ssl_tlsext.c revision 1.149
1/* $OpenBSD: ssl_tlsext.c,v 1.149 2024/04/16 17:46:30 tb Exp $ */ 2/* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019, 2024 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20#include <sys/socket.h> 21 22#include <arpa/inet.h> 23#include <netinet/in.h> 24 25#include <ctype.h> 26 27#include <openssl/ocsp.h> 28#include <openssl/opensslconf.h> 29 30#include "bytestring.h" 31#include "ssl_local.h" 32#include "ssl_sigalgs.h" 33#include "ssl_tlsext.h" 34 35#define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation 36#define TLSEXT_MAX_SUPPORTED_GROUPS 64 37 38/* 39 * Supported Application-Layer Protocol Negotiation - RFC 7301 40 */ 41 42static int 43tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 44{ 45 /* ALPN protos have been specified and this is the initial handshake */ 46 return s->alpn_client_proto_list != NULL && 47 s->s3->hs.finished_len == 0; 48} 49 50static int 51tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 52{ 53 CBB protolist; 54 55 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 56 return 0; 57 58 if (!CBB_add_bytes(&protolist, s->alpn_client_proto_list, 59 s->alpn_client_proto_list_len)) 60 return 0; 61 62 if (!CBB_flush(cbb)) 63 return 0; 64 65 return 1; 66} 67 68int 69tlsext_alpn_check_format(CBS *cbs) 70{ 71 CBS proto_name_list; 72 73 if (CBS_len(cbs) == 0) 74 return 0; 75 76 CBS_dup(cbs, &proto_name_list); 77 while (CBS_len(&proto_name_list) > 0) { 78 CBS proto_name; 79 80 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 81 return 0; 82 if (CBS_len(&proto_name) == 0) 83 return 0; 84 } 85 86 return 1; 87} 88 89static int 90tlsext_alpn_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 91{ 92 CBS alpn, selected_cbs; 93 const unsigned char *selected; 94 unsigned char selected_len; 95 int r; 96 97 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 98 return 0; 99 if (!tlsext_alpn_check_format(&alpn)) 100 return 0; 101 102 if (s->ctx->alpn_select_cb == NULL) 103 return 1; 104 105 /* 106 * XXX - A few things should be considered here: 107 * 1. Ensure that the same protocol is selected on session resumption. 108 * 2. Should the callback be called even if no ALPN extension was sent? 109 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 110 */ 111 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 112 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); 113 114 if (r == SSL_TLSEXT_ERR_OK) { 115 CBS_init(&selected_cbs, selected, selected_len); 116 117 if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected, 118 &s->s3->alpn_selected_len)) { 119 *alert = SSL_AD_INTERNAL_ERROR; 120 return 0; 121 } 122 123 return 1; 124 } 125 126 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 127 if (r == SSL_TLSEXT_ERR_NOACK) 128 return 1; 129 130 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 131 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 132 133 return 0; 134} 135 136static int 137tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 138{ 139 return s->s3->alpn_selected != NULL; 140} 141 142static int 143tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 144{ 145 CBB list, selected; 146 147 if (!CBB_add_u16_length_prefixed(cbb, &list)) 148 return 0; 149 150 if (!CBB_add_u8_length_prefixed(&list, &selected)) 151 return 0; 152 153 if (!CBB_add_bytes(&selected, s->s3->alpn_selected, 154 s->s3->alpn_selected_len)) 155 return 0; 156 157 if (!CBB_flush(cbb)) 158 return 0; 159 160 return 1; 161} 162 163static int 164tlsext_alpn_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 165{ 166 CBS list, proto; 167 168 if (s->alpn_client_proto_list == NULL) { 169 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 170 return 0; 171 } 172 173 if (!CBS_get_u16_length_prefixed(cbs, &list)) 174 return 0; 175 176 if (!CBS_get_u8_length_prefixed(&list, &proto)) 177 return 0; 178 179 if (CBS_len(&list) != 0) 180 return 0; 181 if (CBS_len(&proto) == 0) 182 return 0; 183 184 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len)) 185 return 0; 186 187 return 1; 188} 189 190/* 191 * Supported Groups - RFC 7919 section 2 192 */ 193static int 194tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 195{ 196 return ssl_has_ecc_ciphers(s) || 197 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 198} 199 200static int 201tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 202{ 203 const uint16_t *groups; 204 size_t groups_len; 205 CBB grouplist; 206 int i; 207 208 tls1_get_group_list(s, 0, &groups, &groups_len); 209 if (groups_len == 0) { 210 SSLerror(s, ERR_R_INTERNAL_ERROR); 211 return 0; 212 } 213 214 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 215 return 0; 216 217 for (i = 0; i < groups_len; i++) { 218 if (!ssl_security_supported_group(s, groups[i])) 219 continue; 220 if (!CBB_add_u16(&grouplist, groups[i])) 221 return 0; 222 } 223 224 if (!CBB_flush(cbb)) 225 return 0; 226 227 return 1; 228} 229 230static int 231tlsext_supportedgroups_server_process(SSL *s, uint16_t msg_type, CBS *cbs, 232 int *alert) 233{ 234 uint16_t *groups = NULL; 235 size_t groups_len; 236 CBS grouplist; 237 int i, j; 238 int ret = 0; 239 240 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 241 goto err; 242 243 groups_len = CBS_len(&grouplist); 244 if (groups_len == 0 || groups_len % 2 != 0) 245 goto err; 246 groups_len /= 2; 247 248 if (groups_len > TLSEXT_MAX_SUPPORTED_GROUPS) 249 goto err; 250 251 if (s->hit) 252 goto done; 253 254 if (s->s3->hs.tls13.hrr) { 255 if (s->session->tlsext_supportedgroups == NULL) { 256 *alert = SSL_AD_HANDSHAKE_FAILURE; 257 return 0; 258 } 259 260 /* 261 * The ClientHello extension hashing ensures that the client 262 * did not change its list of supported groups. 263 */ 264 265 goto done; 266 } 267 268 if (s->session->tlsext_supportedgroups != NULL) 269 goto err; /* XXX internal error? */ 270 271 if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) { 272 *alert = SSL_AD_INTERNAL_ERROR; 273 goto err; 274 } 275 276 for (i = 0; i < groups_len; i++) { 277 if (!CBS_get_u16(&grouplist, &groups[i])) 278 goto err; 279 /* 280 * Do not allow duplicate groups to be sent. This is not 281 * currently specified in RFC 8446 or earlier, but there is no 282 * legitimate justification for this to occur in TLS 1.2 or TLS 283 * 1.3. 284 */ 285 for (j = 0; j < i; j++) { 286 if (groups[i] == groups[j]) { 287 *alert = SSL_AD_ILLEGAL_PARAMETER; 288 goto err; 289 } 290 } 291 } 292 293 if (CBS_len(&grouplist) != 0) 294 goto err; 295 296 s->session->tlsext_supportedgroups = groups; 297 s->session->tlsext_supportedgroups_length = groups_len; 298 groups = NULL; 299 300 301 done: 302 ret = 1; 303 304 err: 305 free(groups); 306 307 return ret; 308} 309 310/* This extension is never used by the server. */ 311static int 312tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 313{ 314 return 0; 315} 316 317static int 318tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 319{ 320 return 0; 321} 322 323static int 324tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs, 325 int *alert) 326{ 327 /* 328 * This extension is only allowed in TLSv1.3 encrypted extensions. 329 * It is not permitted in a ServerHello in any version of TLS. 330 */ 331 if (msg_type != SSL_TLSEXT_MSG_EE) 332 return 0; 333 334 /* 335 * RFC 8446, section 4.2.7: TLSv1.3 servers can send this extension but 336 * clients must not act on it during the handshake. This allows servers 337 * to advertise their preferences for subsequent handshakes. We ignore 338 * this complication. 339 */ 340 if (!CBS_skip(cbs, CBS_len(cbs))) { 341 *alert = SSL_AD_INTERNAL_ERROR; 342 return 0; 343 } 344 345 return 1; 346} 347 348/* 349 * Supported Point Formats Extension - RFC 4492 section 5.1.2 350 */ 351static int 352tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 353{ 354 CBB ecpf; 355 size_t formats_len; 356 const uint8_t *formats; 357 358 tls1_get_formatlist(s, 0, &formats, &formats_len); 359 360 if (formats_len == 0) { 361 SSLerror(s, ERR_R_INTERNAL_ERROR); 362 return 0; 363 } 364 365 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 366 return 0; 367 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 368 return 0; 369 if (!CBB_flush(cbb)) 370 return 0; 371 372 return 1; 373} 374 375static int 376tlsext_ecpf_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 377{ 378 CBS ecpf; 379 380 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 381 return 0; 382 if (CBS_len(&ecpf) == 0) 383 return 0; 384 385 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 386 if (!CBS_contains_zero_byte(&ecpf)) { 387 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 388 *alert = SSL_AD_ILLEGAL_PARAMETER; 389 return 0; 390 } 391 392 if (!s->hit) { 393 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), 394 &(s->session->tlsext_ecpointformatlist_length))) { 395 *alert = SSL_AD_INTERNAL_ERROR; 396 return 0; 397 } 398 } 399 400 return 1; 401} 402 403static int 404tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 405{ 406 return ssl_has_ecc_ciphers(s); 407} 408 409static int 410tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 411{ 412 return tlsext_ecpf_build(s, msg_type, cbb); 413} 414 415static int 416tlsext_ecpf_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 417{ 418 return tlsext_ecpf_process(s, msg_type, cbs, alert); 419} 420 421static int 422tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 423{ 424 return ssl_using_ecc_cipher(s); 425} 426 427static int 428tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 429{ 430 return tlsext_ecpf_build(s, msg_type, cbb); 431} 432 433static int 434tlsext_ecpf_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 435{ 436 return tlsext_ecpf_process(s, msg_type, cbs, alert); 437} 438 439/* 440 * Renegotiation Indication - RFC 5746. 441 */ 442static int 443tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 444{ 445 return (s->renegotiate); 446} 447 448static int 449tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 450{ 451 CBB reneg; 452 453 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 454 return 0; 455 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 456 s->s3->previous_client_finished_len)) 457 return 0; 458 if (!CBB_flush(cbb)) 459 return 0; 460 461 return 1; 462} 463 464static int 465tlsext_ri_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 466{ 467 CBS reneg; 468 469 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 470 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 471 return 0; 472 } 473 474 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, 475 s->s3->previous_client_finished_len)) { 476 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 477 *alert = SSL_AD_HANDSHAKE_FAILURE; 478 return 0; 479 } 480 481 s->s3->renegotiate_seen = 1; 482 s->s3->send_connection_binding = 1; 483 484 return 1; 485} 486 487static int 488tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 489{ 490 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && 491 s->s3->send_connection_binding); 492} 493 494static int 495tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 496{ 497 CBB reneg; 498 499 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 500 return 0; 501 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 502 s->s3->previous_client_finished_len)) 503 return 0; 504 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished, 505 s->s3->previous_server_finished_len)) 506 return 0; 507 if (!CBB_flush(cbb)) 508 return 0; 509 510 return 1; 511} 512 513static int 514tlsext_ri_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 515{ 516 CBS reneg, prev_client, prev_server; 517 518 /* 519 * Ensure that the previous client and server values are both not 520 * present, or that they are both present. 521 */ 522 if ((s->s3->previous_client_finished_len == 0 && 523 s->s3->previous_server_finished_len != 0) || 524 (s->s3->previous_client_finished_len != 0 && 525 s->s3->previous_server_finished_len == 0)) { 526 *alert = SSL_AD_INTERNAL_ERROR; 527 return 0; 528 } 529 530 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 531 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 532 return 0; 533 } 534 if (!CBS_get_bytes(&reneg, &prev_client, 535 s->s3->previous_client_finished_len)) { 536 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 537 return 0; 538 } 539 if (!CBS_get_bytes(&reneg, &prev_server, 540 s->s3->previous_server_finished_len)) { 541 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 542 return 0; 543 } 544 if (CBS_len(&reneg) != 0) { 545 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 546 return 0; 547 } 548 549 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, 550 s->s3->previous_client_finished_len)) { 551 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 552 *alert = SSL_AD_HANDSHAKE_FAILURE; 553 return 0; 554 } 555 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished, 556 s->s3->previous_server_finished_len)) { 557 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 558 *alert = SSL_AD_HANDSHAKE_FAILURE; 559 return 0; 560 } 561 562 s->s3->renegotiate_seen = 1; 563 s->s3->send_connection_binding = 1; 564 565 return 1; 566} 567 568/* 569 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 570 */ 571static int 572tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 573{ 574 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION); 575} 576 577static int 578tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 579{ 580 uint16_t tls_version = s->s3->hs.negotiated_tls_version; 581 CBB sigalgs; 582 583 if (msg_type == SSL_TLSEXT_MSG_CH) 584 tls_version = s->s3->hs.our_min_tls_version; 585 586 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 587 return 0; 588 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) 589 return 0; 590 if (!CBB_flush(cbb)) 591 return 0; 592 593 return 1; 594} 595 596static int 597tlsext_sigalgs_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 598{ 599 CBS sigalgs; 600 601 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 602 return 0; 603 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 604 return 0; 605 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 606 return 0; 607 608 return 1; 609} 610 611static int 612tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 613{ 614 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 615} 616 617static int 618tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 619{ 620 CBB sigalgs; 621 622 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 623 return 0; 624 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, 625 SSL_get_security_level(s))) 626 return 0; 627 if (!CBB_flush(cbb)) 628 return 0; 629 630 return 1; 631} 632 633static int 634tlsext_sigalgs_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 635{ 636 CBS sigalgs; 637 638 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 639 return 0; 640 641 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 642 return 0; 643 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 644 return 0; 645 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 646 return 0; 647 648 return 1; 649} 650 651/* 652 * Server Name Indication - RFC 6066, section 3. 653 */ 654static int 655tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 656{ 657 return (s->tlsext_hostname != NULL); 658} 659 660static int 661tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 662{ 663 CBB server_name_list, host_name; 664 665 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 666 return 0; 667 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 668 return 0; 669 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 670 return 0; 671 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 672 strlen(s->tlsext_hostname))) 673 return 0; 674 if (!CBB_flush(cbb)) 675 return 0; 676 677 return 1; 678} 679 680static int 681tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip) 682{ 683 union { 684 struct in_addr ip4; 685 struct in6_addr ip6; 686 } addrbuf; 687 char *hostname = NULL; 688 689 *is_ip = 0; 690 691 if (!CBS_strdup(cbs, &hostname)) 692 return 0; 693 694 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 || 695 inet_pton(AF_INET6, hostname, &addrbuf) == 1) 696 *is_ip = 1; 697 698 free(hostname); 699 700 return 1; 701} 702 703/* 704 * Validate that the CBS contains only a hostname consisting of RFC 5890 705 * compliant A-labels (see RFC 6066 section 3). Not a complete check 706 * since we don't parse punycode to verify its validity but limits to 707 * correct structure and character set. 708 */ 709int 710tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) 711{ 712 uint8_t prev, c = 0; 713 int component = 0; 714 CBS hostname; 715 716 *is_ip = 0; 717 718 CBS_dup(cbs, &hostname); 719 720 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 721 return 0; 722 723 /* An IP literal is invalid as a host name (RFC 6066 section 3). */ 724 if (!tlsext_sni_is_ip_literal(&hostname, is_ip)) 725 return 0; 726 if (*is_ip) 727 return 0; 728 729 while (CBS_len(&hostname) > 0) { 730 prev = c; 731 if (!CBS_get_u8(&hostname, &c)) 732 return 0; 733 /* Everything has to be ASCII, with no NUL byte. */ 734 if (!isascii(c) || c == '\0') 735 return 0; 736 /* It must be alphanumeric, a '-', or a '.' */ 737 if (!isalnum(c) && c != '-' && c != '.') 738 return 0; 739 /* '-' and '.' must not start a component or be at the end. */ 740 if (component == 0 || CBS_len(&hostname) == 0) { 741 if (c == '-' || c == '.') 742 return 0; 743 } 744 if (c == '.') { 745 /* Components can not end with a dash. */ 746 if (prev == '-') 747 return 0; 748 /* Start new component */ 749 component = 0; 750 continue; 751 } 752 /* Components must be 63 chars or less. */ 753 if (++component > 63) 754 return 0; 755 } 756 757 return 1; 758} 759 760static int 761tlsext_sni_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 762{ 763 CBS server_name_list, host_name; 764 uint8_t name_type; 765 int is_ip; 766 767 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 768 goto err; 769 770 if (!CBS_get_u8(&server_name_list, &name_type)) 771 goto err; 772 773 /* 774 * RFC 6066 section 3, only one type (host_name) is specified. 775 * We do not tolerate unknown types, neither does BoringSSL. 776 * other implementations appear more tolerant. 777 */ 778 if (name_type != TLSEXT_NAMETYPE_host_name) { 779 *alert = SSL_AD_ILLEGAL_PARAMETER; 780 goto err; 781 } 782 783 /* 784 * RFC 6066 section 3 specifies a host name must be at least 1 byte 785 * so 0 length is a decode error. 786 */ 787 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 788 goto err; 789 if (CBS_len(&host_name) < 1) 790 goto err; 791 792 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) { 793 /* 794 * Various pieces of software have been known to set the SNI 795 * host name to an IP address, even though that violates the 796 * RFC. If this is the case, pretend the SNI extension does 797 * not exist. 798 */ 799 if (is_ip) 800 goto done; 801 802 *alert = SSL_AD_ILLEGAL_PARAMETER; 803 goto err; 804 } 805 806 if (s->hit || s->s3->hs.tls13.hrr) { 807 if (s->session->tlsext_hostname == NULL) { 808 *alert = SSL_AD_UNRECOGNIZED_NAME; 809 goto err; 810 } 811 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 812 strlen(s->session->tlsext_hostname))) { 813 *alert = SSL_AD_UNRECOGNIZED_NAME; 814 goto err; 815 } 816 } else { 817 if (s->session->tlsext_hostname != NULL) 818 goto err; 819 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 820 *alert = SSL_AD_INTERNAL_ERROR; 821 goto err; 822 } 823 } 824 825 done: 826 /* 827 * RFC 6066 section 3 forbids multiple host names with the same type, 828 * therefore we allow only one entry. 829 */ 830 if (CBS_len(&server_name_list) != 0) { 831 *alert = SSL_AD_ILLEGAL_PARAMETER; 832 goto err; 833 } 834 835 return 1; 836 837 err: 838 return 0; 839} 840 841static int 842tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 843{ 844 if (s->hit) 845 return 0; 846 847 return (s->session->tlsext_hostname != NULL); 848} 849 850static int 851tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 852{ 853 return 1; 854} 855 856static int 857tlsext_sni_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 858{ 859 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 860 *alert = SSL_AD_UNRECOGNIZED_NAME; 861 return 0; 862 } 863 864 if (s->hit) { 865 if (s->session->tlsext_hostname == NULL) { 866 *alert = SSL_AD_UNRECOGNIZED_NAME; 867 return 0; 868 } 869 if (strcmp(s->tlsext_hostname, 870 s->session->tlsext_hostname) != 0) { 871 *alert = SSL_AD_UNRECOGNIZED_NAME; 872 return 0; 873 } 874 } else { 875 if (s->session->tlsext_hostname != NULL) 876 return 0; 877 if ((s->session->tlsext_hostname = 878 strdup(s->tlsext_hostname)) == NULL) { 879 *alert = SSL_AD_INTERNAL_ERROR; 880 return 0; 881 } 882 } 883 884 return 1; 885} 886 887/* 888 * Certificate Status Request - RFC 6066 section 8. 889 */ 890 891static int 892tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 893{ 894 if (msg_type != SSL_TLSEXT_MSG_CH) 895 return 0; 896 897 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 898} 899 900static int 901tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 902{ 903 CBB respid_list, respid, exts; 904 unsigned char *ext_data; 905 size_t ext_len; 906 int i; 907 908 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 909 return 0; 910 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 911 return 0; 912 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 913 unsigned char *respid_data; 914 OCSP_RESPID *id; 915 size_t id_len; 916 917 if ((id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, 918 i)) == NULL) 919 return 0; 920 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 921 return 0; 922 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 923 return 0; 924 if (!CBB_add_space(&respid, &respid_data, id_len)) 925 return 0; 926 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 927 return 0; 928 } 929 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 930 return 0; 931 if ((ext_len = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, 932 NULL)) == -1) 933 return 0; 934 if (!CBB_add_space(&exts, &ext_data, ext_len)) 935 return 0; 936 if ((i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ext_data) != 937 ext_len)) 938 return 0; 939 if (!CBB_flush(cbb)) 940 return 0; 941 return 1; 942} 943 944static int 945tlsext_ocsp_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 946{ 947 int alert_desc = SSL_AD_DECODE_ERROR; 948 CBS respid_list, respid, exts; 949 const unsigned char *p; 950 uint8_t status_type; 951 int ret = 0; 952 953 if (msg_type != SSL_TLSEXT_MSG_CH) 954 goto err; 955 956 if (!CBS_get_u8(cbs, &status_type)) 957 goto err; 958 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 959 /* ignore unknown status types */ 960 s->tlsext_status_type = -1; 961 962 if (!CBS_skip(cbs, CBS_len(cbs))) { 963 *alert = SSL_AD_INTERNAL_ERROR; 964 return 0; 965 } 966 return 1; 967 } 968 s->tlsext_status_type = status_type; 969 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 970 goto err; 971 972 /* XXX */ 973 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); 974 s->tlsext_ocsp_ids = NULL; 975 if (CBS_len(&respid_list) > 0) { 976 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 977 if (s->tlsext_ocsp_ids == NULL) { 978 alert_desc = SSL_AD_INTERNAL_ERROR; 979 goto err; 980 } 981 } 982 983 while (CBS_len(&respid_list) > 0) { 984 OCSP_RESPID *id; 985 986 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 987 goto err; 988 p = CBS_data(&respid); 989 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 990 goto err; 991 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { 992 alert_desc = SSL_AD_INTERNAL_ERROR; 993 OCSP_RESPID_free(id); 994 goto err; 995 } 996 } 997 998 /* Read in request_extensions */ 999 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 1000 goto err; 1001 if (CBS_len(&exts) > 0) { 1002 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1003 X509_EXTENSION_free); 1004 p = CBS_data(&exts); 1005 if ((s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 1006 &p, CBS_len(&exts))) == NULL) 1007 goto err; 1008 } 1009 1010 ret = 1; 1011 err: 1012 if (ret == 0) 1013 *alert = alert_desc; 1014 return ret; 1015} 1016 1017static int 1018tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 1019{ 1020 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1021 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 1022 s->ctx->tlsext_status_cb != NULL) { 1023 s->tlsext_status_expected = 0; 1024 if (s->ctx->tlsext_status_cb(s, 1025 s->ctx->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 1026 s->tlsext_ocsp_resp_len > 0) 1027 s->tlsext_status_expected = 1; 1028 } 1029 return s->tlsext_status_expected; 1030} 1031 1032static int 1033tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1034{ 1035 CBB ocsp_response; 1036 1037 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1038 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1039 return 0; 1040 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1041 return 0; 1042 if (!CBB_add_bytes(&ocsp_response, 1043 s->tlsext_ocsp_resp, 1044 s->tlsext_ocsp_resp_len)) 1045 return 0; 1046 if (!CBB_flush(cbb)) 1047 return 0; 1048 } 1049 return 1; 1050} 1051 1052static int 1053tlsext_ocsp_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1054{ 1055 uint8_t status_type; 1056 CBS response; 1057 1058 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1059 if (msg_type == SSL_TLSEXT_MSG_CR) { 1060 /* 1061 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1062 * response with an empty status_request. 1063 */ 1064 if (CBS_len(cbs) == 0) 1065 return 1; 1066 1067 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1068 return 0; 1069 } 1070 if (!CBS_get_u8(cbs, &status_type)) { 1071 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1072 return 0; 1073 } 1074 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1075 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1076 return 0; 1077 } 1078 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1079 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1080 return 0; 1081 } 1082 if (CBS_len(&response) > 65536) { 1083 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1084 return 0; 1085 } 1086 if (!CBS_stow(&response, &s->tlsext_ocsp_resp, 1087 &s->tlsext_ocsp_resp_len)) { 1088 *alert = SSL_AD_INTERNAL_ERROR; 1089 return 0; 1090 } 1091 } else { 1092 if (s->tlsext_status_type == -1) { 1093 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1094 return 0; 1095 } 1096 /* Set flag to expect CertificateStatus message */ 1097 s->tlsext_status_expected = 1; 1098 } 1099 return 1; 1100} 1101 1102/* 1103 * SessionTicket extension - RFC 5077 section 3.2 1104 */ 1105static int 1106tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1107{ 1108 /* 1109 * Send session ticket extension when enabled and not overridden. 1110 * 1111 * When renegotiating, send an empty session ticket to indicate support. 1112 */ 1113 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1114 return 0; 1115 1116 if (!ssl_security_tickets(s)) 1117 return 0; 1118 1119 if (s->new_session) 1120 return 1; 1121 1122 if (s->tlsext_session_ticket != NULL && 1123 s->tlsext_session_ticket->data == NULL) 1124 return 0; 1125 1126 return 1; 1127} 1128 1129static int 1130tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1131{ 1132 /* 1133 * Signal that we support session tickets by sending an empty 1134 * extension when renegotiating or no session found. 1135 */ 1136 if (s->new_session || s->session == NULL) 1137 return 1; 1138 1139 if (s->session->tlsext_tick != NULL) { 1140 /* Attempt to resume with an existing session ticket */ 1141 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1142 s->session->tlsext_ticklen)) 1143 return 0; 1144 1145 } else if (s->tlsext_session_ticket != NULL) { 1146 /* 1147 * Attempt to resume with a custom provided session ticket set 1148 * by SSL_set_session_ticket_ext(). 1149 */ 1150 if (s->tlsext_session_ticket->length > 0) { 1151 size_t ticklen = s->tlsext_session_ticket->length; 1152 1153 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1154 return 0; 1155 memcpy(s->session->tlsext_tick, 1156 s->tlsext_session_ticket->data, 1157 ticklen); 1158 s->session->tlsext_ticklen = ticklen; 1159 1160 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1161 s->session->tlsext_ticklen)) 1162 return 0; 1163 } 1164 } 1165 1166 if (!CBB_flush(cbb)) 1167 return 0; 1168 1169 return 1; 1170} 1171 1172static int 1173tlsext_sessionticket_server_process(SSL *s, uint16_t msg_type, CBS *cbs, 1174 int *alert) 1175{ 1176 if (s->tls_session_ticket_ext_cb) { 1177 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1178 (int)CBS_len(cbs), 1179 s->tls_session_ticket_ext_cb_arg)) { 1180 *alert = SSL_AD_INTERNAL_ERROR; 1181 return 0; 1182 } 1183 } 1184 1185 /* We need to signal that this was processed fully */ 1186 if (!CBS_skip(cbs, CBS_len(cbs))) { 1187 *alert = SSL_AD_INTERNAL_ERROR; 1188 return 0; 1189 } 1190 1191 return 1; 1192} 1193 1194static int 1195tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1196{ 1197 return (s->tlsext_ticket_expected && 1198 !(SSL_get_options(s) & SSL_OP_NO_TICKET) && 1199 ssl_security_tickets(s)); 1200} 1201 1202static int 1203tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1204{ 1205 /* Empty ticket */ 1206 return 1; 1207} 1208 1209static int 1210tlsext_sessionticket_client_process(SSL *s, uint16_t msg_type, CBS *cbs, 1211 int *alert) 1212{ 1213 if (s->tls_session_ticket_ext_cb) { 1214 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1215 (int)CBS_len(cbs), 1216 s->tls_session_ticket_ext_cb_arg)) { 1217 *alert = SSL_AD_INTERNAL_ERROR; 1218 return 0; 1219 } 1220 } 1221 1222 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1223 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1224 return 0; 1225 } 1226 1227 s->tlsext_ticket_expected = 1; 1228 1229 return 1; 1230} 1231 1232/* 1233 * DTLS extension for SRTP key establishment - RFC 5764 1234 */ 1235 1236#ifndef OPENSSL_NO_SRTP 1237 1238static int 1239tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1240{ 1241 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1242} 1243 1244static int 1245tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1246{ 1247 CBB profiles, mki; 1248 int ct, i; 1249 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1250 const SRTP_PROTECTION_PROFILE *prof; 1251 1252 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1253 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1254 return 0; 1255 } 1256 1257 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1258 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1259 return 0; 1260 } 1261 1262 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1263 return 0; 1264 1265 for (i = 0; i < ct; i++) { 1266 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1267 return 0; 1268 if (!CBB_add_u16(&profiles, prof->id)) 1269 return 0; 1270 } 1271 1272 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1273 return 0; 1274 1275 if (!CBB_flush(cbb)) 1276 return 0; 1277 1278 return 1; 1279} 1280 1281static int 1282tlsext_srtp_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1283{ 1284 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1285 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1286 int i, j; 1287 int ret; 1288 uint16_t id; 1289 CBS profiles, mki; 1290 1291 ret = 0; 1292 1293 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1294 goto err; 1295 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1296 goto err; 1297 1298 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1299 goto err; 1300 1301 while (CBS_len(&profiles) > 0) { 1302 if (!CBS_get_u16(&profiles, &id)) 1303 goto err; 1304 1305 if (!srtp_find_profile_by_num(id, &cprof)) { 1306 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1307 goto err; 1308 } 1309 } 1310 1311 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1312 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1313 goto done; 1314 } 1315 1316 /* 1317 * Per RFC 5764 section 4.1.1 1318 * 1319 * Find the server preferred profile using the client's list. 1320 * 1321 * The server MUST send a profile if it sends the use_srtp 1322 * extension. If one is not found, it should fall back to the 1323 * negotiated DTLS cipher suite or return a DTLS alert. 1324 */ 1325 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1326 goto err; 1327 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1328 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL) 1329 goto err; 1330 1331 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1332 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1333 == NULL) 1334 goto err; 1335 1336 if (cprof->id == sprof->id) { 1337 s->srtp_profile = sprof; 1338 ret = 1; 1339 goto done; 1340 } 1341 } 1342 } 1343 1344 /* If we didn't find anything, fall back to the negotiated */ 1345 ret = 1; 1346 goto done; 1347 1348 err: 1349 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1350 1351 done: 1352 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1353 return ret; 1354} 1355 1356static int 1357tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1358{ 1359 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1360} 1361 1362static int 1363tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1364{ 1365 SRTP_PROTECTION_PROFILE *profile; 1366 CBB srtp, mki; 1367 1368 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1369 return 0; 1370 1371 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1372 return 0; 1373 1374 if (!CBB_add_u16(&srtp, profile->id)) 1375 return 0; 1376 1377 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1378 return 0; 1379 1380 if (!CBB_flush(cbb)) 1381 return 0; 1382 1383 return 1; 1384} 1385 1386static int 1387tlsext_srtp_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1388{ 1389 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1390 const SRTP_PROTECTION_PROFILE *prof; 1391 int i; 1392 uint16_t id; 1393 CBS profile_ids, mki; 1394 1395 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1396 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1397 return 0; 1398 } 1399 1400 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1401 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1402 return 0; 1403 } 1404 1405 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1406 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1407 *alert = SSL_AD_ILLEGAL_PARAMETER; 1408 return 0; 1409 } 1410 1411 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1412 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1413 return 0; 1414 } 1415 1416 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1417 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1418 == NULL) { 1419 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1420 return 0; 1421 } 1422 1423 if (prof->id == id) { 1424 s->srtp_profile = prof; 1425 return 1; 1426 } 1427 } 1428 1429 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1430 1431 return 0; 1432} 1433 1434#endif /* OPENSSL_NO_SRTP */ 1435 1436/* 1437 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1438 */ 1439static int 1440tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1441{ 1442 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1443} 1444 1445static int 1446tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1447{ 1448 CBB client_shares, key_exchange; 1449 1450 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1451 return 0; 1452 1453 if (!CBB_add_u16(&client_shares, 1454 tls_key_share_group(s->s3->hs.key_share))) 1455 return 0; 1456 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1457 return 0; 1458 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1459 return 0; 1460 1461 if (!CBB_flush(cbb)) 1462 return 0; 1463 1464 return 1; 1465} 1466 1467static int 1468tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1469{ 1470 const uint16_t *client_groups = NULL, *server_groups = NULL; 1471 size_t client_groups_len = 0, server_groups_len = 0; 1472 size_t i, j, client_groups_index; 1473 int preferred_group_found = 0; 1474 int decode_error; 1475 uint16_t group, client_preferred_group; 1476 CBS client_shares, key_exchange; 1477 1478 /* 1479 * RFC 8446 section 4.2.8: 1480 * 1481 * Each KeyShareEntry value MUST correspond to a group offered in the 1482 * "supported_groups" extension and MUST appear in the same order. 1483 * However, the values MAY be a non-contiguous subset of the 1484 * "supported_groups". 1485 */ 1486 1487 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) { 1488 *alert = SSL_AD_ILLEGAL_PARAMETER; 1489 return 0; 1490 } 1491 if (!tlsext_extension_processed(s, TLSEXT_TYPE_supported_groups)) { 1492 *alert = SSL_AD_INTERNAL_ERROR; 1493 return 0; 1494 } 1495 1496 if (s->s3->hs.tls13.hrr) { 1497 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1498 return 0; 1499 1500 /* Unpack client share. */ 1501 if (!CBS_get_u16(&client_shares, &group)) 1502 return 0; 1503 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1504 return 0; 1505 1506 /* There should only be one share. */ 1507 if (CBS_len(&client_shares) != 0) 1508 return 0; 1509 1510 if (group != s->s3->hs.tls13.server_group) { 1511 *alert = SSL_AD_ILLEGAL_PARAMETER; 1512 return 0; 1513 } 1514 1515 if (s->s3->hs.key_share != NULL) { 1516 *alert = SSL_AD_INTERNAL_ERROR; 1517 return 0; 1518 } 1519 1520 /* Decode and store the selected key share. */ 1521 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1522 *alert = SSL_AD_INTERNAL_ERROR; 1523 return 0; 1524 } 1525 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1526 &key_exchange, &decode_error, NULL)) { 1527 if (!decode_error) 1528 *alert = SSL_AD_INTERNAL_ERROR; 1529 return 0; 1530 } 1531 1532 return 1; 1533 } 1534 1535 /* 1536 * XXX similar to tls1_get_supported_group, but client pref 1537 * only - consider deduping later. 1538 */ 1539 /* 1540 * We are now assured of at least one client group. 1541 * Get the client and server group preference orders. 1542 */ 1543 tls1_get_group_list(s, 0, &server_groups, &server_groups_len); 1544 tls1_get_group_list(s, 1, &client_groups, &client_groups_len); 1545 1546 /* 1547 * Find the group that is most preferred by the client that 1548 * we also support. 1549 */ 1550 for (i = 0; i < client_groups_len && !preferred_group_found; i++) { 1551 if (!ssl_security_supported_group(s, client_groups[i])) 1552 continue; 1553 for (j = 0; j < server_groups_len; j++) { 1554 if (server_groups[j] == client_groups[i]) { 1555 client_preferred_group = client_groups[i]; 1556 preferred_group_found = 1; 1557 break; 1558 } 1559 } 1560 } 1561 1562 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1563 return 0; 1564 1565 client_groups_index = 0; 1566 while (CBS_len(&client_shares) > 0) { 1567 int client_sent_group; 1568 1569 /* Unpack client share. */ 1570 if (!CBS_get_u16(&client_shares, &group)) 1571 return 0; 1572 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1573 return 0; 1574 1575 /* 1576 * Ensure the client share group was sent in supported groups, 1577 * and was sent in the same order as supported groups. The 1578 * supported groups has already been checked for duplicates. 1579 */ 1580 client_sent_group = 0; 1581 while (client_groups_index < client_groups_len) { 1582 if (group == client_groups[client_groups_index++]) { 1583 client_sent_group = 1; 1584 break; 1585 } 1586 } 1587 if (!client_sent_group) { 1588 *alert = SSL_AD_ILLEGAL_PARAMETER; 1589 return 0; 1590 } 1591 1592 /* 1593 * Ignore this client share if we're using earlier than TLSv1.3 1594 * or we've already selected a key share. 1595 */ 1596 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) 1597 continue; 1598 if (s->s3->hs.key_share != NULL) 1599 continue; 1600 1601 /* 1602 * Ignore this client share if it is not for the most client 1603 * preferred supported group. This avoids a potential downgrade 1604 * situation where the client sends a client share for something 1605 * less preferred, and we choose to to use it instead of 1606 * requesting the more preferred group. 1607 */ 1608 if (!preferred_group_found || group != client_preferred_group) 1609 continue; 1610 1611 /* Decode and store the selected key share. */ 1612 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1613 *alert = SSL_AD_INTERNAL_ERROR; 1614 return 0; 1615 } 1616 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1617 &key_exchange, &decode_error, NULL)) { 1618 if (!decode_error) 1619 *alert = SSL_AD_INTERNAL_ERROR; 1620 return 0; 1621 } 1622 } 1623 1624 return 1; 1625} 1626 1627static int 1628tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1629{ 1630 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1631 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1632} 1633 1634static int 1635tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1636{ 1637 CBB key_exchange; 1638 1639 /* In the case of a HRR, we only send the server selected group. */ 1640 if (s->s3->hs.tls13.hrr) { 1641 if (s->s3->hs.tls13.server_group == 0) 1642 return 0; 1643 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group); 1644 } 1645 1646 if (s->s3->hs.key_share == NULL) 1647 return 0; 1648 1649 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share))) 1650 return 0; 1651 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1652 return 0; 1653 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1654 return 0; 1655 1656 if (!CBB_flush(cbb)) 1657 return 0; 1658 1659 return 1; 1660} 1661 1662static int 1663tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1664{ 1665 CBS key_exchange; 1666 int decode_error; 1667 uint16_t group; 1668 1669 /* Unpack server share. */ 1670 if (!CBS_get_u16(cbs, &group)) 1671 return 0; 1672 1673 if (CBS_len(cbs) == 0) { 1674 /* HRR does not include an actual key share, only the group. */ 1675 if (msg_type != SSL_TLSEXT_MSG_HRR) 1676 return 0; 1677 1678 s->s3->hs.tls13.server_group = group; 1679 return 1; 1680 } 1681 1682 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1683 return 0; 1684 1685 if (s->s3->hs.key_share == NULL) { 1686 *alert = SSL_AD_INTERNAL_ERROR; 1687 return 0; 1688 } 1689 if (tls_key_share_group(s->s3->hs.key_share) != group) { 1690 *alert = SSL_AD_INTERNAL_ERROR; 1691 return 0; 1692 } 1693 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1694 &key_exchange, &decode_error, NULL)) { 1695 if (!decode_error) 1696 *alert = SSL_AD_INTERNAL_ERROR; 1697 return 0; 1698 } 1699 1700 return 1; 1701} 1702 1703/* 1704 * Supported Versions - RFC 8446 section 4.2.1. 1705 */ 1706static int 1707tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1708{ 1709 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1710} 1711 1712static int 1713tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1714{ 1715 uint16_t max, min; 1716 uint16_t version; 1717 CBB versions; 1718 1719 max = s->s3->hs.our_max_tls_version; 1720 min = s->s3->hs.our_min_tls_version; 1721 1722 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1723 return 0; 1724 1725 /* XXX - fix, but contiguous for now... */ 1726 for (version = max; version >= min; version--) { 1727 if (!CBB_add_u16(&versions, version)) 1728 return 0; 1729 } 1730 1731 if (!CBB_flush(cbb)) 1732 return 0; 1733 1734 return 1; 1735} 1736 1737static int 1738tlsext_versions_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1739{ 1740 CBS versions; 1741 uint16_t version; 1742 uint16_t max, min; 1743 uint16_t matched_version = 0; 1744 1745 max = s->s3->hs.our_max_tls_version; 1746 min = s->s3->hs.our_min_tls_version; 1747 1748 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1749 return 0; 1750 1751 while (CBS_len(&versions) > 0) { 1752 if (!CBS_get_u16(&versions, &version)) 1753 return 0; 1754 /* 1755 * XXX What is below implements client preference, and 1756 * ignores any server preference entirely. 1757 */ 1758 if (matched_version == 0 && version >= min && version <= max) 1759 matched_version = version; 1760 } 1761 1762 if (matched_version > 0) { 1763 /* XXX - this should be stored for later processing. */ 1764 s->version = matched_version; 1765 return 1; 1766 } 1767 1768 *alert = SSL_AD_PROTOCOL_VERSION; 1769 return 0; 1770} 1771 1772static int 1773tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1774{ 1775 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 1776} 1777 1778static int 1779tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1780{ 1781 return CBB_add_u16(cbb, TLS1_3_VERSION); 1782} 1783 1784static int 1785tlsext_versions_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1786{ 1787 uint16_t selected_version; 1788 1789 if (!CBS_get_u16(cbs, &selected_version)) 1790 return 0; 1791 1792 /* XXX - need to fix for DTLS 1.3 */ 1793 if (selected_version < TLS1_3_VERSION) { 1794 *alert = SSL_AD_ILLEGAL_PARAMETER; 1795 return 0; 1796 } 1797 1798 /* XXX test between min and max once initialization code goes in */ 1799 s->s3->hs.tls13.server_version = selected_version; 1800 1801 return 1; 1802} 1803 1804 1805/* 1806 * Cookie - RFC 8446 section 4.2.2. 1807 */ 1808 1809static int 1810tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1811{ 1812 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1813 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1814} 1815 1816static int 1817tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1818{ 1819 CBB cookie; 1820 1821 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1822 return 0; 1823 1824 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1825 s->s3->hs.tls13.cookie_len)) 1826 return 0; 1827 1828 if (!CBB_flush(cbb)) 1829 return 0; 1830 1831 return 1; 1832} 1833 1834static int 1835tlsext_cookie_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1836{ 1837 CBS cookie; 1838 1839 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1840 return 0; 1841 1842 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len) 1843 return 0; 1844 1845 /* 1846 * Check provided cookie value against what server previously 1847 * sent - client *MUST* send the same cookie with new CR after 1848 * a cookie is sent by the server with an HRR. 1849 */ 1850 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie, 1851 s->s3->hs.tls13.cookie_len)) { 1852 /* XXX special cookie mismatch alert? */ 1853 *alert = SSL_AD_ILLEGAL_PARAMETER; 1854 return 0; 1855 } 1856 1857 return 1; 1858} 1859 1860static int 1861tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1862{ 1863 /* 1864 * Server needs to set cookie value in tls13 handshake 1865 * in order to send one, should only be sent with HRR. 1866 */ 1867 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1868 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1869} 1870 1871static int 1872tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1873{ 1874 CBB cookie; 1875 1876 /* XXX deduplicate with client code */ 1877 1878 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1879 return 0; 1880 1881 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1882 s->s3->hs.tls13.cookie_len)) 1883 return 0; 1884 1885 if (!CBB_flush(cbb)) 1886 return 0; 1887 1888 return 1; 1889} 1890 1891static int 1892tlsext_cookie_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1893{ 1894 CBS cookie; 1895 1896 /* 1897 * XXX This currently assumes we will not get a second 1898 * HRR from a server with a cookie to process after accepting 1899 * one from the server in the same handshake 1900 */ 1901 if (s->s3->hs.tls13.cookie != NULL || 1902 s->s3->hs.tls13.cookie_len != 0) { 1903 *alert = SSL_AD_ILLEGAL_PARAMETER; 1904 return 0; 1905 } 1906 1907 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1908 return 0; 1909 1910 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie, 1911 &s->s3->hs.tls13.cookie_len)) 1912 return 0; 1913 1914 return 1; 1915} 1916 1917/* 1918 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9. 1919 */ 1920 1921static int 1922tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type) 1923{ 1924 return (s->s3->hs.tls13.use_psk_dhe_ke && 1925 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1926} 1927 1928static int 1929tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1930{ 1931 CBB ke_modes; 1932 1933 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes)) 1934 return 0; 1935 1936 /* Only indicate support for PSK with DHE key establishment. */ 1937 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE)) 1938 return 0; 1939 1940 if (!CBB_flush(cbb)) 1941 return 0; 1942 1943 return 1; 1944} 1945 1946static int 1947tlsext_psk_kex_modes_server_process(SSL *s, uint16_t msg_type, CBS *cbs, 1948 int *alert) 1949{ 1950 CBS ke_modes; 1951 uint8_t ke_mode; 1952 1953 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes)) 1954 return 0; 1955 1956 while (CBS_len(&ke_modes) > 0) { 1957 if (!CBS_get_u8(&ke_modes, &ke_mode)) 1958 return 0; 1959 1960 if (ke_mode == TLS13_PSK_DHE_KE) 1961 s->s3->hs.tls13.use_psk_dhe_ke = 1; 1962 } 1963 1964 return 1; 1965} 1966 1967static int 1968tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type) 1969{ 1970 /* Servers MUST NOT send this extension. */ 1971 return 0; 1972} 1973 1974static int 1975tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1976{ 1977 return 0; 1978} 1979 1980static int 1981tlsext_psk_kex_modes_client_process(SSL *s, uint16_t msg_type, CBS *cbs, 1982 int *alert) 1983{ 1984 return 0; 1985} 1986 1987/* 1988 * Pre-Shared Key Extension - RFC 8446, 4.2.11 1989 */ 1990 1991static int 1992tlsext_psk_client_needs(SSL *s, uint16_t msg_type) 1993{ 1994 return 0; 1995} 1996 1997static int 1998tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1999{ 2000 return 0; 2001} 2002 2003static int 2004tlsext_psk_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2005{ 2006 return CBS_skip(cbs, CBS_len(cbs)); 2007} 2008 2009static int 2010tlsext_psk_server_needs(SSL *s, uint16_t msg_type) 2011{ 2012 return 0; 2013} 2014 2015static int 2016tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2017{ 2018 return 0; 2019} 2020 2021static int 2022tlsext_psk_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2023{ 2024 return CBS_skip(cbs, CBS_len(cbs)); 2025} 2026 2027/* 2028 * QUIC transport parameters extension - RFC 9001 section 8.2. 2029 */ 2030 2031static int 2032tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type) 2033{ 2034 return SSL_is_quic(s) && s->quic_transport_params_len > 0; 2035} 2036 2037static int 2038tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type, 2039 CBB *cbb) 2040{ 2041 if (!CBB_add_bytes(cbb, s->quic_transport_params, 2042 s->quic_transport_params_len)) 2043 return 0; 2044 2045 return 1; 2046} 2047 2048static int 2049tlsext_quic_transport_parameters_client_process(SSL *s, uint16_t msg_type, 2050 CBS *cbs, int *alert) 2051{ 2052 if (!SSL_is_quic(s)) { 2053 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 2054 return 0; 2055 } 2056 2057 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 2058 &s->s3->peer_quic_transport_params_len)) 2059 return 0; 2060 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 2061 return 0; 2062 2063 return 1; 2064} 2065 2066static int 2067tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type) 2068{ 2069 return SSL_is_quic(s) && s->quic_transport_params_len > 0; 2070} 2071 2072static int 2073tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type, 2074 CBB *cbb) 2075{ 2076 if (!CBB_add_bytes(cbb, s->quic_transport_params, 2077 s->quic_transport_params_len)) 2078 return 0; 2079 2080 return 1; 2081} 2082 2083static int 2084tlsext_quic_transport_parameters_server_process(SSL *s, uint16_t msg_type, 2085 CBS *cbs, int *alert) 2086{ 2087 if (!SSL_is_quic(s)) { 2088 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 2089 return 0; 2090 } 2091 2092 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 2093 &s->s3->peer_quic_transport_params_len)) 2094 return 0; 2095 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 2096 return 0; 2097 2098 return 1; 2099} 2100 2101struct tls_extension_funcs { 2102 int (*needs)(SSL *s, uint16_t msg_type); 2103 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 2104 int (*process)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 2105}; 2106 2107struct tls_extension { 2108 uint16_t type; 2109 uint16_t messages; 2110 struct tls_extension_funcs client; 2111 struct tls_extension_funcs server; 2112}; 2113 2114/* 2115 * TLS extensions (in processing order). 2116 */ 2117static const struct tls_extension tls_extensions[] = { 2118 { 2119 .type = TLSEXT_TYPE_supported_versions, 2120 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2121 SSL_TLSEXT_MSG_HRR, 2122 .client = { 2123 .needs = tlsext_versions_client_needs, 2124 .build = tlsext_versions_client_build, 2125 .process = tlsext_versions_client_process, 2126 }, 2127 .server = { 2128 .needs = tlsext_versions_server_needs, 2129 .build = tlsext_versions_server_build, 2130 .process = tlsext_versions_server_process, 2131 }, 2132 }, 2133 { 2134 .type = TLSEXT_TYPE_supported_groups, 2135 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2136 .client = { 2137 .needs = tlsext_supportedgroups_client_needs, 2138 .build = tlsext_supportedgroups_client_build, 2139 .process = tlsext_supportedgroups_client_process, 2140 }, 2141 .server = { 2142 .needs = tlsext_supportedgroups_server_needs, 2143 .build = tlsext_supportedgroups_server_build, 2144 .process = tlsext_supportedgroups_server_process, 2145 }, 2146 }, 2147 { 2148 .type = TLSEXT_TYPE_key_share, 2149 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2150 SSL_TLSEXT_MSG_HRR, 2151 .client = { 2152 .needs = tlsext_keyshare_client_needs, 2153 .build = tlsext_keyshare_client_build, 2154 .process = tlsext_keyshare_client_process, 2155 }, 2156 .server = { 2157 .needs = tlsext_keyshare_server_needs, 2158 .build = tlsext_keyshare_server_build, 2159 .process = tlsext_keyshare_server_process, 2160 }, 2161 }, 2162 { 2163 .type = TLSEXT_TYPE_server_name, 2164 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2165 .client = { 2166 .needs = tlsext_sni_client_needs, 2167 .build = tlsext_sni_client_build, 2168 .process = tlsext_sni_client_process, 2169 }, 2170 .server = { 2171 .needs = tlsext_sni_server_needs, 2172 .build = tlsext_sni_server_build, 2173 .process = tlsext_sni_server_process, 2174 }, 2175 }, 2176 { 2177 .type = TLSEXT_TYPE_renegotiate, 2178 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2179 .client = { 2180 .needs = tlsext_ri_client_needs, 2181 .build = tlsext_ri_client_build, 2182 .process = tlsext_ri_client_process, 2183 }, 2184 .server = { 2185 .needs = tlsext_ri_server_needs, 2186 .build = tlsext_ri_server_build, 2187 .process = tlsext_ri_server_process, 2188 }, 2189 }, 2190 { 2191 .type = TLSEXT_TYPE_status_request, 2192 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 2193 SSL_TLSEXT_MSG_CT, 2194 .client = { 2195 .needs = tlsext_ocsp_client_needs, 2196 .build = tlsext_ocsp_client_build, 2197 .process = tlsext_ocsp_client_process, 2198 }, 2199 .server = { 2200 .needs = tlsext_ocsp_server_needs, 2201 .build = tlsext_ocsp_server_build, 2202 .process = tlsext_ocsp_server_process, 2203 }, 2204 }, 2205 { 2206 .type = TLSEXT_TYPE_ec_point_formats, 2207 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2208 .client = { 2209 .needs = tlsext_ecpf_client_needs, 2210 .build = tlsext_ecpf_client_build, 2211 .process = tlsext_ecpf_client_process, 2212 }, 2213 .server = { 2214 .needs = tlsext_ecpf_server_needs, 2215 .build = tlsext_ecpf_server_build, 2216 .process = tlsext_ecpf_server_process, 2217 }, 2218 }, 2219 { 2220 .type = TLSEXT_TYPE_session_ticket, 2221 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2222 .client = { 2223 .needs = tlsext_sessionticket_client_needs, 2224 .build = tlsext_sessionticket_client_build, 2225 .process = tlsext_sessionticket_client_process, 2226 }, 2227 .server = { 2228 .needs = tlsext_sessionticket_server_needs, 2229 .build = tlsext_sessionticket_server_build, 2230 .process = tlsext_sessionticket_server_process, 2231 }, 2232 }, 2233 { 2234 .type = TLSEXT_TYPE_signature_algorithms, 2235 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 2236 .client = { 2237 .needs = tlsext_sigalgs_client_needs, 2238 .build = tlsext_sigalgs_client_build, 2239 .process = tlsext_sigalgs_client_process, 2240 }, 2241 .server = { 2242 .needs = tlsext_sigalgs_server_needs, 2243 .build = tlsext_sigalgs_server_build, 2244 .process = tlsext_sigalgs_server_process, 2245 }, 2246 }, 2247 { 2248 .type = TLSEXT_TYPE_alpn, 2249 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2250 .client = { 2251 .needs = tlsext_alpn_client_needs, 2252 .build = tlsext_alpn_client_build, 2253 .process = tlsext_alpn_client_process, 2254 }, 2255 .server = { 2256 .needs = tlsext_alpn_server_needs, 2257 .build = tlsext_alpn_server_build, 2258 .process = tlsext_alpn_server_process, 2259 }, 2260 }, 2261 { 2262 .type = TLSEXT_TYPE_cookie, 2263 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 2264 .client = { 2265 .needs = tlsext_cookie_client_needs, 2266 .build = tlsext_cookie_client_build, 2267 .process = tlsext_cookie_client_process, 2268 }, 2269 .server = { 2270 .needs = tlsext_cookie_server_needs, 2271 .build = tlsext_cookie_server_build, 2272 .process = tlsext_cookie_server_process, 2273 }, 2274 }, 2275#ifndef OPENSSL_NO_SRTP 2276 { 2277 .type = TLSEXT_TYPE_use_srtp, 2278 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 2279 SSL_TLSEXT_MSG_EE, 2280 .client = { 2281 .needs = tlsext_srtp_client_needs, 2282 .build = tlsext_srtp_client_build, 2283 .process = tlsext_srtp_client_process, 2284 }, 2285 .server = { 2286 .needs = tlsext_srtp_server_needs, 2287 .build = tlsext_srtp_server_build, 2288 .process = tlsext_srtp_server_process, 2289 }, 2290 }, 2291#endif /* OPENSSL_NO_SRTP */ 2292 { 2293 .type = TLSEXT_TYPE_quic_transport_parameters, 2294 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2295 .client = { 2296 .needs = tlsext_quic_transport_parameters_client_needs, 2297 .build = tlsext_quic_transport_parameters_client_build, 2298 .process = tlsext_quic_transport_parameters_client_process, 2299 }, 2300 .server = { 2301 .needs = tlsext_quic_transport_parameters_server_needs, 2302 .build = tlsext_quic_transport_parameters_server_build, 2303 .process = tlsext_quic_transport_parameters_server_process, 2304 }, 2305 }, 2306 { 2307 .type = TLSEXT_TYPE_psk_key_exchange_modes, 2308 .messages = SSL_TLSEXT_MSG_CH, 2309 .client = { 2310 .needs = tlsext_psk_kex_modes_client_needs, 2311 .build = tlsext_psk_kex_modes_client_build, 2312 .process = tlsext_psk_kex_modes_client_process, 2313 }, 2314 .server = { 2315 .needs = tlsext_psk_kex_modes_server_needs, 2316 .build = tlsext_psk_kex_modes_server_build, 2317 .process = tlsext_psk_kex_modes_server_process, 2318 }, 2319 }, 2320 { 2321 .type = TLSEXT_TYPE_pre_shared_key, 2322 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2323 .client = { 2324 .needs = tlsext_psk_client_needs, 2325 .build = tlsext_psk_client_build, 2326 .process = tlsext_psk_client_process, 2327 }, 2328 .server = { 2329 .needs = tlsext_psk_server_needs, 2330 .build = tlsext_psk_server_build, 2331 .process = tlsext_psk_server_process, 2332 }, 2333 }, 2334}; 2335 2336#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 2337 2338/* Ensure that extensions fit in a uint32_t bitmask. */ 2339CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2340 2341struct tlsext_data { 2342 CBS extensions[N_TLS_EXTENSIONS]; 2343}; 2344 2345static struct tlsext_data * 2346tlsext_data_new(void) 2347{ 2348 return calloc(1, sizeof(struct tlsext_data)); 2349} 2350 2351static void 2352tlsext_data_free(struct tlsext_data *td) 2353{ 2354 freezero(td, sizeof(*td)); 2355} 2356 2357uint16_t 2358tls_extension_type(const struct tls_extension *extension) 2359{ 2360 return extension->type; 2361} 2362 2363const struct tls_extension * 2364tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2365{ 2366 size_t i; 2367 2368 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2369 if (tls_extensions[i].type == type) { 2370 *tls_extensions_idx = i; 2371 return &tls_extensions[i]; 2372 } 2373 } 2374 2375 return NULL; 2376} 2377 2378int 2379tlsext_extension_seen(SSL *s, uint16_t type) 2380{ 2381 size_t idx; 2382 2383 if (tls_extension_find(type, &idx) == NULL) 2384 return 0; 2385 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0); 2386} 2387 2388int 2389tlsext_extension_processed(SSL *s, uint16_t type) 2390{ 2391 size_t idx; 2392 2393 if (tls_extension_find(type, &idx) == NULL) 2394 return 0; 2395 return ((s->s3->hs.extensions_processed & (1 << idx)) != 0); 2396} 2397 2398const struct tls_extension_funcs * 2399tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2400{ 2401 if (is_server) 2402 return &tlsext->server; 2403 2404 return &tlsext->client; 2405} 2406 2407int 2408tlsext_randomize_build_order(SSL *s) 2409{ 2410 const struct tls_extension *psk_ext; 2411 size_t idx, new_idx, psk_idx; 2412 size_t alpn_idx = 0, sni_idx = 0; 2413 2414 free(s->tlsext_build_order); 2415 s->tlsext_build_order_len = 0; 2416 2417 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), 2418 N_TLS_EXTENSIONS)) == NULL) 2419 return 0; 2420 s->tlsext_build_order_len = N_TLS_EXTENSIONS; 2421 2422 /* RFC 8446, section 4.2 - PSK MUST be the last extension in the CH. */ 2423 if ((psk_ext = tls_extension_find(TLSEXT_TYPE_pre_shared_key, 2424 &psk_idx)) == NULL) 2425 return 0; 2426 s->tlsext_build_order[N_TLS_EXTENSIONS - 1] = psk_ext; 2427 2428 /* Fisher-Yates shuffle with PSK fixed. */ 2429 for (idx = 0; idx < psk_idx; idx++) { 2430 new_idx = arc4random_uniform(idx + 1); 2431 s->tlsext_build_order[idx] = s->tlsext_build_order[new_idx]; 2432 s->tlsext_build_order[new_idx] = &tls_extensions[idx]; 2433 } 2434 2435 /* 2436 * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN 2437 * for clients so that virtual host setups work correctly. 2438 */ 2439 2440 if (s->server) 2441 return 1; 2442 2443 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { 2444 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn) 2445 alpn_idx = idx; 2446 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name) 2447 sni_idx = idx; 2448 } 2449 if (alpn_idx < sni_idx) { 2450 const struct tls_extension *tmp; 2451 2452 tmp = s->tlsext_build_order[alpn_idx]; 2453 s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx]; 2454 s->tlsext_build_order[sni_idx] = tmp; 2455 } 2456 2457 return 1; 2458} 2459 2460int 2461tlsext_linearize_build_order(SSL *s) 2462{ 2463 size_t idx; 2464 2465 free(s->tlsext_build_order); 2466 s->tlsext_build_order_len = 0; 2467 2468 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), 2469 N_TLS_EXTENSIONS)) == NULL) 2470 return 0; 2471 s->tlsext_build_order_len = N_TLS_EXTENSIONS; 2472 2473 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) 2474 s->tlsext_build_order[idx] = &tls_extensions[idx]; 2475 2476 return 1; 2477} 2478 2479static int 2480tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2481{ 2482 const struct tls_extension_funcs *ext; 2483 const struct tls_extension *tlsext; 2484 CBB extensions, extension_data; 2485 int extensions_present = 0; 2486 uint16_t tls_version; 2487 size_t i; 2488 2489 tls_version = ssl_effective_tls_version(s); 2490 2491 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2492 return 0; 2493 2494 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2495 tlsext = s->tlsext_build_order[i]; 2496 ext = tlsext_funcs(tlsext, is_server); 2497 2498 /* RFC 8446 Section 4.2 */ 2499 if (tls_version >= TLS1_3_VERSION && 2500 !(tlsext->messages & msg_type)) 2501 continue; 2502 2503 if (!ext->needs(s, msg_type)) 2504 continue; 2505 2506 if (!CBB_add_u16(&extensions, tlsext->type)) 2507 return 0; 2508 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2509 return 0; 2510 2511 if (!ext->build(s, msg_type, &extension_data)) 2512 return 0; 2513 2514 extensions_present = 1; 2515 } 2516 2517 if (!extensions_present && 2518 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2519 CBB_discard_child(cbb); 2520 2521 if (!CBB_flush(cbb)) 2522 return 0; 2523 2524 return 1; 2525} 2526 2527int 2528tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2529{ 2530 /* 2531 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2532 * cookie may be added, padding may be removed. 2533 */ 2534 struct tls13_ctx *ctx = s->tls13; 2535 2536 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2537 type == TLSEXT_TYPE_padding) 2538 return 1; 2539 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2540 sizeof(type))) 2541 return 0; 2542 /* 2543 * key_share data may be changed, and pre_shared_key data may 2544 * be changed. 2545 */ 2546 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2547 return 1; 2548 if (!tls13_clienthello_hash_update(ctx, cbs)) 2549 return 0; 2550 2551 return 1; 2552} 2553 2554static int 2555tlsext_parse(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type, 2556 CBS *cbs, int *alert) 2557{ 2558 const struct tls_extension *tlsext; 2559 CBS extensions, extension_data; 2560 uint16_t type; 2561 size_t idx; 2562 uint16_t tls_version; 2563 int alert_desc; 2564 2565 tls_version = ssl_effective_tls_version(s); 2566 2567 s->s3->hs.extensions_seen = 0; 2568 2569 /* An empty extensions block is valid. */ 2570 if (CBS_len(cbs) == 0) 2571 return 1; 2572 2573 alert_desc = SSL_AD_DECODE_ERROR; 2574 2575 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2576 goto err; 2577 2578 while (CBS_len(&extensions) > 0) { 2579 if (!CBS_get_u16(&extensions, &type)) 2580 goto err; 2581 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2582 goto err; 2583 2584 if (s->tlsext_debug_cb != NULL) 2585 s->tlsext_debug_cb(s, !is_server, type, 2586 (unsigned char *)CBS_data(&extension_data), 2587 CBS_len(&extension_data), 2588 s->tlsext_debug_arg); 2589 2590 /* Unknown extensions are ignored. */ 2591 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2592 continue; 2593 2594 if (tls_version >= TLS1_3_VERSION && is_server && 2595 msg_type == SSL_TLSEXT_MSG_CH) { 2596 if (!tlsext_clienthello_hash_extension(s, type, 2597 &extension_data)) 2598 goto err; 2599 } 2600 2601 /* RFC 8446 Section 4.2 */ 2602 if (tls_version >= TLS1_3_VERSION && 2603 !(tlsext->messages & msg_type)) { 2604 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2605 goto err; 2606 } 2607 2608 /* Check for duplicate known extensions. */ 2609 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0) 2610 goto err; 2611 s->s3->hs.extensions_seen |= (1 << idx); 2612 2613 CBS_dup(&extension_data, &td->extensions[idx]); 2614 } 2615 2616 return 1; 2617 2618 err: 2619 *alert = alert_desc; 2620 2621 return 0; 2622} 2623 2624static int 2625tlsext_process(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type, 2626 int *alert) 2627{ 2628 const struct tls_extension_funcs *ext; 2629 const struct tls_extension *tlsext; 2630 int alert_desc; 2631 size_t idx; 2632 2633 alert_desc = SSL_AD_DECODE_ERROR; 2634 2635 s->s3->hs.extensions_processed = 0; 2636 2637 /* Run processing for present TLS extensions, in a defined order. */ 2638 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { 2639 tlsext = &tls_extensions[idx]; 2640 if ((s->s3->hs.extensions_seen & (1 << idx)) == 0) 2641 continue; 2642 ext = tlsext_funcs(tlsext, is_server); 2643 if (ext->process == NULL) 2644 continue; 2645 if (!ext->process(s, msg_type, &td->extensions[idx], &alert_desc)) 2646 goto err; 2647 2648 if (CBS_len(&td->extensions[idx]) != 0) 2649 goto err; 2650 2651 s->s3->hs.extensions_processed |= (1 << idx); 2652 } 2653 2654 return 1; 2655 2656 err: 2657 *alert = alert_desc; 2658 2659 return 0; 2660} 2661 2662static void 2663tlsext_server_reset_state(SSL *s) 2664{ 2665 s->tlsext_status_type = -1; 2666 s->s3->renegotiate_seen = 0; 2667 free(s->s3->alpn_selected); 2668 s->s3->alpn_selected = NULL; 2669 s->s3->alpn_selected_len = 0; 2670 s->srtp_profile = NULL; 2671} 2672 2673int 2674tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2675{ 2676 return tlsext_build(s, 1, msg_type, cbb); 2677} 2678 2679int 2680tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2681{ 2682 struct tlsext_data *td; 2683 int ret = 0; 2684 2685 if ((td = tlsext_data_new()) == NULL) 2686 goto err; 2687 2688 /* XXX - this should be done by the caller... */ 2689 if (msg_type == SSL_TLSEXT_MSG_CH) 2690 tlsext_server_reset_state(s); 2691 2692 if (!tlsext_parse(s, td, 1, msg_type, cbs, alert)) 2693 goto err; 2694 if (!tlsext_process(s, td, 1, msg_type, alert)) 2695 goto err; 2696 2697 ret = 1; 2698 2699 err: 2700 tlsext_data_free(td); 2701 2702 return ret; 2703} 2704 2705static void 2706tlsext_client_reset_state(SSL *s) 2707{ 2708 s->s3->renegotiate_seen = 0; 2709 free(s->s3->alpn_selected); 2710 s->s3->alpn_selected = NULL; 2711 s->s3->alpn_selected_len = 0; 2712} 2713 2714int 2715tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2716{ 2717 return tlsext_build(s, 0, msg_type, cbb); 2718} 2719 2720int 2721tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2722{ 2723 struct tlsext_data *td; 2724 int ret = 0; 2725 2726 if ((td = tlsext_data_new()) == NULL) 2727 goto err; 2728 2729 /* XXX - this should be done by the caller... */ 2730 if (msg_type == SSL_TLSEXT_MSG_SH) 2731 tlsext_client_reset_state(s); 2732 2733 if (!tlsext_parse(s, td, 0, msg_type, cbs, alert)) 2734 goto err; 2735 if (!tlsext_process(s, td, 0, msg_type, alert)) 2736 goto err; 2737 2738 ret = 1; 2739 2740 err: 2741 tlsext_data_free(td); 2742 2743 return ret; 2744} 2745