ssl_tlsext.c revision 1.120
1/* $OpenBSD: ssl_tlsext.c,v 1.120 2022/07/17 14:41:27 jsing Exp $ */ 2/* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20#include <sys/socket.h> 21 22#include <arpa/inet.h> 23#include <netinet/in.h> 24 25#include <ctype.h> 26 27#include <openssl/ocsp.h> 28#include <openssl/opensslconf.h> 29 30#include "bytestring.h" 31#include "ssl_locl.h" 32#include "ssl_sigalgs.h" 33#include "ssl_tlsext.h" 34 35/* 36 * Supported Application-Layer Protocol Negotiation - RFC 7301 37 */ 38 39int 40tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 41{ 42 /* ALPN protos have been specified and this is the initial handshake */ 43 return s->internal->alpn_client_proto_list != NULL && 44 s->s3->hs.finished_len == 0; 45} 46 47int 48tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 49{ 50 CBB protolist; 51 52 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 53 return 0; 54 55 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 56 s->internal->alpn_client_proto_list_len)) 57 return 0; 58 59 if (!CBB_flush(cbb)) 60 return 0; 61 62 return 1; 63} 64 65int 66tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 67{ 68 CBS proto_name_list, alpn; 69 const unsigned char *selected; 70 unsigned char selected_len; 71 int r; 72 73 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 74 goto err; 75 if (CBS_len(&alpn) < 2) 76 goto err; 77 if (CBS_len(cbs) != 0) 78 goto err; 79 80 CBS_dup(&alpn, &proto_name_list); 81 while (CBS_len(&proto_name_list) > 0) { 82 CBS proto_name; 83 84 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 85 goto err; 86 if (CBS_len(&proto_name) == 0) 87 goto err; 88 } 89 90 if (s->ctx->internal->alpn_select_cb == NULL) 91 return 1; 92 93 /* 94 * XXX - A few things should be considered here: 95 * 1. Ensure that the same protocol is selected on session resumption. 96 * 2. Should the callback be called even if no ALPN extension was sent? 97 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 98 */ 99 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 100 CBS_data(&alpn), CBS_len(&alpn), 101 s->ctx->internal->alpn_select_cb_arg); 102 103 if (r == SSL_TLSEXT_ERR_OK) { 104 free(s->s3->alpn_selected); 105 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { 106 s->s3->alpn_selected_len = 0; 107 *alert = SSL_AD_INTERNAL_ERROR; 108 return 0; 109 } 110 memcpy(s->s3->alpn_selected, selected, selected_len); 111 s->s3->alpn_selected_len = selected_len; 112 113 return 1; 114 } 115 116 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 117 if (r == SSL_TLSEXT_ERR_NOACK) 118 return 1; 119 120 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 121 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 122 123 return 0; 124 125 err: 126 *alert = SSL_AD_DECODE_ERROR; 127 return 0; 128} 129 130int 131tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 132{ 133 return s->s3->alpn_selected != NULL; 134} 135 136int 137tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 138{ 139 CBB list, selected; 140 141 if (!CBB_add_u16_length_prefixed(cbb, &list)) 142 return 0; 143 144 if (!CBB_add_u8_length_prefixed(&list, &selected)) 145 return 0; 146 147 if (!CBB_add_bytes(&selected, s->s3->alpn_selected, 148 s->s3->alpn_selected_len)) 149 return 0; 150 151 if (!CBB_flush(cbb)) 152 return 0; 153 154 return 1; 155} 156 157int 158tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 159{ 160 CBS list, proto; 161 162 if (s->internal->alpn_client_proto_list == NULL) { 163 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 164 return 0; 165 } 166 167 if (!CBS_get_u16_length_prefixed(cbs, &list)) 168 goto err; 169 if (CBS_len(cbs) != 0) 170 goto err; 171 172 if (!CBS_get_u8_length_prefixed(&list, &proto)) 173 goto err; 174 175 if (CBS_len(&list) != 0) 176 goto err; 177 if (CBS_len(&proto) == 0) 178 goto err; 179 180 if (!CBS_stow(&proto, &(s->s3->alpn_selected), 181 &(s->s3->alpn_selected_len))) 182 goto err; 183 184 return 1; 185 186 err: 187 *alert = SSL_AD_DECODE_ERROR; 188 return 0; 189} 190 191/* 192 * Supported Groups - RFC 7919 section 2 193 */ 194int 195tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 196{ 197 return ssl_has_ecc_ciphers(s) || 198 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 199} 200 201int 202tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 203{ 204 const uint16_t *groups; 205 size_t groups_len; 206 CBB grouplist; 207 int i; 208 209 tls1_get_group_list(s, 0, &groups, &groups_len); 210 if (groups_len == 0) { 211 SSLerror(s, ERR_R_INTERNAL_ERROR); 212 return 0; 213 } 214 215 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 216 return 0; 217 218 for (i = 0; i < groups_len; i++) { 219 if (!ssl_security_supported_group(s, groups[i])) 220 continue; 221 if (!CBB_add_u16(&grouplist, groups[i])) 222 return 0; 223 } 224 225 if (!CBB_flush(cbb)) 226 return 0; 227 228 return 1; 229} 230 231int 232tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 233 int *alert) 234{ 235 CBS grouplist; 236 size_t groups_len; 237 238 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 239 goto err; 240 if (CBS_len(cbs) != 0) 241 goto err; 242 243 groups_len = CBS_len(&grouplist); 244 if (groups_len == 0 || groups_len % 2 != 0) 245 goto err; 246 groups_len /= 2; 247 248 if (!s->internal->hit) { 249 uint16_t *groups; 250 int i; 251 252 if (s->s3->hs.tls13.hrr) { 253 if (s->session->tlsext_supportedgroups == NULL) { 254 *alert = SSL_AD_HANDSHAKE_FAILURE; 255 return 0; 256 } 257 /* 258 * In the case of TLSv1.3 the client cannot change 259 * the supported groups. 260 */ 261 if (groups_len != s->session->tlsext_supportedgroups_length) { 262 *alert = SSL_AD_ILLEGAL_PARAMETER; 263 return 0; 264 } 265 for (i = 0; i < groups_len; i++) { 266 uint16_t group; 267 268 if (!CBS_get_u16(&grouplist, &group)) 269 goto err; 270 if (s->session->tlsext_supportedgroups[i] != group) { 271 *alert = SSL_AD_ILLEGAL_PARAMETER; 272 return 0; 273 } 274 } 275 276 return 1; 277 } 278 279 if (s->session->tlsext_supportedgroups != NULL) 280 goto err; 281 282 if ((groups = reallocarray(NULL, groups_len, 283 sizeof(uint16_t))) == NULL) { 284 *alert = SSL_AD_INTERNAL_ERROR; 285 return 0; 286 } 287 288 for (i = 0; i < groups_len; i++) { 289 if (!CBS_get_u16(&grouplist, &groups[i])) { 290 free(groups); 291 goto err; 292 } 293 } 294 295 if (CBS_len(&grouplist) != 0) { 296 free(groups); 297 goto err; 298 } 299 300 s->session->tlsext_supportedgroups = groups; 301 s->session->tlsext_supportedgroups_length = groups_len; 302 } 303 304 return 1; 305 306 err: 307 *alert = SSL_AD_DECODE_ERROR; 308 return 0; 309} 310 311/* This extension is never used by the server. */ 312int 313tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 314{ 315 return 0; 316} 317 318int 319tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 320{ 321 return 0; 322} 323 324int 325tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 326 int *alert) 327{ 328 /* 329 * Servers should not send this extension per the RFC. 330 * 331 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 332 * from at least 2014 but as of 2017, there are still large sites with 333 * this unpatched in production. As a result, we need to currently skip 334 * over the extension and ignore its content: 335 * 336 * https://support.f5.com/csp/article/K37345003 337 */ 338 if (!CBS_skip(cbs, CBS_len(cbs))) { 339 *alert = SSL_AD_INTERNAL_ERROR; 340 return 0; 341 } 342 343 return 1; 344} 345 346/* 347 * Supported Point Formats Extension - RFC 4492 section 5.1.2 348 */ 349static int 350tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 351{ 352 CBB ecpf; 353 size_t formats_len; 354 const uint8_t *formats; 355 356 tls1_get_formatlist(s, 0, &formats, &formats_len); 357 358 if (formats_len == 0) { 359 SSLerror(s, ERR_R_INTERNAL_ERROR); 360 return 0; 361 } 362 363 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 364 return 0; 365 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 366 return 0; 367 if (!CBB_flush(cbb)) 368 return 0; 369 370 return 1; 371} 372 373static int 374tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 375{ 376 CBS ecpf; 377 378 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 379 return 0; 380 if (CBS_len(&ecpf) == 0) 381 return 0; 382 if (CBS_len(cbs) != 0) 383 return 0; 384 385 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 386 if (!CBS_contains_zero_byte(&ecpf)) { 387 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 388 *alert = SSL_AD_ILLEGAL_PARAMETER; 389 return 0; 390 } 391 392 if (!s->internal->hit) { 393 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), 394 &(s->session->tlsext_ecpointformatlist_length))) { 395 *alert = SSL_AD_INTERNAL_ERROR; 396 return 0; 397 } 398 } 399 400 return 1; 401} 402 403int 404tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 405{ 406 return ssl_has_ecc_ciphers(s); 407} 408 409int 410tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 411{ 412 return tlsext_ecpf_build(s, msg_type, cbb); 413} 414 415int 416tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 417{ 418 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 419} 420 421int 422tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 423{ 424 return ssl_using_ecc_cipher(s); 425} 426 427int 428tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 429{ 430 return tlsext_ecpf_build(s, msg_type, cbb); 431} 432 433int 434tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 435{ 436 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 437} 438 439/* 440 * Renegotiation Indication - RFC 5746. 441 */ 442int 443tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 444{ 445 return (s->internal->renegotiate); 446} 447 448int 449tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 450{ 451 CBB reneg; 452 453 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 454 return 0; 455 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 456 s->s3->previous_client_finished_len)) 457 return 0; 458 if (!CBB_flush(cbb)) 459 return 0; 460 461 return 1; 462} 463 464int 465tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 466{ 467 CBS reneg; 468 469 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 470 goto err; 471 if (CBS_len(cbs) != 0) 472 goto err; 473 474 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, 475 s->s3->previous_client_finished_len)) { 476 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 477 *alert = SSL_AD_HANDSHAKE_FAILURE; 478 return 0; 479 } 480 481 s->s3->renegotiate_seen = 1; 482 s->s3->send_connection_binding = 1; 483 484 return 1; 485 486 err: 487 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 488 *alert = SSL_AD_DECODE_ERROR; 489 return 0; 490} 491 492int 493tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 494{ 495 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && 496 s->s3->send_connection_binding); 497} 498 499int 500tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 501{ 502 CBB reneg; 503 504 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 505 return 0; 506 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 507 s->s3->previous_client_finished_len)) 508 return 0; 509 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished, 510 s->s3->previous_server_finished_len)) 511 return 0; 512 if (!CBB_flush(cbb)) 513 return 0; 514 515 return 1; 516} 517 518int 519tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 520{ 521 CBS reneg, prev_client, prev_server; 522 523 /* 524 * Ensure that the previous client and server values are both not 525 * present, or that they are both present. 526 */ 527 if ((s->s3->previous_client_finished_len == 0 && 528 s->s3->previous_server_finished_len != 0) || 529 (s->s3->previous_client_finished_len != 0 && 530 s->s3->previous_server_finished_len == 0)) { 531 *alert = SSL_AD_INTERNAL_ERROR; 532 return 0; 533 } 534 535 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 536 goto err; 537 if (!CBS_get_bytes(&reneg, &prev_client, 538 s->s3->previous_client_finished_len)) 539 goto err; 540 if (!CBS_get_bytes(&reneg, &prev_server, 541 s->s3->previous_server_finished_len)) 542 goto err; 543 if (CBS_len(&reneg) != 0) 544 goto err; 545 if (CBS_len(cbs) != 0) 546 goto err; 547 548 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, 549 s->s3->previous_client_finished_len)) { 550 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 551 *alert = SSL_AD_HANDSHAKE_FAILURE; 552 return 0; 553 } 554 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished, 555 s->s3->previous_server_finished_len)) { 556 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 557 *alert = SSL_AD_HANDSHAKE_FAILURE; 558 return 0; 559 } 560 561 s->s3->renegotiate_seen = 1; 562 s->s3->send_connection_binding = 1; 563 564 return 1; 565 566 err: 567 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 568 *alert = SSL_AD_DECODE_ERROR; 569 return 0; 570} 571 572/* 573 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 574 */ 575int 576tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 577{ 578 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION); 579} 580 581int 582tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 583{ 584 uint16_t tls_version = s->s3->hs.negotiated_tls_version; 585 CBB sigalgs; 586 587 if (msg_type == SSL_TLSEXT_MSG_CH) 588 tls_version = s->s3->hs.our_min_tls_version; 589 590 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 591 return 0; 592 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) 593 return 0; 594 if (!CBB_flush(cbb)) 595 return 0; 596 597 return 1; 598} 599 600int 601tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 602{ 603 CBS sigalgs; 604 605 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 606 return 0; 607 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 608 return 0; 609 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 610 return 0; 611 612 return 1; 613} 614 615int 616tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 617{ 618 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 619} 620 621int 622tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 623{ 624 CBB sigalgs; 625 626 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 627 return 0; 628 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, 629 SSL_get_security_level(s))) 630 return 0; 631 if (!CBB_flush(cbb)) 632 return 0; 633 634 return 1; 635} 636 637int 638tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 639{ 640 CBS sigalgs; 641 642 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 643 return 0; 644 645 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 646 return 0; 647 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 648 return 0; 649 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 650 return 0; 651 652 return 1; 653} 654 655/* 656 * Server Name Indication - RFC 6066, section 3. 657 */ 658int 659tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 660{ 661 return (s->tlsext_hostname != NULL); 662} 663 664int 665tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 666{ 667 CBB server_name_list, host_name; 668 669 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 670 return 0; 671 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 672 return 0; 673 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 674 return 0; 675 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 676 strlen(s->tlsext_hostname))) 677 return 0; 678 if (!CBB_flush(cbb)) 679 return 0; 680 681 return 1; 682} 683 684static int 685tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip) 686{ 687 union { 688 struct in_addr ip4; 689 struct in6_addr ip6; 690 } addrbuf; 691 char *hostname = NULL; 692 693 *is_ip = 0; 694 695 if (!CBS_strdup(cbs, &hostname)) 696 return 0; 697 698 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 || 699 inet_pton(AF_INET6, hostname, &addrbuf) == 1) 700 *is_ip = 1; 701 702 free(hostname); 703 704 return 1; 705} 706 707/* 708 * Validate that the CBS contains only a hostname consisting of RFC 5890 709 * compliant A-labels (see RFC 6066 section 3). Not a complete check 710 * since we don't parse punycode to verify its validity but limits to 711 * correct structure and character set. 712 */ 713int 714tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) 715{ 716 uint8_t prev, c = 0; 717 int component = 0; 718 CBS hostname; 719 720 *is_ip = 0; 721 722 CBS_dup(cbs, &hostname); 723 724 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 725 return 0; 726 727 /* An IP literal is invalid as a host name (RFC 6066 section 3). */ 728 if (!tlsext_sni_is_ip_literal(&hostname, is_ip)) 729 return 0; 730 if (*is_ip) 731 return 0; 732 733 while (CBS_len(&hostname) > 0) { 734 prev = c; 735 if (!CBS_get_u8(&hostname, &c)) 736 return 0; 737 /* Everything has to be ASCII, with no NUL byte. */ 738 if (!isascii(c) || c == '\0') 739 return 0; 740 /* It must be alphanumeric, a '-', or a '.' */ 741 if (!isalnum(c) && c != '-' && c != '.') 742 return 0; 743 /* '-' and '.' must not start a component or be at the end. */ 744 if (component == 0 || CBS_len(&hostname) == 0) { 745 if (c == '-' || c == '.') 746 return 0; 747 } 748 if (c == '.') { 749 /* Components can not end with a dash. */ 750 if (prev == '-') 751 return 0; 752 /* Start new component */ 753 component = 0; 754 continue; 755 } 756 /* Components must be 63 chars or less. */ 757 if (++component > 63) 758 return 0; 759 } 760 761 return 1; 762} 763 764int 765tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 766{ 767 CBS server_name_list, host_name; 768 uint8_t name_type; 769 int is_ip; 770 771 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 772 goto err; 773 774 if (!CBS_get_u8(&server_name_list, &name_type)) 775 goto err; 776 777 /* 778 * RFC 6066 section 3, only one type (host_name) is specified. 779 * We do not tolerate unknown types, neither does BoringSSL. 780 * other implementations appear more tolerant. 781 */ 782 if (name_type != TLSEXT_NAMETYPE_host_name) { 783 *alert = SSL_AD_ILLEGAL_PARAMETER; 784 goto err; 785 } 786 787 /* 788 * RFC 6066 section 3 specifies a host name must be at least 1 byte 789 * so 0 length is a decode error. 790 */ 791 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 792 goto err; 793 if (CBS_len(&host_name) < 1) 794 goto err; 795 796 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) { 797 /* 798 * Various pieces of software have been known to set the SNI 799 * host name to an IP address, even though that violates the 800 * RFC. If this is the case, pretend the SNI extension does 801 * not exist. 802 */ 803 if (is_ip) 804 goto done; 805 806 *alert = SSL_AD_ILLEGAL_PARAMETER; 807 goto err; 808 } 809 810 if (s->internal->hit || s->s3->hs.tls13.hrr) { 811 if (s->session->tlsext_hostname == NULL) { 812 *alert = SSL_AD_UNRECOGNIZED_NAME; 813 goto err; 814 } 815 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 816 strlen(s->session->tlsext_hostname))) { 817 *alert = SSL_AD_UNRECOGNIZED_NAME; 818 goto err; 819 } 820 } else { 821 if (s->session->tlsext_hostname != NULL) 822 goto err; 823 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 824 *alert = SSL_AD_INTERNAL_ERROR; 825 goto err; 826 } 827 } 828 829 done: 830 /* 831 * RFC 6066 section 3 forbids multiple host names with the same type, 832 * therefore we allow only one entry. 833 */ 834 if (CBS_len(&server_name_list) != 0) { 835 *alert = SSL_AD_ILLEGAL_PARAMETER; 836 goto err; 837 } 838 if (CBS_len(cbs) != 0) 839 goto err; 840 841 return 1; 842 843 err: 844 return 0; 845} 846 847int 848tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 849{ 850 if (s->internal->hit) 851 return 0; 852 853 return (s->session->tlsext_hostname != NULL); 854} 855 856int 857tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 858{ 859 return 1; 860} 861 862int 863tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 864{ 865 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 866 *alert = SSL_AD_UNRECOGNIZED_NAME; 867 return 0; 868 } 869 870 if (s->internal->hit) { 871 if (s->session->tlsext_hostname == NULL) { 872 *alert = SSL_AD_UNRECOGNIZED_NAME; 873 return 0; 874 } 875 if (strcmp(s->tlsext_hostname, 876 s->session->tlsext_hostname) != 0) { 877 *alert = SSL_AD_UNRECOGNIZED_NAME; 878 return 0; 879 } 880 } else { 881 if (s->session->tlsext_hostname != NULL) { 882 *alert = SSL_AD_DECODE_ERROR; 883 return 0; 884 } 885 if ((s->session->tlsext_hostname = 886 strdup(s->tlsext_hostname)) == NULL) { 887 *alert = SSL_AD_INTERNAL_ERROR; 888 return 0; 889 } 890 } 891 892 return 1; 893} 894 895 896/* 897 * Certificate Status Request - RFC 6066 section 8. 898 */ 899 900int 901tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 902{ 903 if (msg_type != SSL_TLSEXT_MSG_CH) 904 return 0; 905 906 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 907} 908 909int 910tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 911{ 912 CBB respid_list, respid, exts; 913 unsigned char *ext_data; 914 size_t ext_len; 915 int i; 916 917 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 918 return 0; 919 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 920 return 0; 921 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 922 unsigned char *respid_data; 923 OCSP_RESPID *id; 924 size_t id_len; 925 926 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 927 i)) == NULL) 928 return 0; 929 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 930 return 0; 931 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 932 return 0; 933 if (!CBB_add_space(&respid, &respid_data, id_len)) 934 return 0; 935 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 936 return 0; 937 } 938 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 939 return 0; 940 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 941 NULL)) == -1) 942 return 0; 943 if (!CBB_add_space(&exts, &ext_data, ext_len)) 944 return 0; 945 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 946 ext_len)) 947 return 0; 948 if (!CBB_flush(cbb)) 949 return 0; 950 return 1; 951} 952 953int 954tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 955{ 956 int alert_desc = SSL_AD_DECODE_ERROR; 957 CBS respid_list, respid, exts; 958 const unsigned char *p; 959 uint8_t status_type; 960 int ret = 0; 961 962 if (msg_type != SSL_TLSEXT_MSG_CH) 963 goto err; 964 965 if (!CBS_get_u8(cbs, &status_type)) 966 goto err; 967 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 968 /* ignore unknown status types */ 969 s->tlsext_status_type = -1; 970 971 if (!CBS_skip(cbs, CBS_len(cbs))) { 972 *alert = SSL_AD_INTERNAL_ERROR; 973 return 0; 974 } 975 return 1; 976 } 977 s->tlsext_status_type = status_type; 978 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 979 goto err; 980 981 /* XXX */ 982 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 983 s->internal->tlsext_ocsp_ids = NULL; 984 if (CBS_len(&respid_list) > 0) { 985 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 986 if (s->internal->tlsext_ocsp_ids == NULL) { 987 alert_desc = SSL_AD_INTERNAL_ERROR; 988 goto err; 989 } 990 } 991 992 while (CBS_len(&respid_list) > 0) { 993 OCSP_RESPID *id; 994 995 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 996 goto err; 997 p = CBS_data(&respid); 998 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 999 goto err; 1000 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 1001 alert_desc = SSL_AD_INTERNAL_ERROR; 1002 OCSP_RESPID_free(id); 1003 goto err; 1004 } 1005 } 1006 1007 /* Read in request_extensions */ 1008 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 1009 goto err; 1010 if (CBS_len(&exts) > 0) { 1011 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 1012 X509_EXTENSION_free); 1013 p = CBS_data(&exts); 1014 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 1015 &p, CBS_len(&exts))) == NULL) 1016 goto err; 1017 } 1018 1019 /* should be nothing left */ 1020 if (CBS_len(cbs) > 0) 1021 goto err; 1022 1023 ret = 1; 1024 err: 1025 if (ret == 0) 1026 *alert = alert_desc; 1027 return ret; 1028} 1029 1030int 1031tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 1032{ 1033 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1034 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 1035 s->ctx->internal->tlsext_status_cb != NULL) { 1036 s->internal->tlsext_status_expected = 0; 1037 if (s->ctx->internal->tlsext_status_cb(s, 1038 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 1039 s->internal->tlsext_ocsp_resp_len > 0) 1040 s->internal->tlsext_status_expected = 1; 1041 } 1042 return s->internal->tlsext_status_expected; 1043} 1044 1045int 1046tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1047{ 1048 CBB ocsp_response; 1049 1050 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1051 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1052 return 0; 1053 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1054 return 0; 1055 if (!CBB_add_bytes(&ocsp_response, 1056 s->internal->tlsext_ocsp_resp, 1057 s->internal->tlsext_ocsp_resp_len)) 1058 return 0; 1059 if (!CBB_flush(cbb)) 1060 return 0; 1061 } 1062 return 1; 1063} 1064 1065int 1066tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1067{ 1068 uint8_t status_type; 1069 CBS response; 1070 1071 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1072 if (msg_type == SSL_TLSEXT_MSG_CR) { 1073 /* 1074 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1075 * response with an empty status_request. 1076 */ 1077 if (CBS_len(cbs) == 0) 1078 return 1; 1079 1080 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1081 return 0; 1082 } 1083 if (!CBS_get_u8(cbs, &status_type)) { 1084 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1085 return 0; 1086 } 1087 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1088 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1089 return 0; 1090 } 1091 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1092 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1093 return 0; 1094 } 1095 if (CBS_len(&response) > 65536) { 1096 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1097 return 0; 1098 } 1099 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 1100 &s->internal->tlsext_ocsp_resp_len)) { 1101 *alert = SSL_AD_INTERNAL_ERROR; 1102 return 0; 1103 } 1104 } else { 1105 if (s->tlsext_status_type == -1) { 1106 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1107 return 0; 1108 } 1109 /* Set flag to expect CertificateStatus message */ 1110 s->internal->tlsext_status_expected = 1; 1111 } 1112 return 1; 1113} 1114 1115/* 1116 * SessionTicket extension - RFC 5077 section 3.2 1117 */ 1118int 1119tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1120{ 1121 /* 1122 * Send session ticket extension when enabled and not overridden. 1123 * 1124 * When renegotiating, send an empty session ticket to indicate support. 1125 */ 1126 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1127 return 0; 1128 1129 if (!ssl_security_tickets(s)) 1130 return 0; 1131 1132 if (s->internal->new_session) 1133 return 1; 1134 1135 if (s->internal->tlsext_session_ticket != NULL && 1136 s->internal->tlsext_session_ticket->data == NULL) 1137 return 0; 1138 1139 return 1; 1140} 1141 1142int 1143tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1144{ 1145 /* 1146 * Signal that we support session tickets by sending an empty 1147 * extension when renegotiating or no session found. 1148 */ 1149 if (s->internal->new_session || s->session == NULL) 1150 return 1; 1151 1152 if (s->session->tlsext_tick != NULL) { 1153 /* Attempt to resume with an existing session ticket */ 1154 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1155 s->session->tlsext_ticklen)) 1156 return 0; 1157 1158 } else if (s->internal->tlsext_session_ticket != NULL) { 1159 /* 1160 * Attempt to resume with a custom provided session ticket set 1161 * by SSL_set_session_ticket_ext(). 1162 */ 1163 if (s->internal->tlsext_session_ticket->length > 0) { 1164 size_t ticklen = s->internal->tlsext_session_ticket->length; 1165 1166 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1167 return 0; 1168 memcpy(s->session->tlsext_tick, 1169 s->internal->tlsext_session_ticket->data, 1170 ticklen); 1171 s->session->tlsext_ticklen = ticklen; 1172 1173 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1174 s->session->tlsext_ticklen)) 1175 return 0; 1176 } 1177 } 1178 1179 if (!CBB_flush(cbb)) 1180 return 0; 1181 1182 return 1; 1183} 1184 1185int 1186tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1187 int *alert) 1188{ 1189 if (s->internal->tls_session_ticket_ext_cb) { 1190 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1191 (int)CBS_len(cbs), 1192 s->internal->tls_session_ticket_ext_cb_arg)) { 1193 *alert = SSL_AD_INTERNAL_ERROR; 1194 return 0; 1195 } 1196 } 1197 1198 /* We need to signal that this was processed fully */ 1199 if (!CBS_skip(cbs, CBS_len(cbs))) { 1200 *alert = SSL_AD_INTERNAL_ERROR; 1201 return 0; 1202 } 1203 1204 return 1; 1205} 1206 1207int 1208tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1209{ 1210 return (s->internal->tlsext_ticket_expected && 1211 !(SSL_get_options(s) & SSL_OP_NO_TICKET) && 1212 ssl_security_tickets(s)); 1213} 1214 1215int 1216tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1217{ 1218 /* Empty ticket */ 1219 return 1; 1220} 1221 1222int 1223tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1224 int *alert) 1225{ 1226 if (s->internal->tls_session_ticket_ext_cb) { 1227 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1228 (int)CBS_len(cbs), 1229 s->internal->tls_session_ticket_ext_cb_arg)) { 1230 *alert = SSL_AD_INTERNAL_ERROR; 1231 return 0; 1232 } 1233 } 1234 1235 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1236 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1237 return 0; 1238 } 1239 1240 s->internal->tlsext_ticket_expected = 1; 1241 1242 return 1; 1243} 1244 1245/* 1246 * DTLS extension for SRTP key establishment - RFC 5764 1247 */ 1248 1249#ifndef OPENSSL_NO_SRTP 1250 1251int 1252tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1253{ 1254 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1255} 1256 1257int 1258tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1259{ 1260 CBB profiles, mki; 1261 int ct, i; 1262 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1263 const SRTP_PROTECTION_PROFILE *prof; 1264 1265 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1266 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1267 return 0; 1268 } 1269 1270 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1271 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1272 return 0; 1273 } 1274 1275 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1276 return 0; 1277 1278 for (i = 0; i < ct; i++) { 1279 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1280 return 0; 1281 if (!CBB_add_u16(&profiles, prof->id)) 1282 return 0; 1283 } 1284 1285 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1286 return 0; 1287 1288 if (!CBB_flush(cbb)) 1289 return 0; 1290 1291 return 1; 1292} 1293 1294int 1295tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1296{ 1297 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1298 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1299 int i, j; 1300 int ret; 1301 uint16_t id; 1302 CBS profiles, mki; 1303 1304 ret = 0; 1305 1306 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1307 goto err; 1308 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1309 goto err; 1310 1311 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1312 goto err; 1313 1314 while (CBS_len(&profiles) > 0) { 1315 if (!CBS_get_u16(&profiles, &id)) 1316 goto err; 1317 1318 if (!srtp_find_profile_by_num(id, &cprof)) { 1319 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1320 goto err; 1321 } 1322 } 1323 1324 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1325 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1326 *alert = SSL_AD_DECODE_ERROR; 1327 goto done; 1328 } 1329 if (CBS_len(cbs) != 0) 1330 goto err; 1331 1332 /* 1333 * Per RFC 5764 section 4.1.1 1334 * 1335 * Find the server preferred profile using the client's list. 1336 * 1337 * The server MUST send a profile if it sends the use_srtp 1338 * extension. If one is not found, it should fall back to the 1339 * negotiated DTLS cipher suite or return a DTLS alert. 1340 */ 1341 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1342 goto err; 1343 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1344 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1345 == NULL) 1346 goto err; 1347 1348 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1349 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1350 == NULL) 1351 goto err; 1352 1353 if (cprof->id == sprof->id) { 1354 s->internal->srtp_profile = sprof; 1355 ret = 1; 1356 goto done; 1357 } 1358 } 1359 } 1360 1361 /* If we didn't find anything, fall back to the negotiated */ 1362 ret = 1; 1363 goto done; 1364 1365 err: 1366 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1367 *alert = SSL_AD_DECODE_ERROR; 1368 1369 done: 1370 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1371 return ret; 1372} 1373 1374int 1375tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1376{ 1377 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1378} 1379 1380int 1381tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1382{ 1383 SRTP_PROTECTION_PROFILE *profile; 1384 CBB srtp, mki; 1385 1386 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1387 return 0; 1388 1389 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1390 return 0; 1391 1392 if (!CBB_add_u16(&srtp, profile->id)) 1393 return 0; 1394 1395 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1396 return 0; 1397 1398 if (!CBB_flush(cbb)) 1399 return 0; 1400 1401 return 1; 1402} 1403 1404int 1405tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1406{ 1407 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1408 const SRTP_PROTECTION_PROFILE *prof; 1409 int i; 1410 uint16_t id; 1411 CBS profile_ids, mki; 1412 1413 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1414 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1415 goto err; 1416 } 1417 1418 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1419 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1420 goto err; 1421 } 1422 1423 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1424 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1425 *alert = SSL_AD_ILLEGAL_PARAMETER; 1426 return 0; 1427 } 1428 1429 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1430 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1431 goto err; 1432 } 1433 1434 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1435 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1436 == NULL) { 1437 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1438 goto err; 1439 } 1440 1441 if (prof->id == id) { 1442 s->internal->srtp_profile = prof; 1443 return 1; 1444 } 1445 } 1446 1447 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1448 err: 1449 *alert = SSL_AD_DECODE_ERROR; 1450 return 0; 1451} 1452 1453#endif /* OPENSSL_NO_SRTP */ 1454 1455/* 1456 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1457 */ 1458int 1459tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1460{ 1461 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1462} 1463 1464int 1465tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1466{ 1467 CBB client_shares, key_exchange; 1468 1469 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1470 return 0; 1471 1472 if (!CBB_add_u16(&client_shares, 1473 tls_key_share_group(s->s3->hs.key_share))) 1474 return 0; 1475 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1476 return 0; 1477 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1478 return 0; 1479 1480 if (!CBB_flush(cbb)) 1481 return 0; 1482 1483 return 1; 1484} 1485 1486int 1487tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1488{ 1489 CBS client_shares, key_exchange; 1490 int decode_error; 1491 uint16_t group; 1492 1493 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1494 return 0; 1495 1496 while (CBS_len(&client_shares) > 0) { 1497 1498 /* Unpack client share. */ 1499 if (!CBS_get_u16(&client_shares, &group)) 1500 return 0; 1501 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1502 return 0; 1503 1504 /* 1505 * XXX - check key exchange against supported groups from client. 1506 * XXX - check that groups only appear once. 1507 */ 1508 1509 /* 1510 * Ignore this client share if we're using earlier than TLSv1.3 1511 * or we've already selected a key share. 1512 */ 1513 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) 1514 continue; 1515 if (s->s3->hs.key_share != NULL) 1516 continue; 1517 1518 /* XXX - consider implementing server preference. */ 1519 if (!tls1_check_group(s, group)) 1520 continue; 1521 1522 /* Decode and store the selected key share. */ 1523 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1524 *alert = SSL_AD_INTERNAL_ERROR; 1525 return 0; 1526 } 1527 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1528 &key_exchange, &decode_error, NULL)) { 1529 if (!decode_error) 1530 *alert = SSL_AD_INTERNAL_ERROR; 1531 return 0; 1532 } 1533 } 1534 1535 return 1; 1536} 1537 1538int 1539tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1540{ 1541 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1542 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1543} 1544 1545int 1546tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1547{ 1548 CBB key_exchange; 1549 1550 /* In the case of a HRR, we only send the server selected group. */ 1551 if (s->s3->hs.tls13.hrr) { 1552 if (s->s3->hs.tls13.server_group == 0) 1553 return 0; 1554 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group); 1555 } 1556 1557 if (s->s3->hs.key_share == NULL) 1558 return 0; 1559 1560 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share))) 1561 return 0; 1562 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1563 return 0; 1564 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1565 return 0; 1566 1567 if (!CBB_flush(cbb)) 1568 return 0; 1569 1570 return 1; 1571} 1572 1573int 1574tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1575{ 1576 CBS key_exchange; 1577 int decode_error; 1578 uint16_t group; 1579 1580 /* Unpack server share. */ 1581 if (!CBS_get_u16(cbs, &group)) 1582 return 0; 1583 1584 if (CBS_len(cbs) == 0) { 1585 /* HRR does not include an actual key share, only the group. */ 1586 if (msg_type != SSL_TLSEXT_MSG_HRR) 1587 return 0; 1588 1589 s->s3->hs.tls13.server_group = group; 1590 return 1; 1591 } 1592 1593 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1594 return 0; 1595 1596 if (s->s3->hs.key_share == NULL) { 1597 *alert = SSL_AD_INTERNAL_ERROR; 1598 return 0; 1599 } 1600 if (tls_key_share_group(s->s3->hs.key_share) != group) { 1601 *alert = SSL_AD_INTERNAL_ERROR; 1602 return 0; 1603 } 1604 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1605 &key_exchange, &decode_error, NULL)) { 1606 if (!decode_error) 1607 *alert = SSL_AD_INTERNAL_ERROR; 1608 return 0; 1609 } 1610 1611 return 1; 1612} 1613 1614/* 1615 * Supported Versions - RFC 8446 section 4.2.1. 1616 */ 1617int 1618tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1619{ 1620 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1621} 1622 1623int 1624tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1625{ 1626 uint16_t max, min; 1627 uint16_t version; 1628 CBB versions; 1629 1630 max = s->s3->hs.our_max_tls_version; 1631 min = s->s3->hs.our_min_tls_version; 1632 1633 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1634 return 0; 1635 1636 /* XXX - fix, but contiguous for now... */ 1637 for (version = max; version >= min; version--) { 1638 if (!CBB_add_u16(&versions, version)) 1639 return 0; 1640 } 1641 1642 if (!CBB_flush(cbb)) 1643 return 0; 1644 1645 return 1; 1646} 1647 1648int 1649tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1650{ 1651 CBS versions; 1652 uint16_t version; 1653 uint16_t max, min; 1654 uint16_t matched_version = 0; 1655 1656 max = s->s3->hs.our_max_tls_version; 1657 min = s->s3->hs.our_min_tls_version; 1658 1659 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1660 goto err; 1661 1662 while (CBS_len(&versions) > 0) { 1663 if (!CBS_get_u16(&versions, &version)) 1664 goto err; 1665 /* 1666 * XXX What is below implements client preference, and 1667 * ignores any server preference entirely. 1668 */ 1669 if (matched_version == 0 && version >= min && version <= max) 1670 matched_version = version; 1671 } 1672 1673 if (matched_version > 0) { 1674 /* XXX - this should be stored for later processing. */ 1675 s->version = matched_version; 1676 return 1; 1677 } 1678 1679 *alert = SSL_AD_PROTOCOL_VERSION; 1680 return 0; 1681 1682 err: 1683 *alert = SSL_AD_DECODE_ERROR; 1684 return 0; 1685} 1686 1687int 1688tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1689{ 1690 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 1691} 1692 1693int 1694tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1695{ 1696 return CBB_add_u16(cbb, TLS1_3_VERSION); 1697} 1698 1699int 1700tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1701{ 1702 uint16_t selected_version; 1703 1704 if (!CBS_get_u16(cbs, &selected_version)) { 1705 *alert = SSL_AD_DECODE_ERROR; 1706 return 0; 1707 } 1708 1709 /* XXX - need to fix for DTLS 1.3 */ 1710 if (selected_version < TLS1_3_VERSION) { 1711 *alert = SSL_AD_ILLEGAL_PARAMETER; 1712 return 0; 1713 } 1714 1715 /* XXX test between min and max once initialization code goes in */ 1716 s->s3->hs.tls13.server_version = selected_version; 1717 1718 return 1; 1719} 1720 1721 1722/* 1723 * Cookie - RFC 8446 section 4.2.2. 1724 */ 1725 1726int 1727tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1728{ 1729 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1730 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1731} 1732 1733int 1734tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1735{ 1736 CBB cookie; 1737 1738 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1739 return 0; 1740 1741 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1742 s->s3->hs.tls13.cookie_len)) 1743 return 0; 1744 1745 if (!CBB_flush(cbb)) 1746 return 0; 1747 1748 return 1; 1749} 1750 1751int 1752tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1753{ 1754 CBS cookie; 1755 1756 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1757 goto err; 1758 1759 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len) 1760 goto err; 1761 1762 /* 1763 * Check provided cookie value against what server previously 1764 * sent - client *MUST* send the same cookie with new CR after 1765 * a cookie is sent by the server with an HRR. 1766 */ 1767 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie, 1768 s->s3->hs.tls13.cookie_len)) { 1769 /* XXX special cookie mismatch alert? */ 1770 *alert = SSL_AD_ILLEGAL_PARAMETER; 1771 return 0; 1772 } 1773 1774 return 1; 1775 1776 err: 1777 *alert = SSL_AD_DECODE_ERROR; 1778 return 0; 1779} 1780 1781int 1782tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1783{ 1784 /* 1785 * Server needs to set cookie value in tls13 handshake 1786 * in order to send one, should only be sent with HRR. 1787 */ 1788 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1789 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1790} 1791 1792int 1793tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1794{ 1795 CBB cookie; 1796 1797 /* XXX deduplicate with client code */ 1798 1799 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1800 return 0; 1801 1802 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1803 s->s3->hs.tls13.cookie_len)) 1804 return 0; 1805 1806 if (!CBB_flush(cbb)) 1807 return 0; 1808 1809 return 1; 1810} 1811 1812int 1813tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1814{ 1815 CBS cookie; 1816 1817 /* 1818 * XXX This currently assumes we will not get a second 1819 * HRR from a server with a cookie to process after accepting 1820 * one from the server in the same handshake 1821 */ 1822 if (s->s3->hs.tls13.cookie != NULL || 1823 s->s3->hs.tls13.cookie_len != 0) { 1824 *alert = SSL_AD_ILLEGAL_PARAMETER; 1825 return 0; 1826 } 1827 1828 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1829 goto err; 1830 1831 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie, 1832 &s->s3->hs.tls13.cookie_len)) 1833 goto err; 1834 1835 return 1; 1836 1837 err: 1838 *alert = SSL_AD_DECODE_ERROR; 1839 return 0; 1840} 1841 1842/* 1843 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9. 1844 */ 1845 1846int 1847tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type) 1848{ 1849 return (s->s3->hs.tls13.use_psk_dhe_ke && 1850 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1851} 1852 1853int 1854tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1855{ 1856 CBB ke_modes; 1857 1858 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes)) 1859 return 0; 1860 1861 /* Only indicate support for PSK with DHE key establishment. */ 1862 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE)) 1863 return 0; 1864 1865 if (!CBB_flush(cbb)) 1866 return 0; 1867 1868 return 1; 1869} 1870 1871int 1872tlsext_psk_kex_modes_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1873 int *alert) 1874{ 1875 CBS ke_modes; 1876 uint8_t ke_mode; 1877 1878 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes)) 1879 return 0; 1880 1881 while (CBS_len(&ke_modes) > 0) { 1882 if (!CBS_get_u8(&ke_modes, &ke_mode)) 1883 return 0; 1884 1885 if (ke_mode == TLS13_PSK_DHE_KE) 1886 s->s3->hs.tls13.use_psk_dhe_ke = 1; 1887 } 1888 1889 return 1; 1890} 1891 1892int 1893tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type) 1894{ 1895 /* Servers MUST NOT send this extension. */ 1896 return 0; 1897} 1898 1899int 1900tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1901{ 1902 return 0; 1903} 1904 1905int 1906tlsext_psk_kex_modes_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1907 int *alert) 1908{ 1909 return 0; 1910} 1911 1912/* 1913 * Pre-Shared Key Extension - RFC 8446, 4.2.11 1914 */ 1915 1916int 1917tlsext_psk_client_needs(SSL *s, uint16_t msg_type) 1918{ 1919 return 0; 1920} 1921 1922int 1923tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1924{ 1925 return 0; 1926} 1927 1928int 1929tlsext_psk_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1930{ 1931 return CBS_skip(cbs, CBS_len(cbs)); 1932} 1933 1934int 1935tlsext_psk_server_needs(SSL *s, uint16_t msg_type) 1936{ 1937 return 0; 1938} 1939 1940int 1941tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1942{ 1943 return 0; 1944} 1945 1946int 1947tlsext_psk_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1948{ 1949 return CBS_skip(cbs, CBS_len(cbs)); 1950} 1951 1952/* 1953 * QUIC transport parameters extension. 1954 */ 1955 1956int 1957tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type) 1958{ 1959 return (s->internal->quic_transport_params_len > 0 && 1960 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1961} 1962 1963int 1964tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type, 1965 CBB *cbb) 1966{ 1967 CBB contents; 1968 1969 if (!CBB_add_u16_length_prefixed(cbb, &contents)) 1970 return 0; 1971 1972 if (!CBB_add_bytes(&contents, s->internal->quic_transport_params, 1973 s->internal->quic_transport_params_len)) 1974 return 0; 1975 1976 if (!CBB_flush(cbb)) 1977 return 0; 1978 1979 return 1; 1980} 1981 1982int 1983tlsext_quic_transport_parameters_client_parse(SSL *s, uint16_t msg_type, 1984 CBS *cbs, int *alert) 1985{ 1986 CBS transport_data; 1987 1988 /* QUIC requires TLS 1.3. */ 1989 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) { 1990 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1991 return 0; 1992 } 1993 1994 if (!CBS_get_u16_length_prefixed(cbs, &transport_data)) 1995 return 0; 1996 1997 if (!CBS_stow(&transport_data, &s->s3->peer_quic_transport_params, 1998 &s->s3->peer_quic_transport_params_len)) 1999 return 0; 2000 2001 return 1; 2002} 2003 2004int 2005tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type) 2006{ 2007 return s->internal->quic_transport_params_len > 0; 2008} 2009 2010int 2011tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type, 2012 CBB *cbb) 2013{ 2014 CBB contents; 2015 2016 if (!CBB_add_u16_length_prefixed(cbb, &contents)) 2017 return 0; 2018 2019 if (!CBB_add_bytes(&contents, s->internal->quic_transport_params, 2020 s->internal->quic_transport_params_len)) 2021 return 0; 2022 2023 if (!CBB_flush(cbb)) 2024 return 0; 2025 2026 return 1; 2027} 2028 2029int 2030tlsext_quic_transport_parameters_server_parse(SSL *s, uint16_t msg_type, 2031 CBS *cbs, int *alert) 2032{ 2033 CBS transport_data; 2034 2035 /* 2036 * Ignore this extension if we don't have configured quic transport data 2037 * or if we are not TLS 1.3. 2038 */ 2039 if (s->internal->quic_transport_params_len == 0 || 2040 ssl_effective_tls_version(s) < TLS1_3_VERSION) { 2041 if (!CBS_skip(cbs, CBS_len(cbs))) { 2042 *alert = SSL_AD_INTERNAL_ERROR; 2043 return 0; 2044 } 2045 return 1; 2046 } 2047 2048 if (!CBS_get_u16_length_prefixed(cbs, &transport_data)) 2049 return 0; 2050 2051 if (!CBS_stow(&transport_data, &s->s3->peer_quic_transport_params, 2052 &s->s3->peer_quic_transport_params_len)) 2053 return 0; 2054 2055 return 1; 2056} 2057 2058struct tls_extension_funcs { 2059 int (*needs)(SSL *s, uint16_t msg_type); 2060 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 2061 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 2062}; 2063 2064struct tls_extension { 2065 uint16_t type; 2066 uint16_t messages; 2067 struct tls_extension_funcs client; 2068 struct tls_extension_funcs server; 2069}; 2070 2071static const struct tls_extension tls_extensions[] = { 2072 { 2073 .type = TLSEXT_TYPE_supported_versions, 2074 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2075 SSL_TLSEXT_MSG_HRR, 2076 .client = { 2077 .needs = tlsext_versions_client_needs, 2078 .build = tlsext_versions_client_build, 2079 .parse = tlsext_versions_client_parse, 2080 }, 2081 .server = { 2082 .needs = tlsext_versions_server_needs, 2083 .build = tlsext_versions_server_build, 2084 .parse = tlsext_versions_server_parse, 2085 }, 2086 }, 2087 { 2088 .type = TLSEXT_TYPE_key_share, 2089 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2090 SSL_TLSEXT_MSG_HRR, 2091 .client = { 2092 .needs = tlsext_keyshare_client_needs, 2093 .build = tlsext_keyshare_client_build, 2094 .parse = tlsext_keyshare_client_parse, 2095 }, 2096 .server = { 2097 .needs = tlsext_keyshare_server_needs, 2098 .build = tlsext_keyshare_server_build, 2099 .parse = tlsext_keyshare_server_parse, 2100 }, 2101 }, 2102 { 2103 .type = TLSEXT_TYPE_server_name, 2104 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2105 .client = { 2106 .needs = tlsext_sni_client_needs, 2107 .build = tlsext_sni_client_build, 2108 .parse = tlsext_sni_client_parse, 2109 }, 2110 .server = { 2111 .needs = tlsext_sni_server_needs, 2112 .build = tlsext_sni_server_build, 2113 .parse = tlsext_sni_server_parse, 2114 }, 2115 }, 2116 { 2117 .type = TLSEXT_TYPE_renegotiate, 2118 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2119 .client = { 2120 .needs = tlsext_ri_client_needs, 2121 .build = tlsext_ri_client_build, 2122 .parse = tlsext_ri_client_parse, 2123 }, 2124 .server = { 2125 .needs = tlsext_ri_server_needs, 2126 .build = tlsext_ri_server_build, 2127 .parse = tlsext_ri_server_parse, 2128 }, 2129 }, 2130 { 2131 .type = TLSEXT_TYPE_status_request, 2132 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 2133 SSL_TLSEXT_MSG_CT, 2134 .client = { 2135 .needs = tlsext_ocsp_client_needs, 2136 .build = tlsext_ocsp_client_build, 2137 .parse = tlsext_ocsp_client_parse, 2138 }, 2139 .server = { 2140 .needs = tlsext_ocsp_server_needs, 2141 .build = tlsext_ocsp_server_build, 2142 .parse = tlsext_ocsp_server_parse, 2143 }, 2144 }, 2145 { 2146 .type = TLSEXT_TYPE_ec_point_formats, 2147 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2148 .client = { 2149 .needs = tlsext_ecpf_client_needs, 2150 .build = tlsext_ecpf_client_build, 2151 .parse = tlsext_ecpf_client_parse, 2152 }, 2153 .server = { 2154 .needs = tlsext_ecpf_server_needs, 2155 .build = tlsext_ecpf_server_build, 2156 .parse = tlsext_ecpf_server_parse, 2157 }, 2158 }, 2159 { 2160 .type = TLSEXT_TYPE_supported_groups, 2161 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2162 .client = { 2163 .needs = tlsext_supportedgroups_client_needs, 2164 .build = tlsext_supportedgroups_client_build, 2165 .parse = tlsext_supportedgroups_client_parse, 2166 }, 2167 .server = { 2168 .needs = tlsext_supportedgroups_server_needs, 2169 .build = tlsext_supportedgroups_server_build, 2170 .parse = tlsext_supportedgroups_server_parse, 2171 }, 2172 }, 2173 { 2174 .type = TLSEXT_TYPE_session_ticket, 2175 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2176 .client = { 2177 .needs = tlsext_sessionticket_client_needs, 2178 .build = tlsext_sessionticket_client_build, 2179 .parse = tlsext_sessionticket_client_parse, 2180 }, 2181 .server = { 2182 .needs = tlsext_sessionticket_server_needs, 2183 .build = tlsext_sessionticket_server_build, 2184 .parse = tlsext_sessionticket_server_parse, 2185 }, 2186 }, 2187 { 2188 .type = TLSEXT_TYPE_signature_algorithms, 2189 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 2190 .client = { 2191 .needs = tlsext_sigalgs_client_needs, 2192 .build = tlsext_sigalgs_client_build, 2193 .parse = tlsext_sigalgs_client_parse, 2194 }, 2195 .server = { 2196 .needs = tlsext_sigalgs_server_needs, 2197 .build = tlsext_sigalgs_server_build, 2198 .parse = tlsext_sigalgs_server_parse, 2199 }, 2200 }, 2201 { 2202 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 2203 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2204 .client = { 2205 .needs = tlsext_alpn_client_needs, 2206 .build = tlsext_alpn_client_build, 2207 .parse = tlsext_alpn_client_parse, 2208 }, 2209 .server = { 2210 .needs = tlsext_alpn_server_needs, 2211 .build = tlsext_alpn_server_build, 2212 .parse = tlsext_alpn_server_parse, 2213 }, 2214 }, 2215 { 2216 .type = TLSEXT_TYPE_cookie, 2217 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 2218 .client = { 2219 .needs = tlsext_cookie_client_needs, 2220 .build = tlsext_cookie_client_build, 2221 .parse = tlsext_cookie_client_parse, 2222 }, 2223 .server = { 2224 .needs = tlsext_cookie_server_needs, 2225 .build = tlsext_cookie_server_build, 2226 .parse = tlsext_cookie_server_parse, 2227 }, 2228 }, 2229#ifndef OPENSSL_NO_SRTP 2230 { 2231 .type = TLSEXT_TYPE_use_srtp, 2232 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 2233 SSL_TLSEXT_MSG_EE, 2234 .client = { 2235 .needs = tlsext_srtp_client_needs, 2236 .build = tlsext_srtp_client_build, 2237 .parse = tlsext_srtp_client_parse, 2238 }, 2239 .server = { 2240 .needs = tlsext_srtp_server_needs, 2241 .build = tlsext_srtp_server_build, 2242 .parse = tlsext_srtp_server_parse, 2243 }, 2244 }, 2245#endif /* OPENSSL_NO_SRTP */ 2246 { 2247 .type = TLSEXT_TYPE_quic_transport_parameters, 2248 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2249 .client = { 2250 .needs = tlsext_quic_transport_parameters_client_needs, 2251 .build = tlsext_quic_transport_parameters_client_build, 2252 .parse = tlsext_quic_transport_parameters_client_parse, 2253 }, 2254 .server = { 2255 .needs = tlsext_quic_transport_parameters_server_needs, 2256 .build = tlsext_quic_transport_parameters_server_build, 2257 .parse = tlsext_quic_transport_parameters_server_parse, 2258 }, 2259 }, 2260 { 2261 .type = TLSEXT_TYPE_psk_key_exchange_modes, 2262 .messages = SSL_TLSEXT_MSG_CH, 2263 .client = { 2264 .needs = tlsext_psk_kex_modes_client_needs, 2265 .build = tlsext_psk_kex_modes_client_build, 2266 .parse = tlsext_psk_kex_modes_client_parse, 2267 }, 2268 .server = { 2269 .needs = tlsext_psk_kex_modes_server_needs, 2270 .build = tlsext_psk_kex_modes_server_build, 2271 .parse = tlsext_psk_kex_modes_server_parse, 2272 }, 2273 }, 2274 { 2275 /* MUST be last extension in CH per RFC 8446 section 4.2. */ 2276 2277 .type = TLSEXT_TYPE_pre_shared_key, 2278 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2279 .client = { 2280 .needs = tlsext_psk_client_needs, 2281 .build = tlsext_psk_client_build, 2282 .parse = tlsext_psk_client_parse, 2283 }, 2284 .server = { 2285 .needs = tlsext_psk_server_needs, 2286 .build = tlsext_psk_server_build, 2287 .parse = tlsext_psk_server_parse, 2288 }, 2289 }, 2290}; 2291 2292#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 2293 2294/* Ensure that extensions fit in a uint32_t bitmask. */ 2295CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2296 2297const struct tls_extension * 2298tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2299{ 2300 size_t i; 2301 2302 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2303 if (tls_extensions[i].type == type) { 2304 *tls_extensions_idx = i; 2305 return &tls_extensions[i]; 2306 } 2307 } 2308 2309 return NULL; 2310} 2311 2312int 2313tlsext_extension_seen(SSL *s, uint16_t type) 2314{ 2315 size_t idx; 2316 2317 if (tls_extension_find(type, &idx) == NULL) 2318 return 0; 2319 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0); 2320} 2321 2322static const struct tls_extension_funcs * 2323tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2324{ 2325 if (is_server) 2326 return &tlsext->server; 2327 2328 return &tlsext->client; 2329} 2330 2331static int 2332tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2333{ 2334 const struct tls_extension_funcs *ext; 2335 const struct tls_extension *tlsext; 2336 CBB extensions, extension_data; 2337 int extensions_present = 0; 2338 uint16_t tls_version; 2339 size_t i; 2340 2341 tls_version = ssl_effective_tls_version(s); 2342 2343 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2344 return 0; 2345 2346 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2347 tlsext = &tls_extensions[i]; 2348 ext = tlsext_funcs(tlsext, is_server); 2349 2350 /* RFC 8446 Section 4.2 */ 2351 if (tls_version >= TLS1_3_VERSION && 2352 !(tlsext->messages & msg_type)) 2353 continue; 2354 2355 if (!ext->needs(s, msg_type)) 2356 continue; 2357 2358 if (!CBB_add_u16(&extensions, tlsext->type)) 2359 return 0; 2360 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2361 return 0; 2362 2363 if (!ext->build(s, msg_type, &extension_data)) 2364 return 0; 2365 2366 extensions_present = 1; 2367 } 2368 2369 if (!extensions_present && 2370 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2371 CBB_discard_child(cbb); 2372 2373 if (!CBB_flush(cbb)) 2374 return 0; 2375 2376 return 1; 2377} 2378 2379int 2380tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2381{ 2382 /* 2383 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2384 * cookie may be added, padding may be removed. 2385 */ 2386 struct tls13_ctx *ctx = s->internal->tls13; 2387 2388 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2389 type == TLSEXT_TYPE_padding) 2390 return 1; 2391 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2392 sizeof(type))) 2393 return 0; 2394 /* 2395 * key_share data may be changed, and pre_shared_key data may 2396 * be changed 2397 */ 2398 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2399 return 1; 2400 if (!tls13_clienthello_hash_update(ctx, cbs)) 2401 return 0; 2402 2403 return 1; 2404} 2405 2406static int 2407tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2408{ 2409 const struct tls_extension_funcs *ext; 2410 const struct tls_extension *tlsext; 2411 CBS extensions, extension_data; 2412 uint16_t type; 2413 size_t idx; 2414 uint16_t tls_version; 2415 int alert_desc; 2416 2417 tls_version = ssl_effective_tls_version(s); 2418 2419 s->s3->hs.extensions_seen = 0; 2420 2421 /* An empty extensions block is valid. */ 2422 if (CBS_len(cbs) == 0) 2423 return 1; 2424 2425 alert_desc = SSL_AD_DECODE_ERROR; 2426 2427 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2428 goto err; 2429 2430 while (CBS_len(&extensions) > 0) { 2431 if (!CBS_get_u16(&extensions, &type)) 2432 goto err; 2433 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2434 goto err; 2435 2436 if (s->internal->tlsext_debug_cb != NULL) 2437 s->internal->tlsext_debug_cb(s, !is_server, type, 2438 (unsigned char *)CBS_data(&extension_data), 2439 CBS_len(&extension_data), 2440 s->internal->tlsext_debug_arg); 2441 2442 /* Unknown extensions are ignored. */ 2443 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2444 continue; 2445 2446 if (tls_version >= TLS1_3_VERSION && is_server && 2447 msg_type == SSL_TLSEXT_MSG_CH) { 2448 if (!tlsext_clienthello_hash_extension(s, type, 2449 &extension_data)) 2450 goto err; 2451 } 2452 2453 /* RFC 8446 Section 4.2 */ 2454 if (tls_version >= TLS1_3_VERSION && 2455 !(tlsext->messages & msg_type)) { 2456 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2457 goto err; 2458 } 2459 2460 /* Check for duplicate known extensions. */ 2461 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0) 2462 goto err; 2463 s->s3->hs.extensions_seen |= (1 << idx); 2464 2465 ext = tlsext_funcs(tlsext, is_server); 2466 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2467 goto err; 2468 2469 if (CBS_len(&extension_data) != 0) 2470 goto err; 2471 } 2472 2473 return 1; 2474 2475 err: 2476 *alert = alert_desc; 2477 2478 return 0; 2479} 2480 2481static void 2482tlsext_server_reset_state(SSL *s) 2483{ 2484 s->tlsext_status_type = -1; 2485 s->s3->renegotiate_seen = 0; 2486 free(s->s3->alpn_selected); 2487 s->s3->alpn_selected = NULL; 2488 s->s3->alpn_selected_len = 0; 2489 s->internal->srtp_profile = NULL; 2490} 2491 2492int 2493tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2494{ 2495 return tlsext_build(s, 1, msg_type, cbb); 2496} 2497 2498int 2499tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2500{ 2501 /* XXX - this should be done by the caller... */ 2502 if (msg_type == SSL_TLSEXT_MSG_CH) 2503 tlsext_server_reset_state(s); 2504 2505 return tlsext_parse(s, 1, msg_type, cbs, alert); 2506} 2507 2508static void 2509tlsext_client_reset_state(SSL *s) 2510{ 2511 s->s3->renegotiate_seen = 0; 2512 free(s->s3->alpn_selected); 2513 s->s3->alpn_selected = NULL; 2514 s->s3->alpn_selected_len = 0; 2515} 2516 2517int 2518tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2519{ 2520 return tlsext_build(s, 0, msg_type, cbb); 2521} 2522 2523int 2524tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2525{ 2526 /* XXX - this should be done by the caller... */ 2527 if (msg_type == SSL_TLSEXT_MSG_SH) 2528 tlsext_client_reset_state(s); 2529 2530 return tlsext_parse(s, 0, msg_type, cbs, alert); 2531} 2532