return ssl_has_ecc_ciphers(s); 212} 213 214int 215tlsext_ecpf_clienthello_build(SSL *s, CBB *cbb) 216{ 217 return tlsext_ecpf_build(s, cbb); 218} 219 220int 221tlsext_ecpf_clienthello_parse(SSL *s, CBS *cbs, int *alert) 222{ 223 return tlsext_ecpf_parse(s, cbs, alert); 224} 225 226int 227tlsext_ecpf_serverhello_needs(SSL *s) 228{ 229 if (s->version == DTLS1_VERSION) 230 return 0; 231 232 return ssl_using_ecc_cipher(s); 233} 234 235int 236tlsext_ecpf_serverhello_build(SSL *s, CBB *cbb) 237{ 238 return tlsext_ecpf_build(s, cbb); 239} 240 241int 242tlsext_ecpf_serverhello_parse(SSL *s, CBS *cbs, int *alert) 243{ 244 return tlsext_ecpf_parse(s, cbs, alert); 245} 246 247/* 248 * Renegotiation Indication - RFC 5746. 249 */ 250int 251tlsext_ri_clienthello_needs(SSL *s) 252{ 253 return (s->internal->renegotiate); 254} 255 256int 257tlsext_ri_clienthello_build(SSL *s, CBB *cbb) 258{ 259 CBB reneg; 260 261 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 262 return 0; 263 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 264 S3I(s)->previous_client_finished_len)) 265 return 0; 266 if (!CBB_flush(cbb)) 267 return 0; 268 269 return 1; 270} 271 272int 273tlsext_ri_clienthello_parse(SSL *s, CBS *cbs, int *alert) 274{ 275 CBS reneg; 276 277 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 278 goto err; 279 if (CBS_len(cbs) != 0) 280 goto err; 281 282 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 283 S3I(s)->previous_client_finished_len)) { 284 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 285 *alert = SSL_AD_HANDSHAKE_FAILURE; 286 return 0; 287 } 288 289 S3I(s)->renegotiate_seen = 1; 290 S3I(s)->send_connection_binding = 1; 291 292 return 1; 293 294 err: 295 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 296 *alert = SSL_AD_DECODE_ERROR; 297 return 0; 298} 299 300int 301tlsext_ri_serverhello_needs(SSL *s) 302{ 303 return (S3I(s)->send_connection_binding); 304} 305 306int 307tlsext_ri_serverhello_build(SSL *s, CBB *cbb) 308{ 309 CBB reneg; 310 311 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 312 return 0; 313 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 314 S3I(s)->previous_client_finished_len)) 315 return 0; 316 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 317 S3I(s)->previous_server_finished_len)) 318 return 0; 319 if (!CBB_flush(cbb)) 320 return 0; 321 322 return 1; 323} 324 325int 326tlsext_ri_serverhello_parse(SSL *s, CBS *cbs, int *alert) 327{ 328 CBS reneg, prev_client, prev_server; 329 330 /* 331 * Ensure that the previous client and server values are both not 332 * present, or that they are both present. 333 */ 334 if ((S3I(s)->previous_client_finished_len == 0 && 335 S3I(s)->previous_server_finished_len != 0) || 336 (S3I(s)->previous_client_finished_len != 0 && 337 S3I(s)->previous_server_finished_len == 0)) { 338 *alert = TLS1_AD_INTERNAL_ERROR; 339 return 0; 340 } 341 342 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 343 goto err; 344 if (!CBS_get_bytes(&reneg, &prev_client, 345 S3I(s)->previous_client_finished_len)) 346 goto err; 347 if (!CBS_get_bytes(&reneg, &prev_server, 348 S3I(s)->previous_server_finished_len)) 349 goto err; 350 if (CBS_len(&reneg) != 0) 351 goto err; 352 if (CBS_len(cbs) != 0) 353 goto err; 354 355 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 356 S3I(s)->previous_client_finished_len)) { 357 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 358 *alert = SSL_AD_HANDSHAKE_FAILURE; 359 return 0; 360 } 361 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 362 S3I(s)->previous_server_finished_len)) { 363 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 364 *alert = SSL_AD_HANDSHAKE_FAILURE; 365 return 0; 366 } 367 368 S3I(s)->renegotiate_seen = 1; 369 S3I(s)->send_connection_binding = 1; 370 371 return 1; 372 373 err: 374 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 375 *alert = SSL_AD_DECODE_ERROR; 376 return 0; 377} 378 379/* 380 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 381 */ 382int 383tlsext_sigalgs_clienthello_needs(SSL *s) 384{ 385 return (TLS1_get_client_version(s) >= TLS1_2_VERSION); 386} 387 388int 389tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb) 390{ 391 unsigned char *sigalgs_data; 392 size_t sigalgs_len; 393 CBB sigalgs; 394 395 tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len); 396 397 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 398 return 0; 399 if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len)) 400 return 0; 401 if (!CBB_flush(cbb)) 402 return 0; 403 404 return 1; 405} 406 407int 408tlsext_sigalgs_clienthello_parse(SSL *s, CBS *cbs, int *alert) 409{ 410 CBS sigalgs; 411 412 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 413 return 0; 414 415 return tls1_process_sigalgs(s, &sigalgs); 416} 417 418int 419tlsext_sigalgs_serverhello_needs(SSL *s) 420{ 421 return 0; 422} 423 424int 425tlsext_sigalgs_serverhello_build(SSL *s, CBB *cbb) 426{ 427 return 0; 428} 429 430int 431tlsext_sigalgs_serverhello_parse(SSL *s, CBS *cbs, int *alert) 432{ 433 /* As per the RFC, servers must not send this extension. */ 434 return 0; 435} 436 437/* 438 * Server Name Indication - RFC 6066, section 3. 439 */ 440int 441tlsext_sni_clienthello_needs(SSL *s) 442{ 443 return (s->tlsext_hostname != NULL); 444} 445 446int 447tlsext_sni_clienthello_build(SSL *s, CBB *cbb) 448{ 449 CBB server_name_list, host_name; 450 451 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 452 return 0; 453 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 454 return 0; 455 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 456 return 0; 457 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 458 strlen(s->tlsext_hostname))) 459 return 0; 460 if (!CBB_flush(cbb)) 461 return 0; 462 463 return 1; 464} 465 466int 467tlsext_sni_clienthello_parse(SSL *s, CBS *cbs, int *alert) 468{ 469 CBS server_name_list, host_name; 470 uint8_t name_type; 471 472 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 473 goto err; 474 475 /* 476 * RFC 6066 section 3 forbids multiple host names with the same type. 477 * Additionally, only one type (host_name) is specified. 478 */ 479 if (!CBS_get_u8(&server_name_list, &name_type)) 480 goto err; 481 if (name_type != TLSEXT_NAMETYPE_host_name) 482 goto err; 483 484 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 485 goto err; 486 if (CBS_len(&host_name) == 0 || 487 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || 488 CBS_contains_zero_byte(&host_name)) { 489 *alert = TLS1_AD_UNRECOGNIZED_NAME; 490 return 0; 491 } 492 493 if (s->internal->hit) { 494 if (s->session->tlsext_hostname == NULL) { 495 *alert = TLS1_AD_UNRECOGNIZED_NAME; 496 return 0; 497 } 498 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 499 strlen(s->session->tlsext_hostname))) { 500 *alert = TLS1_AD_UNRECOGNIZED_NAME; 501 return 0; 502 } 503 } else { 504 if (s->session->tlsext_hostname != NULL) 505 goto err; 506 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 507 *alert = TLS1_AD_INTERNAL_ERROR; 508 return 0; 509 } 510 } 511 512 if (CBS_len(&server_name_list) != 0) 513 goto err; 514 if (CBS_len(cbs) != 0) 515 goto err; 516 517 return 1; 518 519 err: 520 *alert = SSL_AD_DECODE_ERROR; 521 return 0; 522} 523 524int 525tlsext_sni_serverhello_needs(SSL *s) 526{ 527 return (s->session->tlsext_hostname != NULL); 528} 529 530int 531tlsext_sni_serverhello_build(SSL *s, CBB *cbb) 532{ 533 return 1; 534} 535 536int 537tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert) 538{ 539 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 540 *alert = TLS1_AD_UNRECOGNIZED_NAME; 541 return 0; 542 } 543 544 if (s->internal->hit) { 545 if (s->session->tlsext_hostname == NULL) { 546 *alert = TLS1_AD_UNRECOGNIZED_NAME; 547 return 0; 548 } 549 if (strcmp(s->tlsext_hostname, 550 s->session->tlsext_hostname) != 0) { 551 *alert = TLS1_AD_UNRECOGNIZED_NAME; 552 return 0; 553 } 554 } else { 555 if (s->session->tlsext_hostname != NULL) { 556 *alert = SSL_AD_DECODE_ERROR; 557 return 0; 558 } 559 if ((s->session->tlsext_hostname = 560 strdup(s->tlsext_hostname)) == NULL) { 561 *alert = TLS1_AD_INTERNAL_ERROR; 562 return 0; 563 } 564 } 565 566 return 1; 567} 568 569/* 570 *Certificate Status Request - RFC 6066 section 8. 571 */ 572 573int 574tlsext_ocsp_clienthello_needs(SSL *s) 575{ 576 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 577 s->version != DTLS1_VERSION); 578} 579 580int 581tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb) 582{ 583 CBB ocsp_respid_list, respid, exts; 584 unsigned char *ext_data; 585 size_t ext_len; 586 int i; 587 588 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 589 return 0; 590 if (!CBB_add_u16_length_prefixed(cbb, &ocsp_respid_list)) 591 return 0; 592 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 593 return 0; 594 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 595 unsigned char *respid_data; 596 OCSP_RESPID *id; 597 size_t id_len; 598 599 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 600 i)) == NULL) 601 return 0; 602 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 603 return 0; 604 if (!CBB_add_u16_length_prefixed(&ocsp_respid_list, &respid)) 605 return 0; 606 if (!CBB_add_space(&respid, &respid_data, id_len)) 607 return 0; 608 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 609 return 0; 610 } 611 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 612 NULL)) == -1) 613 return 0; 614 if (!CBB_add_space(&exts, &ext_data, ext_len)) 615 return 0; 616 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 617 ext_len)) 618 return 0; 619 if (!CBB_flush(cbb)) 620 return 0; 621 return 1; 622} 623 624int 625tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert) 626{ 627 int failure = SSL_AD_DECODE_ERROR; 628 unsigned char *respid_data = NULL; 629 unsigned char *ext_data = NULL; 630 size_t ext_len, respid_len; 631 uint8_t status_type; 632 CBS respids, exts; 633 int ret = 0; 634 635 if (!CBS_get_u8(cbs, &status_type)) 636 goto err; 637 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 638 /* ignore unknown status types */ 639 s->tlsext_status_type = -1; 640 return 1; 641 } 642 s->tlsext_status_type = status_type; 643 if (!CBS_get_u16_length_prefixed(cbs, &respids)) 644 goto err; 645 646 /* XXX */ 647 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 648 s->internal->tlsext_ocsp_ids = NULL; 649 if (CBS_len(cbs) > 0) { 650 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 651 if (s->internal->tlsext_ocsp_ids == NULL) { 652 failure = SSL_AD_INTERNAL_ERROR; 653 goto err; 654 } 655 } 656 657 while (CBS_len(&respids) > 0) { 658 OCSP_RESPID *id = NULL; 659 660 if (!CBS_stow(cbs, &respid_data, &respid_len)) 661 goto err; 662 if ((id = d2i_OCSP_RESPID(NULL, 663 (const unsigned char **)&respid_data, respid_len)) == NULL) 664 goto err; 665 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 666 failure = SSL_AD_INTERNAL_ERROR; 667 OCSP_RESPID_free(id); 668 goto err; 669 } 670 free(respid_data); 671 respid_data = NULL; 672 } 673 674 /* Read in request_extensions */ 675 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 676 goto err; 677 if (!CBS_stow(&exts, &ext_data, &ext_len)) 678 goto err; 679 if (ext_len > 0) { 680 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 681 X509_EXTENSION_free); 682 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 683 (const unsigned char **)&ext_data, ext_len)) == NULL) 684 goto err; 685 } 686 /* should be nothing left */ 687 if (CBS_len(cbs) > 0) 688 goto err; 689 690 ret = 1; 691 err: 692 free(respid_data); 693 free(ext_data); 694 if (ret == 0) 695 *alert = failure; 696 return ret; 697} 698 699int 700tlsext_ocsp_serverhello_needs(SSL *s) 701{ 702 return s->internal->tlsext_status_expected; 703} 704 705int 706tlsext_ocsp_serverhello_build(SSL *s, CBB *cbb) 707{ 708 return 1; 709} 710 711int 712tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert) 713{ 714 if (s->tlsext_status_type == -1) { 715 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 716 return 0; 717 } 718 /* Set flag to expect CertificateStatus message */ 719 s->internal->tlsext_status_expected = 1; 720 return 1; 721} 722 723/* 724 * SessionTicket extension - RFC 5077 section 3.2 725 */ 726int 727tlsext_sessionticket_clienthello_needs(SSL *s) 728{ 729 /* 730 * Send session ticket extension when enabled and not overridden. 731 * 732 * When renegotiating, send an empty session ticket to indicate support. 733 */ 734 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 735 return 0; 736 737 if (s->internal->new_session) 738 return 1; 739 740 if (s->internal->tlsext_session_ticket != NULL && 741 s->internal->tlsext_session_ticket->data == NULL) 742 return 0; 743 744 return 1; 745} 746 747int 748tlsext_sessionticket_clienthello_build(SSL *s, CBB *cbb) 749{ 750 /* 751 * Signal that we support session tickets by sending an empty 752 * extension when renegotiating or no session found. 753 */ 754 if (s->internal->new_session || s->session == NULL) 755 return 1; 756 757 if (s->session->tlsext_tick != NULL) { 758 /* Attempt to resume with an existing session ticket */ 759 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 760 s->session->tlsext_ticklen)) 761 return 0; 762 763 } else if (s->internal->tlsext_session_ticket != NULL) { 764 /* 765 * Attempt to resume with a custom provided session ticket set 766 * by SSL_set_session_ticket_ext(). 767 */ 768 if (s->internal->tlsext_session_ticket->length > 0) { 769 size_t ticklen = s->internal->tlsext_session_ticket->length; 770 771 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 772 return 0; 773 memcpy(s->session->tlsext_tick, 774 s->internal->tlsext_session_ticket->data, 775 ticklen); 776 s->session->tlsext_ticklen = ticklen; 777 778 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 779 s->session->tlsext_ticklen)) 780 return 0; 781 } 782 } 783 784 if (!CBB_flush(cbb)) 785 return 0; 786 787 return 1; 788} 789 790int 791tlsext_sessionticket_clienthello_parse(SSL *s, CBS *cbs, int *alert) 792{ 793 if (s->internal->tls_session_ticket_ext_cb) { 794 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 795 (int)CBS_len(cbs), 796 s->internal->tls_session_ticket_ext_cb_arg)) { 797 *alert = TLS1_AD_INTERNAL_ERROR; 798 return 0; 799 } 800 } 801 802 /* We need to signal that this was processed fully */ 803 if (!CBS_skip(cbs, CBS_len(cbs))) { 804 *alert = TLS1_AD_INTERNAL_ERROR; 805 return 0; 806 } 807 808 return 1; 809} 810 811int 812tlsext_sessionticket_serverhello_needs(SSL *s) 813{ 814 return (s->internal->tlsext_ticket_expected && 815 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 816} 817 818int 819tlsext_sessionticket_serverhello_build(SSL *s, CBB *cbb) 820{ 821 /* Empty ticket */ 822 823 return 1; 824} 825 826int 827tlsext_sessionticket_serverhello_parse(SSL *s, CBS *cbs, int *alert) 828{ 829 if (s->internal->tls_session_ticket_ext_cb) { 830 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 831 (int)CBS_len(cbs), 832 s->internal->tls_session_ticket_ext_cb_arg)) { 833 *alert = TLS1_AD_INTERNAL_ERROR; 834 return 0; 835 } 836 } 837 838 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 839 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 840 return 0; 841 } 842 843 s->internal->tlsext_ticket_expected = 1; 844 845 return 1; 846} 847 848struct tls_extension { 849 uint16_t type; 850 int (*clienthello_needs)(SSL *s); 851 int (*clienthello_build)(SSL *s, CBB *cbb); 852 int (*clienthello_parse)(SSL *s, CBS *cbs, int *alert); 853 int (*serverhello_needs)(SSL *s); 854 int (*serverhello_build)(SSL *s, CBB *cbb); 855 int (*serverhello_parse)(SSL *s, CBS *cbs, int *alert); 856}; 857 858static struct tls_extension tls_extensions[] = { 859 { 860 .type = TLSEXT_TYPE_server_name, 861 .clienthello_needs = tlsext_sni_clienthello_needs, 862 .clienthello_build = tlsext_sni_clienthello_build, 863 .clienthello_parse = tlsext_sni_clienthello_parse, 864 .serverhello_needs = tlsext_sni_serverhello_needs, 865 .serverhello_build = tlsext_sni_serverhello_build, 866 .serverhello_parse = tlsext_sni_serverhello_parse, 867 }, 868 { 869 .type = TLSEXT_TYPE_renegotiate, 870 .clienthello_needs = tlsext_ri_clienthello_needs, 871 .clienthello_build = tlsext_ri_clienthello_build, 872 .clienthello_parse = tlsext_ri_clienthello_parse, 873 .serverhello_needs = tlsext_ri_serverhello_needs, 874 .serverhello_build = tlsext_ri_serverhello_build, 875 .serverhello_parse = tlsext_ri_serverhello_parse, 876 }, 877 { 878 .type = TLSEXT_TYPE_status_request, 879 .clienthello_needs = tlsext_ocsp_clienthello_needs, 880 .clienthello_build = tlsext_ocsp_clienthello_build, 881 .clienthello_parse = tlsext_ocsp_clienthello_parse, 882 .serverhello_needs = tlsext_ocsp_serverhello_needs, 883 .serverhello_build = tlsext_ocsp_serverhello_build, 884 .serverhello_parse = tlsext_ocsp_serverhello_parse, 885 }, 886 { 887 .type = TLSEXT_TYPE_ec_point_formats, 888 .clienthello_needs = tlsext_ecpf_clienthello_needs, 889 .clienthello_build = tlsext_ecpf_clienthello_build, 890 .clienthello_parse = tlsext_ecpf_clienthello_parse, 891 .serverhello_needs = tlsext_ecpf_serverhello_needs, 892 .serverhello_build = tlsext_ecpf_serverhello_build, 893 .serverhello_parse = tlsext_ecpf_serverhello_parse, 894 }, 895 { 896 .type = TLSEXT_TYPE_elliptic_curves, 897 .clienthello_needs = tlsext_ec_clienthello_needs, 898 .clienthello_build = tlsext_ec_clienthello_build, 899 .clienthello_parse = tlsext_ec_clienthello_parse, 900 .serverhello_needs = tlsext_ec_serverhello_needs, 901 .serverhello_build = tlsext_ec_serverhello_build, 902 .serverhello_parse = tlsext_ec_serverhello_parse, 903 }, 904 { 905 .type = TLSEXT_TYPE_session_ticket, 906 .clienthello_needs = tlsext_sessionticket_clienthello_needs, 907 .clienthello_build = tlsext_sessionticket_clienthello_build, 908 .clienthello_parse = tlsext_sessionticket_clienthello_parse, 909 .serverhello_needs = tlsext_sessionticket_serverhello_needs, 910 .serverhello_build = tlsext_sessionticket_serverhello_build, 911 .serverhello_parse = tlsext_sessionticket_serverhello_parse, 912 }, 913 { 914 .type = TLSEXT_TYPE_signature_algorithms, 915 .clienthello_needs = tlsext_sigalgs_clienthello_needs, 916 .clienthello_build = tlsext_sigalgs_clienthello_build, 917 .clienthello_parse = tlsext_sigalgs_clienthello_parse, 918 .serverhello_needs = tlsext_sigalgs_serverhello_needs, 919 .serverhello_build = tlsext_sigalgs_serverhello_build, 920 .serverhello_parse = tlsext_sigalgs_serverhello_parse, 921 }, 922}; 923 924#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 925 926int 927tlsext_clienthello_build(SSL *s, CBB *cbb) 928{ 929 struct tls_extension *tlsext; 930 CBB extension_data; 931 size_t i; 932 933 memset(&extension_data, 0, sizeof(extension_data)); 934 935 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 936 tlsext = &tls_extensions[i]; 937 938 if (!tlsext->clienthello_needs(s)) 939 continue; 940 941 if (!CBB_add_u16(cbb, tlsext->type)) 942 return 0; 943 if (!CBB_add_u16_length_prefixed(cbb, &extension_data)) 944 return 0; 945 if (!tls_extensions[i].clienthello_build(s, &extension_data)) 946 return 0; 947 if (!CBB_flush(cbb)) 948 return 0; 949 } 950 951 return 1; 952} 953 954int 955tlsext_clienthello_parse_one(SSL *s, CBS *cbs, uint16_t type, int *alert) 956{ 957 struct tls_extension *tlsext; 958 size_t i; 959 960 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 961 tlsext = &tls_extensions[i]; 962 963 if (tlsext->type != type) 964 continue; 965 if (!tlsext->clienthello_parse(s, cbs, alert)) 966 return 0; 967 if (CBS_len(cbs) != 0) { 968 *alert = SSL_AD_DECODE_ERROR; 969 return 0; 970 } 971 972 return 1; 973 } 974 975 /* Not found. */ 976 return 2; 977} 978 979int 980tlsext_serverhello_build(SSL *s, CBB *cbb) 981{ 982 struct tls_extension *tlsext; 983 CBB extension_data; 984 size_t i; 985 986 memset(&extension_data, 0, sizeof(extension_data)); 987 988 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 989 tlsext = &tls_extensions[i]; 990 991 if (!tlsext->serverhello_needs(s)) 992 continue; 993 994 if (!CBB_add_u16(cbb, tlsext->type)) 995 return 0; 996 if (!CBB_add_u16_length_prefixed(cbb, &extension_data)) 997 return 0; 998 if (!tlsext->serverhello_build(s, &extension_data)) 999 return 0; 1000 if (!CBB_flush(cbb)) 1001 return 0; 1002 } 1003 1004 return 1; 1005} 1006 1007int 1008tlsext_serverhello_parse_one(SSL *s, CBS *cbs, uint16_t type, int *alert) 1009{ 1010 struct tls_extension *tlsext; 1011 size_t i; 1012 1013 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1014 tlsext = &tls_extensions[i]; 1015 1016 if (tlsext->type != type) 1017 continue; 1018 if (!tlsext->serverhello_parse(s, cbs, alert)) 1019 return 0; 1020 if (CBS_len(cbs) != 0) { 1021 *alert = SSL_AD_DECODE_ERROR; 1022 return 0; 1023 } 1024 1025 return 1; 1026 } 1027 1028 /* Not found. */ 1029 return 2; 1030} 1031