ssl_tlsext.c revision 1.101
1/* $OpenBSD: ssl_tlsext.c,v 1.101 2021/11/01 16:37:17 jsing Exp $ */ 2/* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20#include <sys/socket.h> 21 22#include <arpa/inet.h> 23#include <netinet/in.h> 24 25#include <ctype.h> 26 27#include <openssl/ocsp.h> 28#include <openssl/opensslconf.h> 29 30#include "bytestring.h" 31#include "ssl_locl.h" 32#include "ssl_sigalgs.h" 33#include "ssl_tlsext.h" 34 35/* 36 * Supported Application-Layer Protocol Negotiation - RFC 7301 37 */ 38 39int 40tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 41{ 42 /* ALPN protos have been specified and this is the initial handshake */ 43 return s->internal->alpn_client_proto_list != NULL && 44 S3I(s)->hs.finished_len == 0; 45} 46 47int 48tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 49{ 50 CBB protolist; 51 52 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 53 return 0; 54 55 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 56 s->internal->alpn_client_proto_list_len)) 57 return 0; 58 59 if (!CBB_flush(cbb)) 60 return 0; 61 62 return 1; 63} 64 65int 66tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 67{ 68 CBS proto_name_list, alpn; 69 const unsigned char *selected; 70 unsigned char selected_len; 71 int r; 72 73 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 74 goto err; 75 if (CBS_len(&alpn) < 2) 76 goto err; 77 if (CBS_len(cbs) != 0) 78 goto err; 79 80 CBS_dup(&alpn, &proto_name_list); 81 while (CBS_len(&proto_name_list) > 0) { 82 CBS proto_name; 83 84 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 85 goto err; 86 if (CBS_len(&proto_name) == 0) 87 goto err; 88 } 89 90 if (s->ctx->internal->alpn_select_cb == NULL) 91 return 1; 92 93 /* 94 * XXX - A few things should be considered here: 95 * 1. Ensure that the same protocol is selected on session resumption. 96 * 2. Should the callback be called even if no ALPN extension was sent? 97 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 98 */ 99 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 100 CBS_data(&alpn), CBS_len(&alpn), 101 s->ctx->internal->alpn_select_cb_arg); 102 103 if (r == SSL_TLSEXT_ERR_OK) { 104 free(S3I(s)->alpn_selected); 105 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 106 S3I(s)->alpn_selected_len = 0; 107 *alert = SSL_AD_INTERNAL_ERROR; 108 return 0; 109 } 110 memcpy(S3I(s)->alpn_selected, selected, selected_len); 111 S3I(s)->alpn_selected_len = selected_len; 112 113 return 1; 114 } 115 116 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 117 if (r == SSL_TLSEXT_ERR_NOACK) 118 return 1; 119 120 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 121 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 122 123 return 0; 124 125 err: 126 *alert = SSL_AD_DECODE_ERROR; 127 return 0; 128} 129 130int 131tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 132{ 133 return S3I(s)->alpn_selected != NULL; 134} 135 136int 137tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 138{ 139 CBB list, selected; 140 141 if (!CBB_add_u16_length_prefixed(cbb, &list)) 142 return 0; 143 144 if (!CBB_add_u8_length_prefixed(&list, &selected)) 145 return 0; 146 147 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 148 S3I(s)->alpn_selected_len)) 149 return 0; 150 151 if (!CBB_flush(cbb)) 152 return 0; 153 154 return 1; 155} 156 157int 158tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 159{ 160 CBS list, proto; 161 162 if (s->internal->alpn_client_proto_list == NULL) { 163 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 164 return 0; 165 } 166 167 if (!CBS_get_u16_length_prefixed(cbs, &list)) 168 goto err; 169 if (CBS_len(cbs) != 0) 170 goto err; 171 172 if (!CBS_get_u8_length_prefixed(&list, &proto)) 173 goto err; 174 175 if (CBS_len(&list) != 0) 176 goto err; 177 if (CBS_len(&proto) == 0) 178 goto err; 179 180 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 181 &(S3I(s)->alpn_selected_len))) 182 goto err; 183 184 return 1; 185 186 err: 187 *alert = SSL_AD_DECODE_ERROR; 188 return 0; 189} 190 191/* 192 * Supported Groups - RFC 7919 section 2 193 */ 194int 195tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 196{ 197 return ssl_has_ecc_ciphers(s) || 198 (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); 199} 200 201int 202tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 203{ 204 const uint16_t *groups; 205 size_t groups_len; 206 CBB grouplist; 207 int i; 208 209 tls1_get_group_list(s, 0, &groups, &groups_len); 210 if (groups_len == 0) { 211 SSLerror(s, ERR_R_INTERNAL_ERROR); 212 return 0; 213 } 214 215 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 216 return 0; 217 218 for (i = 0; i < groups_len; i++) { 219 if (!CBB_add_u16(&grouplist, groups[i])) 220 return 0; 221 } 222 223 if (!CBB_flush(cbb)) 224 return 0; 225 226 return 1; 227} 228 229int 230tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 231 int *alert) 232{ 233 CBS grouplist; 234 size_t groups_len; 235 236 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 237 goto err; 238 if (CBS_len(cbs) != 0) 239 goto err; 240 241 groups_len = CBS_len(&grouplist); 242 if (groups_len == 0 || groups_len % 2 != 0) 243 goto err; 244 groups_len /= 2; 245 246 if (!s->internal->hit) { 247 uint16_t *groups; 248 int i; 249 250 if (S3I(s)->hs.tls13.hrr) { 251 if (s->session->tlsext_supportedgroups == NULL) { 252 *alert = SSL_AD_HANDSHAKE_FAILURE; 253 return 0; 254 } 255 /* 256 * In the case of TLSv1.3 the client cannot change 257 * the supported groups. 258 */ 259 if (groups_len != s->session->tlsext_supportedgroups_length) { 260 *alert = SSL_AD_ILLEGAL_PARAMETER; 261 return 0; 262 } 263 for (i = 0; i < groups_len; i++) { 264 uint16_t group; 265 266 if (!CBS_get_u16(&grouplist, &group)) 267 goto err; 268 if (s->session->tlsext_supportedgroups[i] != group) { 269 *alert = SSL_AD_ILLEGAL_PARAMETER; 270 return 0; 271 } 272 } 273 274 return 1; 275 } 276 277 if (s->session->tlsext_supportedgroups != NULL) 278 goto err; 279 280 if ((groups = reallocarray(NULL, groups_len, 281 sizeof(uint16_t))) == NULL) { 282 *alert = SSL_AD_INTERNAL_ERROR; 283 return 0; 284 } 285 286 for (i = 0; i < groups_len; i++) { 287 if (!CBS_get_u16(&grouplist, &groups[i])) { 288 free(groups); 289 goto err; 290 } 291 } 292 293 if (CBS_len(&grouplist) != 0) { 294 free(groups); 295 goto err; 296 } 297 298 s->session->tlsext_supportedgroups = groups; 299 s->session->tlsext_supportedgroups_length = groups_len; 300 } 301 302 return 1; 303 304 err: 305 *alert = SSL_AD_DECODE_ERROR; 306 return 0; 307} 308 309/* This extension is never used by the server. */ 310int 311tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 312{ 313 return 0; 314} 315 316int 317tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 318{ 319 return 0; 320} 321 322int 323tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 324 int *alert) 325{ 326 /* 327 * Servers should not send this extension per the RFC. 328 * 329 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 330 * from at least 2014 but as of 2017, there are still large sites with 331 * this unpatched in production. As a result, we need to currently skip 332 * over the extension and ignore its content: 333 * 334 * https://support.f5.com/csp/article/K37345003 335 */ 336 if (!CBS_skip(cbs, CBS_len(cbs))) { 337 *alert = SSL_AD_INTERNAL_ERROR; 338 return 0; 339 } 340 341 return 1; 342} 343 344/* 345 * Supported Point Formats Extension - RFC 4492 section 5.1.2 346 */ 347static int 348tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 349{ 350 CBB ecpf; 351 size_t formats_len; 352 const uint8_t *formats; 353 354 tls1_get_formatlist(s, 0, &formats, &formats_len); 355 356 if (formats_len == 0) { 357 SSLerror(s, ERR_R_INTERNAL_ERROR); 358 return 0; 359 } 360 361 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 362 return 0; 363 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 364 return 0; 365 if (!CBB_flush(cbb)) 366 return 0; 367 368 return 1; 369} 370 371static int 372tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 373{ 374 CBS ecpf; 375 376 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 377 return 0; 378 if (CBS_len(&ecpf) == 0) 379 return 0; 380 if (CBS_len(cbs) != 0) 381 return 0; 382 383 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 384 if (!CBS_contains_zero_byte(&ecpf)) { 385 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 386 *alert = SSL_AD_ILLEGAL_PARAMETER; 387 return 0; 388 } 389 390 if (!s->internal->hit) { 391 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), 392 &(s->session->tlsext_ecpointformatlist_length))) { 393 *alert = SSL_AD_INTERNAL_ERROR; 394 return 0; 395 } 396 } 397 398 return 1; 399} 400 401int 402tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 403{ 404 return ssl_has_ecc_ciphers(s); 405} 406 407int 408tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 409{ 410 return tlsext_ecpf_build(s, msg_type, cbb); 411} 412 413int 414tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 415{ 416 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 417} 418 419int 420tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 421{ 422 return ssl_using_ecc_cipher(s); 423} 424 425int 426tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 427{ 428 return tlsext_ecpf_build(s, msg_type, cbb); 429} 430 431int 432tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 433{ 434 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 435} 436 437/* 438 * Renegotiation Indication - RFC 5746. 439 */ 440int 441tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 442{ 443 return (s->internal->renegotiate); 444} 445 446int 447tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 448{ 449 CBB reneg; 450 451 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 452 return 0; 453 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 454 S3I(s)->previous_client_finished_len)) 455 return 0; 456 if (!CBB_flush(cbb)) 457 return 0; 458 459 return 1; 460} 461 462int 463tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 464{ 465 CBS reneg; 466 467 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 468 goto err; 469 if (CBS_len(cbs) != 0) 470 goto err; 471 472 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 473 S3I(s)->previous_client_finished_len)) { 474 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 475 *alert = SSL_AD_HANDSHAKE_FAILURE; 476 return 0; 477 } 478 479 S3I(s)->renegotiate_seen = 1; 480 S3I(s)->send_connection_binding = 1; 481 482 return 1; 483 484 err: 485 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 486 *alert = SSL_AD_DECODE_ERROR; 487 return 0; 488} 489 490int 491tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 492{ 493 return (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION && 494 S3I(s)->send_connection_binding); 495} 496 497int 498tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 499{ 500 CBB reneg; 501 502 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 503 return 0; 504 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 505 S3I(s)->previous_client_finished_len)) 506 return 0; 507 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 508 S3I(s)->previous_server_finished_len)) 509 return 0; 510 if (!CBB_flush(cbb)) 511 return 0; 512 513 return 1; 514} 515 516int 517tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 518{ 519 CBS reneg, prev_client, prev_server; 520 521 /* 522 * Ensure that the previous client and server values are both not 523 * present, or that they are both present. 524 */ 525 if ((S3I(s)->previous_client_finished_len == 0 && 526 S3I(s)->previous_server_finished_len != 0) || 527 (S3I(s)->previous_client_finished_len != 0 && 528 S3I(s)->previous_server_finished_len == 0)) { 529 *alert = SSL_AD_INTERNAL_ERROR; 530 return 0; 531 } 532 533 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 534 goto err; 535 if (!CBS_get_bytes(&reneg, &prev_client, 536 S3I(s)->previous_client_finished_len)) 537 goto err; 538 if (!CBS_get_bytes(&reneg, &prev_server, 539 S3I(s)->previous_server_finished_len)) 540 goto err; 541 if (CBS_len(&reneg) != 0) 542 goto err; 543 if (CBS_len(cbs) != 0) 544 goto err; 545 546 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 547 S3I(s)->previous_client_finished_len)) { 548 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 549 *alert = SSL_AD_HANDSHAKE_FAILURE; 550 return 0; 551 } 552 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 553 S3I(s)->previous_server_finished_len)) { 554 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 555 *alert = SSL_AD_HANDSHAKE_FAILURE; 556 return 0; 557 } 558 559 S3I(s)->renegotiate_seen = 1; 560 S3I(s)->send_connection_binding = 1; 561 562 return 1; 563 564 err: 565 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 566 *alert = SSL_AD_DECODE_ERROR; 567 return 0; 568} 569 570/* 571 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 572 */ 573int 574tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 575{ 576 return (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION); 577} 578 579int 580tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 581{ 582 uint16_t tls_version = S3I(s)->hs.negotiated_tls_version; 583 CBB sigalgs; 584 585 if (msg_type == SSL_TLSEXT_MSG_CH) 586 tls_version = S3I(s)->hs.our_min_tls_version; 587 588 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 589 return 0; 590 if (!ssl_sigalgs_build(tls_version, &sigalgs)) 591 return 0; 592 if (!CBB_flush(cbb)) 593 return 0; 594 595 return 1; 596} 597 598int 599tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 600{ 601 CBS sigalgs; 602 603 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 604 return 0; 605 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 606 return 0; 607 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 608 return 0; 609 610 return 1; 611} 612 613int 614tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 615{ 616 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); 617} 618 619int 620tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 621{ 622 CBB sigalgs; 623 624 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 625 return 0; 626 if (!ssl_sigalgs_build(S3I(s)->hs.negotiated_tls_version, &sigalgs)) 627 return 0; 628 if (!CBB_flush(cbb)) 629 return 0; 630 631 return 1; 632} 633 634int 635tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 636{ 637 CBS sigalgs; 638 639 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 640 return 0; 641 642 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 643 return 0; 644 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 645 return 0; 646 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 647 return 0; 648 649 return 1; 650} 651 652/* 653 * Server Name Indication - RFC 6066, section 3. 654 */ 655int 656tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 657{ 658 return (s->tlsext_hostname != NULL); 659} 660 661int 662tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 663{ 664 CBB server_name_list, host_name; 665 666 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 667 return 0; 668 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 669 return 0; 670 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 671 return 0; 672 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 673 strlen(s->tlsext_hostname))) 674 return 0; 675 if (!CBB_flush(cbb)) 676 return 0; 677 678 return 1; 679} 680 681static int 682tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip) 683{ 684 union { 685 struct in_addr ip4; 686 struct in6_addr ip6; 687 } addrbuf; 688 char *hostname = NULL; 689 690 *is_ip = 0; 691 692 if (!CBS_strdup(cbs, &hostname)) 693 return 0; 694 695 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 || 696 inet_pton(AF_INET6, hostname, &addrbuf) == 1) 697 *is_ip = 1; 698 699 free(hostname); 700 701 return 1; 702} 703 704/* 705 * Validate that the CBS contains only a hostname consisting of RFC 5890 706 * compliant A-labels (see RFC 6066 section 3). Not a complete check 707 * since we don't parse punycode to verify its validity but limits to 708 * correct structure and character set. 709 */ 710int 711tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) 712{ 713 uint8_t prev, c = 0; 714 int component = 0; 715 CBS hostname; 716 717 CBS_dup(cbs, &hostname); 718 719 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 720 return 0; 721 722 /* An IP literal is invalid as a host name (RFC 6066 section 3). */ 723 if (!tlsext_sni_is_ip_literal(&hostname, is_ip)) 724 return 0; 725 if (*is_ip) 726 return 0; 727 728 while (CBS_len(&hostname) > 0) { 729 prev = c; 730 if (!CBS_get_u8(&hostname, &c)) 731 return 0; 732 /* Everything has to be ASCII, with no NUL byte. */ 733 if (!isascii(c) || c == '\0') 734 return 0; 735 /* It must be alphanumeric, a '-', or a '.' */ 736 if (!isalnum(c) && c != '-' && c != '.') 737 return 0; 738 /* '-' and '.' must not start a component or be at the end. */ 739 if (component == 0 || CBS_len(&hostname) == 0) { 740 if (c == '-' || c == '.') 741 return 0; 742 } 743 if (c == '.') { 744 /* Components can not end with a dash. */ 745 if (prev == '-') 746 return 0; 747 /* Start new component */ 748 component = 0; 749 continue; 750 } 751 /* Components must be 63 chars or less. */ 752 if (++component > 63) 753 return 0; 754 } 755 756 return 1; 757} 758 759int 760tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 761{ 762 CBS server_name_list, host_name; 763 uint8_t name_type; 764 int is_ip; 765 766 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 767 goto err; 768 769 if (!CBS_get_u8(&server_name_list, &name_type)) 770 goto err; 771 772 /* 773 * RFC 6066 section 3, only one type (host_name) is specified. 774 * We do not tolerate unknown types, neither does BoringSSL. 775 * other implementations appear more tolerant. 776 */ 777 if (name_type != TLSEXT_NAMETYPE_host_name) { 778 *alert = SSL_AD_ILLEGAL_PARAMETER; 779 goto err; 780 } 781 782 /* 783 * RFC 6066 section 3 specifies a host name must be at least 1 byte 784 * so 0 length is a decode error. 785 */ 786 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 787 goto err; 788 if (CBS_len(&host_name) < 1) 789 goto err; 790 791 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) { 792 /* 793 * Various pieces of software have been known to set the SNI 794 * host name to an IP address, even though that violates the 795 * RFC. If this is the case, pretend the SNI extension does 796 * not exist. 797 */ 798 if (is_ip) 799 goto done; 800 801 *alert = SSL_AD_ILLEGAL_PARAMETER; 802 goto err; 803 } 804 805 if (s->internal->hit || S3I(s)->hs.tls13.hrr) { 806 if (s->session->tlsext_hostname == NULL) { 807 *alert = SSL_AD_UNRECOGNIZED_NAME; 808 goto err; 809 } 810 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 811 strlen(s->session->tlsext_hostname))) { 812 *alert = SSL_AD_UNRECOGNIZED_NAME; 813 goto err; 814 } 815 } else { 816 if (s->session->tlsext_hostname != NULL) 817 goto err; 818 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 819 *alert = SSL_AD_INTERNAL_ERROR; 820 goto err; 821 } 822 } 823 824 done: 825 /* 826 * RFC 6066 section 3 forbids multiple host names with the same type, 827 * therefore we allow only one entry. 828 */ 829 if (CBS_len(&server_name_list) != 0) { 830 *alert = SSL_AD_ILLEGAL_PARAMETER; 831 goto err; 832 } 833 if (CBS_len(cbs) != 0) 834 goto err; 835 836 return 1; 837 838 err: 839 return 0; 840} 841 842int 843tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 844{ 845 if (s->internal->hit) 846 return 0; 847 848 return (s->session->tlsext_hostname != NULL); 849} 850 851int 852tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 853{ 854 return 1; 855} 856 857int 858tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 859{ 860 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 861 *alert = SSL_AD_UNRECOGNIZED_NAME; 862 return 0; 863 } 864 865 if (s->internal->hit) { 866 if (s->session->tlsext_hostname == NULL) { 867 *alert = SSL_AD_UNRECOGNIZED_NAME; 868 return 0; 869 } 870 if (strcmp(s->tlsext_hostname, 871 s->session->tlsext_hostname) != 0) { 872 *alert = SSL_AD_UNRECOGNIZED_NAME; 873 return 0; 874 } 875 } else { 876 if (s->session->tlsext_hostname != NULL) { 877 *alert = SSL_AD_DECODE_ERROR; 878 return 0; 879 } 880 if ((s->session->tlsext_hostname = 881 strdup(s->tlsext_hostname)) == NULL) { 882 *alert = SSL_AD_INTERNAL_ERROR; 883 return 0; 884 } 885 } 886 887 return 1; 888} 889 890 891/* 892 * Certificate Status Request - RFC 6066 section 8. 893 */ 894 895int 896tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 897{ 898 if (msg_type != SSL_TLSEXT_MSG_CH) 899 return 0; 900 901 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 902} 903 904int 905tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 906{ 907 CBB respid_list, respid, exts; 908 unsigned char *ext_data; 909 size_t ext_len; 910 int i; 911 912 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 913 return 0; 914 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 915 return 0; 916 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 917 unsigned char *respid_data; 918 OCSP_RESPID *id; 919 size_t id_len; 920 921 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 922 i)) == NULL) 923 return 0; 924 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 925 return 0; 926 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 927 return 0; 928 if (!CBB_add_space(&respid, &respid_data, id_len)) 929 return 0; 930 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 931 return 0; 932 } 933 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 934 return 0; 935 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 936 NULL)) == -1) 937 return 0; 938 if (!CBB_add_space(&exts, &ext_data, ext_len)) 939 return 0; 940 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 941 ext_len)) 942 return 0; 943 if (!CBB_flush(cbb)) 944 return 0; 945 return 1; 946} 947 948int 949tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 950{ 951 int alert_desc = SSL_AD_DECODE_ERROR; 952 CBS respid_list, respid, exts; 953 const unsigned char *p; 954 uint8_t status_type; 955 int ret = 0; 956 957 if (msg_type != SSL_TLSEXT_MSG_CH) 958 goto err; 959 960 if (!CBS_get_u8(cbs, &status_type)) 961 goto err; 962 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 963 /* ignore unknown status types */ 964 s->tlsext_status_type = -1; 965 966 if (!CBS_skip(cbs, CBS_len(cbs))) { 967 *alert = SSL_AD_INTERNAL_ERROR; 968 return 0; 969 } 970 return 1; 971 } 972 s->tlsext_status_type = status_type; 973 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 974 goto err; 975 976 /* XXX */ 977 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 978 s->internal->tlsext_ocsp_ids = NULL; 979 if (CBS_len(&respid_list) > 0) { 980 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 981 if (s->internal->tlsext_ocsp_ids == NULL) { 982 alert_desc = SSL_AD_INTERNAL_ERROR; 983 goto err; 984 } 985 } 986 987 while (CBS_len(&respid_list) > 0) { 988 OCSP_RESPID *id; 989 990 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 991 goto err; 992 p = CBS_data(&respid); 993 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 994 goto err; 995 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 996 alert_desc = SSL_AD_INTERNAL_ERROR; 997 OCSP_RESPID_free(id); 998 goto err; 999 } 1000 } 1001 1002 /* Read in request_extensions */ 1003 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 1004 goto err; 1005 if (CBS_len(&exts) > 0) { 1006 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 1007 X509_EXTENSION_free); 1008 p = CBS_data(&exts); 1009 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 1010 &p, CBS_len(&exts))) == NULL) 1011 goto err; 1012 } 1013 1014 /* should be nothing left */ 1015 if (CBS_len(cbs) > 0) 1016 goto err; 1017 1018 ret = 1; 1019 err: 1020 if (ret == 0) 1021 *alert = alert_desc; 1022 return ret; 1023} 1024 1025int 1026tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 1027{ 1028 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && 1029 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 1030 s->ctx->internal->tlsext_status_cb != NULL) { 1031 s->internal->tlsext_status_expected = 0; 1032 if (s->ctx->internal->tlsext_status_cb(s, 1033 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 1034 s->internal->tlsext_ocsp_resp_len > 0) 1035 s->internal->tlsext_status_expected = 1; 1036 } 1037 return s->internal->tlsext_status_expected; 1038} 1039 1040int 1041tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1042{ 1043 CBB ocsp_response; 1044 1045 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1046 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1047 return 0; 1048 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1049 return 0; 1050 if (!CBB_add_bytes(&ocsp_response, 1051 s->internal->tlsext_ocsp_resp, 1052 s->internal->tlsext_ocsp_resp_len)) 1053 return 0; 1054 if (!CBB_flush(cbb)) 1055 return 0; 1056 } 1057 return 1; 1058} 1059 1060int 1061tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1062{ 1063 uint8_t status_type; 1064 CBS response; 1065 1066 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1067 if (msg_type == SSL_TLSEXT_MSG_CR) { 1068 /* 1069 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1070 * response with an empty status_request. 1071 */ 1072 if (CBS_len(cbs) == 0) 1073 return 1; 1074 1075 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1076 return 0; 1077 } 1078 if (!CBS_get_u8(cbs, &status_type)) { 1079 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1080 return 0; 1081 } 1082 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1083 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1084 return 0; 1085 } 1086 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1087 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1088 return 0; 1089 } 1090 if (CBS_len(&response) > 65536) { 1091 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1092 return 0; 1093 } 1094 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 1095 &s->internal->tlsext_ocsp_resp_len)) { 1096 *alert = SSL_AD_INTERNAL_ERROR; 1097 return 0; 1098 } 1099 } else { 1100 if (s->tlsext_status_type == -1) { 1101 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1102 return 0; 1103 } 1104 /* Set flag to expect CertificateStatus message */ 1105 s->internal->tlsext_status_expected = 1; 1106 } 1107 return 1; 1108} 1109 1110/* 1111 * SessionTicket extension - RFC 5077 section 3.2 1112 */ 1113int 1114tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1115{ 1116 /* 1117 * Send session ticket extension when enabled and not overridden. 1118 * 1119 * When renegotiating, send an empty session ticket to indicate support. 1120 */ 1121 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1122 return 0; 1123 1124 if (s->internal->new_session) 1125 return 1; 1126 1127 if (s->internal->tlsext_session_ticket != NULL && 1128 s->internal->tlsext_session_ticket->data == NULL) 1129 return 0; 1130 1131 return 1; 1132} 1133 1134int 1135tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1136{ 1137 /* 1138 * Signal that we support session tickets by sending an empty 1139 * extension when renegotiating or no session found. 1140 */ 1141 if (s->internal->new_session || s->session == NULL) 1142 return 1; 1143 1144 if (s->session->tlsext_tick != NULL) { 1145 /* Attempt to resume with an existing session ticket */ 1146 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1147 s->session->tlsext_ticklen)) 1148 return 0; 1149 1150 } else if (s->internal->tlsext_session_ticket != NULL) { 1151 /* 1152 * Attempt to resume with a custom provided session ticket set 1153 * by SSL_set_session_ticket_ext(). 1154 */ 1155 if (s->internal->tlsext_session_ticket->length > 0) { 1156 size_t ticklen = s->internal->tlsext_session_ticket->length; 1157 1158 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1159 return 0; 1160 memcpy(s->session->tlsext_tick, 1161 s->internal->tlsext_session_ticket->data, 1162 ticklen); 1163 s->session->tlsext_ticklen = ticklen; 1164 1165 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1166 s->session->tlsext_ticklen)) 1167 return 0; 1168 } 1169 } 1170 1171 if (!CBB_flush(cbb)) 1172 return 0; 1173 1174 return 1; 1175} 1176 1177int 1178tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1179 int *alert) 1180{ 1181 if (s->internal->tls_session_ticket_ext_cb) { 1182 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1183 (int)CBS_len(cbs), 1184 s->internal->tls_session_ticket_ext_cb_arg)) { 1185 *alert = SSL_AD_INTERNAL_ERROR; 1186 return 0; 1187 } 1188 } 1189 1190 /* We need to signal that this was processed fully */ 1191 if (!CBS_skip(cbs, CBS_len(cbs))) { 1192 *alert = SSL_AD_INTERNAL_ERROR; 1193 return 0; 1194 } 1195 1196 return 1; 1197} 1198 1199int 1200tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1201{ 1202 return (s->internal->tlsext_ticket_expected && 1203 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 1204} 1205 1206int 1207tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1208{ 1209 /* Empty ticket */ 1210 return 1; 1211} 1212 1213int 1214tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1215 int *alert) 1216{ 1217 if (s->internal->tls_session_ticket_ext_cb) { 1218 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1219 (int)CBS_len(cbs), 1220 s->internal->tls_session_ticket_ext_cb_arg)) { 1221 *alert = SSL_AD_INTERNAL_ERROR; 1222 return 0; 1223 } 1224 } 1225 1226 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1227 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1228 return 0; 1229 } 1230 1231 s->internal->tlsext_ticket_expected = 1; 1232 1233 return 1; 1234} 1235 1236/* 1237 * DTLS extension for SRTP key establishment - RFC 5764 1238 */ 1239 1240#ifndef OPENSSL_NO_SRTP 1241 1242int 1243tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1244{ 1245 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1246} 1247 1248int 1249tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1250{ 1251 CBB profiles, mki; 1252 int ct, i; 1253 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1254 const SRTP_PROTECTION_PROFILE *prof; 1255 1256 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1257 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1258 return 0; 1259 } 1260 1261 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1262 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1263 return 0; 1264 } 1265 1266 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1267 return 0; 1268 1269 for (i = 0; i < ct; i++) { 1270 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1271 return 0; 1272 if (!CBB_add_u16(&profiles, prof->id)) 1273 return 0; 1274 } 1275 1276 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1277 return 0; 1278 1279 if (!CBB_flush(cbb)) 1280 return 0; 1281 1282 return 1; 1283} 1284 1285int 1286tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1287{ 1288 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1289 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1290 int i, j; 1291 int ret; 1292 uint16_t id; 1293 CBS profiles, mki; 1294 1295 ret = 0; 1296 1297 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1298 goto err; 1299 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1300 goto err; 1301 1302 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1303 goto err; 1304 1305 while (CBS_len(&profiles) > 0) { 1306 if (!CBS_get_u16(&profiles, &id)) 1307 goto err; 1308 1309 if (!srtp_find_profile_by_num(id, &cprof)) { 1310 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1311 goto err; 1312 } 1313 } 1314 1315 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1316 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1317 *alert = SSL_AD_DECODE_ERROR; 1318 goto done; 1319 } 1320 if (CBS_len(cbs) != 0) 1321 goto err; 1322 1323 /* 1324 * Per RFC 5764 section 4.1.1 1325 * 1326 * Find the server preferred profile using the client's list. 1327 * 1328 * The server MUST send a profile if it sends the use_srtp 1329 * extension. If one is not found, it should fall back to the 1330 * negotiated DTLS cipher suite or return a DTLS alert. 1331 */ 1332 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1333 goto err; 1334 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1335 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1336 == NULL) 1337 goto err; 1338 1339 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1340 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1341 == NULL) 1342 goto err; 1343 1344 if (cprof->id == sprof->id) { 1345 s->internal->srtp_profile = sprof; 1346 ret = 1; 1347 goto done; 1348 } 1349 } 1350 } 1351 1352 /* If we didn't find anything, fall back to the negotiated */ 1353 ret = 1; 1354 goto done; 1355 1356 err: 1357 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1358 *alert = SSL_AD_DECODE_ERROR; 1359 1360 done: 1361 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1362 return ret; 1363} 1364 1365int 1366tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1367{ 1368 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1369} 1370 1371int 1372tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1373{ 1374 SRTP_PROTECTION_PROFILE *profile; 1375 CBB srtp, mki; 1376 1377 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1378 return 0; 1379 1380 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1381 return 0; 1382 1383 if (!CBB_add_u16(&srtp, profile->id)) 1384 return 0; 1385 1386 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1387 return 0; 1388 1389 if (!CBB_flush(cbb)) 1390 return 0; 1391 1392 return 1; 1393} 1394 1395int 1396tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1397{ 1398 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1399 const SRTP_PROTECTION_PROFILE *prof; 1400 int i; 1401 uint16_t id; 1402 CBS profile_ids, mki; 1403 1404 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1405 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1406 goto err; 1407 } 1408 1409 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1410 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1411 goto err; 1412 } 1413 1414 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1415 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1416 *alert = SSL_AD_ILLEGAL_PARAMETER; 1417 return 0; 1418 } 1419 1420 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1421 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1422 goto err; 1423 } 1424 1425 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1426 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1427 == NULL) { 1428 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1429 goto err; 1430 } 1431 1432 if (prof->id == id) { 1433 s->internal->srtp_profile = prof; 1434 return 1; 1435 } 1436 } 1437 1438 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1439 err: 1440 *alert = SSL_AD_DECODE_ERROR; 1441 return 0; 1442} 1443 1444#endif /* OPENSSL_NO_SRTP */ 1445 1446/* 1447 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1448 */ 1449int 1450tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1451{ 1452 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); 1453} 1454 1455int 1456tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1457{ 1458 CBB client_shares; 1459 1460 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1461 return 0; 1462 1463 if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, 1464 &client_shares)) 1465 return 0; 1466 1467 if (!CBB_flush(cbb)) 1468 return 0; 1469 1470 return 1; 1471} 1472 1473int 1474tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1475{ 1476 CBS client_shares, key_exchange; 1477 uint16_t group; 1478 1479 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1480 goto err; 1481 1482 while (CBS_len(&client_shares) > 0) { 1483 1484 /* Unpack client share. */ 1485 if (!CBS_get_u16(&client_shares, &group)) 1486 goto err; 1487 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1488 return 0; 1489 1490 /* 1491 * XXX - check key exchange against supported groups from client. 1492 * XXX - check that groups only appear once. 1493 */ 1494 1495 /* 1496 * Ignore this client share if we're using earlier than TLSv1.3 1497 * or we've already selected a key share. 1498 */ 1499 if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION) 1500 continue; 1501 if (S3I(s)->hs.tls13.key_share != NULL) 1502 continue; 1503 1504 /* XXX - consider implementing server preference. */ 1505 if (!tls1_check_curve(s, group)) 1506 continue; 1507 1508 /* Decode and store the selected key share. */ 1509 S3I(s)->hs.tls13.key_share = tls13_key_share_new(group); 1510 if (S3I(s)->hs.tls13.key_share == NULL) 1511 goto err; 1512 if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share, 1513 group, &key_exchange)) 1514 goto err; 1515 } 1516 1517 return 1; 1518 1519 err: 1520 *alert = SSL_AD_DECODE_ERROR; 1521 return 0; 1522} 1523 1524int 1525tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1526{ 1527 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && 1528 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1529} 1530 1531int 1532tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1533{ 1534 /* In the case of a HRR, we only send the server selected group. */ 1535 if (S3I(s)->hs.tls13.hrr) { 1536 if (S3I(s)->hs.tls13.server_group == 0) 1537 return 0; 1538 return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group); 1539 } 1540 1541 if (S3I(s)->hs.tls13.key_share == NULL) 1542 return 0; 1543 1544 if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, cbb)) 1545 return 0; 1546 1547 return 1; 1548} 1549 1550int 1551tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1552{ 1553 CBS key_exchange; 1554 uint16_t group; 1555 1556 /* Unpack server share. */ 1557 if (!CBS_get_u16(cbs, &group)) 1558 goto err; 1559 1560 if (CBS_len(cbs) == 0) { 1561 /* HRR does not include an actual key share. */ 1562 /* XXX - we should know that we are in a HRR... */ 1563 S3I(s)->hs.tls13.server_group = group; 1564 return 1; 1565 } 1566 1567 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1568 return 0; 1569 1570 if (S3I(s)->hs.tls13.key_share == NULL) 1571 return 0; 1572 1573 if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share, 1574 group, &key_exchange)) 1575 goto err; 1576 1577 return 1; 1578 1579 err: 1580 *alert = SSL_AD_DECODE_ERROR; 1581 return 0; 1582} 1583 1584/* 1585 * Supported Versions - RFC 8446 section 4.2.1. 1586 */ 1587int 1588tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1589{ 1590 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); 1591} 1592 1593int 1594tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1595{ 1596 uint16_t max, min; 1597 uint16_t version; 1598 CBB versions; 1599 1600 max = S3I(s)->hs.our_max_tls_version; 1601 min = S3I(s)->hs.our_min_tls_version; 1602 1603 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1604 return 0; 1605 1606 /* XXX - fix, but contiguous for now... */ 1607 for (version = max; version >= min; version--) { 1608 if (!CBB_add_u16(&versions, version)) 1609 return 0; 1610 } 1611 1612 if (!CBB_flush(cbb)) 1613 return 0; 1614 1615 return 1; 1616} 1617 1618int 1619tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1620{ 1621 CBS versions; 1622 uint16_t version; 1623 uint16_t max, min; 1624 uint16_t matched_version = 0; 1625 1626 max = S3I(s)->hs.our_max_tls_version; 1627 min = S3I(s)->hs.our_min_tls_version; 1628 1629 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1630 goto err; 1631 1632 while (CBS_len(&versions) > 0) { 1633 if (!CBS_get_u16(&versions, &version)) 1634 goto err; 1635 /* 1636 * XXX What is below implements client preference, and 1637 * ignores any server preference entirely. 1638 */ 1639 if (matched_version == 0 && version >= min && version <= max) 1640 matched_version = version; 1641 } 1642 1643 if (matched_version > 0) { 1644 /* XXX - this should be stored for later processing. */ 1645 s->version = matched_version; 1646 return 1; 1647 } 1648 1649 *alert = SSL_AD_PROTOCOL_VERSION; 1650 return 0; 1651 1652 err: 1653 *alert = SSL_AD_DECODE_ERROR; 1654 return 0; 1655} 1656 1657int 1658tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1659{ 1660 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); 1661} 1662 1663int 1664tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1665{ 1666 return CBB_add_u16(cbb, TLS1_3_VERSION); 1667} 1668 1669int 1670tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1671{ 1672 uint16_t selected_version; 1673 1674 if (!CBS_get_u16(cbs, &selected_version)) { 1675 *alert = SSL_AD_DECODE_ERROR; 1676 return 0; 1677 } 1678 1679 /* XXX - need to fix for DTLS 1.3 */ 1680 if (selected_version < TLS1_3_VERSION) { 1681 *alert = SSL_AD_ILLEGAL_PARAMETER; 1682 return 0; 1683 } 1684 1685 /* XXX test between min and max once initialization code goes in */ 1686 S3I(s)->hs.tls13.server_version = selected_version; 1687 1688 return 1; 1689} 1690 1691 1692/* 1693 * Cookie - RFC 8446 section 4.2.2. 1694 */ 1695 1696int 1697tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1698{ 1699 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && 1700 S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); 1701} 1702 1703int 1704tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1705{ 1706 CBB cookie; 1707 1708 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1709 return 0; 1710 1711 if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, 1712 S3I(s)->hs.tls13.cookie_len)) 1713 return 0; 1714 1715 if (!CBB_flush(cbb)) 1716 return 0; 1717 1718 return 1; 1719} 1720 1721int 1722tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1723{ 1724 CBS cookie; 1725 1726 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1727 goto err; 1728 1729 if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len) 1730 goto err; 1731 1732 /* 1733 * Check provided cookie value against what server previously 1734 * sent - client *MUST* send the same cookie with new CR after 1735 * a cookie is sent by the server with an HRR. 1736 */ 1737 if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie, 1738 S3I(s)->hs.tls13.cookie_len)) { 1739 /* XXX special cookie mismatch alert? */ 1740 *alert = SSL_AD_ILLEGAL_PARAMETER; 1741 return 0; 1742 } 1743 1744 return 1; 1745 1746 err: 1747 *alert = SSL_AD_DECODE_ERROR; 1748 return 0; 1749} 1750 1751int 1752tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1753{ 1754 /* 1755 * Server needs to set cookie value in tls13 handshake 1756 * in order to send one, should only be sent with HRR. 1757 */ 1758 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && 1759 S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); 1760} 1761 1762int 1763tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1764{ 1765 CBB cookie; 1766 1767 /* XXX deduplicate with client code */ 1768 1769 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1770 return 0; 1771 1772 if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, 1773 S3I(s)->hs.tls13.cookie_len)) 1774 return 0; 1775 1776 if (!CBB_flush(cbb)) 1777 return 0; 1778 1779 return 1; 1780} 1781 1782int 1783tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1784{ 1785 CBS cookie; 1786 1787 /* 1788 * XXX This currently assumes we will not get a second 1789 * HRR from a server with a cookie to process after accepting 1790 * one from the server in the same handshake 1791 */ 1792 if (S3I(s)->hs.tls13.cookie != NULL || 1793 S3I(s)->hs.tls13.cookie_len != 0) { 1794 *alert = SSL_AD_ILLEGAL_PARAMETER; 1795 return 0; 1796 } 1797 1798 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1799 goto err; 1800 1801 if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie, 1802 &S3I(s)->hs.tls13.cookie_len)) 1803 goto err; 1804 1805 return 1; 1806 1807 err: 1808 *alert = SSL_AD_DECODE_ERROR; 1809 return 0; 1810} 1811 1812struct tls_extension_funcs { 1813 int (*needs)(SSL *s, uint16_t msg_type); 1814 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 1815 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 1816}; 1817 1818struct tls_extension { 1819 uint16_t type; 1820 uint16_t messages; 1821 struct tls_extension_funcs client; 1822 struct tls_extension_funcs server; 1823}; 1824 1825static const struct tls_extension tls_extensions[] = { 1826 { 1827 .type = TLSEXT_TYPE_supported_versions, 1828 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1829 SSL_TLSEXT_MSG_HRR, 1830 .client = { 1831 .needs = tlsext_versions_client_needs, 1832 .build = tlsext_versions_client_build, 1833 .parse = tlsext_versions_client_parse, 1834 }, 1835 .server = { 1836 .needs = tlsext_versions_server_needs, 1837 .build = tlsext_versions_server_build, 1838 .parse = tlsext_versions_server_parse, 1839 }, 1840 }, 1841 { 1842 .type = TLSEXT_TYPE_key_share, 1843 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1844 SSL_TLSEXT_MSG_HRR, 1845 .client = { 1846 .needs = tlsext_keyshare_client_needs, 1847 .build = tlsext_keyshare_client_build, 1848 .parse = tlsext_keyshare_client_parse, 1849 }, 1850 .server = { 1851 .needs = tlsext_keyshare_server_needs, 1852 .build = tlsext_keyshare_server_build, 1853 .parse = tlsext_keyshare_server_parse, 1854 }, 1855 }, 1856 { 1857 .type = TLSEXT_TYPE_server_name, 1858 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1859 .client = { 1860 .needs = tlsext_sni_client_needs, 1861 .build = tlsext_sni_client_build, 1862 .parse = tlsext_sni_client_parse, 1863 }, 1864 .server = { 1865 .needs = tlsext_sni_server_needs, 1866 .build = tlsext_sni_server_build, 1867 .parse = tlsext_sni_server_parse, 1868 }, 1869 }, 1870 { 1871 .type = TLSEXT_TYPE_renegotiate, 1872 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1873 .client = { 1874 .needs = tlsext_ri_client_needs, 1875 .build = tlsext_ri_client_build, 1876 .parse = tlsext_ri_client_parse, 1877 }, 1878 .server = { 1879 .needs = tlsext_ri_server_needs, 1880 .build = tlsext_ri_server_build, 1881 .parse = tlsext_ri_server_parse, 1882 }, 1883 }, 1884 { 1885 .type = TLSEXT_TYPE_status_request, 1886 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 1887 SSL_TLSEXT_MSG_CT, 1888 .client = { 1889 .needs = tlsext_ocsp_client_needs, 1890 .build = tlsext_ocsp_client_build, 1891 .parse = tlsext_ocsp_client_parse, 1892 }, 1893 .server = { 1894 .needs = tlsext_ocsp_server_needs, 1895 .build = tlsext_ocsp_server_build, 1896 .parse = tlsext_ocsp_server_parse, 1897 }, 1898 }, 1899 { 1900 .type = TLSEXT_TYPE_ec_point_formats, 1901 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1902 .client = { 1903 .needs = tlsext_ecpf_client_needs, 1904 .build = tlsext_ecpf_client_build, 1905 .parse = tlsext_ecpf_client_parse, 1906 }, 1907 .server = { 1908 .needs = tlsext_ecpf_server_needs, 1909 .build = tlsext_ecpf_server_build, 1910 .parse = tlsext_ecpf_server_parse, 1911 }, 1912 }, 1913 { 1914 .type = TLSEXT_TYPE_supported_groups, 1915 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1916 .client = { 1917 .needs = tlsext_supportedgroups_client_needs, 1918 .build = tlsext_supportedgroups_client_build, 1919 .parse = tlsext_supportedgroups_client_parse, 1920 }, 1921 .server = { 1922 .needs = tlsext_supportedgroups_server_needs, 1923 .build = tlsext_supportedgroups_server_build, 1924 .parse = tlsext_supportedgroups_server_parse, 1925 }, 1926 }, 1927 { 1928 .type = TLSEXT_TYPE_session_ticket, 1929 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1930 .client = { 1931 .needs = tlsext_sessionticket_client_needs, 1932 .build = tlsext_sessionticket_client_build, 1933 .parse = tlsext_sessionticket_client_parse, 1934 }, 1935 .server = { 1936 .needs = tlsext_sessionticket_server_needs, 1937 .build = tlsext_sessionticket_server_build, 1938 .parse = tlsext_sessionticket_server_parse, 1939 }, 1940 }, 1941 { 1942 .type = TLSEXT_TYPE_signature_algorithms, 1943 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 1944 .client = { 1945 .needs = tlsext_sigalgs_client_needs, 1946 .build = tlsext_sigalgs_client_build, 1947 .parse = tlsext_sigalgs_client_parse, 1948 }, 1949 .server = { 1950 .needs = tlsext_sigalgs_server_needs, 1951 .build = tlsext_sigalgs_server_build, 1952 .parse = tlsext_sigalgs_server_parse, 1953 }, 1954 }, 1955 { 1956 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1957 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1958 .client = { 1959 .needs = tlsext_alpn_client_needs, 1960 .build = tlsext_alpn_client_build, 1961 .parse = tlsext_alpn_client_parse, 1962 }, 1963 .server = { 1964 .needs = tlsext_alpn_server_needs, 1965 .build = tlsext_alpn_server_build, 1966 .parse = tlsext_alpn_server_parse, 1967 }, 1968 }, 1969 { 1970 .type = TLSEXT_TYPE_cookie, 1971 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 1972 .client = { 1973 .needs = tlsext_cookie_client_needs, 1974 .build = tlsext_cookie_client_build, 1975 .parse = tlsext_cookie_client_parse, 1976 }, 1977 .server = { 1978 .needs = tlsext_cookie_server_needs, 1979 .build = tlsext_cookie_server_build, 1980 .parse = tlsext_cookie_server_parse, 1981 }, 1982 }, 1983#ifndef OPENSSL_NO_SRTP 1984 { 1985 .type = TLSEXT_TYPE_use_srtp, 1986 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 1987 SSL_TLSEXT_MSG_EE, 1988 .client = { 1989 .needs = tlsext_srtp_client_needs, 1990 .build = tlsext_srtp_client_build, 1991 .parse = tlsext_srtp_client_parse, 1992 }, 1993 .server = { 1994 .needs = tlsext_srtp_server_needs, 1995 .build = tlsext_srtp_server_build, 1996 .parse = tlsext_srtp_server_parse, 1997 }, 1998 } 1999#endif /* OPENSSL_NO_SRTP */ 2000}; 2001 2002#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 2003 2004/* Ensure that extensions fit in a uint32_t bitmask. */ 2005CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2006 2007const struct tls_extension * 2008tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2009{ 2010 size_t i; 2011 2012 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2013 if (tls_extensions[i].type == type) { 2014 *tls_extensions_idx = i; 2015 return &tls_extensions[i]; 2016 } 2017 } 2018 2019 return NULL; 2020} 2021 2022int 2023tlsext_extension_seen(SSL *s, uint16_t type) 2024{ 2025 size_t idx; 2026 2027 if (tls_extension_find(type, &idx) == NULL) 2028 return 0; 2029 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); 2030} 2031 2032static const struct tls_extension_funcs * 2033tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2034{ 2035 if (is_server) 2036 return &tlsext->server; 2037 2038 return &tlsext->client; 2039} 2040 2041static int 2042tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2043{ 2044 const struct tls_extension_funcs *ext; 2045 const struct tls_extension *tlsext; 2046 CBB extensions, extension_data; 2047 int extensions_present = 0; 2048 uint16_t tls_version; 2049 size_t i; 2050 2051 tls_version = ssl_effective_tls_version(s); 2052 2053 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2054 return 0; 2055 2056 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2057 tlsext = &tls_extensions[i]; 2058 ext = tlsext_funcs(tlsext, is_server); 2059 2060 /* RFC 8446 Section 4.2 */ 2061 if (tls_version >= TLS1_3_VERSION && 2062 !(tlsext->messages & msg_type)) 2063 continue; 2064 2065 if (!ext->needs(s, msg_type)) 2066 continue; 2067 2068 if (!CBB_add_u16(&extensions, tlsext->type)) 2069 return 0; 2070 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2071 return 0; 2072 2073 if (!ext->build(s, msg_type, &extension_data)) 2074 return 0; 2075 2076 extensions_present = 1; 2077 } 2078 2079 if (!extensions_present && 2080 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2081 CBB_discard_child(cbb); 2082 2083 if (!CBB_flush(cbb)) 2084 return 0; 2085 2086 return 1; 2087} 2088 2089int 2090tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2091{ 2092 /* 2093 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2094 * cookie may be added, padding may be removed. 2095 */ 2096 struct tls13_ctx *ctx = s->internal->tls13; 2097 2098 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2099 type == TLSEXT_TYPE_padding) 2100 return 1; 2101 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2102 sizeof(type))) 2103 return 0; 2104 /* 2105 * key_share data may be changed, and pre_shared_key data may 2106 * be changed 2107 */ 2108 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2109 return 1; 2110 if (!tls13_clienthello_hash_update(ctx, cbs)) 2111 return 0; 2112 2113 return 1; 2114} 2115 2116static int 2117tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2118{ 2119 const struct tls_extension_funcs *ext; 2120 const struct tls_extension *tlsext; 2121 CBS extensions, extension_data; 2122 uint16_t type; 2123 size_t idx; 2124 uint16_t tls_version; 2125 int alert_desc; 2126 2127 tls_version = ssl_effective_tls_version(s); 2128 2129 S3I(s)->hs.extensions_seen = 0; 2130 2131 /* An empty extensions block is valid. */ 2132 if (CBS_len(cbs) == 0) 2133 return 1; 2134 2135 alert_desc = SSL_AD_DECODE_ERROR; 2136 2137 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2138 goto err; 2139 2140 while (CBS_len(&extensions) > 0) { 2141 if (!CBS_get_u16(&extensions, &type)) 2142 goto err; 2143 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2144 goto err; 2145 2146 if (s->internal->tlsext_debug_cb != NULL) 2147 s->internal->tlsext_debug_cb(s, !is_server, type, 2148 (unsigned char *)CBS_data(&extension_data), 2149 CBS_len(&extension_data), 2150 s->internal->tlsext_debug_arg); 2151 2152 /* Unknown extensions are ignored. */ 2153 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2154 continue; 2155 2156 if (tls_version >= TLS1_3_VERSION && is_server && 2157 msg_type == SSL_TLSEXT_MSG_CH) { 2158 if (!tlsext_clienthello_hash_extension(s, type, 2159 &extension_data)) 2160 goto err; 2161 } 2162 2163 /* RFC 8446 Section 4.2 */ 2164 if (tls_version >= TLS1_3_VERSION && 2165 !(tlsext->messages & msg_type)) { 2166 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2167 goto err; 2168 } 2169 2170 /* Check for duplicate known extensions. */ 2171 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 2172 goto err; 2173 S3I(s)->hs.extensions_seen |= (1 << idx); 2174 2175 ext = tlsext_funcs(tlsext, is_server); 2176 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2177 goto err; 2178 2179 if (CBS_len(&extension_data) != 0) 2180 goto err; 2181 } 2182 2183 return 1; 2184 2185 err: 2186 *alert = alert_desc; 2187 2188 return 0; 2189} 2190 2191static void 2192tlsext_server_reset_state(SSL *s) 2193{ 2194 s->tlsext_status_type = -1; 2195 S3I(s)->renegotiate_seen = 0; 2196 free(S3I(s)->alpn_selected); 2197 S3I(s)->alpn_selected = NULL; 2198 S3I(s)->alpn_selected_len = 0; 2199 s->internal->srtp_profile = NULL; 2200} 2201 2202int 2203tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2204{ 2205 return tlsext_build(s, 1, msg_type, cbb); 2206} 2207 2208int 2209tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2210{ 2211 /* XXX - this should be done by the caller... */ 2212 if (msg_type == SSL_TLSEXT_MSG_CH) 2213 tlsext_server_reset_state(s); 2214 2215 return tlsext_parse(s, 1, msg_type, cbs, alert); 2216} 2217 2218static void 2219tlsext_client_reset_state(SSL *s) 2220{ 2221 S3I(s)->renegotiate_seen = 0; 2222 free(S3I(s)->alpn_selected); 2223 S3I(s)->alpn_selected = NULL; 2224 S3I(s)->alpn_selected_len = 0; 2225} 2226 2227int 2228tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2229{ 2230 return tlsext_build(s, 0, msg_type, cbb); 2231} 2232 2233int 2234tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2235{ 2236 /* XXX - this should be done by the caller... */ 2237 if (msg_type == SSL_TLSEXT_MSG_SH) 2238 tlsext_client_reset_state(s); 2239 2240 return tlsext_parse(s, 0, msg_type, cbs, alert); 2241} 2242