ssl_tlsext.c revision 1.16
1/* $OpenBSD: ssl_tlsext.c,v 1.16 2017/09/25 17:51:49 jsing Exp $ */ 2/* 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2017 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19#include <openssl/ocsp.h> 20 21#include "ssl_locl.h" 22 23#include "bytestring.h" 24#include "ssl_tlsext.h" 25 26/* 27 * Supported Application-Layer Protocol Negotiation - RFC 7301 28 */ 29 30int 31tlsext_alpn_clienthello_needs(SSL *s) 32{ 33 /* ALPN protos have been specified and this is the initial handshake */ 34 return s->internal->alpn_client_proto_list != NULL && 35 S3I(s)->tmp.finish_md_len == 0; 36} 37 38int 39tlsext_alpn_clienthello_build(SSL *s, CBB *cbb) 40{ 41 CBB protolist; 42 43 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 44 return 0; 45 46 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 47 s->internal->alpn_client_proto_list_len)) 48 return 0; 49 50 if (!CBB_flush(cbb)) 51 return 0; 52 53 return 1; 54} 55 56int 57tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert) 58{ 59 CBS proto_name_list, alpn; 60 const unsigned char *selected; 61 unsigned char selected_len; 62 int r; 63 64 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 65 goto err; 66 if (CBS_len(&alpn) < 2) 67 goto err; 68 if (CBS_len(cbs) != 0) 69 goto err; 70 71 CBS_dup(&alpn, &proto_name_list); 72 while (CBS_len(&proto_name_list) > 0) { 73 CBS proto_name; 74 75 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 76 goto err; 77 if (CBS_len(&proto_name) == 0) 78 goto err; 79 } 80 81 if (s->ctx->internal->alpn_select_cb == NULL) 82 return 1; 83 84 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 85 CBS_data(&alpn), CBS_len(&alpn), 86 s->ctx->internal->alpn_select_cb_arg); 87 if (r == SSL_TLSEXT_ERR_OK) { 88 free(S3I(s)->alpn_selected); 89 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 90 *alert = SSL_AD_INTERNAL_ERROR; 91 return 0; 92 } 93 memcpy(S3I(s)->alpn_selected, selected, selected_len); 94 S3I(s)->alpn_selected_len = selected_len; 95 } 96 97 return 1; 98 99 err: 100 *alert = SSL_AD_DECODE_ERROR; 101 return 0; 102} 103 104int 105tlsext_alpn_serverhello_needs(SSL *s) 106{ 107 return S3I(s)->alpn_selected != NULL; 108} 109 110int 111tlsext_alpn_serverhello_build(SSL *s, CBB *cbb) 112{ 113 CBB list, selected; 114 115 if (!CBB_add_u16_length_prefixed(cbb, &list)) 116 return 0; 117 118 if (!CBB_add_u8_length_prefixed(&list, &selected)) 119 return 0; 120 121 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 122 S3I(s)->alpn_selected_len)) 123 return 0; 124 125 if (!CBB_flush(cbb)) 126 return 0; 127 128 return 1; 129} 130 131int 132tlsext_alpn_serverhello_parse(SSL *s, CBS *cbs, int *alert) 133{ 134 CBS list, proto; 135 136 if (s->internal->alpn_client_proto_list == NULL) { 137 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 138 return 0; 139 } 140 141 if (!CBS_get_u16_length_prefixed(cbs, &list)) 142 goto err; 143 if (CBS_len(cbs) != 0) 144 goto err; 145 146 if (!CBS_get_u8_length_prefixed(&list, &proto)) 147 goto err; 148 149 if (CBS_len(&list) != 0) 150 goto err; 151 if (CBS_len(&proto) == 0) 152 goto err; 153 154 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 155 &(S3I(s)->alpn_selected_len))) 156 goto err; 157 158 return 1; 159 160 err: 161 *alert = TLS1_AD_DECODE_ERROR; 162 return 0; 163} 164 165/* 166 * Supported Elliptic Curves - RFC 4492 section 5.1.1 167 */ 168int 169tlsext_ec_clienthello_needs(SSL *s) 170{ 171 return ssl_has_ecc_ciphers(s); 172} 173 174int 175tlsext_ec_clienthello_build(SSL *s, CBB *cbb) 176{ 177 CBB curvelist; 178 size_t curves_len; 179 int i; 180 const uint16_t *curves; 181 182 tls1_get_curvelist(s, 0, &curves, &curves_len); 183 184 if (curves_len == 0) { 185 SSLerror(s, ERR_R_INTERNAL_ERROR); 186 return 0; 187 } 188 189 if (!CBB_add_u16_length_prefixed(cbb, &curvelist)) 190 return 0; 191 192 for (i = 0; i < curves_len; i++) { 193 if (!CBB_add_u16(&curvelist, curves[i])) 194 return 0; 195 } 196 197 if (!CBB_flush(cbb)) 198 return 0; 199 200 return 1; 201} 202 203int 204tlsext_ec_clienthello_parse(SSL *s, CBS *cbs, int *alert) 205{ 206 CBS curvelist; 207 size_t curves_len; 208 209 if (!CBS_get_u16_length_prefixed(cbs, &curvelist)) 210 goto err; 211 if (CBS_len(cbs) != 0) 212 goto err; 213 214 curves_len = CBS_len(&curvelist); 215 if (curves_len == 0 || curves_len % 2 != 0) 216 goto err; 217 curves_len /= 2; 218 219 if (!s->internal->hit) { 220 int i; 221 uint16_t *curves; 222 223 if (SSI(s)->tlsext_supportedgroups != NULL) 224 goto err; 225 226 if ((curves = reallocarray(NULL, curves_len, 227 sizeof(uint16_t))) == NULL) { 228 *alert = TLS1_AD_INTERNAL_ERROR; 229 return 0; 230 } 231 232 for (i = 0; i < curves_len; i++) { 233 if (!CBS_get_u16(&curvelist, &curves[i])) { 234 free(curves); 235 goto err; 236 } 237 } 238 239 if (CBS_len(&curvelist) != 0) { 240 free(curves); 241 goto err; 242 } 243 244 SSI(s)->tlsext_supportedgroups = curves; 245 SSI(s)->tlsext_supportedgroups_length = curves_len; 246 } 247 248 return 1; 249 250 err: 251 *alert = TLS1_AD_DECODE_ERROR; 252 return 0; 253} 254 255/* This extension is never used by the server. */ 256int 257tlsext_ec_serverhello_needs(SSL *s) 258{ 259 return 0; 260} 261 262int 263tlsext_ec_serverhello_build(SSL *s, CBB *cbb) 264{ 265 return 0; 266} 267 268int 269tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert) 270{ 271 /* 272 * Servers should not send this extension per the RFC. 273 * 274 * However, F5 sends it by mistake (case ID 492780) so we need to skip 275 * over it. This bug is from at least 2014 but as of 2017, there 276 * are still large sites with this bug in production. 277 * 278 * https://devcentral.f5.com/questions/disable-supported-elliptic-curves-extension-from-server 279 */ 280 if (!CBS_skip(cbs, CBS_len(cbs))) { 281 *alert = TLS1_AD_INTERNAL_ERROR; 282 return 0; 283 } 284 285 return 1; 286} 287 288/* 289 * Supported Point Formats Extension - RFC 4492 section 5.1.2 290 */ 291static int 292tlsext_ecpf_build(SSL *s, CBB *cbb) 293{ 294 CBB ecpf; 295 size_t formats_len; 296 const uint8_t *formats; 297 298 tls1_get_formatlist(s, 0, &formats, &formats_len); 299 300 if (formats_len == 0) { 301 SSLerror(s, ERR_R_INTERNAL_ERROR); 302 return 0; 303 } 304 305 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 306 return 0; 307 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 308 return 0; 309 if (!CBB_flush(cbb)) 310 return 0; 311 312 return 1; 313} 314 315static int 316tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert) 317{ 318 CBS ecpf; 319 320 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 321 goto err; 322 if (CBS_len(&ecpf) == 0) 323 goto err; 324 if (CBS_len(cbs) != 0) 325 goto err; 326 327 /* Must contain uncompressed (0) */ 328 if (!CBS_contains_zero_byte(&ecpf)) { 329 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 330 goto err; 331 } 332 333 if (!s->internal->hit) { 334 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 335 &(SSI(s)->tlsext_ecpointformatlist_length))) 336 goto err; 337 } 338 339 return 1; 340 341 err: 342 *alert = TLS1_AD_INTERNAL_ERROR; 343 return 0; 344} 345 346int 347tlsext_ecpf_clienthello_needs(SSL *s) 348{ 349 return ssl_has_ecc_ciphers(s); 350} 351 352int 353tlsext_ecpf_clienthello_build(SSL *s, CBB *cbb) 354{ 355 return tlsext_ecpf_build(s, cbb); 356} 357 358int 359tlsext_ecpf_clienthello_parse(SSL *s, CBS *cbs, int *alert) 360{ 361 return tlsext_ecpf_parse(s, cbs, alert); 362} 363 364int 365tlsext_ecpf_serverhello_needs(SSL *s) 366{ 367 if (s->version == DTLS1_VERSION) 368 return 0; 369 370 return ssl_using_ecc_cipher(s); 371} 372 373int 374tlsext_ecpf_serverhello_build(SSL *s, CBB *cbb) 375{ 376 return tlsext_ecpf_build(s, cbb); 377} 378 379int 380tlsext_ecpf_serverhello_parse(SSL *s, CBS *cbs, int *alert) 381{ 382 return tlsext_ecpf_parse(s, cbs, alert); 383} 384 385/* 386 * Renegotiation Indication - RFC 5746. 387 */ 388int 389tlsext_ri_clienthello_needs(SSL *s) 390{ 391 return (s->internal->renegotiate); 392} 393 394int 395tlsext_ri_clienthello_build(SSL *s, CBB *cbb) 396{ 397 CBB reneg; 398 399 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 400 return 0; 401 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 402 S3I(s)->previous_client_finished_len)) 403 return 0; 404 if (!CBB_flush(cbb)) 405 return 0; 406 407 return 1; 408} 409 410int 411tlsext_ri_clienthello_parse(SSL *s, CBS *cbs, int *alert) 412{ 413 CBS reneg; 414 415 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 416 goto err; 417 if (CBS_len(cbs) != 0) 418 goto err; 419 420 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 421 S3I(s)->previous_client_finished_len)) { 422 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 423 *alert = SSL_AD_HANDSHAKE_FAILURE; 424 return 0; 425 } 426 427 S3I(s)->renegotiate_seen = 1; 428 S3I(s)->send_connection_binding = 1; 429 430 return 1; 431 432 err: 433 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 434 *alert = SSL_AD_DECODE_ERROR; 435 return 0; 436} 437 438int 439tlsext_ri_serverhello_needs(SSL *s) 440{ 441 return (S3I(s)->send_connection_binding); 442} 443 444int 445tlsext_ri_serverhello_build(SSL *s, CBB *cbb) 446{ 447 CBB reneg; 448 449 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 450 return 0; 451 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 452 S3I(s)->previous_client_finished_len)) 453 return 0; 454 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 455 S3I(s)->previous_server_finished_len)) 456 return 0; 457 if (!CBB_flush(cbb)) 458 return 0; 459 460 return 1; 461} 462 463int 464tlsext_ri_serverhello_parse(SSL *s, CBS *cbs, int *alert) 465{ 466 CBS reneg, prev_client, prev_server; 467 468 /* 469 * Ensure that the previous client and server values are both not 470 * present, or that they are both present. 471 */ 472 if ((S3I(s)->previous_client_finished_len == 0 && 473 S3I(s)->previous_server_finished_len != 0) || 474 (S3I(s)->previous_client_finished_len != 0 && 475 S3I(s)->previous_server_finished_len == 0)) { 476 *alert = TLS1_AD_INTERNAL_ERROR; 477 return 0; 478 } 479 480 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 481 goto err; 482 if (!CBS_get_bytes(&reneg, &prev_client, 483 S3I(s)->previous_client_finished_len)) 484 goto err; 485 if (!CBS_get_bytes(&reneg, &prev_server, 486 S3I(s)->previous_server_finished_len)) 487 goto err; 488 if (CBS_len(&reneg) != 0) 489 goto err; 490 if (CBS_len(cbs) != 0) 491 goto err; 492 493 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 494 S3I(s)->previous_client_finished_len)) { 495 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 496 *alert = SSL_AD_HANDSHAKE_FAILURE; 497 return 0; 498 } 499 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 500 S3I(s)->previous_server_finished_len)) { 501 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 502 *alert = SSL_AD_HANDSHAKE_FAILURE; 503 return 0; 504 } 505 506 S3I(s)->renegotiate_seen = 1; 507 S3I(s)->send_connection_binding = 1; 508 509 return 1; 510 511 err: 512 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 513 *alert = SSL_AD_DECODE_ERROR; 514 return 0; 515} 516 517/* 518 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 519 */ 520int 521tlsext_sigalgs_clienthello_needs(SSL *s) 522{ 523 return (TLS1_get_client_version(s) >= TLS1_2_VERSION); 524} 525 526int 527tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb) 528{ 529 unsigned char *sigalgs_data; 530 size_t sigalgs_len; 531 CBB sigalgs; 532 533 tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len); 534 535 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 536 return 0; 537 if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len)) 538 return 0; 539 if (!CBB_flush(cbb)) 540 return 0; 541 542 return 1; 543} 544 545int 546tlsext_sigalgs_clienthello_parse(SSL *s, CBS *cbs, int *alert) 547{ 548 CBS sigalgs; 549 550 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 551 return 0; 552 553 return tls1_process_sigalgs(s, &sigalgs); 554} 555 556int 557tlsext_sigalgs_serverhello_needs(SSL *s) 558{ 559 return 0; 560} 561 562int 563tlsext_sigalgs_serverhello_build(SSL *s, CBB *cbb) 564{ 565 return 0; 566} 567 568int 569tlsext_sigalgs_serverhello_parse(SSL *s, CBS *cbs, int *alert) 570{ 571 /* As per the RFC, servers must not send this extension. */ 572 return 0; 573} 574 575/* 576 * Server Name Indication - RFC 6066, section 3. 577 */ 578int 579tlsext_sni_clienthello_needs(SSL *s) 580{ 581 return (s->tlsext_hostname != NULL); 582} 583 584int 585tlsext_sni_clienthello_build(SSL *s, CBB *cbb) 586{ 587 CBB server_name_list, host_name; 588 589 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 590 return 0; 591 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 592 return 0; 593 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 594 return 0; 595 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 596 strlen(s->tlsext_hostname))) 597 return 0; 598 if (!CBB_flush(cbb)) 599 return 0; 600 601 return 1; 602} 603 604int 605tlsext_sni_clienthello_parse(SSL *s, CBS *cbs, int *alert) 606{ 607 CBS server_name_list, host_name; 608 uint8_t name_type; 609 610 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 611 goto err; 612 613 /* 614 * RFC 6066 section 3 forbids multiple host names with the same type. 615 * Additionally, only one type (host_name) is specified. 616 */ 617 if (!CBS_get_u8(&server_name_list, &name_type)) 618 goto err; 619 if (name_type != TLSEXT_NAMETYPE_host_name) 620 goto err; 621 622 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 623 goto err; 624 if (CBS_len(&host_name) == 0 || 625 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || 626 CBS_contains_zero_byte(&host_name)) { 627 *alert = TLS1_AD_UNRECOGNIZED_NAME; 628 return 0; 629 } 630 631 if (s->internal->hit) { 632 if (s->session->tlsext_hostname == NULL) { 633 *alert = TLS1_AD_UNRECOGNIZED_NAME; 634 return 0; 635 } 636 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 637 strlen(s->session->tlsext_hostname))) { 638 *alert = TLS1_AD_UNRECOGNIZED_NAME; 639 return 0; 640 } 641 } else { 642 if (s->session->tlsext_hostname != NULL) 643 goto err; 644 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 645 *alert = TLS1_AD_INTERNAL_ERROR; 646 return 0; 647 } 648 } 649 650 if (CBS_len(&server_name_list) != 0) 651 goto err; 652 if (CBS_len(cbs) != 0) 653 goto err; 654 655 return 1; 656 657 err: 658 *alert = SSL_AD_DECODE_ERROR; 659 return 0; 660} 661 662int 663tlsext_sni_serverhello_needs(SSL *s) 664{ 665 return (s->session->tlsext_hostname != NULL); 666} 667 668int 669tlsext_sni_serverhello_build(SSL *s, CBB *cbb) 670{ 671 return 1; 672} 673 674int 675tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert) 676{ 677 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 678 *alert = TLS1_AD_UNRECOGNIZED_NAME; 679 return 0; 680 } 681 682 if (s->internal->hit) { 683 if (s->session->tlsext_hostname == NULL) { 684 *alert = TLS1_AD_UNRECOGNIZED_NAME; 685 return 0; 686 } 687 if (strcmp(s->tlsext_hostname, 688 s->session->tlsext_hostname) != 0) { 689 *alert = TLS1_AD_UNRECOGNIZED_NAME; 690 return 0; 691 } 692 } else { 693 if (s->session->tlsext_hostname != NULL) { 694 *alert = SSL_AD_DECODE_ERROR; 695 return 0; 696 } 697 if ((s->session->tlsext_hostname = 698 strdup(s->tlsext_hostname)) == NULL) { 699 *alert = TLS1_AD_INTERNAL_ERROR; 700 return 0; 701 } 702 } 703 704 return 1; 705} 706 707 708/* 709 *Certificate Status Request - RFC 6066 section 8. 710 */ 711 712int 713tlsext_ocsp_clienthello_needs(SSL *s) 714{ 715 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 716 s->version != DTLS1_VERSION); 717} 718 719int 720tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb) 721{ 722 CBB respid_list, respid, exts; 723 unsigned char *ext_data; 724 size_t ext_len; 725 int i; 726 727 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 728 return 0; 729 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 730 return 0; 731 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 732 unsigned char *respid_data; 733 OCSP_RESPID *id; 734 size_t id_len; 735 736 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 737 i)) == NULL) 738 return 0; 739 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 740 return 0; 741 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 742 return 0; 743 if (!CBB_add_space(&respid, &respid_data, id_len)) 744 return 0; 745 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 746 return 0; 747 } 748 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 749 return 0; 750 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 751 NULL)) == -1) 752 return 0; 753 if (!CBB_add_space(&exts, &ext_data, ext_len)) 754 return 0; 755 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 756 ext_len)) 757 return 0; 758 if (!CBB_flush(cbb)) 759 return 0; 760 return 1; 761} 762 763int 764tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert) 765{ 766 int failure = SSL_AD_DECODE_ERROR; 767 unsigned char *respid_data = NULL; 768 unsigned char *ext_data = NULL; 769 size_t ext_len, respid_len; 770 uint8_t status_type; 771 CBS respids, exts; 772 int ret = 0; 773 774 if (!CBS_get_u8(cbs, &status_type)) 775 goto err; 776 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 777 /* ignore unknown status types */ 778 s->tlsext_status_type = -1; 779 780 if (!CBS_skip(cbs, CBS_len(cbs))) { 781 *alert = TLS1_AD_INTERNAL_ERROR; 782 return 0; 783 } 784 return 1; 785 } 786 s->tlsext_status_type = status_type; 787 if (!CBS_get_u16_length_prefixed(cbs, &respids)) 788 goto err; 789 790 /* XXX */ 791 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 792 s->internal->tlsext_ocsp_ids = NULL; 793 if (CBS_len(cbs) > 0) { 794 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 795 if (s->internal->tlsext_ocsp_ids == NULL) { 796 failure = SSL_AD_INTERNAL_ERROR; 797 goto err; 798 } 799 } 800 801 while (CBS_len(&respids) > 0) { 802 OCSP_RESPID *id = NULL; 803 804 if (!CBS_stow(cbs, &respid_data, &respid_len)) 805 goto err; 806 if ((id = d2i_OCSP_RESPID(NULL, 807 (const unsigned char **)&respid_data, respid_len)) == NULL) 808 goto err; 809 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 810 failure = SSL_AD_INTERNAL_ERROR; 811 OCSP_RESPID_free(id); 812 goto err; 813 } 814 free(respid_data); 815 respid_data = NULL; 816 } 817 818 /* Read in request_extensions */ 819 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 820 goto err; 821 if (!CBS_stow(&exts, &ext_data, &ext_len)) 822 goto err; 823 if (ext_len > 0) { 824 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 825 X509_EXTENSION_free); 826 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 827 (const unsigned char **)&ext_data, ext_len)) == NULL) 828 goto err; 829 } 830 /* should be nothing left */ 831 if (CBS_len(cbs) > 0) 832 goto err; 833 834 ret = 1; 835 err: 836 free(respid_data); 837 free(ext_data); 838 if (ret == 0) 839 *alert = failure; 840 return ret; 841} 842 843int 844tlsext_ocsp_serverhello_needs(SSL *s) 845{ 846 return s->internal->tlsext_status_expected; 847} 848 849int 850tlsext_ocsp_serverhello_build(SSL *s, CBB *cbb) 851{ 852 return 1; 853} 854 855int 856tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert) 857{ 858 if (s->tlsext_status_type == -1) { 859 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 860 return 0; 861 } 862 /* Set flag to expect CertificateStatus message */ 863 s->internal->tlsext_status_expected = 1; 864 return 1; 865} 866 867/* 868 * SessionTicket extension - RFC 5077 section 3.2 869 */ 870int 871tlsext_sessionticket_clienthello_needs(SSL *s) 872{ 873 /* 874 * Send session ticket extension when enabled and not overridden. 875 * 876 * When renegotiating, send an empty session ticket to indicate support. 877 */ 878 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 879 return 0; 880 881 if (s->internal->new_session) 882 return 1; 883 884 if (s->internal->tlsext_session_ticket != NULL && 885 s->internal->tlsext_session_ticket->data == NULL) 886 return 0; 887 888 return 1; 889} 890 891int 892tlsext_sessionticket_clienthello_build(SSL *s, CBB *cbb) 893{ 894 /* 895 * Signal that we support session tickets by sending an empty 896 * extension when renegotiating or no session found. 897 */ 898 if (s->internal->new_session || s->session == NULL) 899 return 1; 900 901 if (s->session->tlsext_tick != NULL) { 902 /* Attempt to resume with an existing session ticket */ 903 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 904 s->session->tlsext_ticklen)) 905 return 0; 906 907 } else if (s->internal->tlsext_session_ticket != NULL) { 908 /* 909 * Attempt to resume with a custom provided session ticket set 910 * by SSL_set_session_ticket_ext(). 911 */ 912 if (s->internal->tlsext_session_ticket->length > 0) { 913 size_t ticklen = s->internal->tlsext_session_ticket->length; 914 915 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 916 return 0; 917 memcpy(s->session->tlsext_tick, 918 s->internal->tlsext_session_ticket->data, 919 ticklen); 920 s->session->tlsext_ticklen = ticklen; 921 922 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 923 s->session->tlsext_ticklen)) 924 return 0; 925 } 926 } 927 928 if (!CBB_flush(cbb)) 929 return 0; 930 931 return 1; 932} 933 934int 935tlsext_sessionticket_clienthello_parse(SSL *s, CBS *cbs, int *alert) 936{ 937 if (s->internal->tls_session_ticket_ext_cb) { 938 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 939 (int)CBS_len(cbs), 940 s->internal->tls_session_ticket_ext_cb_arg)) { 941 *alert = TLS1_AD_INTERNAL_ERROR; 942 return 0; 943 } 944 } 945 946 /* We need to signal that this was processed fully */ 947 if (!CBS_skip(cbs, CBS_len(cbs))) { 948 *alert = TLS1_AD_INTERNAL_ERROR; 949 return 0; 950 } 951 952 return 1; 953} 954 955int 956tlsext_sessionticket_serverhello_needs(SSL *s) 957{ 958 return (s->internal->tlsext_ticket_expected && 959 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 960} 961 962int 963tlsext_sessionticket_serverhello_build(SSL *s, CBB *cbb) 964{ 965 /* Empty ticket */ 966 967 return 1; 968} 969 970int 971tlsext_sessionticket_serverhello_parse(SSL *s, CBS *cbs, int *alert) 972{ 973 if (s->internal->tls_session_ticket_ext_cb) { 974 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 975 (int)CBS_len(cbs), 976 s->internal->tls_session_ticket_ext_cb_arg)) { 977 *alert = TLS1_AD_INTERNAL_ERROR; 978 return 0; 979 } 980 } 981 982 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 983 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 984 return 0; 985 } 986 987 s->internal->tlsext_ticket_expected = 1; 988 989 return 1; 990} 991 992/* 993 * DTLS extension for SRTP key establishment - RFC 5764 994 */ 995 996#ifndef OPENSSL_NO_SRTP 997 998int 999tlsext_srtp_clienthello_needs(SSL *s) 1000{ 1001 return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL; 1002} 1003 1004int 1005tlsext_srtp_clienthello_build(SSL *s, CBB *cbb) 1006{ 1007 CBB profiles, mki; 1008 int ct, i; 1009 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1010 SRTP_PROTECTION_PROFILE *prof; 1011 1012 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1013 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1014 return 0; 1015 } 1016 1017 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1018 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1019 return 0; 1020 } 1021 1022 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1023 return 0; 1024 1025 for (i = 0; i < ct; i++) { 1026 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1027 return 0; 1028 if (!CBB_add_u16(&profiles, prof->id)) 1029 return 0; 1030 } 1031 1032 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1033 return 0; 1034 1035 if (!CBB_flush(cbb)) 1036 return 0; 1037 1038 return 1; 1039} 1040 1041int 1042tlsext_srtp_clienthello_parse(SSL *s, CBS *cbs, int *alert) 1043{ 1044 SRTP_PROTECTION_PROFILE *cprof, *sprof; 1045 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1046 int i, j; 1047 int ret; 1048 uint16_t id; 1049 CBS profiles, mki; 1050 1051 ret = 0; 1052 1053 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1054 goto err; 1055 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1056 goto err; 1057 1058 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1059 goto err; 1060 1061 while (CBS_len(&profiles) > 0) { 1062 if (!CBS_get_u16(&profiles, &id)) 1063 goto err; 1064 1065 if (!srtp_find_profile_by_num(id, &cprof)) { 1066 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1067 goto err; 1068 } 1069 } 1070 1071 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1072 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1073 *alert = SSL_AD_DECODE_ERROR; 1074 goto done; 1075 } 1076 if (CBS_len(cbs) != 0) 1077 goto err; 1078 1079 /* 1080 * Per RFC 5764 section 4.1.1 1081 * 1082 * Find the server preferred profile using the client's list. 1083 * 1084 * The server MUST send a profile if it sends the use_srtp 1085 * extension. If one is not found, it should fall back to the 1086 * negotiated DTLS cipher suite or return a DTLS alert. 1087 */ 1088 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1089 goto err; 1090 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1091 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1092 == NULL) 1093 goto err; 1094 1095 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1096 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1097 == NULL) 1098 goto err; 1099 1100 if (cprof->id == sprof->id) { 1101 s->internal->srtp_profile = sprof; 1102 ret = 1; 1103 goto done; 1104 } 1105 } 1106 } 1107 1108 /* If we didn't find anything, fall back to the negotiated */ 1109 ret = 1; 1110 goto done; 1111 1112 err: 1113 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1114 *alert = SSL_AD_DECODE_ERROR; 1115 1116 done: 1117 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1118 return ret; 1119} 1120 1121int 1122tlsext_srtp_serverhello_needs(SSL *s) 1123{ 1124 return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL; 1125} 1126 1127int 1128tlsext_srtp_serverhello_build(SSL *s, CBB *cbb) 1129{ 1130 SRTP_PROTECTION_PROFILE *profile; 1131 CBB srtp, mki; 1132 1133 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1134 return 0; 1135 1136 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1137 return 0; 1138 1139 if (!CBB_add_u16(&srtp, profile->id)) 1140 return 0; 1141 1142 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1143 return 0; 1144 1145 if (!CBB_flush(cbb)) 1146 return 0; 1147 1148 return 1; 1149} 1150 1151int 1152tlsext_srtp_serverhello_parse(SSL *s, CBS *cbs, int *alert) 1153{ 1154 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1155 SRTP_PROTECTION_PROFILE *prof; 1156 int i; 1157 uint16_t id; 1158 CBS profile_ids, mki; 1159 1160 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1161 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1162 goto err; 1163 } 1164 1165 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1166 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1167 goto err; 1168 } 1169 1170 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1171 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1172 *alert = SSL_AD_ILLEGAL_PARAMETER; 1173 return 0; 1174 } 1175 1176 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1177 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1178 goto err; 1179 } 1180 1181 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1182 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1183 == NULL) { 1184 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1185 goto err; 1186 } 1187 1188 if (prof->id == id) { 1189 s->internal->srtp_profile = prof; 1190 return 1; 1191 } 1192 } 1193 1194 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1195 err: 1196 *alert = SSL_AD_DECODE_ERROR; 1197 return 0; 1198} 1199 1200#endif /* OPENSSL_NO_SRTP */ 1201 1202struct tls_extension { 1203 uint16_t type; 1204 int (*clienthello_needs)(SSL *s); 1205 int (*clienthello_build)(SSL *s, CBB *cbb); 1206 int (*clienthello_parse)(SSL *s, CBS *cbs, int *alert); 1207 int (*serverhello_needs)(SSL *s); 1208 int (*serverhello_build)(SSL *s, CBB *cbb); 1209 int (*serverhello_parse)(SSL *s, CBS *cbs, int *alert); 1210}; 1211 1212static struct tls_extension tls_extensions[] = { 1213 { 1214 .type = TLSEXT_TYPE_server_name, 1215 .clienthello_needs = tlsext_sni_clienthello_needs, 1216 .clienthello_build = tlsext_sni_clienthello_build, 1217 .clienthello_parse = tlsext_sni_clienthello_parse, 1218 .serverhello_needs = tlsext_sni_serverhello_needs, 1219 .serverhello_build = tlsext_sni_serverhello_build, 1220 .serverhello_parse = tlsext_sni_serverhello_parse, 1221 }, 1222 { 1223 .type = TLSEXT_TYPE_renegotiate, 1224 .clienthello_needs = tlsext_ri_clienthello_needs, 1225 .clienthello_build = tlsext_ri_clienthello_build, 1226 .clienthello_parse = tlsext_ri_clienthello_parse, 1227 .serverhello_needs = tlsext_ri_serverhello_needs, 1228 .serverhello_build = tlsext_ri_serverhello_build, 1229 .serverhello_parse = tlsext_ri_serverhello_parse, 1230 }, 1231 { 1232 .type = TLSEXT_TYPE_status_request, 1233 .clienthello_needs = tlsext_ocsp_clienthello_needs, 1234 .clienthello_build = tlsext_ocsp_clienthello_build, 1235 .clienthello_parse = tlsext_ocsp_clienthello_parse, 1236 .serverhello_needs = tlsext_ocsp_serverhello_needs, 1237 .serverhello_build = tlsext_ocsp_serverhello_build, 1238 .serverhello_parse = tlsext_ocsp_serverhello_parse, 1239 }, 1240 { 1241 .type = TLSEXT_TYPE_ec_point_formats, 1242 .clienthello_needs = tlsext_ecpf_clienthello_needs, 1243 .clienthello_build = tlsext_ecpf_clienthello_build, 1244 .clienthello_parse = tlsext_ecpf_clienthello_parse, 1245 .serverhello_needs = tlsext_ecpf_serverhello_needs, 1246 .serverhello_build = tlsext_ecpf_serverhello_build, 1247 .serverhello_parse = tlsext_ecpf_serverhello_parse, 1248 }, 1249 { 1250 .type = TLSEXT_TYPE_elliptic_curves, 1251 .clienthello_needs = tlsext_ec_clienthello_needs, 1252 .clienthello_build = tlsext_ec_clienthello_build, 1253 .clienthello_parse = tlsext_ec_clienthello_parse, 1254 .serverhello_needs = tlsext_ec_serverhello_needs, 1255 .serverhello_build = tlsext_ec_serverhello_build, 1256 .serverhello_parse = tlsext_ec_serverhello_parse, 1257 }, 1258 { 1259 .type = TLSEXT_TYPE_session_ticket, 1260 .clienthello_needs = tlsext_sessionticket_clienthello_needs, 1261 .clienthello_build = tlsext_sessionticket_clienthello_build, 1262 .clienthello_parse = tlsext_sessionticket_clienthello_parse, 1263 .serverhello_needs = tlsext_sessionticket_serverhello_needs, 1264 .serverhello_build = tlsext_sessionticket_serverhello_build, 1265 .serverhello_parse = tlsext_sessionticket_serverhello_parse, 1266 }, 1267 { 1268 .type = TLSEXT_TYPE_signature_algorithms, 1269 .clienthello_needs = tlsext_sigalgs_clienthello_needs, 1270 .clienthello_build = tlsext_sigalgs_clienthello_build, 1271 .clienthello_parse = tlsext_sigalgs_clienthello_parse, 1272 .serverhello_needs = tlsext_sigalgs_serverhello_needs, 1273 .serverhello_build = tlsext_sigalgs_serverhello_build, 1274 .serverhello_parse = tlsext_sigalgs_serverhello_parse, 1275 }, 1276 { 1277 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1278 .clienthello_needs = tlsext_alpn_clienthello_needs, 1279 .clienthello_build = tlsext_alpn_clienthello_build, 1280 .clienthello_parse = tlsext_alpn_clienthello_parse, 1281 .serverhello_needs = tlsext_alpn_serverhello_needs, 1282 .serverhello_build = tlsext_alpn_serverhello_build, 1283 .serverhello_parse = tlsext_alpn_serverhello_parse, 1284 }, 1285#ifndef OPENSSL_NO_SRTP 1286 { 1287 .type = TLSEXT_TYPE_use_srtp, 1288 .clienthello_needs = tlsext_srtp_clienthello_needs, 1289 .clienthello_build = tlsext_srtp_clienthello_build, 1290 .clienthello_parse = tlsext_srtp_clienthello_parse, 1291 .serverhello_needs = tlsext_srtp_serverhello_needs, 1292 .serverhello_build = tlsext_srtp_serverhello_build, 1293 .serverhello_parse = tlsext_srtp_serverhello_parse, 1294 } 1295#endif /* OPENSSL_NO_SRTP */ 1296}; 1297 1298#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 1299 1300int 1301tlsext_clienthello_build(SSL *s, CBB *cbb) 1302{ 1303 CBB extensions, extension_data; 1304 struct tls_extension *tlsext; 1305 size_t i; 1306 1307 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 1308 return 0; 1309 1310 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1311 tlsext = &tls_extensions[i]; 1312 1313 if (!tlsext->clienthello_needs(s)) 1314 continue; 1315 1316 if (!CBB_add_u16(&extensions, tlsext->type)) 1317 return 0; 1318 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 1319 return 0; 1320 if (!tls_extensions[i].clienthello_build(s, &extension_data)) 1321 return 0; 1322 } 1323 1324 if (!CBB_flush(cbb)) 1325 return 0; 1326 1327 return 1; 1328} 1329 1330int 1331tlsext_clienthello_parse_one(SSL *s, CBS *cbs, uint16_t type, int *alert) 1332{ 1333 struct tls_extension *tlsext; 1334 size_t i; 1335 1336 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1337 tlsext = &tls_extensions[i]; 1338 1339 if (tlsext->type != type) 1340 continue; 1341 if (!tlsext->clienthello_parse(s, cbs, alert)) 1342 return 0; 1343 if (CBS_len(cbs) != 0) { 1344 *alert = SSL_AD_DECODE_ERROR; 1345 return 0; 1346 } 1347 1348 return 1; 1349 } 1350 1351 /* Not found. */ 1352 return 2; 1353} 1354 1355int 1356tlsext_serverhello_build(SSL *s, CBB *cbb) 1357{ 1358 CBB extensions, extension_data; 1359 struct tls_extension *tlsext; 1360 size_t i; 1361 1362 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 1363 return 0; 1364 1365 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1366 tlsext = &tls_extensions[i]; 1367 1368 if (!tlsext->serverhello_needs(s)) 1369 continue; 1370 1371 if (!CBB_add_u16(&extensions, tlsext->type)) 1372 return 0; 1373 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 1374 return 0; 1375 if (!tlsext->serverhello_build(s, &extension_data)) 1376 return 0; 1377 } 1378 1379 if (!CBB_flush(cbb)) 1380 return 0; 1381 1382 return 1; 1383} 1384 1385int 1386tlsext_serverhello_parse_one(SSL *s, CBS *cbs, uint16_t type, int *alert) 1387{ 1388 struct tls_extension *tlsext; 1389 size_t i; 1390 1391 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1392 tlsext = &tls_extensions[i]; 1393 1394 if (tlsext->type != type) 1395 continue; 1396 if (!tlsext->serverhello_parse(s, cbs, alert)) 1397 return 0; 1398 if (CBS_len(cbs) != 0) { 1399 *alert = SSL_AD_DECODE_ERROR; 1400 return 0; 1401 } 1402 1403 return 1; 1404 } 1405 1406 /* Not found. */ 1407 return 2; 1408} 1409