ssl_tlsext.c revision 1.123
1/* $OpenBSD: ssl_tlsext.c,v 1.123 2022/07/20 14:14:34 tb Exp $ */ 2/* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20#include <sys/socket.h> 21 22#include <arpa/inet.h> 23#include <netinet/in.h> 24 25#include <ctype.h> 26 27#include <openssl/ocsp.h> 28#include <openssl/opensslconf.h> 29 30#include "bytestring.h" 31#include "ssl_locl.h" 32#include "ssl_sigalgs.h" 33#include "ssl_tlsext.h" 34 35/* 36 * Supported Application-Layer Protocol Negotiation - RFC 7301 37 */ 38 39int 40tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 41{ 42 /* ALPN protos have been specified and this is the initial handshake */ 43 return s->internal->alpn_client_proto_list != NULL && 44 s->s3->hs.finished_len == 0; 45} 46 47int 48tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 49{ 50 CBB protolist; 51 52 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 53 return 0; 54 55 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 56 s->internal->alpn_client_proto_list_len)) 57 return 0; 58 59 if (!CBB_flush(cbb)) 60 return 0; 61 62 return 1; 63} 64 65int 66tlsext_alpn_check_format(CBS *cbs) 67{ 68 CBS proto_name_list; 69 70 if (CBS_len(cbs) == 0) 71 return 0; 72 73 CBS_dup(cbs, &proto_name_list); 74 while (CBS_len(&proto_name_list) > 0) { 75 CBS proto_name; 76 77 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 78 return 0; 79 if (CBS_len(&proto_name) == 0) 80 return 0; 81 } 82 83 return 1; 84} 85 86int 87tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 88{ 89 CBS alpn; 90 const unsigned char *selected; 91 unsigned char selected_len; 92 int r; 93 94 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 95 goto err; 96 if (CBS_len(cbs) != 0) 97 goto err; 98 99 if (!tlsext_alpn_check_format(&alpn)) 100 goto err; 101 102 if (s->ctx->internal->alpn_select_cb == NULL) 103 return 1; 104 105 /* 106 * XXX - A few things should be considered here: 107 * 1. Ensure that the same protocol is selected on session resumption. 108 * 2. Should the callback be called even if no ALPN extension was sent? 109 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 110 */ 111 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 112 CBS_data(&alpn), CBS_len(&alpn), 113 s->ctx->internal->alpn_select_cb_arg); 114 115 if (r == SSL_TLSEXT_ERR_OK) { 116 CBS cbs; 117 118 CBS_init(&cbs, selected, selected_len); 119 120 if (!CBS_stow(&cbs, &s->s3->alpn_selected, 121 &s->s3->alpn_selected_len)) { 122 *alert = SSL_AD_INTERNAL_ERROR; 123 return 0; 124 } 125 126 return 1; 127 } 128 129 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 130 if (r == SSL_TLSEXT_ERR_NOACK) 131 return 1; 132 133 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 134 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 135 136 return 0; 137 138 err: 139 *alert = SSL_AD_DECODE_ERROR; 140 return 0; 141} 142 143int 144tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 145{ 146 return s->s3->alpn_selected != NULL; 147} 148 149int 150tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 151{ 152 CBB list, selected; 153 154 if (!CBB_add_u16_length_prefixed(cbb, &list)) 155 return 0; 156 157 if (!CBB_add_u8_length_prefixed(&list, &selected)) 158 return 0; 159 160 if (!CBB_add_bytes(&selected, s->s3->alpn_selected, 161 s->s3->alpn_selected_len)) 162 return 0; 163 164 if (!CBB_flush(cbb)) 165 return 0; 166 167 return 1; 168} 169 170int 171tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 172{ 173 CBS list, proto; 174 175 if (s->internal->alpn_client_proto_list == NULL) { 176 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 177 return 0; 178 } 179 180 if (!CBS_get_u16_length_prefixed(cbs, &list)) 181 goto err; 182 if (CBS_len(cbs) != 0) 183 goto err; 184 185 if (!CBS_get_u8_length_prefixed(&list, &proto)) 186 goto err; 187 188 if (CBS_len(&list) != 0) 189 goto err; 190 if (CBS_len(&proto) == 0) 191 goto err; 192 193 if (!CBS_stow(&proto, &(s->s3->alpn_selected), 194 &(s->s3->alpn_selected_len))) 195 goto err; 196 197 return 1; 198 199 err: 200 *alert = SSL_AD_DECODE_ERROR; 201 return 0; 202} 203 204/* 205 * Supported Groups - RFC 7919 section 2 206 */ 207int 208tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 209{ 210 return ssl_has_ecc_ciphers(s) || 211 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 212} 213 214int 215tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 216{ 217 const uint16_t *groups; 218 size_t groups_len; 219 CBB grouplist; 220 int i; 221 222 tls1_get_group_list(s, 0, &groups, &groups_len); 223 if (groups_len == 0) { 224 SSLerror(s, ERR_R_INTERNAL_ERROR); 225 return 0; 226 } 227 228 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 229 return 0; 230 231 for (i = 0; i < groups_len; i++) { 232 if (!ssl_security_supported_group(s, groups[i])) 233 continue; 234 if (!CBB_add_u16(&grouplist, groups[i])) 235 return 0; 236 } 237 238 if (!CBB_flush(cbb)) 239 return 0; 240 241 return 1; 242} 243 244int 245tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 246 int *alert) 247{ 248 CBS grouplist; 249 size_t groups_len; 250 251 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 252 goto err; 253 if (CBS_len(cbs) != 0) 254 goto err; 255 256 groups_len = CBS_len(&grouplist); 257 if (groups_len == 0 || groups_len % 2 != 0) 258 goto err; 259 groups_len /= 2; 260 261 if (!s->internal->hit) { 262 uint16_t *groups; 263 int i; 264 265 if (s->s3->hs.tls13.hrr) { 266 if (s->session->tlsext_supportedgroups == NULL) { 267 *alert = SSL_AD_HANDSHAKE_FAILURE; 268 return 0; 269 } 270 /* 271 * In the case of TLSv1.3 the client cannot change 272 * the supported groups. 273 */ 274 if (groups_len != s->session->tlsext_supportedgroups_length) { 275 *alert = SSL_AD_ILLEGAL_PARAMETER; 276 return 0; 277 } 278 for (i = 0; i < groups_len; i++) { 279 uint16_t group; 280 281 if (!CBS_get_u16(&grouplist, &group)) 282 goto err; 283 if (s->session->tlsext_supportedgroups[i] != group) { 284 *alert = SSL_AD_ILLEGAL_PARAMETER; 285 return 0; 286 } 287 } 288 289 return 1; 290 } 291 292 if (s->session->tlsext_supportedgroups != NULL) 293 goto err; 294 295 if ((groups = reallocarray(NULL, groups_len, 296 sizeof(uint16_t))) == NULL) { 297 *alert = SSL_AD_INTERNAL_ERROR; 298 return 0; 299 } 300 301 for (i = 0; i < groups_len; i++) { 302 if (!CBS_get_u16(&grouplist, &groups[i])) { 303 free(groups); 304 goto err; 305 } 306 } 307 308 if (CBS_len(&grouplist) != 0) { 309 free(groups); 310 goto err; 311 } 312 313 s->session->tlsext_supportedgroups = groups; 314 s->session->tlsext_supportedgroups_length = groups_len; 315 } 316 317 return 1; 318 319 err: 320 *alert = SSL_AD_DECODE_ERROR; 321 return 0; 322} 323 324/* This extension is never used by the server. */ 325int 326tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 327{ 328 return 0; 329} 330 331int 332tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 333{ 334 return 0; 335} 336 337int 338tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 339 int *alert) 340{ 341 /* 342 * Servers should not send this extension per the RFC. 343 * 344 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 345 * from at least 2014 but as of 2017, there are still large sites with 346 * this unpatched in production. As a result, we need to currently skip 347 * over the extension and ignore its content: 348 * 349 * https://support.f5.com/csp/article/K37345003 350 */ 351 if (!CBS_skip(cbs, CBS_len(cbs))) { 352 *alert = SSL_AD_INTERNAL_ERROR; 353 return 0; 354 } 355 356 return 1; 357} 358 359/* 360 * Supported Point Formats Extension - RFC 4492 section 5.1.2 361 */ 362static int 363tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 364{ 365 CBB ecpf; 366 size_t formats_len; 367 const uint8_t *formats; 368 369 tls1_get_formatlist(s, 0, &formats, &formats_len); 370 371 if (formats_len == 0) { 372 SSLerror(s, ERR_R_INTERNAL_ERROR); 373 return 0; 374 } 375 376 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 377 return 0; 378 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 379 return 0; 380 if (!CBB_flush(cbb)) 381 return 0; 382 383 return 1; 384} 385 386static int 387tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 388{ 389 CBS ecpf; 390 391 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 392 return 0; 393 if (CBS_len(&ecpf) == 0) 394 return 0; 395 if (CBS_len(cbs) != 0) 396 return 0; 397 398 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 399 if (!CBS_contains_zero_byte(&ecpf)) { 400 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 401 *alert = SSL_AD_ILLEGAL_PARAMETER; 402 return 0; 403 } 404 405 if (!s->internal->hit) { 406 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), 407 &(s->session->tlsext_ecpointformatlist_length))) { 408 *alert = SSL_AD_INTERNAL_ERROR; 409 return 0; 410 } 411 } 412 413 return 1; 414} 415 416int 417tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 418{ 419 return ssl_has_ecc_ciphers(s); 420} 421 422int 423tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 424{ 425 return tlsext_ecpf_build(s, msg_type, cbb); 426} 427 428int 429tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 430{ 431 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 432} 433 434int 435tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 436{ 437 return ssl_using_ecc_cipher(s); 438} 439 440int 441tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 442{ 443 return tlsext_ecpf_build(s, msg_type, cbb); 444} 445 446int 447tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 448{ 449 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 450} 451 452/* 453 * Renegotiation Indication - RFC 5746. 454 */ 455int 456tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 457{ 458 return (s->internal->renegotiate); 459} 460 461int 462tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 463{ 464 CBB reneg; 465 466 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 467 return 0; 468 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 469 s->s3->previous_client_finished_len)) 470 return 0; 471 if (!CBB_flush(cbb)) 472 return 0; 473 474 return 1; 475} 476 477int 478tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 479{ 480 CBS reneg; 481 482 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 483 goto err; 484 if (CBS_len(cbs) != 0) 485 goto err; 486 487 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, 488 s->s3->previous_client_finished_len)) { 489 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 490 *alert = SSL_AD_HANDSHAKE_FAILURE; 491 return 0; 492 } 493 494 s->s3->renegotiate_seen = 1; 495 s->s3->send_connection_binding = 1; 496 497 return 1; 498 499 err: 500 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 501 *alert = SSL_AD_DECODE_ERROR; 502 return 0; 503} 504 505int 506tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 507{ 508 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && 509 s->s3->send_connection_binding); 510} 511 512int 513tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 514{ 515 CBB reneg; 516 517 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 518 return 0; 519 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 520 s->s3->previous_client_finished_len)) 521 return 0; 522 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished, 523 s->s3->previous_server_finished_len)) 524 return 0; 525 if (!CBB_flush(cbb)) 526 return 0; 527 528 return 1; 529} 530 531int 532tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 533{ 534 CBS reneg, prev_client, prev_server; 535 536 /* 537 * Ensure that the previous client and server values are both not 538 * present, or that they are both present. 539 */ 540 if ((s->s3->previous_client_finished_len == 0 && 541 s->s3->previous_server_finished_len != 0) || 542 (s->s3->previous_client_finished_len != 0 && 543 s->s3->previous_server_finished_len == 0)) { 544 *alert = SSL_AD_INTERNAL_ERROR; 545 return 0; 546 } 547 548 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 549 goto err; 550 if (!CBS_get_bytes(&reneg, &prev_client, 551 s->s3->previous_client_finished_len)) 552 goto err; 553 if (!CBS_get_bytes(&reneg, &prev_server, 554 s->s3->previous_server_finished_len)) 555 goto err; 556 if (CBS_len(&reneg) != 0) 557 goto err; 558 if (CBS_len(cbs) != 0) 559 goto err; 560 561 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, 562 s->s3->previous_client_finished_len)) { 563 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 564 *alert = SSL_AD_HANDSHAKE_FAILURE; 565 return 0; 566 } 567 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished, 568 s->s3->previous_server_finished_len)) { 569 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 570 *alert = SSL_AD_HANDSHAKE_FAILURE; 571 return 0; 572 } 573 574 s->s3->renegotiate_seen = 1; 575 s->s3->send_connection_binding = 1; 576 577 return 1; 578 579 err: 580 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 581 *alert = SSL_AD_DECODE_ERROR; 582 return 0; 583} 584 585/* 586 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 587 */ 588int 589tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 590{ 591 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION); 592} 593 594int 595tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 596{ 597 uint16_t tls_version = s->s3->hs.negotiated_tls_version; 598 CBB sigalgs; 599 600 if (msg_type == SSL_TLSEXT_MSG_CH) 601 tls_version = s->s3->hs.our_min_tls_version; 602 603 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 604 return 0; 605 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) 606 return 0; 607 if (!CBB_flush(cbb)) 608 return 0; 609 610 return 1; 611} 612 613int 614tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 615{ 616 CBS sigalgs; 617 618 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 619 return 0; 620 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 621 return 0; 622 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 623 return 0; 624 625 return 1; 626} 627 628int 629tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 630{ 631 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 632} 633 634int 635tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 636{ 637 CBB sigalgs; 638 639 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 640 return 0; 641 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, 642 SSL_get_security_level(s))) 643 return 0; 644 if (!CBB_flush(cbb)) 645 return 0; 646 647 return 1; 648} 649 650int 651tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 652{ 653 CBS sigalgs; 654 655 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 656 return 0; 657 658 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 659 return 0; 660 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 661 return 0; 662 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 663 return 0; 664 665 return 1; 666} 667 668/* 669 * Server Name Indication - RFC 6066, section 3. 670 */ 671int 672tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 673{ 674 return (s->tlsext_hostname != NULL); 675} 676 677int 678tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 679{ 680 CBB server_name_list, host_name; 681 682 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 683 return 0; 684 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 685 return 0; 686 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 687 return 0; 688 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 689 strlen(s->tlsext_hostname))) 690 return 0; 691 if (!CBB_flush(cbb)) 692 return 0; 693 694 return 1; 695} 696 697static int 698tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip) 699{ 700 union { 701 struct in_addr ip4; 702 struct in6_addr ip6; 703 } addrbuf; 704 char *hostname = NULL; 705 706 *is_ip = 0; 707 708 if (!CBS_strdup(cbs, &hostname)) 709 return 0; 710 711 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 || 712 inet_pton(AF_INET6, hostname, &addrbuf) == 1) 713 *is_ip = 1; 714 715 free(hostname); 716 717 return 1; 718} 719 720/* 721 * Validate that the CBS contains only a hostname consisting of RFC 5890 722 * compliant A-labels (see RFC 6066 section 3). Not a complete check 723 * since we don't parse punycode to verify its validity but limits to 724 * correct structure and character set. 725 */ 726int 727tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) 728{ 729 uint8_t prev, c = 0; 730 int component = 0; 731 CBS hostname; 732 733 *is_ip = 0; 734 735 CBS_dup(cbs, &hostname); 736 737 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 738 return 0; 739 740 /* An IP literal is invalid as a host name (RFC 6066 section 3). */ 741 if (!tlsext_sni_is_ip_literal(&hostname, is_ip)) 742 return 0; 743 if (*is_ip) 744 return 0; 745 746 while (CBS_len(&hostname) > 0) { 747 prev = c; 748 if (!CBS_get_u8(&hostname, &c)) 749 return 0; 750 /* Everything has to be ASCII, with no NUL byte. */ 751 if (!isascii(c) || c == '\0') 752 return 0; 753 /* It must be alphanumeric, a '-', or a '.' */ 754 if (!isalnum(c) && c != '-' && c != '.') 755 return 0; 756 /* '-' and '.' must not start a component or be at the end. */ 757 if (component == 0 || CBS_len(&hostname) == 0) { 758 if (c == '-' || c == '.') 759 return 0; 760 } 761 if (c == '.') { 762 /* Components can not end with a dash. */ 763 if (prev == '-') 764 return 0; 765 /* Start new component */ 766 component = 0; 767 continue; 768 } 769 /* Components must be 63 chars or less. */ 770 if (++component > 63) 771 return 0; 772 } 773 774 return 1; 775} 776 777int 778tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 779{ 780 CBS server_name_list, host_name; 781 uint8_t name_type; 782 int is_ip; 783 784 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 785 goto err; 786 787 if (!CBS_get_u8(&server_name_list, &name_type)) 788 goto err; 789 790 /* 791 * RFC 6066 section 3, only one type (host_name) is specified. 792 * We do not tolerate unknown types, neither does BoringSSL. 793 * other implementations appear more tolerant. 794 */ 795 if (name_type != TLSEXT_NAMETYPE_host_name) { 796 *alert = SSL_AD_ILLEGAL_PARAMETER; 797 goto err; 798 } 799 800 /* 801 * RFC 6066 section 3 specifies a host name must be at least 1 byte 802 * so 0 length is a decode error. 803 */ 804 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 805 goto err; 806 if (CBS_len(&host_name) < 1) 807 goto err; 808 809 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) { 810 /* 811 * Various pieces of software have been known to set the SNI 812 * host name to an IP address, even though that violates the 813 * RFC. If this is the case, pretend the SNI extension does 814 * not exist. 815 */ 816 if (is_ip) 817 goto done; 818 819 *alert = SSL_AD_ILLEGAL_PARAMETER; 820 goto err; 821 } 822 823 if (s->internal->hit || s->s3->hs.tls13.hrr) { 824 if (s->session->tlsext_hostname == NULL) { 825 *alert = SSL_AD_UNRECOGNIZED_NAME; 826 goto err; 827 } 828 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 829 strlen(s->session->tlsext_hostname))) { 830 *alert = SSL_AD_UNRECOGNIZED_NAME; 831 goto err; 832 } 833 } else { 834 if (s->session->tlsext_hostname != NULL) 835 goto err; 836 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 837 *alert = SSL_AD_INTERNAL_ERROR; 838 goto err; 839 } 840 } 841 842 done: 843 /* 844 * RFC 6066 section 3 forbids multiple host names with the same type, 845 * therefore we allow only one entry. 846 */ 847 if (CBS_len(&server_name_list) != 0) { 848 *alert = SSL_AD_ILLEGAL_PARAMETER; 849 goto err; 850 } 851 if (CBS_len(cbs) != 0) 852 goto err; 853 854 return 1; 855 856 err: 857 return 0; 858} 859 860int 861tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 862{ 863 if (s->internal->hit) 864 return 0; 865 866 return (s->session->tlsext_hostname != NULL); 867} 868 869int 870tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 871{ 872 return 1; 873} 874 875int 876tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 877{ 878 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 879 *alert = SSL_AD_UNRECOGNIZED_NAME; 880 return 0; 881 } 882 883 if (s->internal->hit) { 884 if (s->session->tlsext_hostname == NULL) { 885 *alert = SSL_AD_UNRECOGNIZED_NAME; 886 return 0; 887 } 888 if (strcmp(s->tlsext_hostname, 889 s->session->tlsext_hostname) != 0) { 890 *alert = SSL_AD_UNRECOGNIZED_NAME; 891 return 0; 892 } 893 } else { 894 if (s->session->tlsext_hostname != NULL) { 895 *alert = SSL_AD_DECODE_ERROR; 896 return 0; 897 } 898 if ((s->session->tlsext_hostname = 899 strdup(s->tlsext_hostname)) == NULL) { 900 *alert = SSL_AD_INTERNAL_ERROR; 901 return 0; 902 } 903 } 904 905 return 1; 906} 907 908 909/* 910 * Certificate Status Request - RFC 6066 section 8. 911 */ 912 913int 914tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 915{ 916 if (msg_type != SSL_TLSEXT_MSG_CH) 917 return 0; 918 919 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 920} 921 922int 923tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 924{ 925 CBB respid_list, respid, exts; 926 unsigned char *ext_data; 927 size_t ext_len; 928 int i; 929 930 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 931 return 0; 932 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 933 return 0; 934 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 935 unsigned char *respid_data; 936 OCSP_RESPID *id; 937 size_t id_len; 938 939 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 940 i)) == NULL) 941 return 0; 942 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 943 return 0; 944 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 945 return 0; 946 if (!CBB_add_space(&respid, &respid_data, id_len)) 947 return 0; 948 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 949 return 0; 950 } 951 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 952 return 0; 953 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 954 NULL)) == -1) 955 return 0; 956 if (!CBB_add_space(&exts, &ext_data, ext_len)) 957 return 0; 958 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 959 ext_len)) 960 return 0; 961 if (!CBB_flush(cbb)) 962 return 0; 963 return 1; 964} 965 966int 967tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 968{ 969 int alert_desc = SSL_AD_DECODE_ERROR; 970 CBS respid_list, respid, exts; 971 const unsigned char *p; 972 uint8_t status_type; 973 int ret = 0; 974 975 if (msg_type != SSL_TLSEXT_MSG_CH) 976 goto err; 977 978 if (!CBS_get_u8(cbs, &status_type)) 979 goto err; 980 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 981 /* ignore unknown status types */ 982 s->tlsext_status_type = -1; 983 984 if (!CBS_skip(cbs, CBS_len(cbs))) { 985 *alert = SSL_AD_INTERNAL_ERROR; 986 return 0; 987 } 988 return 1; 989 } 990 s->tlsext_status_type = status_type; 991 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 992 goto err; 993 994 /* XXX */ 995 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 996 s->internal->tlsext_ocsp_ids = NULL; 997 if (CBS_len(&respid_list) > 0) { 998 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 999 if (s->internal->tlsext_ocsp_ids == NULL) { 1000 alert_desc = SSL_AD_INTERNAL_ERROR; 1001 goto err; 1002 } 1003 } 1004 1005 while (CBS_len(&respid_list) > 0) { 1006 OCSP_RESPID *id; 1007 1008 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 1009 goto err; 1010 p = CBS_data(&respid); 1011 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 1012 goto err; 1013 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 1014 alert_desc = SSL_AD_INTERNAL_ERROR; 1015 OCSP_RESPID_free(id); 1016 goto err; 1017 } 1018 } 1019 1020 /* Read in request_extensions */ 1021 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 1022 goto err; 1023 if (CBS_len(&exts) > 0) { 1024 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 1025 X509_EXTENSION_free); 1026 p = CBS_data(&exts); 1027 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 1028 &p, CBS_len(&exts))) == NULL) 1029 goto err; 1030 } 1031 1032 /* should be nothing left */ 1033 if (CBS_len(cbs) > 0) 1034 goto err; 1035 1036 ret = 1; 1037 err: 1038 if (ret == 0) 1039 *alert = alert_desc; 1040 return ret; 1041} 1042 1043int 1044tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 1045{ 1046 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1047 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 1048 s->ctx->internal->tlsext_status_cb != NULL) { 1049 s->internal->tlsext_status_expected = 0; 1050 if (s->ctx->internal->tlsext_status_cb(s, 1051 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 1052 s->internal->tlsext_ocsp_resp_len > 0) 1053 s->internal->tlsext_status_expected = 1; 1054 } 1055 return s->internal->tlsext_status_expected; 1056} 1057 1058int 1059tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1060{ 1061 CBB ocsp_response; 1062 1063 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1064 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1065 return 0; 1066 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1067 return 0; 1068 if (!CBB_add_bytes(&ocsp_response, 1069 s->internal->tlsext_ocsp_resp, 1070 s->internal->tlsext_ocsp_resp_len)) 1071 return 0; 1072 if (!CBB_flush(cbb)) 1073 return 0; 1074 } 1075 return 1; 1076} 1077 1078int 1079tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1080{ 1081 uint8_t status_type; 1082 CBS response; 1083 1084 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1085 if (msg_type == SSL_TLSEXT_MSG_CR) { 1086 /* 1087 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1088 * response with an empty status_request. 1089 */ 1090 if (CBS_len(cbs) == 0) 1091 return 1; 1092 1093 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1094 return 0; 1095 } 1096 if (!CBS_get_u8(cbs, &status_type)) { 1097 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1098 return 0; 1099 } 1100 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1101 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1102 return 0; 1103 } 1104 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1105 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1106 return 0; 1107 } 1108 if (CBS_len(&response) > 65536) { 1109 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1110 return 0; 1111 } 1112 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 1113 &s->internal->tlsext_ocsp_resp_len)) { 1114 *alert = SSL_AD_INTERNAL_ERROR; 1115 return 0; 1116 } 1117 } else { 1118 if (s->tlsext_status_type == -1) { 1119 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1120 return 0; 1121 } 1122 /* Set flag to expect CertificateStatus message */ 1123 s->internal->tlsext_status_expected = 1; 1124 } 1125 return 1; 1126} 1127 1128/* 1129 * SessionTicket extension - RFC 5077 section 3.2 1130 */ 1131int 1132tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1133{ 1134 /* 1135 * Send session ticket extension when enabled and not overridden. 1136 * 1137 * When renegotiating, send an empty session ticket to indicate support. 1138 */ 1139 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1140 return 0; 1141 1142 if (!ssl_security_tickets(s)) 1143 return 0; 1144 1145 if (s->internal->new_session) 1146 return 1; 1147 1148 if (s->internal->tlsext_session_ticket != NULL && 1149 s->internal->tlsext_session_ticket->data == NULL) 1150 return 0; 1151 1152 return 1; 1153} 1154 1155int 1156tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1157{ 1158 /* 1159 * Signal that we support session tickets by sending an empty 1160 * extension when renegotiating or no session found. 1161 */ 1162 if (s->internal->new_session || s->session == NULL) 1163 return 1; 1164 1165 if (s->session->tlsext_tick != NULL) { 1166 /* Attempt to resume with an existing session ticket */ 1167 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1168 s->session->tlsext_ticklen)) 1169 return 0; 1170 1171 } else if (s->internal->tlsext_session_ticket != NULL) { 1172 /* 1173 * Attempt to resume with a custom provided session ticket set 1174 * by SSL_set_session_ticket_ext(). 1175 */ 1176 if (s->internal->tlsext_session_ticket->length > 0) { 1177 size_t ticklen = s->internal->tlsext_session_ticket->length; 1178 1179 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1180 return 0; 1181 memcpy(s->session->tlsext_tick, 1182 s->internal->tlsext_session_ticket->data, 1183 ticklen); 1184 s->session->tlsext_ticklen = ticklen; 1185 1186 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1187 s->session->tlsext_ticklen)) 1188 return 0; 1189 } 1190 } 1191 1192 if (!CBB_flush(cbb)) 1193 return 0; 1194 1195 return 1; 1196} 1197 1198int 1199tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1200 int *alert) 1201{ 1202 if (s->internal->tls_session_ticket_ext_cb) { 1203 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1204 (int)CBS_len(cbs), 1205 s->internal->tls_session_ticket_ext_cb_arg)) { 1206 *alert = SSL_AD_INTERNAL_ERROR; 1207 return 0; 1208 } 1209 } 1210 1211 /* We need to signal that this was processed fully */ 1212 if (!CBS_skip(cbs, CBS_len(cbs))) { 1213 *alert = SSL_AD_INTERNAL_ERROR; 1214 return 0; 1215 } 1216 1217 return 1; 1218} 1219 1220int 1221tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1222{ 1223 return (s->internal->tlsext_ticket_expected && 1224 !(SSL_get_options(s) & SSL_OP_NO_TICKET) && 1225 ssl_security_tickets(s)); 1226} 1227 1228int 1229tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1230{ 1231 /* Empty ticket */ 1232 return 1; 1233} 1234 1235int 1236tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1237 int *alert) 1238{ 1239 if (s->internal->tls_session_ticket_ext_cb) { 1240 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1241 (int)CBS_len(cbs), 1242 s->internal->tls_session_ticket_ext_cb_arg)) { 1243 *alert = SSL_AD_INTERNAL_ERROR; 1244 return 0; 1245 } 1246 } 1247 1248 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1249 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1250 return 0; 1251 } 1252 1253 s->internal->tlsext_ticket_expected = 1; 1254 1255 return 1; 1256} 1257 1258/* 1259 * DTLS extension for SRTP key establishment - RFC 5764 1260 */ 1261 1262#ifndef OPENSSL_NO_SRTP 1263 1264int 1265tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1266{ 1267 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1268} 1269 1270int 1271tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1272{ 1273 CBB profiles, mki; 1274 int ct, i; 1275 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1276 const SRTP_PROTECTION_PROFILE *prof; 1277 1278 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1279 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1280 return 0; 1281 } 1282 1283 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1284 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1285 return 0; 1286 } 1287 1288 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1289 return 0; 1290 1291 for (i = 0; i < ct; i++) { 1292 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1293 return 0; 1294 if (!CBB_add_u16(&profiles, prof->id)) 1295 return 0; 1296 } 1297 1298 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1299 return 0; 1300 1301 if (!CBB_flush(cbb)) 1302 return 0; 1303 1304 return 1; 1305} 1306 1307int 1308tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1309{ 1310 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1311 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1312 int i, j; 1313 int ret; 1314 uint16_t id; 1315 CBS profiles, mki; 1316 1317 ret = 0; 1318 1319 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1320 goto err; 1321 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1322 goto err; 1323 1324 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1325 goto err; 1326 1327 while (CBS_len(&profiles) > 0) { 1328 if (!CBS_get_u16(&profiles, &id)) 1329 goto err; 1330 1331 if (!srtp_find_profile_by_num(id, &cprof)) { 1332 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1333 goto err; 1334 } 1335 } 1336 1337 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1338 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1339 *alert = SSL_AD_DECODE_ERROR; 1340 goto done; 1341 } 1342 if (CBS_len(cbs) != 0) 1343 goto err; 1344 1345 /* 1346 * Per RFC 5764 section 4.1.1 1347 * 1348 * Find the server preferred profile using the client's list. 1349 * 1350 * The server MUST send a profile if it sends the use_srtp 1351 * extension. If one is not found, it should fall back to the 1352 * negotiated DTLS cipher suite or return a DTLS alert. 1353 */ 1354 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1355 goto err; 1356 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1357 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1358 == NULL) 1359 goto err; 1360 1361 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1362 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1363 == NULL) 1364 goto err; 1365 1366 if (cprof->id == sprof->id) { 1367 s->internal->srtp_profile = sprof; 1368 ret = 1; 1369 goto done; 1370 } 1371 } 1372 } 1373 1374 /* If we didn't find anything, fall back to the negotiated */ 1375 ret = 1; 1376 goto done; 1377 1378 err: 1379 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1380 *alert = SSL_AD_DECODE_ERROR; 1381 1382 done: 1383 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1384 return ret; 1385} 1386 1387int 1388tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1389{ 1390 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1391} 1392 1393int 1394tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1395{ 1396 SRTP_PROTECTION_PROFILE *profile; 1397 CBB srtp, mki; 1398 1399 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1400 return 0; 1401 1402 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1403 return 0; 1404 1405 if (!CBB_add_u16(&srtp, profile->id)) 1406 return 0; 1407 1408 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1409 return 0; 1410 1411 if (!CBB_flush(cbb)) 1412 return 0; 1413 1414 return 1; 1415} 1416 1417int 1418tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1419{ 1420 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1421 const SRTP_PROTECTION_PROFILE *prof; 1422 int i; 1423 uint16_t id; 1424 CBS profile_ids, mki; 1425 1426 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1427 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1428 goto err; 1429 } 1430 1431 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1432 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1433 goto err; 1434 } 1435 1436 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1437 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1438 *alert = SSL_AD_ILLEGAL_PARAMETER; 1439 return 0; 1440 } 1441 1442 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1443 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1444 goto err; 1445 } 1446 1447 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1448 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1449 == NULL) { 1450 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1451 goto err; 1452 } 1453 1454 if (prof->id == id) { 1455 s->internal->srtp_profile = prof; 1456 return 1; 1457 } 1458 } 1459 1460 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1461 err: 1462 *alert = SSL_AD_DECODE_ERROR; 1463 return 0; 1464} 1465 1466#endif /* OPENSSL_NO_SRTP */ 1467 1468/* 1469 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1470 */ 1471int 1472tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1473{ 1474 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1475} 1476 1477int 1478tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1479{ 1480 CBB client_shares, key_exchange; 1481 1482 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1483 return 0; 1484 1485 if (!CBB_add_u16(&client_shares, 1486 tls_key_share_group(s->s3->hs.key_share))) 1487 return 0; 1488 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1489 return 0; 1490 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1491 return 0; 1492 1493 if (!CBB_flush(cbb)) 1494 return 0; 1495 1496 return 1; 1497} 1498 1499int 1500tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1501{ 1502 CBS client_shares, key_exchange; 1503 int decode_error; 1504 uint16_t group; 1505 1506 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1507 return 0; 1508 1509 while (CBS_len(&client_shares) > 0) { 1510 1511 /* Unpack client share. */ 1512 if (!CBS_get_u16(&client_shares, &group)) 1513 return 0; 1514 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1515 return 0; 1516 1517 /* 1518 * XXX - check key exchange against supported groups from client. 1519 * XXX - check that groups only appear once. 1520 */ 1521 1522 /* 1523 * Ignore this client share if we're using earlier than TLSv1.3 1524 * or we've already selected a key share. 1525 */ 1526 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) 1527 continue; 1528 if (s->s3->hs.key_share != NULL) 1529 continue; 1530 1531 /* XXX - consider implementing server preference. */ 1532 if (!tls1_check_group(s, group)) 1533 continue; 1534 1535 /* Decode and store the selected key share. */ 1536 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1537 *alert = SSL_AD_INTERNAL_ERROR; 1538 return 0; 1539 } 1540 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1541 &key_exchange, &decode_error, NULL)) { 1542 if (!decode_error) 1543 *alert = SSL_AD_INTERNAL_ERROR; 1544 return 0; 1545 } 1546 } 1547 1548 return 1; 1549} 1550 1551int 1552tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1553{ 1554 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1555 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1556} 1557 1558int 1559tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1560{ 1561 CBB key_exchange; 1562 1563 /* In the case of a HRR, we only send the server selected group. */ 1564 if (s->s3->hs.tls13.hrr) { 1565 if (s->s3->hs.tls13.server_group == 0) 1566 return 0; 1567 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group); 1568 } 1569 1570 if (s->s3->hs.key_share == NULL) 1571 return 0; 1572 1573 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share))) 1574 return 0; 1575 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1576 return 0; 1577 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1578 return 0; 1579 1580 if (!CBB_flush(cbb)) 1581 return 0; 1582 1583 return 1; 1584} 1585 1586int 1587tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1588{ 1589 CBS key_exchange; 1590 int decode_error; 1591 uint16_t group; 1592 1593 /* Unpack server share. */ 1594 if (!CBS_get_u16(cbs, &group)) 1595 return 0; 1596 1597 if (CBS_len(cbs) == 0) { 1598 /* HRR does not include an actual key share, only the group. */ 1599 if (msg_type != SSL_TLSEXT_MSG_HRR) 1600 return 0; 1601 1602 s->s3->hs.tls13.server_group = group; 1603 return 1; 1604 } 1605 1606 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1607 return 0; 1608 1609 if (s->s3->hs.key_share == NULL) { 1610 *alert = SSL_AD_INTERNAL_ERROR; 1611 return 0; 1612 } 1613 if (tls_key_share_group(s->s3->hs.key_share) != group) { 1614 *alert = SSL_AD_INTERNAL_ERROR; 1615 return 0; 1616 } 1617 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1618 &key_exchange, &decode_error, NULL)) { 1619 if (!decode_error) 1620 *alert = SSL_AD_INTERNAL_ERROR; 1621 return 0; 1622 } 1623 1624 return 1; 1625} 1626 1627/* 1628 * Supported Versions - RFC 8446 section 4.2.1. 1629 */ 1630int 1631tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1632{ 1633 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1634} 1635 1636int 1637tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1638{ 1639 uint16_t max, min; 1640 uint16_t version; 1641 CBB versions; 1642 1643 max = s->s3->hs.our_max_tls_version; 1644 min = s->s3->hs.our_min_tls_version; 1645 1646 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1647 return 0; 1648 1649 /* XXX - fix, but contiguous for now... */ 1650 for (version = max; version >= min; version--) { 1651 if (!CBB_add_u16(&versions, version)) 1652 return 0; 1653 } 1654 1655 if (!CBB_flush(cbb)) 1656 return 0; 1657 1658 return 1; 1659} 1660 1661int 1662tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1663{ 1664 CBS versions; 1665 uint16_t version; 1666 uint16_t max, min; 1667 uint16_t matched_version = 0; 1668 1669 max = s->s3->hs.our_max_tls_version; 1670 min = s->s3->hs.our_min_tls_version; 1671 1672 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1673 goto err; 1674 1675 while (CBS_len(&versions) > 0) { 1676 if (!CBS_get_u16(&versions, &version)) 1677 goto err; 1678 /* 1679 * XXX What is below implements client preference, and 1680 * ignores any server preference entirely. 1681 */ 1682 if (matched_version == 0 && version >= min && version <= max) 1683 matched_version = version; 1684 } 1685 1686 if (matched_version > 0) { 1687 /* XXX - this should be stored for later processing. */ 1688 s->version = matched_version; 1689 return 1; 1690 } 1691 1692 *alert = SSL_AD_PROTOCOL_VERSION; 1693 return 0; 1694 1695 err: 1696 *alert = SSL_AD_DECODE_ERROR; 1697 return 0; 1698} 1699 1700int 1701tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1702{ 1703 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 1704} 1705 1706int 1707tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1708{ 1709 return CBB_add_u16(cbb, TLS1_3_VERSION); 1710} 1711 1712int 1713tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1714{ 1715 uint16_t selected_version; 1716 1717 if (!CBS_get_u16(cbs, &selected_version)) { 1718 *alert = SSL_AD_DECODE_ERROR; 1719 return 0; 1720 } 1721 1722 /* XXX - need to fix for DTLS 1.3 */ 1723 if (selected_version < TLS1_3_VERSION) { 1724 *alert = SSL_AD_ILLEGAL_PARAMETER; 1725 return 0; 1726 } 1727 1728 /* XXX test between min and max once initialization code goes in */ 1729 s->s3->hs.tls13.server_version = selected_version; 1730 1731 return 1; 1732} 1733 1734 1735/* 1736 * Cookie - RFC 8446 section 4.2.2. 1737 */ 1738 1739int 1740tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1741{ 1742 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1743 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1744} 1745 1746int 1747tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1748{ 1749 CBB cookie; 1750 1751 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1752 return 0; 1753 1754 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1755 s->s3->hs.tls13.cookie_len)) 1756 return 0; 1757 1758 if (!CBB_flush(cbb)) 1759 return 0; 1760 1761 return 1; 1762} 1763 1764int 1765tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1766{ 1767 CBS cookie; 1768 1769 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1770 goto err; 1771 1772 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len) 1773 goto err; 1774 1775 /* 1776 * Check provided cookie value against what server previously 1777 * sent - client *MUST* send the same cookie with new CR after 1778 * a cookie is sent by the server with an HRR. 1779 */ 1780 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie, 1781 s->s3->hs.tls13.cookie_len)) { 1782 /* XXX special cookie mismatch alert? */ 1783 *alert = SSL_AD_ILLEGAL_PARAMETER; 1784 return 0; 1785 } 1786 1787 return 1; 1788 1789 err: 1790 *alert = SSL_AD_DECODE_ERROR; 1791 return 0; 1792} 1793 1794int 1795tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1796{ 1797 /* 1798 * Server needs to set cookie value in tls13 handshake 1799 * in order to send one, should only be sent with HRR. 1800 */ 1801 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1802 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1803} 1804 1805int 1806tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1807{ 1808 CBB cookie; 1809 1810 /* XXX deduplicate with client code */ 1811 1812 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1813 return 0; 1814 1815 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1816 s->s3->hs.tls13.cookie_len)) 1817 return 0; 1818 1819 if (!CBB_flush(cbb)) 1820 return 0; 1821 1822 return 1; 1823} 1824 1825int 1826tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1827{ 1828 CBS cookie; 1829 1830 /* 1831 * XXX This currently assumes we will not get a second 1832 * HRR from a server with a cookie to process after accepting 1833 * one from the server in the same handshake 1834 */ 1835 if (s->s3->hs.tls13.cookie != NULL || 1836 s->s3->hs.tls13.cookie_len != 0) { 1837 *alert = SSL_AD_ILLEGAL_PARAMETER; 1838 return 0; 1839 } 1840 1841 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1842 goto err; 1843 1844 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie, 1845 &s->s3->hs.tls13.cookie_len)) 1846 goto err; 1847 1848 return 1; 1849 1850 err: 1851 *alert = SSL_AD_DECODE_ERROR; 1852 return 0; 1853} 1854 1855/* 1856 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9. 1857 */ 1858 1859int 1860tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type) 1861{ 1862 return (s->s3->hs.tls13.use_psk_dhe_ke && 1863 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1864} 1865 1866int 1867tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1868{ 1869 CBB ke_modes; 1870 1871 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes)) 1872 return 0; 1873 1874 /* Only indicate support for PSK with DHE key establishment. */ 1875 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE)) 1876 return 0; 1877 1878 if (!CBB_flush(cbb)) 1879 return 0; 1880 1881 return 1; 1882} 1883 1884int 1885tlsext_psk_kex_modes_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1886 int *alert) 1887{ 1888 CBS ke_modes; 1889 uint8_t ke_mode; 1890 1891 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes)) 1892 return 0; 1893 1894 while (CBS_len(&ke_modes) > 0) { 1895 if (!CBS_get_u8(&ke_modes, &ke_mode)) 1896 return 0; 1897 1898 if (ke_mode == TLS13_PSK_DHE_KE) 1899 s->s3->hs.tls13.use_psk_dhe_ke = 1; 1900 } 1901 1902 return 1; 1903} 1904 1905int 1906tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type) 1907{ 1908 /* Servers MUST NOT send this extension. */ 1909 return 0; 1910} 1911 1912int 1913tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1914{ 1915 return 0; 1916} 1917 1918int 1919tlsext_psk_kex_modes_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1920 int *alert) 1921{ 1922 return 0; 1923} 1924 1925/* 1926 * Pre-Shared Key Extension - RFC 8446, 4.2.11 1927 */ 1928 1929int 1930tlsext_psk_client_needs(SSL *s, uint16_t msg_type) 1931{ 1932 return 0; 1933} 1934 1935int 1936tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1937{ 1938 return 0; 1939} 1940 1941int 1942tlsext_psk_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1943{ 1944 return CBS_skip(cbs, CBS_len(cbs)); 1945} 1946 1947int 1948tlsext_psk_server_needs(SSL *s, uint16_t msg_type) 1949{ 1950 return 0; 1951} 1952 1953int 1954tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1955{ 1956 return 0; 1957} 1958 1959int 1960tlsext_psk_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1961{ 1962 return CBS_skip(cbs, CBS_len(cbs)); 1963} 1964 1965/* 1966 * QUIC transport parameters extension - RFC 9001 section 8.2. 1967 */ 1968 1969int 1970tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type) 1971{ 1972 return SSL_is_quic(s) && s->internal->quic_transport_params_len > 0; 1973} 1974 1975int 1976tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type, 1977 CBB *cbb) 1978{ 1979 if (!CBB_add_bytes(cbb, s->internal->quic_transport_params, 1980 s->internal->quic_transport_params_len)) 1981 return 0; 1982 1983 return 1; 1984} 1985 1986int 1987tlsext_quic_transport_parameters_client_parse(SSL *s, uint16_t msg_type, 1988 CBS *cbs, int *alert) 1989{ 1990 if (!SSL_is_quic(s)) { 1991 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1992 return 0; 1993 } 1994 1995 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 1996 &s->s3->peer_quic_transport_params_len)) 1997 return 0; 1998 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 1999 return 0; 2000 2001 return 1; 2002} 2003 2004int 2005tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type) 2006{ 2007 return SSL_is_quic(s) && s->internal->quic_transport_params_len > 0; 2008} 2009 2010int 2011tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type, 2012 CBB *cbb) 2013{ 2014 if (!CBB_add_bytes(cbb, s->internal->quic_transport_params, 2015 s->internal->quic_transport_params_len)) 2016 return 0; 2017 2018 return 1; 2019} 2020 2021int 2022tlsext_quic_transport_parameters_server_parse(SSL *s, uint16_t msg_type, 2023 CBS *cbs, int *alert) 2024{ 2025 if (!SSL_is_quic(s)) { 2026 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 2027 return 0; 2028 } 2029 2030 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 2031 &s->s3->peer_quic_transport_params_len)) 2032 return 0; 2033 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 2034 return 0; 2035 2036 return 1; 2037} 2038 2039struct tls_extension_funcs { 2040 int (*needs)(SSL *s, uint16_t msg_type); 2041 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 2042 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 2043}; 2044 2045struct tls_extension { 2046 uint16_t type; 2047 uint16_t messages; 2048 struct tls_extension_funcs client; 2049 struct tls_extension_funcs server; 2050}; 2051 2052static const struct tls_extension tls_extensions[] = { 2053 { 2054 .type = TLSEXT_TYPE_supported_versions, 2055 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2056 SSL_TLSEXT_MSG_HRR, 2057 .client = { 2058 .needs = tlsext_versions_client_needs, 2059 .build = tlsext_versions_client_build, 2060 .parse = tlsext_versions_client_parse, 2061 }, 2062 .server = { 2063 .needs = tlsext_versions_server_needs, 2064 .build = tlsext_versions_server_build, 2065 .parse = tlsext_versions_server_parse, 2066 }, 2067 }, 2068 { 2069 .type = TLSEXT_TYPE_key_share, 2070 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2071 SSL_TLSEXT_MSG_HRR, 2072 .client = { 2073 .needs = tlsext_keyshare_client_needs, 2074 .build = tlsext_keyshare_client_build, 2075 .parse = tlsext_keyshare_client_parse, 2076 }, 2077 .server = { 2078 .needs = tlsext_keyshare_server_needs, 2079 .build = tlsext_keyshare_server_build, 2080 .parse = tlsext_keyshare_server_parse, 2081 }, 2082 }, 2083 { 2084 .type = TLSEXT_TYPE_server_name, 2085 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2086 .client = { 2087 .needs = tlsext_sni_client_needs, 2088 .build = tlsext_sni_client_build, 2089 .parse = tlsext_sni_client_parse, 2090 }, 2091 .server = { 2092 .needs = tlsext_sni_server_needs, 2093 .build = tlsext_sni_server_build, 2094 .parse = tlsext_sni_server_parse, 2095 }, 2096 }, 2097 { 2098 .type = TLSEXT_TYPE_renegotiate, 2099 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2100 .client = { 2101 .needs = tlsext_ri_client_needs, 2102 .build = tlsext_ri_client_build, 2103 .parse = tlsext_ri_client_parse, 2104 }, 2105 .server = { 2106 .needs = tlsext_ri_server_needs, 2107 .build = tlsext_ri_server_build, 2108 .parse = tlsext_ri_server_parse, 2109 }, 2110 }, 2111 { 2112 .type = TLSEXT_TYPE_status_request, 2113 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 2114 SSL_TLSEXT_MSG_CT, 2115 .client = { 2116 .needs = tlsext_ocsp_client_needs, 2117 .build = tlsext_ocsp_client_build, 2118 .parse = tlsext_ocsp_client_parse, 2119 }, 2120 .server = { 2121 .needs = tlsext_ocsp_server_needs, 2122 .build = tlsext_ocsp_server_build, 2123 .parse = tlsext_ocsp_server_parse, 2124 }, 2125 }, 2126 { 2127 .type = TLSEXT_TYPE_ec_point_formats, 2128 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2129 .client = { 2130 .needs = tlsext_ecpf_client_needs, 2131 .build = tlsext_ecpf_client_build, 2132 .parse = tlsext_ecpf_client_parse, 2133 }, 2134 .server = { 2135 .needs = tlsext_ecpf_server_needs, 2136 .build = tlsext_ecpf_server_build, 2137 .parse = tlsext_ecpf_server_parse, 2138 }, 2139 }, 2140 { 2141 .type = TLSEXT_TYPE_supported_groups, 2142 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2143 .client = { 2144 .needs = tlsext_supportedgroups_client_needs, 2145 .build = tlsext_supportedgroups_client_build, 2146 .parse = tlsext_supportedgroups_client_parse, 2147 }, 2148 .server = { 2149 .needs = tlsext_supportedgroups_server_needs, 2150 .build = tlsext_supportedgroups_server_build, 2151 .parse = tlsext_supportedgroups_server_parse, 2152 }, 2153 }, 2154 { 2155 .type = TLSEXT_TYPE_session_ticket, 2156 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2157 .client = { 2158 .needs = tlsext_sessionticket_client_needs, 2159 .build = tlsext_sessionticket_client_build, 2160 .parse = tlsext_sessionticket_client_parse, 2161 }, 2162 .server = { 2163 .needs = tlsext_sessionticket_server_needs, 2164 .build = tlsext_sessionticket_server_build, 2165 .parse = tlsext_sessionticket_server_parse, 2166 }, 2167 }, 2168 { 2169 .type = TLSEXT_TYPE_signature_algorithms, 2170 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 2171 .client = { 2172 .needs = tlsext_sigalgs_client_needs, 2173 .build = tlsext_sigalgs_client_build, 2174 .parse = tlsext_sigalgs_client_parse, 2175 }, 2176 .server = { 2177 .needs = tlsext_sigalgs_server_needs, 2178 .build = tlsext_sigalgs_server_build, 2179 .parse = tlsext_sigalgs_server_parse, 2180 }, 2181 }, 2182 { 2183 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 2184 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2185 .client = { 2186 .needs = tlsext_alpn_client_needs, 2187 .build = tlsext_alpn_client_build, 2188 .parse = tlsext_alpn_client_parse, 2189 }, 2190 .server = { 2191 .needs = tlsext_alpn_server_needs, 2192 .build = tlsext_alpn_server_build, 2193 .parse = tlsext_alpn_server_parse, 2194 }, 2195 }, 2196 { 2197 .type = TLSEXT_TYPE_cookie, 2198 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 2199 .client = { 2200 .needs = tlsext_cookie_client_needs, 2201 .build = tlsext_cookie_client_build, 2202 .parse = tlsext_cookie_client_parse, 2203 }, 2204 .server = { 2205 .needs = tlsext_cookie_server_needs, 2206 .build = tlsext_cookie_server_build, 2207 .parse = tlsext_cookie_server_parse, 2208 }, 2209 }, 2210#ifndef OPENSSL_NO_SRTP 2211 { 2212 .type = TLSEXT_TYPE_use_srtp, 2213 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 2214 SSL_TLSEXT_MSG_EE, 2215 .client = { 2216 .needs = tlsext_srtp_client_needs, 2217 .build = tlsext_srtp_client_build, 2218 .parse = tlsext_srtp_client_parse, 2219 }, 2220 .server = { 2221 .needs = tlsext_srtp_server_needs, 2222 .build = tlsext_srtp_server_build, 2223 .parse = tlsext_srtp_server_parse, 2224 }, 2225 }, 2226#endif /* OPENSSL_NO_SRTP */ 2227 { 2228 .type = TLSEXT_TYPE_quic_transport_parameters, 2229 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2230 .client = { 2231 .needs = tlsext_quic_transport_parameters_client_needs, 2232 .build = tlsext_quic_transport_parameters_client_build, 2233 .parse = tlsext_quic_transport_parameters_client_parse, 2234 }, 2235 .server = { 2236 .needs = tlsext_quic_transport_parameters_server_needs, 2237 .build = tlsext_quic_transport_parameters_server_build, 2238 .parse = tlsext_quic_transport_parameters_server_parse, 2239 }, 2240 }, 2241 { 2242 .type = TLSEXT_TYPE_psk_key_exchange_modes, 2243 .messages = SSL_TLSEXT_MSG_CH, 2244 .client = { 2245 .needs = tlsext_psk_kex_modes_client_needs, 2246 .build = tlsext_psk_kex_modes_client_build, 2247 .parse = tlsext_psk_kex_modes_client_parse, 2248 }, 2249 .server = { 2250 .needs = tlsext_psk_kex_modes_server_needs, 2251 .build = tlsext_psk_kex_modes_server_build, 2252 .parse = tlsext_psk_kex_modes_server_parse, 2253 }, 2254 }, 2255 { 2256 /* MUST be last extension in CH per RFC 8446 section 4.2. */ 2257 2258 .type = TLSEXT_TYPE_pre_shared_key, 2259 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2260 .client = { 2261 .needs = tlsext_psk_client_needs, 2262 .build = tlsext_psk_client_build, 2263 .parse = tlsext_psk_client_parse, 2264 }, 2265 .server = { 2266 .needs = tlsext_psk_server_needs, 2267 .build = tlsext_psk_server_build, 2268 .parse = tlsext_psk_server_parse, 2269 }, 2270 }, 2271}; 2272 2273#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 2274 2275/* Ensure that extensions fit in a uint32_t bitmask. */ 2276CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2277 2278const struct tls_extension * 2279tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2280{ 2281 size_t i; 2282 2283 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2284 if (tls_extensions[i].type == type) { 2285 *tls_extensions_idx = i; 2286 return &tls_extensions[i]; 2287 } 2288 } 2289 2290 return NULL; 2291} 2292 2293int 2294tlsext_extension_seen(SSL *s, uint16_t type) 2295{ 2296 size_t idx; 2297 2298 if (tls_extension_find(type, &idx) == NULL) 2299 return 0; 2300 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0); 2301} 2302 2303static const struct tls_extension_funcs * 2304tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2305{ 2306 if (is_server) 2307 return &tlsext->server; 2308 2309 return &tlsext->client; 2310} 2311 2312static int 2313tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2314{ 2315 const struct tls_extension_funcs *ext; 2316 const struct tls_extension *tlsext; 2317 CBB extensions, extension_data; 2318 int extensions_present = 0; 2319 uint16_t tls_version; 2320 size_t i; 2321 2322 tls_version = ssl_effective_tls_version(s); 2323 2324 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2325 return 0; 2326 2327 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2328 tlsext = &tls_extensions[i]; 2329 ext = tlsext_funcs(tlsext, is_server); 2330 2331 /* RFC 8446 Section 4.2 */ 2332 if (tls_version >= TLS1_3_VERSION && 2333 !(tlsext->messages & msg_type)) 2334 continue; 2335 2336 if (!ext->needs(s, msg_type)) 2337 continue; 2338 2339 if (!CBB_add_u16(&extensions, tlsext->type)) 2340 return 0; 2341 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2342 return 0; 2343 2344 if (!ext->build(s, msg_type, &extension_data)) 2345 return 0; 2346 2347 extensions_present = 1; 2348 } 2349 2350 if (!extensions_present && 2351 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2352 CBB_discard_child(cbb); 2353 2354 if (!CBB_flush(cbb)) 2355 return 0; 2356 2357 return 1; 2358} 2359 2360int 2361tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2362{ 2363 /* 2364 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2365 * cookie may be added, padding may be removed. 2366 */ 2367 struct tls13_ctx *ctx = s->internal->tls13; 2368 2369 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2370 type == TLSEXT_TYPE_padding) 2371 return 1; 2372 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2373 sizeof(type))) 2374 return 0; 2375 /* 2376 * key_share data may be changed, and pre_shared_key data may 2377 * be changed 2378 */ 2379 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2380 return 1; 2381 if (!tls13_clienthello_hash_update(ctx, cbs)) 2382 return 0; 2383 2384 return 1; 2385} 2386 2387static int 2388tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2389{ 2390 const struct tls_extension_funcs *ext; 2391 const struct tls_extension *tlsext; 2392 CBS extensions, extension_data; 2393 uint16_t type; 2394 size_t idx; 2395 uint16_t tls_version; 2396 int alert_desc; 2397 2398 tls_version = ssl_effective_tls_version(s); 2399 2400 s->s3->hs.extensions_seen = 0; 2401 2402 /* An empty extensions block is valid. */ 2403 if (CBS_len(cbs) == 0) 2404 return 1; 2405 2406 alert_desc = SSL_AD_DECODE_ERROR; 2407 2408 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2409 goto err; 2410 2411 while (CBS_len(&extensions) > 0) { 2412 if (!CBS_get_u16(&extensions, &type)) 2413 goto err; 2414 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2415 goto err; 2416 2417 if (s->internal->tlsext_debug_cb != NULL) 2418 s->internal->tlsext_debug_cb(s, !is_server, type, 2419 (unsigned char *)CBS_data(&extension_data), 2420 CBS_len(&extension_data), 2421 s->internal->tlsext_debug_arg); 2422 2423 /* Unknown extensions are ignored. */ 2424 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2425 continue; 2426 2427 if (tls_version >= TLS1_3_VERSION && is_server && 2428 msg_type == SSL_TLSEXT_MSG_CH) { 2429 if (!tlsext_clienthello_hash_extension(s, type, 2430 &extension_data)) 2431 goto err; 2432 } 2433 2434 /* RFC 8446 Section 4.2 */ 2435 if (tls_version >= TLS1_3_VERSION && 2436 !(tlsext->messages & msg_type)) { 2437 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2438 goto err; 2439 } 2440 2441 /* Check for duplicate known extensions. */ 2442 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0) 2443 goto err; 2444 s->s3->hs.extensions_seen |= (1 << idx); 2445 2446 ext = tlsext_funcs(tlsext, is_server); 2447 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2448 goto err; 2449 2450 if (CBS_len(&extension_data) != 0) 2451 goto err; 2452 } 2453 2454 return 1; 2455 2456 err: 2457 *alert = alert_desc; 2458 2459 return 0; 2460} 2461 2462static void 2463tlsext_server_reset_state(SSL *s) 2464{ 2465 s->tlsext_status_type = -1; 2466 s->s3->renegotiate_seen = 0; 2467 free(s->s3->alpn_selected); 2468 s->s3->alpn_selected = NULL; 2469 s->s3->alpn_selected_len = 0; 2470 s->internal->srtp_profile = NULL; 2471} 2472 2473int 2474tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2475{ 2476 return tlsext_build(s, 1, msg_type, cbb); 2477} 2478 2479int 2480tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2481{ 2482 /* XXX - this should be done by the caller... */ 2483 if (msg_type == SSL_TLSEXT_MSG_CH) 2484 tlsext_server_reset_state(s); 2485 2486 return tlsext_parse(s, 1, msg_type, cbs, alert); 2487} 2488 2489static void 2490tlsext_client_reset_state(SSL *s) 2491{ 2492 s->s3->renegotiate_seen = 0; 2493 free(s->s3->alpn_selected); 2494 s->s3->alpn_selected = NULL; 2495 s->s3->alpn_selected_len = 0; 2496} 2497 2498int 2499tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2500{ 2501 return tlsext_build(s, 0, msg_type, cbb); 2502} 2503 2504int 2505tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2506{ 2507 /* XXX - this should be done by the caller... */ 2508 if (msg_type == SSL_TLSEXT_MSG_SH) 2509 tlsext_client_reset_state(s); 2510 2511 return tlsext_parse(s, 0, msg_type, cbs, alert); 2512} 2513