ssl_tlsext.c revision 1.138
1/* $OpenBSD: ssl_tlsext.c,v 1.138 2024/03/25 03:23:59 jsing Exp $ */ 2/* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20#include <sys/socket.h> 21 22#include <arpa/inet.h> 23#include <netinet/in.h> 24 25#include <ctype.h> 26 27#include <openssl/ocsp.h> 28#include <openssl/opensslconf.h> 29 30#include "bytestring.h" 31#include "ssl_local.h" 32#include "ssl_sigalgs.h" 33#include "ssl_tlsext.h" 34 35#define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation 36 37/* 38 * Supported Application-Layer Protocol Negotiation - RFC 7301 39 */ 40 41static int 42tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 43{ 44 /* ALPN protos have been specified and this is the initial handshake */ 45 return s->alpn_client_proto_list != NULL && 46 s->s3->hs.finished_len == 0; 47} 48 49static int 50tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 51{ 52 CBB protolist; 53 54 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 55 return 0; 56 57 if (!CBB_add_bytes(&protolist, s->alpn_client_proto_list, 58 s->alpn_client_proto_list_len)) 59 return 0; 60 61 if (!CBB_flush(cbb)) 62 return 0; 63 64 return 1; 65} 66 67int 68tlsext_alpn_check_format(CBS *cbs) 69{ 70 CBS proto_name_list; 71 72 if (CBS_len(cbs) == 0) 73 return 0; 74 75 CBS_dup(cbs, &proto_name_list); 76 while (CBS_len(&proto_name_list) > 0) { 77 CBS proto_name; 78 79 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 80 return 0; 81 if (CBS_len(&proto_name) == 0) 82 return 0; 83 } 84 85 return 1; 86} 87 88static int 89tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 90{ 91 CBS alpn, selected_cbs; 92 const unsigned char *selected; 93 unsigned char selected_len; 94 int r; 95 96 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 97 return 0; 98 99 if (!tlsext_alpn_check_format(&alpn)) 100 return 0; 101 102 if (s->ctx->alpn_select_cb == NULL) 103 return 1; 104 105 /* 106 * XXX - A few things should be considered here: 107 * 1. Ensure that the same protocol is selected on session resumption. 108 * 2. Should the callback be called even if no ALPN extension was sent? 109 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 110 */ 111 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 112 CBS_data(&alpn), CBS_len(&alpn), 113 s->ctx->alpn_select_cb_arg); 114 115 if (r == SSL_TLSEXT_ERR_OK) { 116 CBS_init(&selected_cbs, selected, selected_len); 117 118 if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected, 119 &s->s3->alpn_selected_len)) { 120 *alert = SSL_AD_INTERNAL_ERROR; 121 return 0; 122 } 123 124 return 1; 125 } 126 127 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 128 if (r == SSL_TLSEXT_ERR_NOACK) 129 return 1; 130 131 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 132 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 133 134 return 0; 135} 136 137static int 138tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 139{ 140 return s->s3->alpn_selected != NULL; 141} 142 143static int 144tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 145{ 146 CBB list, selected; 147 148 if (!CBB_add_u16_length_prefixed(cbb, &list)) 149 return 0; 150 151 if (!CBB_add_u8_length_prefixed(&list, &selected)) 152 return 0; 153 154 if (!CBB_add_bytes(&selected, s->s3->alpn_selected, 155 s->s3->alpn_selected_len)) 156 return 0; 157 158 if (!CBB_flush(cbb)) 159 return 0; 160 161 return 1; 162} 163 164static int 165tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 166{ 167 CBS list, proto; 168 169 if (s->alpn_client_proto_list == NULL) { 170 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 171 return 0; 172 } 173 174 if (!CBS_get_u16_length_prefixed(cbs, &list)) 175 return 0; 176 177 if (!CBS_get_u8_length_prefixed(&list, &proto)) 178 return 0; 179 180 if (CBS_len(&list) != 0) 181 return 0; 182 if (CBS_len(&proto) == 0) 183 return 0; 184 185 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len)) 186 return 0; 187 188 return 1; 189} 190 191/* 192 * Supported Groups - RFC 7919 section 2 193 */ 194static int 195tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 196{ 197 return ssl_has_ecc_ciphers(s) || 198 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 199} 200 201static int 202tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 203{ 204 const uint16_t *groups; 205 size_t groups_len; 206 CBB grouplist; 207 int i; 208 209 tls1_get_group_list(s, 0, &groups, &groups_len); 210 if (groups_len == 0) { 211 SSLerror(s, ERR_R_INTERNAL_ERROR); 212 return 0; 213 } 214 215 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 216 return 0; 217 218 for (i = 0; i < groups_len; i++) { 219 if (!ssl_security_supported_group(s, groups[i])) 220 continue; 221 if (!CBB_add_u16(&grouplist, groups[i])) 222 return 0; 223 } 224 225 if (!CBB_flush(cbb)) 226 return 0; 227 228 return 1; 229} 230 231static int 232tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 233 int *alert) 234{ 235 CBS grouplist; 236 uint16_t *groups; 237 size_t groups_len; 238 int i; 239 240 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 241 return 0; 242 243 groups_len = CBS_len(&grouplist); 244 if (groups_len == 0 || groups_len % 2 != 0) 245 return 0; 246 groups_len /= 2; 247 248 if (s->hit) 249 return 1; 250 251 if (s->s3->hs.tls13.hrr) { 252 if (s->session->tlsext_supportedgroups == NULL) { 253 *alert = SSL_AD_HANDSHAKE_FAILURE; 254 return 0; 255 } 256 257 /* 258 * The ClientHello extension hashing ensures that the client 259 * did not change its list of supported groups. 260 */ 261 262 return 1; 263 } 264 265 if (s->session->tlsext_supportedgroups != NULL) 266 return 0; /* XXX internal error? */ 267 268 if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) { 269 *alert = SSL_AD_INTERNAL_ERROR; 270 return 0; 271 } 272 273 for (i = 0; i < groups_len; i++) { 274 if (!CBS_get_u16(&grouplist, &groups[i])) { 275 free(groups); 276 return 0; 277 } 278 } 279 280 if (CBS_len(&grouplist) != 0) { 281 free(groups); 282 return 0; 283 } 284 285 s->session->tlsext_supportedgroups = groups; 286 s->session->tlsext_supportedgroups_length = groups_len; 287 288 return 1; 289} 290 291/* This extension is never used by the server. */ 292static int 293tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 294{ 295 return 0; 296} 297 298static int 299tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 300{ 301 return 0; 302} 303 304static int 305tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 306 int *alert) 307{ 308 /* 309 * Servers should not send this extension per the RFC. 310 * 311 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 312 * from at least 2014 but as of 2017, there are still large sites with 313 * this unpatched in production. As a result, we need to currently skip 314 * over the extension and ignore its content: 315 * 316 * https://support.f5.com/csp/article/K37345003 317 */ 318 if (!CBS_skip(cbs, CBS_len(cbs))) { 319 *alert = SSL_AD_INTERNAL_ERROR; 320 return 0; 321 } 322 323 return 1; 324} 325 326/* 327 * Supported Point Formats Extension - RFC 4492 section 5.1.2 328 */ 329static int 330tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 331{ 332 CBB ecpf; 333 size_t formats_len; 334 const uint8_t *formats; 335 336 tls1_get_formatlist(s, 0, &formats, &formats_len); 337 338 if (formats_len == 0) { 339 SSLerror(s, ERR_R_INTERNAL_ERROR); 340 return 0; 341 } 342 343 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 344 return 0; 345 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 346 return 0; 347 if (!CBB_flush(cbb)) 348 return 0; 349 350 return 1; 351} 352 353static int 354tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 355{ 356 CBS ecpf; 357 358 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 359 return 0; 360 if (CBS_len(&ecpf) == 0) 361 return 0; 362 363 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 364 if (!CBS_contains_zero_byte(&ecpf)) { 365 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 366 *alert = SSL_AD_ILLEGAL_PARAMETER; 367 return 0; 368 } 369 370 if (!s->hit) { 371 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), 372 &(s->session->tlsext_ecpointformatlist_length))) { 373 *alert = SSL_AD_INTERNAL_ERROR; 374 return 0; 375 } 376 } 377 378 return 1; 379} 380 381static int 382tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 383{ 384 return ssl_has_ecc_ciphers(s); 385} 386 387static int 388tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 389{ 390 return tlsext_ecpf_build(s, msg_type, cbb); 391} 392 393static int 394tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 395{ 396 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 397} 398 399static int 400tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 401{ 402 return ssl_using_ecc_cipher(s); 403} 404 405static int 406tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 407{ 408 return tlsext_ecpf_build(s, msg_type, cbb); 409} 410 411static int 412tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 413{ 414 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 415} 416 417/* 418 * Renegotiation Indication - RFC 5746. 419 */ 420static int 421tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 422{ 423 return (s->renegotiate); 424} 425 426static int 427tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 428{ 429 CBB reneg; 430 431 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 432 return 0; 433 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 434 s->s3->previous_client_finished_len)) 435 return 0; 436 if (!CBB_flush(cbb)) 437 return 0; 438 439 return 1; 440} 441 442static int 443tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 444{ 445 CBS reneg; 446 447 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 448 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 449 return 0; 450 } 451 452 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, 453 s->s3->previous_client_finished_len)) { 454 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 455 *alert = SSL_AD_HANDSHAKE_FAILURE; 456 return 0; 457 } 458 459 s->s3->renegotiate_seen = 1; 460 s->s3->send_connection_binding = 1; 461 462 return 1; 463} 464 465static int 466tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 467{ 468 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && 469 s->s3->send_connection_binding); 470} 471 472static int 473tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 474{ 475 CBB reneg; 476 477 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 478 return 0; 479 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 480 s->s3->previous_client_finished_len)) 481 return 0; 482 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished, 483 s->s3->previous_server_finished_len)) 484 return 0; 485 if (!CBB_flush(cbb)) 486 return 0; 487 488 return 1; 489} 490 491static int 492tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 493{ 494 CBS reneg, prev_client, prev_server; 495 496 /* 497 * Ensure that the previous client and server values are both not 498 * present, or that they are both present. 499 */ 500 if ((s->s3->previous_client_finished_len == 0 && 501 s->s3->previous_server_finished_len != 0) || 502 (s->s3->previous_client_finished_len != 0 && 503 s->s3->previous_server_finished_len == 0)) { 504 *alert = SSL_AD_INTERNAL_ERROR; 505 return 0; 506 } 507 508 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 509 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 510 return 0; 511 } 512 if (!CBS_get_bytes(&reneg, &prev_client, 513 s->s3->previous_client_finished_len)) { 514 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 515 return 0; 516 } 517 if (!CBS_get_bytes(&reneg, &prev_server, 518 s->s3->previous_server_finished_len)) { 519 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 520 return 0; 521 } 522 if (CBS_len(&reneg) != 0) { 523 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 524 return 0; 525 } 526 527 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, 528 s->s3->previous_client_finished_len)) { 529 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 530 *alert = SSL_AD_HANDSHAKE_FAILURE; 531 return 0; 532 } 533 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished, 534 s->s3->previous_server_finished_len)) { 535 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 536 *alert = SSL_AD_HANDSHAKE_FAILURE; 537 return 0; 538 } 539 540 s->s3->renegotiate_seen = 1; 541 s->s3->send_connection_binding = 1; 542 543 return 1; 544} 545 546/* 547 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 548 */ 549static int 550tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 551{ 552 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION); 553} 554 555static int 556tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 557{ 558 uint16_t tls_version = s->s3->hs.negotiated_tls_version; 559 CBB sigalgs; 560 561 if (msg_type == SSL_TLSEXT_MSG_CH) 562 tls_version = s->s3->hs.our_min_tls_version; 563 564 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 565 return 0; 566 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) 567 return 0; 568 if (!CBB_flush(cbb)) 569 return 0; 570 571 return 1; 572} 573 574static int 575tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 576{ 577 CBS sigalgs; 578 579 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 580 return 0; 581 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 582 return 0; 583 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 584 return 0; 585 586 return 1; 587} 588 589static int 590tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 591{ 592 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 593} 594 595static int 596tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 597{ 598 CBB sigalgs; 599 600 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 601 return 0; 602 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, 603 SSL_get_security_level(s))) 604 return 0; 605 if (!CBB_flush(cbb)) 606 return 0; 607 608 return 1; 609} 610 611static int 612tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 613{ 614 CBS sigalgs; 615 616 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 617 return 0; 618 619 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 620 return 0; 621 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 622 return 0; 623 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 624 return 0; 625 626 return 1; 627} 628 629/* 630 * Server Name Indication - RFC 6066, section 3. 631 */ 632static int 633tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 634{ 635 return (s->tlsext_hostname != NULL); 636} 637 638static int 639tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 640{ 641 CBB server_name_list, host_name; 642 643 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 644 return 0; 645 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 646 return 0; 647 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 648 return 0; 649 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 650 strlen(s->tlsext_hostname))) 651 return 0; 652 if (!CBB_flush(cbb)) 653 return 0; 654 655 return 1; 656} 657 658static int 659tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip) 660{ 661 union { 662 struct in_addr ip4; 663 struct in6_addr ip6; 664 } addrbuf; 665 char *hostname = NULL; 666 667 *is_ip = 0; 668 669 if (!CBS_strdup(cbs, &hostname)) 670 return 0; 671 672 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 || 673 inet_pton(AF_INET6, hostname, &addrbuf) == 1) 674 *is_ip = 1; 675 676 free(hostname); 677 678 return 1; 679} 680 681/* 682 * Validate that the CBS contains only a hostname consisting of RFC 5890 683 * compliant A-labels (see RFC 6066 section 3). Not a complete check 684 * since we don't parse punycode to verify its validity but limits to 685 * correct structure and character set. 686 */ 687int 688tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) 689{ 690 uint8_t prev, c = 0; 691 int component = 0; 692 CBS hostname; 693 694 *is_ip = 0; 695 696 CBS_dup(cbs, &hostname); 697 698 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 699 return 0; 700 701 /* An IP literal is invalid as a host name (RFC 6066 section 3). */ 702 if (!tlsext_sni_is_ip_literal(&hostname, is_ip)) 703 return 0; 704 if (*is_ip) 705 return 0; 706 707 while (CBS_len(&hostname) > 0) { 708 prev = c; 709 if (!CBS_get_u8(&hostname, &c)) 710 return 0; 711 /* Everything has to be ASCII, with no NUL byte. */ 712 if (!isascii(c) || c == '\0') 713 return 0; 714 /* It must be alphanumeric, a '-', or a '.' */ 715 if (!isalnum(c) && c != '-' && c != '.') 716 return 0; 717 /* '-' and '.' must not start a component or be at the end. */ 718 if (component == 0 || CBS_len(&hostname) == 0) { 719 if (c == '-' || c == '.') 720 return 0; 721 } 722 if (c == '.') { 723 /* Components can not end with a dash. */ 724 if (prev == '-') 725 return 0; 726 /* Start new component */ 727 component = 0; 728 continue; 729 } 730 /* Components must be 63 chars or less. */ 731 if (++component > 63) 732 return 0; 733 } 734 735 return 1; 736} 737 738static int 739tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 740{ 741 CBS server_name_list, host_name; 742 uint8_t name_type; 743 int is_ip; 744 745 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 746 goto err; 747 748 if (!CBS_get_u8(&server_name_list, &name_type)) 749 goto err; 750 751 /* 752 * RFC 6066 section 3, only one type (host_name) is specified. 753 * We do not tolerate unknown types, neither does BoringSSL. 754 * other implementations appear more tolerant. 755 */ 756 if (name_type != TLSEXT_NAMETYPE_host_name) { 757 *alert = SSL_AD_ILLEGAL_PARAMETER; 758 goto err; 759 } 760 761 /* 762 * RFC 6066 section 3 specifies a host name must be at least 1 byte 763 * so 0 length is a decode error. 764 */ 765 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 766 goto err; 767 if (CBS_len(&host_name) < 1) 768 goto err; 769 770 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) { 771 /* 772 * Various pieces of software have been known to set the SNI 773 * host name to an IP address, even though that violates the 774 * RFC. If this is the case, pretend the SNI extension does 775 * not exist. 776 */ 777 if (is_ip) 778 goto done; 779 780 *alert = SSL_AD_ILLEGAL_PARAMETER; 781 goto err; 782 } 783 784 if (s->hit || s->s3->hs.tls13.hrr) { 785 if (s->session->tlsext_hostname == NULL) { 786 *alert = SSL_AD_UNRECOGNIZED_NAME; 787 goto err; 788 } 789 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 790 strlen(s->session->tlsext_hostname))) { 791 *alert = SSL_AD_UNRECOGNIZED_NAME; 792 goto err; 793 } 794 } else { 795 if (s->session->tlsext_hostname != NULL) 796 goto err; 797 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 798 *alert = SSL_AD_INTERNAL_ERROR; 799 goto err; 800 } 801 } 802 803 done: 804 /* 805 * RFC 6066 section 3 forbids multiple host names with the same type, 806 * therefore we allow only one entry. 807 */ 808 if (CBS_len(&server_name_list) != 0) { 809 *alert = SSL_AD_ILLEGAL_PARAMETER; 810 goto err; 811 } 812 813 return 1; 814 815 err: 816 return 0; 817} 818 819static int 820tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 821{ 822 if (s->hit) 823 return 0; 824 825 return (s->session->tlsext_hostname != NULL); 826} 827 828static int 829tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 830{ 831 return 1; 832} 833 834static int 835tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 836{ 837 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 838 *alert = SSL_AD_UNRECOGNIZED_NAME; 839 return 0; 840 } 841 842 if (s->hit) { 843 if (s->session->tlsext_hostname == NULL) { 844 *alert = SSL_AD_UNRECOGNIZED_NAME; 845 return 0; 846 } 847 if (strcmp(s->tlsext_hostname, 848 s->session->tlsext_hostname) != 0) { 849 *alert = SSL_AD_UNRECOGNIZED_NAME; 850 return 0; 851 } 852 } else { 853 if (s->session->tlsext_hostname != NULL) 854 return 0; 855 if ((s->session->tlsext_hostname = 856 strdup(s->tlsext_hostname)) == NULL) { 857 *alert = SSL_AD_INTERNAL_ERROR; 858 return 0; 859 } 860 } 861 862 return 1; 863} 864 865/* 866 * Certificate Status Request - RFC 6066 section 8. 867 */ 868 869static int 870tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 871{ 872 if (msg_type != SSL_TLSEXT_MSG_CH) 873 return 0; 874 875 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 876} 877 878static int 879tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 880{ 881 CBB respid_list, respid, exts; 882 unsigned char *ext_data; 883 size_t ext_len; 884 int i; 885 886 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 887 return 0; 888 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 889 return 0; 890 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 891 unsigned char *respid_data; 892 OCSP_RESPID *id; 893 size_t id_len; 894 895 if ((id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, 896 i)) == NULL) 897 return 0; 898 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 899 return 0; 900 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 901 return 0; 902 if (!CBB_add_space(&respid, &respid_data, id_len)) 903 return 0; 904 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 905 return 0; 906 } 907 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 908 return 0; 909 if ((ext_len = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, 910 NULL)) == -1) 911 return 0; 912 if (!CBB_add_space(&exts, &ext_data, ext_len)) 913 return 0; 914 if ((i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ext_data) != 915 ext_len)) 916 return 0; 917 if (!CBB_flush(cbb)) 918 return 0; 919 return 1; 920} 921 922static int 923tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 924{ 925 int alert_desc = SSL_AD_DECODE_ERROR; 926 CBS respid_list, respid, exts; 927 const unsigned char *p; 928 uint8_t status_type; 929 int ret = 0; 930 931 if (msg_type != SSL_TLSEXT_MSG_CH) 932 goto err; 933 934 if (!CBS_get_u8(cbs, &status_type)) 935 goto err; 936 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 937 /* ignore unknown status types */ 938 s->tlsext_status_type = -1; 939 940 if (!CBS_skip(cbs, CBS_len(cbs))) { 941 *alert = SSL_AD_INTERNAL_ERROR; 942 return 0; 943 } 944 return 1; 945 } 946 s->tlsext_status_type = status_type; 947 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 948 goto err; 949 950 /* XXX */ 951 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); 952 s->tlsext_ocsp_ids = NULL; 953 if (CBS_len(&respid_list) > 0) { 954 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 955 if (s->tlsext_ocsp_ids == NULL) { 956 alert_desc = SSL_AD_INTERNAL_ERROR; 957 goto err; 958 } 959 } 960 961 while (CBS_len(&respid_list) > 0) { 962 OCSP_RESPID *id; 963 964 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 965 goto err; 966 p = CBS_data(&respid); 967 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 968 goto err; 969 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { 970 alert_desc = SSL_AD_INTERNAL_ERROR; 971 OCSP_RESPID_free(id); 972 goto err; 973 } 974 } 975 976 /* Read in request_extensions */ 977 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 978 goto err; 979 if (CBS_len(&exts) > 0) { 980 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 981 X509_EXTENSION_free); 982 p = CBS_data(&exts); 983 if ((s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 984 &p, CBS_len(&exts))) == NULL) 985 goto err; 986 } 987 988 ret = 1; 989 err: 990 if (ret == 0) 991 *alert = alert_desc; 992 return ret; 993} 994 995static int 996tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 997{ 998 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 999 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 1000 s->ctx->tlsext_status_cb != NULL) { 1001 s->tlsext_status_expected = 0; 1002 if (s->ctx->tlsext_status_cb(s, 1003 s->ctx->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 1004 s->tlsext_ocsp_resp_len > 0) 1005 s->tlsext_status_expected = 1; 1006 } 1007 return s->tlsext_status_expected; 1008} 1009 1010static int 1011tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1012{ 1013 CBB ocsp_response; 1014 1015 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1016 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1017 return 0; 1018 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1019 return 0; 1020 if (!CBB_add_bytes(&ocsp_response, 1021 s->tlsext_ocsp_resp, 1022 s->tlsext_ocsp_resp_len)) 1023 return 0; 1024 if (!CBB_flush(cbb)) 1025 return 0; 1026 } 1027 return 1; 1028} 1029 1030static int 1031tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1032{ 1033 uint8_t status_type; 1034 CBS response; 1035 1036 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1037 if (msg_type == SSL_TLSEXT_MSG_CR) { 1038 /* 1039 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1040 * response with an empty status_request. 1041 */ 1042 if (CBS_len(cbs) == 0) 1043 return 1; 1044 1045 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1046 return 0; 1047 } 1048 if (!CBS_get_u8(cbs, &status_type)) { 1049 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1050 return 0; 1051 } 1052 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1053 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1054 return 0; 1055 } 1056 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1057 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1058 return 0; 1059 } 1060 if (CBS_len(&response) > 65536) { 1061 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1062 return 0; 1063 } 1064 if (!CBS_stow(&response, &s->tlsext_ocsp_resp, 1065 &s->tlsext_ocsp_resp_len)) { 1066 *alert = SSL_AD_INTERNAL_ERROR; 1067 return 0; 1068 } 1069 } else { 1070 if (s->tlsext_status_type == -1) { 1071 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1072 return 0; 1073 } 1074 /* Set flag to expect CertificateStatus message */ 1075 s->tlsext_status_expected = 1; 1076 } 1077 return 1; 1078} 1079 1080/* 1081 * SessionTicket extension - RFC 5077 section 3.2 1082 */ 1083static int 1084tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1085{ 1086 /* 1087 * Send session ticket extension when enabled and not overridden. 1088 * 1089 * When renegotiating, send an empty session ticket to indicate support. 1090 */ 1091 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1092 return 0; 1093 1094 if (!ssl_security_tickets(s)) 1095 return 0; 1096 1097 if (s->new_session) 1098 return 1; 1099 1100 if (s->tlsext_session_ticket != NULL && 1101 s->tlsext_session_ticket->data == NULL) 1102 return 0; 1103 1104 return 1; 1105} 1106 1107static int 1108tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1109{ 1110 /* 1111 * Signal that we support session tickets by sending an empty 1112 * extension when renegotiating or no session found. 1113 */ 1114 if (s->new_session || s->session == NULL) 1115 return 1; 1116 1117 if (s->session->tlsext_tick != NULL) { 1118 /* Attempt to resume with an existing session ticket */ 1119 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1120 s->session->tlsext_ticklen)) 1121 return 0; 1122 1123 } else if (s->tlsext_session_ticket != NULL) { 1124 /* 1125 * Attempt to resume with a custom provided session ticket set 1126 * by SSL_set_session_ticket_ext(). 1127 */ 1128 if (s->tlsext_session_ticket->length > 0) { 1129 size_t ticklen = s->tlsext_session_ticket->length; 1130 1131 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1132 return 0; 1133 memcpy(s->session->tlsext_tick, 1134 s->tlsext_session_ticket->data, 1135 ticklen); 1136 s->session->tlsext_ticklen = ticklen; 1137 1138 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1139 s->session->tlsext_ticklen)) 1140 return 0; 1141 } 1142 } 1143 1144 if (!CBB_flush(cbb)) 1145 return 0; 1146 1147 return 1; 1148} 1149 1150static int 1151tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1152 int *alert) 1153{ 1154 if (s->tls_session_ticket_ext_cb) { 1155 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1156 (int)CBS_len(cbs), 1157 s->tls_session_ticket_ext_cb_arg)) { 1158 *alert = SSL_AD_INTERNAL_ERROR; 1159 return 0; 1160 } 1161 } 1162 1163 /* We need to signal that this was processed fully */ 1164 if (!CBS_skip(cbs, CBS_len(cbs))) { 1165 *alert = SSL_AD_INTERNAL_ERROR; 1166 return 0; 1167 } 1168 1169 return 1; 1170} 1171 1172static int 1173tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1174{ 1175 return (s->tlsext_ticket_expected && 1176 !(SSL_get_options(s) & SSL_OP_NO_TICKET) && 1177 ssl_security_tickets(s)); 1178} 1179 1180static int 1181tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1182{ 1183 /* Empty ticket */ 1184 return 1; 1185} 1186 1187static int 1188tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1189 int *alert) 1190{ 1191 if (s->tls_session_ticket_ext_cb) { 1192 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1193 (int)CBS_len(cbs), 1194 s->tls_session_ticket_ext_cb_arg)) { 1195 *alert = SSL_AD_INTERNAL_ERROR; 1196 return 0; 1197 } 1198 } 1199 1200 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1201 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1202 return 0; 1203 } 1204 1205 s->tlsext_ticket_expected = 1; 1206 1207 return 1; 1208} 1209 1210/* 1211 * DTLS extension for SRTP key establishment - RFC 5764 1212 */ 1213 1214#ifndef OPENSSL_NO_SRTP 1215 1216static int 1217tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1218{ 1219 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1220} 1221 1222static int 1223tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1224{ 1225 CBB profiles, mki; 1226 int ct, i; 1227 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1228 const SRTP_PROTECTION_PROFILE *prof; 1229 1230 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1231 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1232 return 0; 1233 } 1234 1235 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1236 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1237 return 0; 1238 } 1239 1240 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1241 return 0; 1242 1243 for (i = 0; i < ct; i++) { 1244 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1245 return 0; 1246 if (!CBB_add_u16(&profiles, prof->id)) 1247 return 0; 1248 } 1249 1250 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1251 return 0; 1252 1253 if (!CBB_flush(cbb)) 1254 return 0; 1255 1256 return 1; 1257} 1258 1259static int 1260tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1261{ 1262 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1263 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1264 int i, j; 1265 int ret; 1266 uint16_t id; 1267 CBS profiles, mki; 1268 1269 ret = 0; 1270 1271 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1272 goto err; 1273 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1274 goto err; 1275 1276 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1277 goto err; 1278 1279 while (CBS_len(&profiles) > 0) { 1280 if (!CBS_get_u16(&profiles, &id)) 1281 goto err; 1282 1283 if (!srtp_find_profile_by_num(id, &cprof)) { 1284 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1285 goto err; 1286 } 1287 } 1288 1289 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1290 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1291 goto done; 1292 } 1293 1294 /* 1295 * Per RFC 5764 section 4.1.1 1296 * 1297 * Find the server preferred profile using the client's list. 1298 * 1299 * The server MUST send a profile if it sends the use_srtp 1300 * extension. If one is not found, it should fall back to the 1301 * negotiated DTLS cipher suite or return a DTLS alert. 1302 */ 1303 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1304 goto err; 1305 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1306 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL) 1307 goto err; 1308 1309 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1310 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1311 == NULL) 1312 goto err; 1313 1314 if (cprof->id == sprof->id) { 1315 s->srtp_profile = sprof; 1316 ret = 1; 1317 goto done; 1318 } 1319 } 1320 } 1321 1322 /* If we didn't find anything, fall back to the negotiated */ 1323 ret = 1; 1324 goto done; 1325 1326 err: 1327 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1328 1329 done: 1330 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1331 return ret; 1332} 1333 1334static int 1335tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1336{ 1337 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1338} 1339 1340static int 1341tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1342{ 1343 SRTP_PROTECTION_PROFILE *profile; 1344 CBB srtp, mki; 1345 1346 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1347 return 0; 1348 1349 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1350 return 0; 1351 1352 if (!CBB_add_u16(&srtp, profile->id)) 1353 return 0; 1354 1355 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1356 return 0; 1357 1358 if (!CBB_flush(cbb)) 1359 return 0; 1360 1361 return 1; 1362} 1363 1364static int 1365tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1366{ 1367 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1368 const SRTP_PROTECTION_PROFILE *prof; 1369 int i; 1370 uint16_t id; 1371 CBS profile_ids, mki; 1372 1373 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1374 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1375 return 0; 1376 } 1377 1378 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1379 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1380 return 0; 1381 } 1382 1383 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1384 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1385 *alert = SSL_AD_ILLEGAL_PARAMETER; 1386 return 0; 1387 } 1388 1389 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1390 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1391 return 0; 1392 } 1393 1394 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1395 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1396 == NULL) { 1397 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1398 return 0; 1399 } 1400 1401 if (prof->id == id) { 1402 s->srtp_profile = prof; 1403 return 1; 1404 } 1405 } 1406 1407 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1408 1409 return 0; 1410} 1411 1412#endif /* OPENSSL_NO_SRTP */ 1413 1414/* 1415 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1416 */ 1417static int 1418tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1419{ 1420 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1421} 1422 1423static int 1424tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1425{ 1426 CBB client_shares, key_exchange; 1427 1428 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1429 return 0; 1430 1431 if (!CBB_add_u16(&client_shares, 1432 tls_key_share_group(s->s3->hs.key_share))) 1433 return 0; 1434 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1435 return 0; 1436 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1437 return 0; 1438 1439 if (!CBB_flush(cbb)) 1440 return 0; 1441 1442 return 1; 1443} 1444 1445static int 1446tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1447{ 1448 CBS client_shares, key_exchange; 1449 int decode_error; 1450 uint16_t group; 1451 1452 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1453 return 0; 1454 1455 while (CBS_len(&client_shares) > 0) { 1456 1457 /* Unpack client share. */ 1458 if (!CBS_get_u16(&client_shares, &group)) 1459 return 0; 1460 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1461 return 0; 1462 1463 /* 1464 * XXX - check key exchange against supported groups from client. 1465 * XXX - check that groups only appear once. 1466 */ 1467 1468 /* 1469 * Ignore this client share if we're using earlier than TLSv1.3 1470 * or we've already selected a key share. 1471 */ 1472 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) 1473 continue; 1474 if (s->s3->hs.key_share != NULL) 1475 continue; 1476 1477 /* XXX - consider implementing server preference. */ 1478 if (!tls1_check_group(s, group)) 1479 continue; 1480 1481 /* Decode and store the selected key share. */ 1482 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1483 *alert = SSL_AD_INTERNAL_ERROR; 1484 return 0; 1485 } 1486 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1487 &key_exchange, &decode_error, NULL)) { 1488 if (!decode_error) 1489 *alert = SSL_AD_INTERNAL_ERROR; 1490 return 0; 1491 } 1492 } 1493 1494 return 1; 1495} 1496 1497static int 1498tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1499{ 1500 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1501 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1502} 1503 1504static int 1505tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1506{ 1507 CBB key_exchange; 1508 1509 /* In the case of a HRR, we only send the server selected group. */ 1510 if (s->s3->hs.tls13.hrr) { 1511 if (s->s3->hs.tls13.server_group == 0) 1512 return 0; 1513 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group); 1514 } 1515 1516 if (s->s3->hs.key_share == NULL) 1517 return 0; 1518 1519 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share))) 1520 return 0; 1521 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1522 return 0; 1523 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1524 return 0; 1525 1526 if (!CBB_flush(cbb)) 1527 return 0; 1528 1529 return 1; 1530} 1531 1532static int 1533tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1534{ 1535 CBS key_exchange; 1536 int decode_error; 1537 uint16_t group; 1538 1539 /* Unpack server share. */ 1540 if (!CBS_get_u16(cbs, &group)) 1541 return 0; 1542 1543 if (CBS_len(cbs) == 0) { 1544 /* HRR does not include an actual key share, only the group. */ 1545 if (msg_type != SSL_TLSEXT_MSG_HRR) 1546 return 0; 1547 1548 s->s3->hs.tls13.server_group = group; 1549 return 1; 1550 } 1551 1552 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1553 return 0; 1554 1555 if (s->s3->hs.key_share == NULL) { 1556 *alert = SSL_AD_INTERNAL_ERROR; 1557 return 0; 1558 } 1559 if (tls_key_share_group(s->s3->hs.key_share) != group) { 1560 *alert = SSL_AD_INTERNAL_ERROR; 1561 return 0; 1562 } 1563 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1564 &key_exchange, &decode_error, NULL)) { 1565 if (!decode_error) 1566 *alert = SSL_AD_INTERNAL_ERROR; 1567 return 0; 1568 } 1569 1570 return 1; 1571} 1572 1573/* 1574 * Supported Versions - RFC 8446 section 4.2.1. 1575 */ 1576static int 1577tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1578{ 1579 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1580} 1581 1582static int 1583tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1584{ 1585 uint16_t max, min; 1586 uint16_t version; 1587 CBB versions; 1588 1589 max = s->s3->hs.our_max_tls_version; 1590 min = s->s3->hs.our_min_tls_version; 1591 1592 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1593 return 0; 1594 1595 /* XXX - fix, but contiguous for now... */ 1596 for (version = max; version >= min; version--) { 1597 if (!CBB_add_u16(&versions, version)) 1598 return 0; 1599 } 1600 1601 if (!CBB_flush(cbb)) 1602 return 0; 1603 1604 return 1; 1605} 1606 1607static int 1608tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1609{ 1610 CBS versions; 1611 uint16_t version; 1612 uint16_t max, min; 1613 uint16_t matched_version = 0; 1614 1615 max = s->s3->hs.our_max_tls_version; 1616 min = s->s3->hs.our_min_tls_version; 1617 1618 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1619 return 0; 1620 1621 while (CBS_len(&versions) > 0) { 1622 if (!CBS_get_u16(&versions, &version)) 1623 return 0; 1624 /* 1625 * XXX What is below implements client preference, and 1626 * ignores any server preference entirely. 1627 */ 1628 if (matched_version == 0 && version >= min && version <= max) 1629 matched_version = version; 1630 } 1631 1632 if (matched_version > 0) { 1633 /* XXX - this should be stored for later processing. */ 1634 s->version = matched_version; 1635 return 1; 1636 } 1637 1638 *alert = SSL_AD_PROTOCOL_VERSION; 1639 return 0; 1640} 1641 1642static int 1643tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1644{ 1645 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 1646} 1647 1648static int 1649tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1650{ 1651 return CBB_add_u16(cbb, TLS1_3_VERSION); 1652} 1653 1654static int 1655tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1656{ 1657 uint16_t selected_version; 1658 1659 if (!CBS_get_u16(cbs, &selected_version)) 1660 return 0; 1661 1662 /* XXX - need to fix for DTLS 1.3 */ 1663 if (selected_version < TLS1_3_VERSION) { 1664 *alert = SSL_AD_ILLEGAL_PARAMETER; 1665 return 0; 1666 } 1667 1668 /* XXX test between min and max once initialization code goes in */ 1669 s->s3->hs.tls13.server_version = selected_version; 1670 1671 return 1; 1672} 1673 1674 1675/* 1676 * Cookie - RFC 8446 section 4.2.2. 1677 */ 1678 1679static int 1680tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1681{ 1682 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1683 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1684} 1685 1686static int 1687tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1688{ 1689 CBB cookie; 1690 1691 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1692 return 0; 1693 1694 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1695 s->s3->hs.tls13.cookie_len)) 1696 return 0; 1697 1698 if (!CBB_flush(cbb)) 1699 return 0; 1700 1701 return 1; 1702} 1703 1704static int 1705tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1706{ 1707 CBS cookie; 1708 1709 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1710 return 0; 1711 1712 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len) 1713 return 0; 1714 1715 /* 1716 * Check provided cookie value against what server previously 1717 * sent - client *MUST* send the same cookie with new CR after 1718 * a cookie is sent by the server with an HRR. 1719 */ 1720 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie, 1721 s->s3->hs.tls13.cookie_len)) { 1722 /* XXX special cookie mismatch alert? */ 1723 *alert = SSL_AD_ILLEGAL_PARAMETER; 1724 return 0; 1725 } 1726 1727 return 1; 1728} 1729 1730static int 1731tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1732{ 1733 /* 1734 * Server needs to set cookie value in tls13 handshake 1735 * in order to send one, should only be sent with HRR. 1736 */ 1737 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1738 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1739} 1740 1741static int 1742tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1743{ 1744 CBB cookie; 1745 1746 /* XXX deduplicate with client code */ 1747 1748 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1749 return 0; 1750 1751 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1752 s->s3->hs.tls13.cookie_len)) 1753 return 0; 1754 1755 if (!CBB_flush(cbb)) 1756 return 0; 1757 1758 return 1; 1759} 1760 1761static int 1762tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1763{ 1764 CBS cookie; 1765 1766 /* 1767 * XXX This currently assumes we will not get a second 1768 * HRR from a server with a cookie to process after accepting 1769 * one from the server in the same handshake 1770 */ 1771 if (s->s3->hs.tls13.cookie != NULL || 1772 s->s3->hs.tls13.cookie_len != 0) { 1773 *alert = SSL_AD_ILLEGAL_PARAMETER; 1774 return 0; 1775 } 1776 1777 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1778 return 0; 1779 1780 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie, 1781 &s->s3->hs.tls13.cookie_len)) 1782 return 0; 1783 1784 return 1; 1785} 1786 1787/* 1788 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9. 1789 */ 1790 1791static int 1792tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type) 1793{ 1794 return (s->s3->hs.tls13.use_psk_dhe_ke && 1795 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1796} 1797 1798static int 1799tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1800{ 1801 CBB ke_modes; 1802 1803 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes)) 1804 return 0; 1805 1806 /* Only indicate support for PSK with DHE key establishment. */ 1807 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE)) 1808 return 0; 1809 1810 if (!CBB_flush(cbb)) 1811 return 0; 1812 1813 return 1; 1814} 1815 1816static int 1817tlsext_psk_kex_modes_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1818 int *alert) 1819{ 1820 CBS ke_modes; 1821 uint8_t ke_mode; 1822 1823 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes)) 1824 return 0; 1825 1826 while (CBS_len(&ke_modes) > 0) { 1827 if (!CBS_get_u8(&ke_modes, &ke_mode)) 1828 return 0; 1829 1830 if (ke_mode == TLS13_PSK_DHE_KE) 1831 s->s3->hs.tls13.use_psk_dhe_ke = 1; 1832 } 1833 1834 return 1; 1835} 1836 1837static int 1838tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type) 1839{ 1840 /* Servers MUST NOT send this extension. */ 1841 return 0; 1842} 1843 1844static int 1845tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1846{ 1847 return 0; 1848} 1849 1850static int 1851tlsext_psk_kex_modes_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1852 int *alert) 1853{ 1854 return 0; 1855} 1856 1857/* 1858 * Pre-Shared Key Extension - RFC 8446, 4.2.11 1859 */ 1860 1861static int 1862tlsext_psk_client_needs(SSL *s, uint16_t msg_type) 1863{ 1864 return 0; 1865} 1866 1867static int 1868tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1869{ 1870 return 0; 1871} 1872 1873static int 1874tlsext_psk_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1875{ 1876 return CBS_skip(cbs, CBS_len(cbs)); 1877} 1878 1879static int 1880tlsext_psk_server_needs(SSL *s, uint16_t msg_type) 1881{ 1882 return 0; 1883} 1884 1885static int 1886tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1887{ 1888 return 0; 1889} 1890 1891static int 1892tlsext_psk_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1893{ 1894 return CBS_skip(cbs, CBS_len(cbs)); 1895} 1896 1897/* 1898 * QUIC transport parameters extension - RFC 9001 section 8.2. 1899 */ 1900 1901static int 1902tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type) 1903{ 1904 return SSL_is_quic(s) && s->quic_transport_params_len > 0; 1905} 1906 1907static int 1908tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type, 1909 CBB *cbb) 1910{ 1911 if (!CBB_add_bytes(cbb, s->quic_transport_params, 1912 s->quic_transport_params_len)) 1913 return 0; 1914 1915 return 1; 1916} 1917 1918static int 1919tlsext_quic_transport_parameters_client_parse(SSL *s, uint16_t msg_type, 1920 CBS *cbs, int *alert) 1921{ 1922 if (!SSL_is_quic(s)) { 1923 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1924 return 0; 1925 } 1926 1927 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 1928 &s->s3->peer_quic_transport_params_len)) 1929 return 0; 1930 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 1931 return 0; 1932 1933 return 1; 1934} 1935 1936static int 1937tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type) 1938{ 1939 return SSL_is_quic(s) && s->quic_transport_params_len > 0; 1940} 1941 1942static int 1943tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type, 1944 CBB *cbb) 1945{ 1946 if (!CBB_add_bytes(cbb, s->quic_transport_params, 1947 s->quic_transport_params_len)) 1948 return 0; 1949 1950 return 1; 1951} 1952 1953static int 1954tlsext_quic_transport_parameters_server_parse(SSL *s, uint16_t msg_type, 1955 CBS *cbs, int *alert) 1956{ 1957 if (!SSL_is_quic(s)) { 1958 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1959 return 0; 1960 } 1961 1962 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 1963 &s->s3->peer_quic_transport_params_len)) 1964 return 0; 1965 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 1966 return 0; 1967 1968 return 1; 1969} 1970 1971struct tls_extension_funcs { 1972 int (*needs)(SSL *s, uint16_t msg_type); 1973 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 1974 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 1975}; 1976 1977struct tls_extension { 1978 uint16_t type; 1979 uint16_t messages; 1980 struct tls_extension_funcs client; 1981 struct tls_extension_funcs server; 1982}; 1983 1984static const struct tls_extension tls_extensions[] = { 1985 { 1986 .type = TLSEXT_TYPE_supported_versions, 1987 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1988 SSL_TLSEXT_MSG_HRR, 1989 .client = { 1990 .needs = tlsext_versions_client_needs, 1991 .build = tlsext_versions_client_build, 1992 .parse = tlsext_versions_client_parse, 1993 }, 1994 .server = { 1995 .needs = tlsext_versions_server_needs, 1996 .build = tlsext_versions_server_build, 1997 .parse = tlsext_versions_server_parse, 1998 }, 1999 }, 2000 { 2001 .type = TLSEXT_TYPE_key_share, 2002 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2003 SSL_TLSEXT_MSG_HRR, 2004 .client = { 2005 .needs = tlsext_keyshare_client_needs, 2006 .build = tlsext_keyshare_client_build, 2007 .parse = tlsext_keyshare_client_parse, 2008 }, 2009 .server = { 2010 .needs = tlsext_keyshare_server_needs, 2011 .build = tlsext_keyshare_server_build, 2012 .parse = tlsext_keyshare_server_parse, 2013 }, 2014 }, 2015 { 2016 .type = TLSEXT_TYPE_server_name, 2017 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2018 .client = { 2019 .needs = tlsext_sni_client_needs, 2020 .build = tlsext_sni_client_build, 2021 .parse = tlsext_sni_client_parse, 2022 }, 2023 .server = { 2024 .needs = tlsext_sni_server_needs, 2025 .build = tlsext_sni_server_build, 2026 .parse = tlsext_sni_server_parse, 2027 }, 2028 }, 2029 { 2030 .type = TLSEXT_TYPE_renegotiate, 2031 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2032 .client = { 2033 .needs = tlsext_ri_client_needs, 2034 .build = tlsext_ri_client_build, 2035 .parse = tlsext_ri_client_parse, 2036 }, 2037 .server = { 2038 .needs = tlsext_ri_server_needs, 2039 .build = tlsext_ri_server_build, 2040 .parse = tlsext_ri_server_parse, 2041 }, 2042 }, 2043 { 2044 .type = TLSEXT_TYPE_status_request, 2045 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 2046 SSL_TLSEXT_MSG_CT, 2047 .client = { 2048 .needs = tlsext_ocsp_client_needs, 2049 .build = tlsext_ocsp_client_build, 2050 .parse = tlsext_ocsp_client_parse, 2051 }, 2052 .server = { 2053 .needs = tlsext_ocsp_server_needs, 2054 .build = tlsext_ocsp_server_build, 2055 .parse = tlsext_ocsp_server_parse, 2056 }, 2057 }, 2058 { 2059 .type = TLSEXT_TYPE_ec_point_formats, 2060 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2061 .client = { 2062 .needs = tlsext_ecpf_client_needs, 2063 .build = tlsext_ecpf_client_build, 2064 .parse = tlsext_ecpf_client_parse, 2065 }, 2066 .server = { 2067 .needs = tlsext_ecpf_server_needs, 2068 .build = tlsext_ecpf_server_build, 2069 .parse = tlsext_ecpf_server_parse, 2070 }, 2071 }, 2072 { 2073 .type = TLSEXT_TYPE_supported_groups, 2074 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2075 .client = { 2076 .needs = tlsext_supportedgroups_client_needs, 2077 .build = tlsext_supportedgroups_client_build, 2078 .parse = tlsext_supportedgroups_client_parse, 2079 }, 2080 .server = { 2081 .needs = tlsext_supportedgroups_server_needs, 2082 .build = tlsext_supportedgroups_server_build, 2083 .parse = tlsext_supportedgroups_server_parse, 2084 }, 2085 }, 2086 { 2087 .type = TLSEXT_TYPE_session_ticket, 2088 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2089 .client = { 2090 .needs = tlsext_sessionticket_client_needs, 2091 .build = tlsext_sessionticket_client_build, 2092 .parse = tlsext_sessionticket_client_parse, 2093 }, 2094 .server = { 2095 .needs = tlsext_sessionticket_server_needs, 2096 .build = tlsext_sessionticket_server_build, 2097 .parse = tlsext_sessionticket_server_parse, 2098 }, 2099 }, 2100 { 2101 .type = TLSEXT_TYPE_signature_algorithms, 2102 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 2103 .client = { 2104 .needs = tlsext_sigalgs_client_needs, 2105 .build = tlsext_sigalgs_client_build, 2106 .parse = tlsext_sigalgs_client_parse, 2107 }, 2108 .server = { 2109 .needs = tlsext_sigalgs_server_needs, 2110 .build = tlsext_sigalgs_server_build, 2111 .parse = tlsext_sigalgs_server_parse, 2112 }, 2113 }, 2114 { 2115 .type = TLSEXT_TYPE_alpn, 2116 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2117 .client = { 2118 .needs = tlsext_alpn_client_needs, 2119 .build = tlsext_alpn_client_build, 2120 .parse = tlsext_alpn_client_parse, 2121 }, 2122 .server = { 2123 .needs = tlsext_alpn_server_needs, 2124 .build = tlsext_alpn_server_build, 2125 .parse = tlsext_alpn_server_parse, 2126 }, 2127 }, 2128 { 2129 .type = TLSEXT_TYPE_cookie, 2130 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 2131 .client = { 2132 .needs = tlsext_cookie_client_needs, 2133 .build = tlsext_cookie_client_build, 2134 .parse = tlsext_cookie_client_parse, 2135 }, 2136 .server = { 2137 .needs = tlsext_cookie_server_needs, 2138 .build = tlsext_cookie_server_build, 2139 .parse = tlsext_cookie_server_parse, 2140 }, 2141 }, 2142#ifndef OPENSSL_NO_SRTP 2143 { 2144 .type = TLSEXT_TYPE_use_srtp, 2145 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 2146 SSL_TLSEXT_MSG_EE, 2147 .client = { 2148 .needs = tlsext_srtp_client_needs, 2149 .build = tlsext_srtp_client_build, 2150 .parse = tlsext_srtp_client_parse, 2151 }, 2152 .server = { 2153 .needs = tlsext_srtp_server_needs, 2154 .build = tlsext_srtp_server_build, 2155 .parse = tlsext_srtp_server_parse, 2156 }, 2157 }, 2158#endif /* OPENSSL_NO_SRTP */ 2159 { 2160 .type = TLSEXT_TYPE_quic_transport_parameters, 2161 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2162 .client = { 2163 .needs = tlsext_quic_transport_parameters_client_needs, 2164 .build = tlsext_quic_transport_parameters_client_build, 2165 .parse = tlsext_quic_transport_parameters_client_parse, 2166 }, 2167 .server = { 2168 .needs = tlsext_quic_transport_parameters_server_needs, 2169 .build = tlsext_quic_transport_parameters_server_build, 2170 .parse = tlsext_quic_transport_parameters_server_parse, 2171 }, 2172 }, 2173 { 2174 .type = TLSEXT_TYPE_psk_key_exchange_modes, 2175 .messages = SSL_TLSEXT_MSG_CH, 2176 .client = { 2177 .needs = tlsext_psk_kex_modes_client_needs, 2178 .build = tlsext_psk_kex_modes_client_build, 2179 .parse = tlsext_psk_kex_modes_client_parse, 2180 }, 2181 .server = { 2182 .needs = tlsext_psk_kex_modes_server_needs, 2183 .build = tlsext_psk_kex_modes_server_build, 2184 .parse = tlsext_psk_kex_modes_server_parse, 2185 }, 2186 }, 2187 { 2188 .type = TLSEXT_TYPE_pre_shared_key, 2189 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2190 .client = { 2191 .needs = tlsext_psk_client_needs, 2192 .build = tlsext_psk_client_build, 2193 .parse = tlsext_psk_client_parse, 2194 }, 2195 .server = { 2196 .needs = tlsext_psk_server_needs, 2197 .build = tlsext_psk_server_build, 2198 .parse = tlsext_psk_server_parse, 2199 }, 2200 }, 2201}; 2202 2203#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 2204 2205/* Ensure that extensions fit in a uint32_t bitmask. */ 2206CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2207 2208uint16_t 2209tls_extension_type(const struct tls_extension *extension) 2210{ 2211 return extension->type; 2212} 2213 2214const struct tls_extension * 2215tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2216{ 2217 size_t i; 2218 2219 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2220 if (tls_extensions[i].type == type) { 2221 *tls_extensions_idx = i; 2222 return &tls_extensions[i]; 2223 } 2224 } 2225 2226 return NULL; 2227} 2228 2229int 2230tlsext_extension_seen(SSL *s, uint16_t type) 2231{ 2232 size_t idx; 2233 2234 if (tls_extension_find(type, &idx) == NULL) 2235 return 0; 2236 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0); 2237} 2238 2239const struct tls_extension_funcs * 2240tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2241{ 2242 if (is_server) 2243 return &tlsext->server; 2244 2245 return &tlsext->client; 2246} 2247 2248int 2249tlsext_randomize_build_order(SSL *s) 2250{ 2251 const struct tls_extension *psk_ext; 2252 size_t idx, new_idx, psk_idx; 2253 size_t alpn_idx = 0, sni_idx = 0; 2254 2255 free(s->tlsext_build_order); 2256 s->tlsext_build_order_len = 0; 2257 2258 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), 2259 N_TLS_EXTENSIONS)) == NULL) 2260 return 0; 2261 s->tlsext_build_order_len = N_TLS_EXTENSIONS; 2262 2263 /* RFC 8446, section 4.2 - PSK MUST be the last extension in the CH. */ 2264 if ((psk_ext = tls_extension_find(TLSEXT_TYPE_pre_shared_key, 2265 &psk_idx)) == NULL) 2266 return 0; 2267 s->tlsext_build_order[N_TLS_EXTENSIONS - 1] = psk_ext; 2268 2269 /* Fisher-Yates shuffle with PSK fixed. */ 2270 for (idx = 0; idx < psk_idx; idx++) { 2271 new_idx = arc4random_uniform(idx + 1); 2272 s->tlsext_build_order[idx] = s->tlsext_build_order[new_idx]; 2273 s->tlsext_build_order[new_idx] = &tls_extensions[idx]; 2274 } 2275 2276 /* 2277 * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN 2278 * for clients so that virtual host setups work correctly. 2279 */ 2280 2281 if (s->server) 2282 return 1; 2283 2284 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { 2285 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn) 2286 alpn_idx = idx; 2287 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name) 2288 sni_idx = idx; 2289 } 2290 if (alpn_idx < sni_idx) { 2291 const struct tls_extension *tmp; 2292 2293 tmp = s->tlsext_build_order[alpn_idx]; 2294 s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx]; 2295 s->tlsext_build_order[sni_idx] = tmp; 2296 } 2297 2298 return 1; 2299} 2300 2301int 2302tlsext_linearize_build_order(SSL *s) 2303{ 2304 size_t idx; 2305 2306 free(s->tlsext_build_order); 2307 s->tlsext_build_order_len = 0; 2308 2309 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), 2310 N_TLS_EXTENSIONS)) == NULL) 2311 return 0; 2312 s->tlsext_build_order_len = N_TLS_EXTENSIONS; 2313 2314 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) 2315 s->tlsext_build_order[idx] = &tls_extensions[idx]; 2316 2317 return 1; 2318} 2319 2320static int 2321tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2322{ 2323 const struct tls_extension_funcs *ext; 2324 const struct tls_extension *tlsext; 2325 CBB extensions, extension_data; 2326 int extensions_present = 0; 2327 uint16_t tls_version; 2328 size_t i; 2329 2330 tls_version = ssl_effective_tls_version(s); 2331 2332 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2333 return 0; 2334 2335 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2336 tlsext = s->tlsext_build_order[i]; 2337 ext = tlsext_funcs(tlsext, is_server); 2338 2339 /* RFC 8446 Section 4.2 */ 2340 if (tls_version >= TLS1_3_VERSION && 2341 !(tlsext->messages & msg_type)) 2342 continue; 2343 2344 if (!ext->needs(s, msg_type)) 2345 continue; 2346 2347 if (!CBB_add_u16(&extensions, tlsext->type)) 2348 return 0; 2349 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2350 return 0; 2351 2352 if (!ext->build(s, msg_type, &extension_data)) 2353 return 0; 2354 2355 extensions_present = 1; 2356 } 2357 2358 if (!extensions_present && 2359 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2360 CBB_discard_child(cbb); 2361 2362 if (!CBB_flush(cbb)) 2363 return 0; 2364 2365 return 1; 2366} 2367 2368int 2369tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2370{ 2371 /* 2372 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2373 * cookie may be added, padding may be removed. 2374 */ 2375 struct tls13_ctx *ctx = s->tls13; 2376 2377 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2378 type == TLSEXT_TYPE_padding) 2379 return 1; 2380 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2381 sizeof(type))) 2382 return 0; 2383 /* 2384 * key_share data may be changed, and pre_shared_key data may 2385 * be changed 2386 */ 2387 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2388 return 1; 2389 if (!tls13_clienthello_hash_update(ctx, cbs)) 2390 return 0; 2391 2392 return 1; 2393} 2394 2395static int 2396tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2397{ 2398 const struct tls_extension_funcs *ext; 2399 const struct tls_extension *tlsext; 2400 CBS extensions, extension_data; 2401 uint16_t type; 2402 size_t idx; 2403 uint16_t tls_version; 2404 int alert_desc; 2405 2406 tls_version = ssl_effective_tls_version(s); 2407 2408 s->s3->hs.extensions_seen = 0; 2409 2410 /* An empty extensions block is valid. */ 2411 if (CBS_len(cbs) == 0) 2412 return 1; 2413 2414 alert_desc = SSL_AD_DECODE_ERROR; 2415 2416 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2417 goto err; 2418 2419 while (CBS_len(&extensions) > 0) { 2420 if (!CBS_get_u16(&extensions, &type)) 2421 goto err; 2422 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2423 goto err; 2424 2425 if (s->tlsext_debug_cb != NULL) 2426 s->tlsext_debug_cb(s, !is_server, type, 2427 (unsigned char *)CBS_data(&extension_data), 2428 CBS_len(&extension_data), 2429 s->tlsext_debug_arg); 2430 2431 /* Unknown extensions are ignored. */ 2432 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2433 continue; 2434 2435 if (tls_version >= TLS1_3_VERSION && is_server && 2436 msg_type == SSL_TLSEXT_MSG_CH) { 2437 if (!tlsext_clienthello_hash_extension(s, type, 2438 &extension_data)) 2439 goto err; 2440 } 2441 2442 /* RFC 8446 Section 4.2 */ 2443 if (tls_version >= TLS1_3_VERSION && 2444 !(tlsext->messages & msg_type)) { 2445 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2446 goto err; 2447 } 2448 2449 /* Check for duplicate known extensions. */ 2450 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0) 2451 goto err; 2452 s->s3->hs.extensions_seen |= (1 << idx); 2453 2454 ext = tlsext_funcs(tlsext, is_server); 2455 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2456 goto err; 2457 2458 if (CBS_len(&extension_data) != 0) 2459 goto err; 2460 } 2461 2462 return 1; 2463 2464 err: 2465 *alert = alert_desc; 2466 2467 return 0; 2468} 2469 2470static void 2471tlsext_server_reset_state(SSL *s) 2472{ 2473 s->tlsext_status_type = -1; 2474 s->s3->renegotiate_seen = 0; 2475 free(s->s3->alpn_selected); 2476 s->s3->alpn_selected = NULL; 2477 s->s3->alpn_selected_len = 0; 2478 s->srtp_profile = NULL; 2479} 2480 2481int 2482tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2483{ 2484 return tlsext_build(s, 1, msg_type, cbb); 2485} 2486 2487int 2488tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2489{ 2490 /* XXX - this should be done by the caller... */ 2491 if (msg_type == SSL_TLSEXT_MSG_CH) 2492 tlsext_server_reset_state(s); 2493 2494 return tlsext_parse(s, 1, msg_type, cbs, alert); 2495} 2496 2497static void 2498tlsext_client_reset_state(SSL *s) 2499{ 2500 s->s3->renegotiate_seen = 0; 2501 free(s->s3->alpn_selected); 2502 s->s3->alpn_selected = NULL; 2503 s->s3->alpn_selected_len = 0; 2504} 2505 2506int 2507tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2508{ 2509 return tlsext_build(s, 0, msg_type, cbb); 2510} 2511 2512int 2513tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2514{ 2515 /* XXX - this should be done by the caller... */ 2516 if (msg_type == SSL_TLSEXT_MSG_SH) 2517 tlsext_client_reset_state(s); 2518 2519 return tlsext_parse(s, 0, msg_type, cbs, alert); 2520} 2521