ssl_tlsext.c revision 1.42
1/* $OpenBSD: ssl_tlsext.c,v 1.42 2019/03/17 15:16:39 jsing Exp $ */ 2/* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19#include <openssl/curve25519.h> 20#include <openssl/ocsp.h> 21 22#include "ssl_locl.h" 23 24#include "bytestring.h" 25#include "ssl_sigalgs.h" 26#include "ssl_tlsext.h" 27 28/* 29 * Supported Application-Layer Protocol Negotiation - RFC 7301 30 */ 31 32int 33tlsext_alpn_client_needs(SSL *s) 34{ 35 /* ALPN protos have been specified and this is the initial handshake */ 36 return s->internal->alpn_client_proto_list != NULL && 37 S3I(s)->tmp.finish_md_len == 0; 38} 39 40int 41tlsext_alpn_client_build(SSL *s, CBB *cbb) 42{ 43 CBB protolist; 44 45 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 46 return 0; 47 48 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 49 s->internal->alpn_client_proto_list_len)) 50 return 0; 51 52 if (!CBB_flush(cbb)) 53 return 0; 54 55 return 1; 56} 57 58int 59tlsext_alpn_server_parse(SSL *s, CBS *cbs, int *alert) 60{ 61 CBS proto_name_list, alpn; 62 const unsigned char *selected; 63 unsigned char selected_len; 64 int r; 65 66 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 67 goto err; 68 if (CBS_len(&alpn) < 2) 69 goto err; 70 if (CBS_len(cbs) != 0) 71 goto err; 72 73 CBS_dup(&alpn, &proto_name_list); 74 while (CBS_len(&proto_name_list) > 0) { 75 CBS proto_name; 76 77 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 78 goto err; 79 if (CBS_len(&proto_name) == 0) 80 goto err; 81 } 82 83 if (s->ctx->internal->alpn_select_cb == NULL) 84 return 1; 85 86 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 87 CBS_data(&alpn), CBS_len(&alpn), 88 s->ctx->internal->alpn_select_cb_arg); 89 if (r == SSL_TLSEXT_ERR_OK) { 90 free(S3I(s)->alpn_selected); 91 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 92 *alert = SSL_AD_INTERNAL_ERROR; 93 return 0; 94 } 95 memcpy(S3I(s)->alpn_selected, selected, selected_len); 96 S3I(s)->alpn_selected_len = selected_len; 97 } 98 99 return 1; 100 101 err: 102 *alert = SSL_AD_DECODE_ERROR; 103 return 0; 104} 105 106int 107tlsext_alpn_server_needs(SSL *s) 108{ 109 return S3I(s)->alpn_selected != NULL; 110} 111 112int 113tlsext_alpn_server_build(SSL *s, CBB *cbb) 114{ 115 CBB list, selected; 116 117 if (!CBB_add_u16_length_prefixed(cbb, &list)) 118 return 0; 119 120 if (!CBB_add_u8_length_prefixed(&list, &selected)) 121 return 0; 122 123 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 124 S3I(s)->alpn_selected_len)) 125 return 0; 126 127 if (!CBB_flush(cbb)) 128 return 0; 129 130 return 1; 131} 132 133int 134tlsext_alpn_client_parse(SSL *s, CBS *cbs, int *alert) 135{ 136 CBS list, proto; 137 138 if (s->internal->alpn_client_proto_list == NULL) { 139 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 140 return 0; 141 } 142 143 if (!CBS_get_u16_length_prefixed(cbs, &list)) 144 goto err; 145 if (CBS_len(cbs) != 0) 146 goto err; 147 148 if (!CBS_get_u8_length_prefixed(&list, &proto)) 149 goto err; 150 151 if (CBS_len(&list) != 0) 152 goto err; 153 if (CBS_len(&proto) == 0) 154 goto err; 155 156 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 157 &(S3I(s)->alpn_selected_len))) 158 goto err; 159 160 return 1; 161 162 err: 163 *alert = TLS1_AD_DECODE_ERROR; 164 return 0; 165} 166 167/* 168 * Supported Groups - RFC 7919 section 2 169 */ 170int 171tlsext_supportedgroups_client_needs(SSL *s) 172{ 173 return ssl_has_ecc_ciphers(s) || 174 (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 175} 176 177int 178tlsext_supportedgroups_client_build(SSL *s, CBB *cbb) 179{ 180 const uint16_t *groups; 181 size_t groups_len; 182 CBB grouplist; 183 int i; 184 185 tls1_get_group_list(s, 0, &groups, &groups_len); 186 if (groups_len == 0) { 187 SSLerror(s, ERR_R_INTERNAL_ERROR); 188 return 0; 189 } 190 191 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 192 return 0; 193 194 for (i = 0; i < groups_len; i++) { 195 if (!CBB_add_u16(&grouplist, groups[i])) 196 return 0; 197 } 198 199 if (!CBB_flush(cbb)) 200 return 0; 201 202 return 1; 203} 204 205int 206tlsext_supportedgroups_server_parse(SSL *s, CBS *cbs, int *alert) 207{ 208 CBS grouplist; 209 size_t groups_len; 210 211 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 212 goto err; 213 if (CBS_len(cbs) != 0) 214 goto err; 215 216 groups_len = CBS_len(&grouplist); 217 if (groups_len == 0 || groups_len % 2 != 0) 218 goto err; 219 groups_len /= 2; 220 221 if (!s->internal->hit) { 222 uint16_t *groups; 223 int i; 224 225 if (SSI(s)->tlsext_supportedgroups != NULL) 226 goto err; 227 228 if ((groups = reallocarray(NULL, groups_len, 229 sizeof(uint16_t))) == NULL) { 230 *alert = TLS1_AD_INTERNAL_ERROR; 231 return 0; 232 } 233 234 for (i = 0; i < groups_len; i++) { 235 if (!CBS_get_u16(&grouplist, &groups[i])) { 236 free(groups); 237 goto err; 238 } 239 } 240 241 if (CBS_len(&grouplist) != 0) { 242 free(groups); 243 goto err; 244 } 245 246 SSI(s)->tlsext_supportedgroups = groups; 247 SSI(s)->tlsext_supportedgroups_length = groups_len; 248 } 249 250 return 1; 251 252 err: 253 *alert = TLS1_AD_DECODE_ERROR; 254 return 0; 255} 256 257/* This extension is never used by the server. */ 258int 259tlsext_supportedgroups_server_needs(SSL *s) 260{ 261 return 0; 262} 263 264int 265tlsext_supportedgroups_server_build(SSL *s, CBB *cbb) 266{ 267 return 0; 268} 269 270int 271tlsext_supportedgroups_client_parse(SSL *s, CBS *cbs, int *alert) 272{ 273 /* 274 * Servers should not send this extension per the RFC. 275 * 276 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 277 * from at least 2014 but as of 2017, there are still large sites with 278 * this unpatched in production. As a result, we need to currently skip 279 * over the extension and ignore its content: 280 * 281 * https://support.f5.com/csp/article/K37345003 282 */ 283 if (!CBS_skip(cbs, CBS_len(cbs))) { 284 *alert = TLS1_AD_INTERNAL_ERROR; 285 return 0; 286 } 287 288 return 1; 289} 290 291/* 292 * Supported Point Formats Extension - RFC 4492 section 5.1.2 293 */ 294static int 295tlsext_ecpf_build(SSL *s, CBB *cbb) 296{ 297 CBB ecpf; 298 size_t formats_len; 299 const uint8_t *formats; 300 301 tls1_get_formatlist(s, 0, &formats, &formats_len); 302 303 if (formats_len == 0) { 304 SSLerror(s, ERR_R_INTERNAL_ERROR); 305 return 0; 306 } 307 308 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 309 return 0; 310 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 311 return 0; 312 if (!CBB_flush(cbb)) 313 return 0; 314 315 return 1; 316} 317 318static int 319tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert) 320{ 321 CBS ecpf; 322 323 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 324 goto err; 325 if (CBS_len(&ecpf) == 0) 326 goto err; 327 if (CBS_len(cbs) != 0) 328 goto err; 329 330 /* Must contain uncompressed (0) */ 331 if (!CBS_contains_zero_byte(&ecpf)) { 332 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 333 goto err; 334 } 335 336 if (!s->internal->hit) { 337 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 338 &(SSI(s)->tlsext_ecpointformatlist_length))) { 339 *alert = TLS1_AD_INTERNAL_ERROR; 340 return 0; 341 } 342 } 343 344 return 1; 345 346 err: 347 *alert = SSL_AD_DECODE_ERROR; 348 return 0; 349} 350 351int 352tlsext_ecpf_client_needs(SSL *s) 353{ 354 return ssl_has_ecc_ciphers(s); 355} 356 357int 358tlsext_ecpf_client_build(SSL *s, CBB *cbb) 359{ 360 return tlsext_ecpf_build(s, cbb); 361} 362 363int 364tlsext_ecpf_server_parse(SSL *s, CBS *cbs, int *alert) 365{ 366 return tlsext_ecpf_parse(s, cbs, alert); 367} 368 369int 370tlsext_ecpf_server_needs(SSL *s) 371{ 372 if (s->version == DTLS1_VERSION) 373 return 0; 374 375 return ssl_using_ecc_cipher(s); 376} 377 378int 379tlsext_ecpf_server_build(SSL *s, CBB *cbb) 380{ 381 return tlsext_ecpf_build(s, cbb); 382} 383 384int 385tlsext_ecpf_client_parse(SSL *s, CBS *cbs, int *alert) 386{ 387 return tlsext_ecpf_parse(s, cbs, alert); 388} 389 390/* 391 * Renegotiation Indication - RFC 5746. 392 */ 393int 394tlsext_ri_client_needs(SSL *s) 395{ 396 return (s->internal->renegotiate); 397} 398 399int 400tlsext_ri_client_build(SSL *s, CBB *cbb) 401{ 402 CBB reneg; 403 404 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 405 return 0; 406 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 407 S3I(s)->previous_client_finished_len)) 408 return 0; 409 if (!CBB_flush(cbb)) 410 return 0; 411 412 return 1; 413} 414 415int 416tlsext_ri_server_parse(SSL *s, CBS *cbs, int *alert) 417{ 418 CBS reneg; 419 420 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 421 goto err; 422 if (CBS_len(cbs) != 0) 423 goto err; 424 425 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 426 S3I(s)->previous_client_finished_len)) { 427 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 428 *alert = SSL_AD_HANDSHAKE_FAILURE; 429 return 0; 430 } 431 432 S3I(s)->renegotiate_seen = 1; 433 S3I(s)->send_connection_binding = 1; 434 435 return 1; 436 437 err: 438 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 439 *alert = SSL_AD_DECODE_ERROR; 440 return 0; 441} 442 443int 444tlsext_ri_server_needs(SSL *s) 445{ 446 return (S3I(s)->send_connection_binding); 447} 448 449int 450tlsext_ri_server_build(SSL *s, CBB *cbb) 451{ 452 CBB reneg; 453 454 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 455 return 0; 456 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 457 S3I(s)->previous_client_finished_len)) 458 return 0; 459 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 460 S3I(s)->previous_server_finished_len)) 461 return 0; 462 if (!CBB_flush(cbb)) 463 return 0; 464 465 return 1; 466} 467 468int 469tlsext_ri_client_parse(SSL *s, CBS *cbs, int *alert) 470{ 471 CBS reneg, prev_client, prev_server; 472 473 /* 474 * Ensure that the previous client and server values are both not 475 * present, or that they are both present. 476 */ 477 if ((S3I(s)->previous_client_finished_len == 0 && 478 S3I(s)->previous_server_finished_len != 0) || 479 (S3I(s)->previous_client_finished_len != 0 && 480 S3I(s)->previous_server_finished_len == 0)) { 481 *alert = TLS1_AD_INTERNAL_ERROR; 482 return 0; 483 } 484 485 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 486 goto err; 487 if (!CBS_get_bytes(&reneg, &prev_client, 488 S3I(s)->previous_client_finished_len)) 489 goto err; 490 if (!CBS_get_bytes(&reneg, &prev_server, 491 S3I(s)->previous_server_finished_len)) 492 goto err; 493 if (CBS_len(&reneg) != 0) 494 goto err; 495 if (CBS_len(cbs) != 0) 496 goto err; 497 498 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 499 S3I(s)->previous_client_finished_len)) { 500 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 501 *alert = SSL_AD_HANDSHAKE_FAILURE; 502 return 0; 503 } 504 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 505 S3I(s)->previous_server_finished_len)) { 506 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 507 *alert = SSL_AD_HANDSHAKE_FAILURE; 508 return 0; 509 } 510 511 S3I(s)->renegotiate_seen = 1; 512 S3I(s)->send_connection_binding = 1; 513 514 return 1; 515 516 err: 517 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 518 *alert = SSL_AD_DECODE_ERROR; 519 return 0; 520} 521 522/* 523 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 524 */ 525int 526tlsext_sigalgs_client_needs(SSL *s) 527{ 528 return (s->client_version >= TLS1_2_VERSION); 529} 530 531int 532tlsext_sigalgs_client_build(SSL *s, CBB *cbb) 533{ 534 uint16_t *tls_sigalgs = tls12_sigalgs; 535 size_t tls_sigalgs_len = tls12_sigalgs_len; 536 CBB sigalgs; 537 538 if (s->client_version >= TLS1_3_VERSION && 539 S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) { 540 tls_sigalgs = tls13_sigalgs; 541 tls_sigalgs_len = tls13_sigalgs_len; 542 } 543 544 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 545 return 0; 546 547 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 548 return 0; 549 550 if (!CBB_flush(cbb)) 551 return 0; 552 553 return 1; 554} 555 556int 557tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert) 558{ 559 uint16_t *tls_sigalgs = tls12_sigalgs; 560 size_t tls_sigalgs_len = tls12_sigalgs_len; 561 CBS sigalgs; 562 563 if (s->version >= TLS1_3_VERSION) { 564 tls_sigalgs = tls13_sigalgs; 565 tls_sigalgs_len = tls13_sigalgs_len; 566 } 567 568 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 569 return 0; 570 571 return tls1_process_sigalgs(s, &sigalgs, tls_sigalgs, tls_sigalgs_len); 572} 573 574int 575tlsext_sigalgs_server_needs(SSL *s) 576{ 577 return 0; 578} 579 580int 581tlsext_sigalgs_server_build(SSL *s, CBB *cbb) 582{ 583 return 0; 584} 585 586int 587tlsext_sigalgs_client_parse(SSL *s, CBS *cbs, int *alert) 588{ 589 /* As per the RFC, servers must not send this extension. */ 590 return 0; 591} 592 593/* 594 * Server Name Indication - RFC 6066, section 3. 595 */ 596int 597tlsext_sni_client_needs(SSL *s) 598{ 599 return (s->tlsext_hostname != NULL); 600} 601 602int 603tlsext_sni_client_build(SSL *s, CBB *cbb) 604{ 605 CBB server_name_list, host_name; 606 607 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 608 return 0; 609 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 610 return 0; 611 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 612 return 0; 613 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 614 strlen(s->tlsext_hostname))) 615 return 0; 616 if (!CBB_flush(cbb)) 617 return 0; 618 619 return 1; 620} 621 622int 623tlsext_sni_server_parse(SSL *s, CBS *cbs, int *alert) 624{ 625 CBS server_name_list, host_name; 626 uint8_t name_type; 627 628 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 629 goto err; 630 631 /* 632 * RFC 6066 section 3 forbids multiple host names with the same type. 633 * Additionally, only one type (host_name) is specified. 634 */ 635 if (!CBS_get_u8(&server_name_list, &name_type)) 636 goto err; 637 if (name_type != TLSEXT_NAMETYPE_host_name) 638 goto err; 639 640 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 641 goto err; 642 if (CBS_len(&host_name) == 0 || 643 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || 644 CBS_contains_zero_byte(&host_name)) { 645 *alert = TLS1_AD_UNRECOGNIZED_NAME; 646 return 0; 647 } 648 649 if (s->internal->hit) { 650 if (s->session->tlsext_hostname == NULL) { 651 *alert = TLS1_AD_UNRECOGNIZED_NAME; 652 return 0; 653 } 654 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 655 strlen(s->session->tlsext_hostname))) { 656 *alert = TLS1_AD_UNRECOGNIZED_NAME; 657 return 0; 658 } 659 } else { 660 if (s->session->tlsext_hostname != NULL) 661 goto err; 662 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 663 *alert = TLS1_AD_INTERNAL_ERROR; 664 return 0; 665 } 666 } 667 668 if (CBS_len(&server_name_list) != 0) 669 goto err; 670 if (CBS_len(cbs) != 0) 671 goto err; 672 673 return 1; 674 675 err: 676 *alert = SSL_AD_DECODE_ERROR; 677 return 0; 678} 679 680int 681tlsext_sni_server_needs(SSL *s) 682{ 683 return (s->session->tlsext_hostname != NULL); 684} 685 686int 687tlsext_sni_server_build(SSL *s, CBB *cbb) 688{ 689 return 1; 690} 691 692int 693tlsext_sni_client_parse(SSL *s, CBS *cbs, int *alert) 694{ 695 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 696 *alert = TLS1_AD_UNRECOGNIZED_NAME; 697 return 0; 698 } 699 700 if (s->internal->hit) { 701 if (s->session->tlsext_hostname == NULL) { 702 *alert = TLS1_AD_UNRECOGNIZED_NAME; 703 return 0; 704 } 705 if (strcmp(s->tlsext_hostname, 706 s->session->tlsext_hostname) != 0) { 707 *alert = TLS1_AD_UNRECOGNIZED_NAME; 708 return 0; 709 } 710 } else { 711 if (s->session->tlsext_hostname != NULL) { 712 *alert = SSL_AD_DECODE_ERROR; 713 return 0; 714 } 715 if ((s->session->tlsext_hostname = 716 strdup(s->tlsext_hostname)) == NULL) { 717 *alert = TLS1_AD_INTERNAL_ERROR; 718 return 0; 719 } 720 } 721 722 return 1; 723} 724 725 726/* 727 *Certificate Status Request - RFC 6066 section 8. 728 */ 729 730int 731tlsext_ocsp_client_needs(SSL *s) 732{ 733 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 734 s->version != DTLS1_VERSION); 735} 736 737int 738tlsext_ocsp_client_build(SSL *s, CBB *cbb) 739{ 740 CBB respid_list, respid, exts; 741 unsigned char *ext_data; 742 size_t ext_len; 743 int i; 744 745 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 746 return 0; 747 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 748 return 0; 749 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 750 unsigned char *respid_data; 751 OCSP_RESPID *id; 752 size_t id_len; 753 754 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 755 i)) == NULL) 756 return 0; 757 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 758 return 0; 759 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 760 return 0; 761 if (!CBB_add_space(&respid, &respid_data, id_len)) 762 return 0; 763 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 764 return 0; 765 } 766 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 767 return 0; 768 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 769 NULL)) == -1) 770 return 0; 771 if (!CBB_add_space(&exts, &ext_data, ext_len)) 772 return 0; 773 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 774 ext_len)) 775 return 0; 776 if (!CBB_flush(cbb)) 777 return 0; 778 return 1; 779} 780 781int 782tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert) 783{ 784 int failure = SSL_AD_DECODE_ERROR; 785 CBS respid_list, respid, exts; 786 const unsigned char *p; 787 uint8_t status_type; 788 int ret = 0; 789 790 if (!CBS_get_u8(cbs, &status_type)) 791 goto err; 792 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 793 /* ignore unknown status types */ 794 s->tlsext_status_type = -1; 795 796 if (!CBS_skip(cbs, CBS_len(cbs))) { 797 *alert = TLS1_AD_INTERNAL_ERROR; 798 return 0; 799 } 800 return 1; 801 } 802 s->tlsext_status_type = status_type; 803 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 804 goto err; 805 806 /* XXX */ 807 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 808 s->internal->tlsext_ocsp_ids = NULL; 809 if (CBS_len(&respid_list) > 0) { 810 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 811 if (s->internal->tlsext_ocsp_ids == NULL) { 812 failure = SSL_AD_INTERNAL_ERROR; 813 goto err; 814 } 815 } 816 817 while (CBS_len(&respid_list) > 0) { 818 OCSP_RESPID *id; 819 820 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 821 goto err; 822 p = CBS_data(&respid); 823 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 824 goto err; 825 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 826 failure = SSL_AD_INTERNAL_ERROR; 827 OCSP_RESPID_free(id); 828 goto err; 829 } 830 } 831 832 /* Read in request_extensions */ 833 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 834 goto err; 835 if (CBS_len(&exts) > 0) { 836 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 837 X509_EXTENSION_free); 838 p = CBS_data(&exts); 839 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 840 &p, CBS_len(&exts))) == NULL) 841 goto err; 842 } 843 844 /* should be nothing left */ 845 if (CBS_len(cbs) > 0) 846 goto err; 847 848 ret = 1; 849 err: 850 if (ret == 0) 851 *alert = failure; 852 return ret; 853} 854 855int 856tlsext_ocsp_server_needs(SSL *s) 857{ 858 return s->internal->tlsext_status_expected; 859} 860 861int 862tlsext_ocsp_server_build(SSL *s, CBB *cbb) 863{ 864 return 1; 865} 866 867int 868tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert) 869{ 870 if (s->tlsext_status_type == -1) { 871 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 872 return 0; 873 } 874 /* Set flag to expect CertificateStatus message */ 875 s->internal->tlsext_status_expected = 1; 876 return 1; 877} 878 879/* 880 * SessionTicket extension - RFC 5077 section 3.2 881 */ 882int 883tlsext_sessionticket_client_needs(SSL *s) 884{ 885 /* 886 * Send session ticket extension when enabled and not overridden. 887 * 888 * When renegotiating, send an empty session ticket to indicate support. 889 */ 890 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 891 return 0; 892 893 if (s->internal->new_session) 894 return 1; 895 896 if (s->internal->tlsext_session_ticket != NULL && 897 s->internal->tlsext_session_ticket->data == NULL) 898 return 0; 899 900 return 1; 901} 902 903int 904tlsext_sessionticket_client_build(SSL *s, CBB *cbb) 905{ 906 /* 907 * Signal that we support session tickets by sending an empty 908 * extension when renegotiating or no session found. 909 */ 910 if (s->internal->new_session || s->session == NULL) 911 return 1; 912 913 if (s->session->tlsext_tick != NULL) { 914 /* Attempt to resume with an existing session ticket */ 915 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 916 s->session->tlsext_ticklen)) 917 return 0; 918 919 } else if (s->internal->tlsext_session_ticket != NULL) { 920 /* 921 * Attempt to resume with a custom provided session ticket set 922 * by SSL_set_session_ticket_ext(). 923 */ 924 if (s->internal->tlsext_session_ticket->length > 0) { 925 size_t ticklen = s->internal->tlsext_session_ticket->length; 926 927 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 928 return 0; 929 memcpy(s->session->tlsext_tick, 930 s->internal->tlsext_session_ticket->data, 931 ticklen); 932 s->session->tlsext_ticklen = ticklen; 933 934 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 935 s->session->tlsext_ticklen)) 936 return 0; 937 } 938 } 939 940 if (!CBB_flush(cbb)) 941 return 0; 942 943 return 1; 944} 945 946int 947tlsext_sessionticket_server_parse(SSL *s, CBS *cbs, int *alert) 948{ 949 if (s->internal->tls_session_ticket_ext_cb) { 950 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 951 (int)CBS_len(cbs), 952 s->internal->tls_session_ticket_ext_cb_arg)) { 953 *alert = TLS1_AD_INTERNAL_ERROR; 954 return 0; 955 } 956 } 957 958 /* We need to signal that this was processed fully */ 959 if (!CBS_skip(cbs, CBS_len(cbs))) { 960 *alert = TLS1_AD_INTERNAL_ERROR; 961 return 0; 962 } 963 964 return 1; 965} 966 967int 968tlsext_sessionticket_server_needs(SSL *s) 969{ 970 return (s->internal->tlsext_ticket_expected && 971 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 972} 973 974int 975tlsext_sessionticket_server_build(SSL *s, CBB *cbb) 976{ 977 /* Empty ticket */ 978 return 1; 979} 980 981int 982tlsext_sessionticket_client_parse(SSL *s, CBS *cbs, int *alert) 983{ 984 if (s->internal->tls_session_ticket_ext_cb) { 985 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 986 (int)CBS_len(cbs), 987 s->internal->tls_session_ticket_ext_cb_arg)) { 988 *alert = TLS1_AD_INTERNAL_ERROR; 989 return 0; 990 } 991 } 992 993 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 994 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 995 return 0; 996 } 997 998 s->internal->tlsext_ticket_expected = 1; 999 1000 return 1; 1001} 1002 1003/* 1004 * DTLS extension for SRTP key establishment - RFC 5764 1005 */ 1006 1007#ifndef OPENSSL_NO_SRTP 1008 1009int 1010tlsext_srtp_client_needs(SSL *s) 1011{ 1012 return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL; 1013} 1014 1015int 1016tlsext_srtp_client_build(SSL *s, CBB *cbb) 1017{ 1018 CBB profiles, mki; 1019 int ct, i; 1020 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1021 SRTP_PROTECTION_PROFILE *prof; 1022 1023 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1024 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1025 return 0; 1026 } 1027 1028 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1029 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1030 return 0; 1031 } 1032 1033 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1034 return 0; 1035 1036 for (i = 0; i < ct; i++) { 1037 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1038 return 0; 1039 if (!CBB_add_u16(&profiles, prof->id)) 1040 return 0; 1041 } 1042 1043 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1044 return 0; 1045 1046 if (!CBB_flush(cbb)) 1047 return 0; 1048 1049 return 1; 1050} 1051 1052int 1053tlsext_srtp_server_parse(SSL *s, CBS *cbs, int *alert) 1054{ 1055 SRTP_PROTECTION_PROFILE *cprof, *sprof; 1056 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1057 int i, j; 1058 int ret; 1059 uint16_t id; 1060 CBS profiles, mki; 1061 1062 ret = 0; 1063 1064 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1065 goto err; 1066 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1067 goto err; 1068 1069 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1070 goto err; 1071 1072 while (CBS_len(&profiles) > 0) { 1073 if (!CBS_get_u16(&profiles, &id)) 1074 goto err; 1075 1076 if (!srtp_find_profile_by_num(id, &cprof)) { 1077 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1078 goto err; 1079 } 1080 } 1081 1082 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1083 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1084 *alert = SSL_AD_DECODE_ERROR; 1085 goto done; 1086 } 1087 if (CBS_len(cbs) != 0) 1088 goto err; 1089 1090 /* 1091 * Per RFC 5764 section 4.1.1 1092 * 1093 * Find the server preferred profile using the client's list. 1094 * 1095 * The server MUST send a profile if it sends the use_srtp 1096 * extension. If one is not found, it should fall back to the 1097 * negotiated DTLS cipher suite or return a DTLS alert. 1098 */ 1099 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1100 goto err; 1101 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1102 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1103 == NULL) 1104 goto err; 1105 1106 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1107 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1108 == NULL) 1109 goto err; 1110 1111 if (cprof->id == sprof->id) { 1112 s->internal->srtp_profile = sprof; 1113 ret = 1; 1114 goto done; 1115 } 1116 } 1117 } 1118 1119 /* If we didn't find anything, fall back to the negotiated */ 1120 ret = 1; 1121 goto done; 1122 1123 err: 1124 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1125 *alert = SSL_AD_DECODE_ERROR; 1126 1127 done: 1128 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1129 return ret; 1130} 1131 1132int 1133tlsext_srtp_server_needs(SSL *s) 1134{ 1135 return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL; 1136} 1137 1138int 1139tlsext_srtp_server_build(SSL *s, CBB *cbb) 1140{ 1141 SRTP_PROTECTION_PROFILE *profile; 1142 CBB srtp, mki; 1143 1144 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1145 return 0; 1146 1147 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1148 return 0; 1149 1150 if (!CBB_add_u16(&srtp, profile->id)) 1151 return 0; 1152 1153 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1154 return 0; 1155 1156 if (!CBB_flush(cbb)) 1157 return 0; 1158 1159 return 1; 1160} 1161 1162int 1163tlsext_srtp_client_parse(SSL *s, CBS *cbs, int *alert) 1164{ 1165 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1166 SRTP_PROTECTION_PROFILE *prof; 1167 int i; 1168 uint16_t id; 1169 CBS profile_ids, mki; 1170 1171 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1172 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1173 goto err; 1174 } 1175 1176 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1177 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1178 goto err; 1179 } 1180 1181 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1182 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1183 *alert = SSL_AD_ILLEGAL_PARAMETER; 1184 return 0; 1185 } 1186 1187 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1188 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1189 goto err; 1190 } 1191 1192 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1193 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1194 == NULL) { 1195 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1196 goto err; 1197 } 1198 1199 if (prof->id == id) { 1200 s->internal->srtp_profile = prof; 1201 return 1; 1202 } 1203 } 1204 1205 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1206 err: 1207 *alert = SSL_AD_DECODE_ERROR; 1208 return 0; 1209} 1210 1211#endif /* OPENSSL_NO_SRTP */ 1212 1213/* 1214 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1215 */ 1216int 1217tlsext_keyshare_client_needs(SSL *s) 1218{ 1219 /* XXX once this gets initialized when we get tls13_client.c */ 1220 if (S3I(s)->hs_tls13.max_version == 0) 1221 return 0; 1222 return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= 1223 TLS1_3_VERSION); 1224} 1225 1226int 1227tlsext_keyshare_client_build(SSL *s, CBB *cbb) 1228{ 1229 uint8_t *public_key = NULL, *private_key = NULL; 1230 CBB client_shares, key_exchange; 1231 1232 /* Generate and provide key shares. */ 1233 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1234 return 0; 1235 1236 /* XXX - other groups. */ 1237 1238 /* Generate X25519 key pair. */ 1239 if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL) 1240 goto err; 1241 if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL) 1242 goto err; 1243 X25519_keypair(public_key, private_key); 1244 1245 /* Add the group and serialize the public key. */ 1246 if (!CBB_add_u16(&client_shares, tls1_ec_nid2curve_id(NID_X25519))) 1247 goto err; 1248 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1249 goto err; 1250 if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH)) 1251 goto err; 1252 1253 if (!CBB_flush(cbb)) 1254 goto err; 1255 1256 S3I(s)->hs_tls13.x25519_public = public_key; 1257 S3I(s)->hs_tls13.x25519_private = private_key; 1258 1259 return 1; 1260 1261 err: 1262 freezero(public_key, X25519_KEY_LENGTH); 1263 freezero(private_key, X25519_KEY_LENGTH); 1264 1265 return 0; 1266} 1267 1268int 1269tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert) 1270{ 1271 CBS client_shares; 1272 CBS key_exchange; 1273 uint16_t group; 1274 size_t out_len; 1275 int ret = 0; 1276 1277 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1278 goto err; 1279 1280 if (CBS_len(cbs) != 0) 1281 goto err; 1282 1283 while (CBS_len(&client_shares) > 0) { 1284 1285 /* Unpack client share. */ 1286 if (!CBS_get_u16(&client_shares, &group)) 1287 goto err; 1288 1289 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1290 goto err; 1291 1292 /* 1293 * Skip this client share if not X25519 1294 * XXX support other groups later. 1295 * XXX enforce group can only appear once. 1296 */ 1297 if (S3I(s)->hs_tls13.x25519_peer_public != NULL || 1298 group != tls1_ec_nid2curve_id(NID_X25519)) 1299 continue; 1300 1301 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH) 1302 goto err; 1303 1304 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public, 1305 &out_len)) 1306 goto err; 1307 1308 ret = 1; 1309 } 1310 1311 return ret; 1312 1313 err: 1314 *alert = SSL_AD_DECODE_ERROR; 1315 return 0; 1316} 1317 1318int 1319tlsext_keyshare_server_needs(SSL *s) 1320{ 1321 if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION) 1322 return 0; 1323 1324 return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); 1325} 1326 1327int 1328tlsext_keyshare_server_build(SSL *s, CBB *cbb) 1329{ 1330 uint8_t *public_key = NULL, *private_key = NULL; 1331 CBB key_exchange; 1332 1333 /* XXX deduplicate with client code */ 1334 1335 /* X25519 */ 1336 if (S3I(s)->hs_tls13.x25519_peer_public == NULL) 1337 return 0; 1338 1339 /* Generate X25519 key pair. */ 1340 if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL) 1341 goto err; 1342 if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL) 1343 goto err; 1344 X25519_keypair(public_key, private_key); 1345 1346 /* Add the group and serialize the public key. */ 1347 if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519))) 1348 goto err; 1349 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1350 goto err; 1351 if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH)) 1352 goto err; 1353 1354 if (!CBB_flush(cbb)) 1355 goto err; 1356 1357 S3I(s)->hs_tls13.x25519_public = public_key; 1358 S3I(s)->hs_tls13.x25519_private = private_key; 1359 1360 return 1; 1361 1362 err: 1363 freezero(public_key, X25519_KEY_LENGTH); 1364 freezero(private_key, X25519_KEY_LENGTH); 1365 1366 return 0; 1367} 1368 1369int 1370tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert) 1371{ 1372 CBS key_exchange; 1373 uint16_t group; 1374 size_t out_len; 1375 1376 /* Unpack server share. */ 1377 if (!CBS_get_u16(cbs, &group)) 1378 goto err; 1379 1380 /* Handle other groups and verify that they're valid. */ 1381 if (group != tls1_ec_nid2curve_id(NID_X25519)) 1382 goto err; 1383 1384 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1385 goto err; 1386 1387 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH) 1388 goto err; 1389 1390 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public, 1391 &out_len)) 1392 goto err; 1393 1394 return 1; 1395 1396 err: 1397 *alert = SSL_AD_DECODE_ERROR; 1398 return 0; 1399} 1400 1401/* 1402 * Supported Versions - RFC 8446 section 4.2.1. 1403 */ 1404int 1405tlsext_versions_client_needs(SSL *s) 1406{ 1407 if (SSL_IS_DTLS(s)) 1408 return 0; 1409 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 1410} 1411 1412int 1413tlsext_versions_client_build(SSL *s, CBB *cbb) 1414{ 1415 uint16_t max, min; 1416 uint16_t version; 1417 CBB versions; 1418 1419 max = S3I(s)->hs_tls13.max_version; 1420 min = S3I(s)->hs_tls13.min_version; 1421 1422 if (min < TLS1_VERSION) 1423 return 0; 1424 1425 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1426 return 0; 1427 1428 /* XXX - fix, but contiguous for now... */ 1429 for (version = max; version >= min; version--) { 1430 if (!CBB_add_u16(&versions, version)) 1431 return 0; 1432 } 1433 1434 if (!CBB_flush(cbb)) 1435 return 0; 1436 1437 return 1; 1438} 1439 1440int 1441tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert) 1442{ 1443 CBS versions; 1444 uint16_t version; 1445 uint16_t max, min; 1446 uint16_t matched_version = 0; 1447 1448 max = S3I(s)->hs_tls13.max_version; 1449 min = S3I(s)->hs_tls13.min_version; 1450 1451 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1452 goto err; 1453 1454 while (CBS_len(&versions) > 0) { 1455 if (!CBS_get_u16(&versions, &version)) 1456 goto err; 1457 /* 1458 * XXX What is below implements client preference, and 1459 * ignores any server preference entirely. 1460 */ 1461 if (matched_version == 0 && version >= min && version <= max) 1462 matched_version = version; 1463 } 1464 1465 /* 1466 * XXX if we haven't mached a version we should 1467 * fail - but we currently need to succeed to 1468 * ignore this before the server code for 1.3 1469 * is set up and initialized. 1470 */ 1471 if (max == 0) 1472 return 1; /* XXX */ 1473 1474 if (matched_version != 0) { 1475 s->version = matched_version; 1476 return 1; 1477 } 1478 1479 *alert = SSL_AD_PROTOCOL_VERSION; 1480 return 0; 1481 1482err: 1483 *alert = SSL_AD_DECODE_ERROR; 1484 return 0; 1485} 1486 1487int 1488tlsext_versions_server_needs(SSL *s) 1489{ 1490 return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); 1491} 1492 1493int 1494tlsext_versions_server_build(SSL *s, CBB *cbb) 1495{ 1496 if (!CBB_add_u16(cbb, TLS1_3_VERSION)) 1497 return 0; 1498 /* XXX set 1.2 in legacy version? */ 1499 1500 return 1; 1501} 1502 1503int 1504tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert) 1505{ 1506 uint16_t selected_version; 1507 1508 if (!CBS_get_u16(cbs, &selected_version)) { 1509 *alert = SSL_AD_DECODE_ERROR; 1510 return 0; 1511 } 1512 1513 if (selected_version < TLS1_3_VERSION) { 1514 *alert = SSL_AD_ILLEGAL_PARAMETER; 1515 return 0; 1516 } 1517 1518 /* XXX test between min and max once initialization code goes in */ 1519 S3I(s)->hs_tls13.server_version = selected_version; 1520 1521 return 1; 1522} 1523 1524 1525/* 1526 * Cookie - RFC 8446 section 4.2.2. 1527 */ 1528 1529int 1530tlsext_cookie_client_needs(SSL *s) 1531{ 1532 if (SSL_IS_DTLS(s)) 1533 return 0; 1534 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1535 return 0; 1536 return (S3I(s)->hs_tls13.cookie_len > 0 && 1537 S3I(s)->hs_tls13.cookie != NULL); 1538} 1539 1540int 1541tlsext_cookie_client_build(SSL *s, CBB *cbb) 1542{ 1543 CBB cookie; 1544 1545 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1546 return 0; 1547 1548 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1549 S3I(s)->hs_tls13.cookie_len)) 1550 return 0; 1551 1552 if (!CBB_flush(cbb)) 1553 return 0; 1554 1555 return 1; 1556} 1557 1558int 1559tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert) 1560{ 1561 CBS cookie; 1562 1563 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1564 goto err; 1565 1566 if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len) 1567 goto err; 1568 1569 /* 1570 * Check provided cookie value against what server previously 1571 * sent - client *MUST* send the same cookie with new CR after 1572 * a cookie is sent by the server with an HRR. 1573 */ 1574 if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie, 1575 S3I(s)->hs_tls13.cookie_len)) { 1576 /* XXX special cookie mismatch alert? */ 1577 *alert = SSL_AD_ILLEGAL_PARAMETER; 1578 return 0; 1579 } 1580 1581 return 1; 1582 1583 err: 1584 *alert = SSL_AD_DECODE_ERROR; 1585 return 0; 1586} 1587 1588int 1589tlsext_cookie_server_needs(SSL *s) 1590{ 1591 1592 if (SSL_IS_DTLS(s)) 1593 return 0; 1594 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1595 return 0; 1596 /* 1597 * Server needs to set cookie value in tls13 handshake 1598 * in order to send one, should only be sent with HRR. 1599 */ 1600 return (S3I(s)->hs_tls13.cookie_len > 0 && 1601 S3I(s)->hs_tls13.cookie != NULL); 1602} 1603 1604int 1605tlsext_cookie_server_build(SSL *s, CBB *cbb) 1606{ 1607 CBB cookie; 1608 1609 /* XXX deduplicate with client code */ 1610 1611 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1612 return 0; 1613 1614 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1615 S3I(s)->hs_tls13.cookie_len)) 1616 return 0; 1617 1618 if (!CBB_flush(cbb)) 1619 return 0; 1620 1621 return 1; 1622} 1623 1624int 1625tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert) 1626{ 1627 CBS cookie; 1628 1629 /* 1630 * XXX This currently assumes we will not get a second 1631 * HRR from a server with a cookie to process after accepting 1632 * one from the server in the same handshake 1633 */ 1634 if (S3I(s)->hs_tls13.cookie != NULL || 1635 S3I(s)->hs_tls13.cookie_len != 0) { 1636 *alert = SSL_AD_ILLEGAL_PARAMETER; 1637 return 0; 1638 } 1639 1640 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1641 goto err; 1642 1643 if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie, 1644 &S3I(s)->hs_tls13.cookie_len)) 1645 goto err; 1646 1647 return 1; 1648 1649 err: 1650 *alert = SSL_AD_DECODE_ERROR; 1651 return 0; 1652} 1653 1654struct tls_extension_funcs { 1655 int (*needs)(SSL *s); 1656 int (*build)(SSL *s, CBB *cbb); 1657 int (*parse)(SSL *s, CBS *cbs, int *alert); 1658}; 1659 1660struct tls_extension { 1661 uint16_t type; 1662 uint16_t messages; 1663 struct tls_extension_funcs client; 1664 struct tls_extension_funcs server; 1665}; 1666 1667static struct tls_extension tls_extensions[] = { 1668 { 1669 .type = TLSEXT_TYPE_supported_versions, 1670 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1671 SSL_TLSEXT_MSG_HRR, 1672 .client = { 1673 .needs = tlsext_versions_client_needs, 1674 .build = tlsext_versions_client_build, 1675 .parse = tlsext_versions_server_parse, 1676 }, 1677 .server = { 1678 .needs = tlsext_versions_server_needs, 1679 .build = tlsext_versions_server_build, 1680 .parse = tlsext_versions_client_parse, 1681 }, 1682 }, 1683 { 1684 .type = TLSEXT_TYPE_key_share, 1685 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1686 SSL_TLSEXT_MSG_HRR, 1687 .client = { 1688 .needs = tlsext_keyshare_client_needs, 1689 .build = tlsext_keyshare_client_build, 1690 .parse = tlsext_keyshare_server_parse, 1691 }, 1692 .server = { 1693 .needs = tlsext_keyshare_server_needs, 1694 .build = tlsext_keyshare_server_build, 1695 .parse = tlsext_keyshare_client_parse, 1696 }, 1697 }, 1698 { 1699 .type = TLSEXT_TYPE_server_name, 1700 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1701 .client = { 1702 .needs = tlsext_sni_client_needs, 1703 .build = tlsext_sni_client_build, 1704 .parse = tlsext_sni_server_parse, 1705 }, 1706 .server = { 1707 .needs = tlsext_sni_server_needs, 1708 .build = tlsext_sni_server_build, 1709 .parse = tlsext_sni_client_parse, 1710 }, 1711 }, 1712 { 1713 .type = TLSEXT_TYPE_renegotiate, 1714 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1715 .client = { 1716 .needs = tlsext_ri_client_needs, 1717 .build = tlsext_ri_client_build, 1718 .parse = tlsext_ri_server_parse, 1719 }, 1720 .server = { 1721 .needs = tlsext_ri_server_needs, 1722 .build = tlsext_ri_server_build, 1723 .parse = tlsext_ri_client_parse, 1724 }, 1725 }, 1726 { 1727 .type = TLSEXT_TYPE_status_request, 1728 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 1729 SSL_TLSEXT_MSG_CT, 1730 .client = { 1731 .needs = tlsext_ocsp_client_needs, 1732 .build = tlsext_ocsp_client_build, 1733 .parse = tlsext_ocsp_server_parse, 1734 }, 1735 .server = { 1736 .needs = tlsext_ocsp_server_needs, 1737 .build = tlsext_ocsp_server_build, 1738 .parse = tlsext_ocsp_client_parse, 1739 }, 1740 }, 1741 { 1742 .type = TLSEXT_TYPE_ec_point_formats, 1743 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1744 .client = { 1745 .needs = tlsext_ecpf_client_needs, 1746 .build = tlsext_ecpf_client_build, 1747 .parse = tlsext_ecpf_server_parse, 1748 }, 1749 .server = { 1750 .needs = tlsext_ecpf_server_needs, 1751 .build = tlsext_ecpf_server_build, 1752 .parse = tlsext_ecpf_client_parse, 1753 }, 1754 }, 1755 { 1756 .type = TLSEXT_TYPE_supported_groups, 1757 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1758 .client = { 1759 .needs = tlsext_supportedgroups_client_needs, 1760 .build = tlsext_supportedgroups_client_build, 1761 .parse = tlsext_supportedgroups_server_parse, 1762 }, 1763 .server = { 1764 .needs = tlsext_supportedgroups_server_needs, 1765 .build = tlsext_supportedgroups_server_build, 1766 .parse = tlsext_supportedgroups_client_parse, 1767 }, 1768 }, 1769 { 1770 .type = TLSEXT_TYPE_session_ticket, 1771 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1772 .client = { 1773 .needs = tlsext_sessionticket_client_needs, 1774 .build = tlsext_sessionticket_client_build, 1775 .parse = tlsext_sessionticket_server_parse, 1776 }, 1777 .server = { 1778 .needs = tlsext_sessionticket_server_needs, 1779 .build = tlsext_sessionticket_server_build, 1780 .parse = tlsext_sessionticket_client_parse, 1781 }, 1782 }, 1783 { 1784 .type = TLSEXT_TYPE_signature_algorithms, 1785 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 1786 .client = { 1787 .needs = tlsext_sigalgs_client_needs, 1788 .build = tlsext_sigalgs_client_build, 1789 .parse = tlsext_sigalgs_server_parse, 1790 }, 1791 .server = { 1792 .needs = tlsext_sigalgs_server_needs, 1793 .build = tlsext_sigalgs_server_build, 1794 .parse = tlsext_sigalgs_client_parse, 1795 }, 1796 }, 1797 { 1798 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1799 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1800 .client = { 1801 .needs = tlsext_alpn_client_needs, 1802 .build = tlsext_alpn_client_build, 1803 .parse = tlsext_alpn_server_parse, 1804 }, 1805 .server = { 1806 .needs = tlsext_alpn_server_needs, 1807 .build = tlsext_alpn_server_build, 1808 .parse = tlsext_alpn_client_parse, 1809 }, 1810 }, 1811 { 1812 .type = TLSEXT_TYPE_cookie, 1813 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 1814 .client = { 1815 .needs = tlsext_cookie_client_needs, 1816 .build = tlsext_cookie_client_build, 1817 .parse = tlsext_cookie_server_parse, 1818 }, 1819 .server = { 1820 .needs = tlsext_cookie_server_needs, 1821 .build = tlsext_cookie_server_build, 1822 .parse = tlsext_cookie_client_parse, 1823 }, 1824 }, 1825#ifndef OPENSSL_NO_SRTP 1826 { 1827 .type = TLSEXT_TYPE_use_srtp, 1828 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1829 .client = { 1830 .needs = tlsext_srtp_client_needs, 1831 .build = tlsext_srtp_client_build, 1832 .parse = tlsext_srtp_server_parse, 1833 }, 1834 .server = { 1835 .needs = tlsext_srtp_server_needs, 1836 .build = tlsext_srtp_server_build, 1837 .parse = tlsext_srtp_client_parse, 1838 }, 1839 } 1840#endif /* OPENSSL_NO_SRTP */ 1841}; 1842 1843#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 1844 1845/* Ensure that extensions fit in a uint32_t bitmask. */ 1846CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1847 1848struct tls_extension * 1849tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 1850{ 1851 size_t i; 1852 1853 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1854 if (tls_extensions[i].type == type) { 1855 *tls_extensions_idx = i; 1856 return &tls_extensions[i]; 1857 } 1858 } 1859 1860 return NULL; 1861} 1862 1863int 1864tlsext_extension_seen(SSL *s, uint16_t type) 1865{ 1866 size_t idx; 1867 1868 if (tls_extension_find(type, &idx) == NULL) 1869 return 0; 1870 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); 1871} 1872 1873static struct tls_extension_funcs * 1874tlsext_funcs(struct tls_extension *tlsext, int is_server) 1875{ 1876 if (is_server) 1877 return &tlsext->server; 1878 1879 return &tlsext->client; 1880} 1881 1882static int 1883tlsext_build(SSL *s, CBB *cbb, int is_server, uint16_t msg_type) 1884{ 1885 struct tls_extension_funcs *ext; 1886 struct tls_extension *tlsext; 1887 CBB extensions, extension_data; 1888 int extensions_present = 0; 1889 size_t i; 1890 uint16_t version; 1891 1892 if (is_server) 1893 version = s->version; 1894 else 1895 version = s->client_version; 1896 1897 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 1898 return 0; 1899 1900 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1901 tlsext = &tls_extensions[i]; 1902 ext = tlsext_funcs(tlsext, is_server); 1903 1904 /* RFC 8446 Section 4.2 */ 1905 if (version >= TLS1_3_VERSION && 1906 !(tlsext->messages & msg_type)) 1907 continue; 1908 1909 if (!ext->needs(s)) 1910 continue; 1911 1912 if (!CBB_add_u16(&extensions, tlsext->type)) 1913 return 0; 1914 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 1915 return 0; 1916 1917 if (!ext->build(s, &extension_data)) 1918 return 0; 1919 1920 extensions_present = 1; 1921 } 1922 1923 if (!extensions_present) 1924 CBB_discard_child(cbb); 1925 1926 if (!CBB_flush(cbb)) 1927 return 0; 1928 1929 return 1; 1930} 1931 1932static int 1933tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type) 1934{ 1935 struct tls_extension_funcs *ext; 1936 struct tls_extension *tlsext; 1937 CBS extensions, extension_data; 1938 uint16_t type; 1939 size_t idx; 1940 uint16_t version; 1941 1942 S3I(s)->hs.extensions_seen = 0; 1943 1944 if (is_server) 1945 version = s->version; 1946 else 1947 version = s->client_version; 1948 1949 /* An empty extensions block is valid. */ 1950 if (CBS_len(cbs) == 0) 1951 return 1; 1952 1953 *alert = SSL_AD_DECODE_ERROR; 1954 1955 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 1956 return 0; 1957 1958 while (CBS_len(&extensions) > 0) { 1959 if (!CBS_get_u16(&extensions, &type)) 1960 return 0; 1961 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 1962 return 0; 1963 1964 if (s->internal->tlsext_debug_cb != NULL) 1965 s->internal->tlsext_debug_cb(s, is_server, type, 1966 (unsigned char *)CBS_data(&extension_data), 1967 CBS_len(&extension_data), 1968 s->internal->tlsext_debug_arg); 1969 1970 /* Unknown extensions are ignored. */ 1971 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 1972 continue; 1973 1974 /* RFC 8446 Section 4.2 */ 1975 if (version >= TLS1_3_VERSION && 1976 !(tlsext->messages & msg_type)) { 1977 *alert = SSL_AD_ILLEGAL_PARAMETER; 1978 return 0; 1979 } 1980 1981 /* Check for duplicate known extensions. */ 1982 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 1983 return 0; 1984 S3I(s)->hs.extensions_seen |= (1 << idx); 1985 1986 ext = tlsext_funcs(tlsext, is_server); 1987 if (!ext->parse(s, &extension_data, alert)) 1988 return 0; 1989 1990 if (CBS_len(&extension_data) != 0) 1991 return 0; 1992 } 1993 1994 return 1; 1995} 1996 1997static void 1998tlsext_client_reset_state(SSL *s) 1999{ 2000 s->internal->servername_done = 0; 2001 s->tlsext_status_type = -1; 2002 S3I(s)->renegotiate_seen = 0; 2003 free(S3I(s)->alpn_selected); 2004 S3I(s)->alpn_selected = NULL; 2005 s->internal->srtp_profile = NULL; 2006} 2007 2008int 2009tlsext_client_build(SSL *s, CBB *cbb, uint16_t msg_type) 2010{ 2011 return tlsext_build(s, cbb, 0, msg_type); 2012} 2013 2014int 2015tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type) 2016{ 2017 /* XXX - this possibly should be done by the caller... */ 2018 tlsext_client_reset_state(s); 2019 2020 return tlsext_parse(s, cbs, alert, 0, msg_type); 2021} 2022 2023static void 2024tlsext_server_reset_state(SSL *s) 2025{ 2026 S3I(s)->renegotiate_seen = 0; 2027 free(S3I(s)->alpn_selected); 2028 S3I(s)->alpn_selected = NULL; 2029} 2030 2031int 2032tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type) 2033{ 2034 return tlsext_build(s, cbb, 1, msg_type); 2035} 2036 2037int 2038tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type) 2039{ 2040 /* XXX - this possibly should be done by the caller... */ 2041 tlsext_server_reset_state(s); 2042 2043 return tlsext_parse(s, cbs, alert, 1, msg_type); 2044} 2045