1 /* $OpenBSD: ssl_tlsext.c,v 1.129 2022/08/15 10:46:53 tb Exp $ */
2 /*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20 #include <sys/socket.h>
21
22 #include <arpa/inet.h>
23 #include <netinet/in.h>
24
25 #include <ctype.h>
26
27 #include <openssl/ocsp.h>
28 #include <openssl/opensslconf.h>
29
30 #include "bytestring.h"
31 #include "ssl_locl.h"
32 #include "ssl_sigalgs.h"
33 #include "ssl_tlsext.h"
34
35 /*
36 * Supported Application-Layer Protocol Negotiation - RFC 7301
37 */
38
39 static int
tlsext_alpn_client_needs(SSL * s,uint16_t msg_type)40 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type)
41 {
42 /* ALPN protos have been specified and this is the initial handshake */
43 return s->internal->alpn_client_proto_list != NULL &&
44 s->s3->hs.finished_len == 0;
45 }
46
47 static int
tlsext_alpn_client_build(SSL * s,uint16_t msg_type,CBB * cbb)48 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
49 {
50 CBB protolist;
51
52 if (!CBB_add_u16_length_prefixed(cbb, &protolist))
53 return 0;
54
55 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list,
56 s->internal->alpn_client_proto_list_len))
57 return 0;
58
59 if (!CBB_flush(cbb))
60 return 0;
61
62 return 1;
63 }
64
65 int
tlsext_alpn_check_format(CBS * cbs)66 tlsext_alpn_check_format(CBS *cbs)
67 {
68 CBS proto_name_list;
69
70 if (CBS_len(cbs) == 0)
71 return 0;
72
73 CBS_dup(cbs, &proto_name_list);
74 while (CBS_len(&proto_name_list) > 0) {
75 CBS proto_name;
76
77 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
78 return 0;
79 if (CBS_len(&proto_name) == 0)
80 return 0;
81 }
82
83 return 1;
84 }
85
86 static int
tlsext_alpn_server_parse(SSL * s,uint16_t msg_types,CBS * cbs,int * alert)87 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
88 {
89 CBS alpn, selected_cbs;
90 const unsigned char *selected;
91 unsigned char selected_len;
92 int r;
93
94 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
95 return 0;
96
97 if (!tlsext_alpn_check_format(&alpn))
98 return 0;
99
100 if (s->ctx->internal->alpn_select_cb == NULL)
101 return 1;
102
103 /*
104 * XXX - A few things should be considered here:
105 * 1. Ensure that the same protocol is selected on session resumption.
106 * 2. Should the callback be called even if no ALPN extension was sent?
107 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed.
108 */
109 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
110 CBS_data(&alpn), CBS_len(&alpn),
111 s->ctx->internal->alpn_select_cb_arg);
112
113 if (r == SSL_TLSEXT_ERR_OK) {
114 CBS_init(&selected_cbs, selected, selected_len);
115
116 if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected,
117 &s->s3->alpn_selected_len)) {
118 *alert = SSL_AD_INTERNAL_ERROR;
119 return 0;
120 }
121
122 return 1;
123 }
124
125 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */
126 if (r == SSL_TLSEXT_ERR_NOACK)
127 return 1;
128
129 *alert = SSL_AD_NO_APPLICATION_PROTOCOL;
130 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL);
131
132 return 0;
133 }
134
135 static int
tlsext_alpn_server_needs(SSL * s,uint16_t msg_type)136 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type)
137 {
138 return s->s3->alpn_selected != NULL;
139 }
140
141 static int
tlsext_alpn_server_build(SSL * s,uint16_t msg_type,CBB * cbb)142 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
143 {
144 CBB list, selected;
145
146 if (!CBB_add_u16_length_prefixed(cbb, &list))
147 return 0;
148
149 if (!CBB_add_u8_length_prefixed(&list, &selected))
150 return 0;
151
152 if (!CBB_add_bytes(&selected, s->s3->alpn_selected,
153 s->s3->alpn_selected_len))
154 return 0;
155
156 if (!CBB_flush(cbb))
157 return 0;
158
159 return 1;
160 }
161
162 static int
tlsext_alpn_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)163 tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
164 {
165 CBS list, proto;
166
167 if (s->internal->alpn_client_proto_list == NULL) {
168 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
169 return 0;
170 }
171
172 if (!CBS_get_u16_length_prefixed(cbs, &list))
173 return 0;
174
175 if (!CBS_get_u8_length_prefixed(&list, &proto))
176 return 0;
177
178 if (CBS_len(&list) != 0)
179 return 0;
180 if (CBS_len(&proto) == 0)
181 return 0;
182
183 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len))
184 return 0;
185
186 return 1;
187 }
188
189 /*
190 * Supported Groups - RFC 7919 section 2
191 */
192 static int
tlsext_supportedgroups_client_needs(SSL * s,uint16_t msg_type)193 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type)
194 {
195 return ssl_has_ecc_ciphers(s) ||
196 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
197 }
198
199 static int
tlsext_supportedgroups_client_build(SSL * s,uint16_t msg_type,CBB * cbb)200 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
201 {
202 const uint16_t *groups;
203 size_t groups_len;
204 CBB grouplist;
205 int i;
206
207 tls1_get_group_list(s, 0, &groups, &groups_len);
208 if (groups_len == 0) {
209 SSLerror(s, ERR_R_INTERNAL_ERROR);
210 return 0;
211 }
212
213 if (!CBB_add_u16_length_prefixed(cbb, &grouplist))
214 return 0;
215
216 for (i = 0; i < groups_len; i++) {
217 if (!ssl_security_supported_group(s, groups[i]))
218 continue;
219 if (!CBB_add_u16(&grouplist, groups[i]))
220 return 0;
221 }
222
223 if (!CBB_flush(cbb))
224 return 0;
225
226 return 1;
227 }
228
229 static int
tlsext_supportedgroups_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)230 tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
231 int *alert)
232 {
233 CBS grouplist;
234 uint16_t *groups;
235 size_t groups_len;
236 int i;
237
238 if (!CBS_get_u16_length_prefixed(cbs, &grouplist))
239 return 0;
240
241 groups_len = CBS_len(&grouplist);
242 if (groups_len == 0 || groups_len % 2 != 0)
243 return 0;
244 groups_len /= 2;
245
246 if (s->internal->hit)
247 return 1;
248
249 if (s->s3->hs.tls13.hrr) {
250 if (s->session->tlsext_supportedgroups == NULL) {
251 *alert = SSL_AD_HANDSHAKE_FAILURE;
252 return 0;
253 }
254
255 /*
256 * The ClientHello extension hashing ensures that the client
257 * did not change its list of supported groups.
258 */
259
260 return 1;
261 }
262
263 if (s->session->tlsext_supportedgroups != NULL)
264 return 0; /* XXX internal error? */
265
266 if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) {
267 *alert = SSL_AD_INTERNAL_ERROR;
268 return 0;
269 }
270
271 for (i = 0; i < groups_len; i++) {
272 if (!CBS_get_u16(&grouplist, &groups[i])) {
273 free(groups);
274 return 0;
275 }
276 }
277
278 if (CBS_len(&grouplist) != 0) {
279 free(groups);
280 return 0;
281 }
282
283 s->session->tlsext_supportedgroups = groups;
284 s->session->tlsext_supportedgroups_length = groups_len;
285
286 return 1;
287 }
288
289 /* This extension is never used by the server. */
290 static int
tlsext_supportedgroups_server_needs(SSL * s,uint16_t msg_type)291 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type)
292 {
293 return 0;
294 }
295
296 static int
tlsext_supportedgroups_server_build(SSL * s,uint16_t msg_type,CBB * cbb)297 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
298 {
299 return 0;
300 }
301
302 static int
tlsext_supportedgroups_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)303 tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
304 int *alert)
305 {
306 /*
307 * Servers should not send this extension per the RFC.
308 *
309 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
310 * from at least 2014 but as of 2017, there are still large sites with
311 * this unpatched in production. As a result, we need to currently skip
312 * over the extension and ignore its content:
313 *
314 * https://support.f5.com/csp/article/K37345003
315 */
316 if (!CBS_skip(cbs, CBS_len(cbs))) {
317 *alert = SSL_AD_INTERNAL_ERROR;
318 return 0;
319 }
320
321 return 1;
322 }
323
324 /*
325 * Supported Point Formats Extension - RFC 4492 section 5.1.2
326 */
327 static int
tlsext_ecpf_build(SSL * s,uint16_t msg_type,CBB * cbb)328 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb)
329 {
330 CBB ecpf;
331 size_t formats_len;
332 const uint8_t *formats;
333
334 tls1_get_formatlist(s, 0, &formats, &formats_len);
335
336 if (formats_len == 0) {
337 SSLerror(s, ERR_R_INTERNAL_ERROR);
338 return 0;
339 }
340
341 if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
342 return 0;
343 if (!CBB_add_bytes(&ecpf, formats, formats_len))
344 return 0;
345 if (!CBB_flush(cbb))
346 return 0;
347
348 return 1;
349 }
350
351 static int
tlsext_ecpf_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)352 tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
353 {
354 CBS ecpf;
355
356 if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
357 return 0;
358 if (CBS_len(&ecpf) == 0)
359 return 0;
360
361 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
362 if (!CBS_contains_zero_byte(&ecpf)) {
363 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
364 *alert = SSL_AD_ILLEGAL_PARAMETER;
365 return 0;
366 }
367
368 if (!s->internal->hit) {
369 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist),
370 &(s->session->tlsext_ecpointformatlist_length))) {
371 *alert = SSL_AD_INTERNAL_ERROR;
372 return 0;
373 }
374 }
375
376 return 1;
377 }
378
379 static int
tlsext_ecpf_client_needs(SSL * s,uint16_t msg_type)380 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type)
381 {
382 return ssl_has_ecc_ciphers(s);
383 }
384
385 static int
tlsext_ecpf_client_build(SSL * s,uint16_t msg_type,CBB * cbb)386 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
387 {
388 return tlsext_ecpf_build(s, msg_type, cbb);
389 }
390
391 static int
tlsext_ecpf_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)392 tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
393 {
394 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
395 }
396
397 static int
tlsext_ecpf_server_needs(SSL * s,uint16_t msg_type)398 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type)
399 {
400 return ssl_using_ecc_cipher(s);
401 }
402
403 static int
tlsext_ecpf_server_build(SSL * s,uint16_t msg_type,CBB * cbb)404 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
405 {
406 return tlsext_ecpf_build(s, msg_type, cbb);
407 }
408
409 static int
tlsext_ecpf_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)410 tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
411 {
412 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
413 }
414
415 /*
416 * Renegotiation Indication - RFC 5746.
417 */
418 static int
tlsext_ri_client_needs(SSL * s,uint16_t msg_type)419 tlsext_ri_client_needs(SSL *s, uint16_t msg_type)
420 {
421 return (s->internal->renegotiate);
422 }
423
424 static int
tlsext_ri_client_build(SSL * s,uint16_t msg_type,CBB * cbb)425 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
426 {
427 CBB reneg;
428
429 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
430 return 0;
431 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
432 s->s3->previous_client_finished_len))
433 return 0;
434 if (!CBB_flush(cbb))
435 return 0;
436
437 return 1;
438 }
439
440 static int
tlsext_ri_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)441 tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
442 {
443 CBS reneg;
444
445 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) {
446 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
447 return 0;
448 }
449
450 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished,
451 s->s3->previous_client_finished_len)) {
452 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
453 *alert = SSL_AD_HANDSHAKE_FAILURE;
454 return 0;
455 }
456
457 s->s3->renegotiate_seen = 1;
458 s->s3->send_connection_binding = 1;
459
460 return 1;
461 }
462
463 static int
tlsext_ri_server_needs(SSL * s,uint16_t msg_type)464 tlsext_ri_server_needs(SSL *s, uint16_t msg_type)
465 {
466 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
467 s->s3->send_connection_binding);
468 }
469
470 static int
tlsext_ri_server_build(SSL * s,uint16_t msg_type,CBB * cbb)471 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
472 {
473 CBB reneg;
474
475 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
476 return 0;
477 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
478 s->s3->previous_client_finished_len))
479 return 0;
480 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished,
481 s->s3->previous_server_finished_len))
482 return 0;
483 if (!CBB_flush(cbb))
484 return 0;
485
486 return 1;
487 }
488
489 static int
tlsext_ri_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)490 tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
491 {
492 CBS reneg, prev_client, prev_server;
493
494 /*
495 * Ensure that the previous client and server values are both not
496 * present, or that they are both present.
497 */
498 if ((s->s3->previous_client_finished_len == 0 &&
499 s->s3->previous_server_finished_len != 0) ||
500 (s->s3->previous_client_finished_len != 0 &&
501 s->s3->previous_server_finished_len == 0)) {
502 *alert = SSL_AD_INTERNAL_ERROR;
503 return 0;
504 }
505
506 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) {
507 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
508 return 0;
509 }
510 if (!CBS_get_bytes(&reneg, &prev_client,
511 s->s3->previous_client_finished_len)) {
512 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
513 return 0;
514 }
515 if (!CBS_get_bytes(&reneg, &prev_server,
516 s->s3->previous_server_finished_len)) {
517 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
518 return 0;
519 }
520 if (CBS_len(&reneg) != 0) {
521 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
522 return 0;
523 }
524
525 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished,
526 s->s3->previous_client_finished_len)) {
527 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
528 *alert = SSL_AD_HANDSHAKE_FAILURE;
529 return 0;
530 }
531 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished,
532 s->s3->previous_server_finished_len)) {
533 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
534 *alert = SSL_AD_HANDSHAKE_FAILURE;
535 return 0;
536 }
537
538 s->s3->renegotiate_seen = 1;
539 s->s3->send_connection_binding = 1;
540
541 return 1;
542 }
543
544 /*
545 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
546 */
547 static int
tlsext_sigalgs_client_needs(SSL * s,uint16_t msg_type)548 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
549 {
550 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION);
551 }
552
553 static int
tlsext_sigalgs_client_build(SSL * s,uint16_t msg_type,CBB * cbb)554 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
555 {
556 uint16_t tls_version = s->s3->hs.negotiated_tls_version;
557 CBB sigalgs;
558
559 if (msg_type == SSL_TLSEXT_MSG_CH)
560 tls_version = s->s3->hs.our_min_tls_version;
561
562 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
563 return 0;
564 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s)))
565 return 0;
566 if (!CBB_flush(cbb))
567 return 0;
568
569 return 1;
570 }
571
572 static int
tlsext_sigalgs_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)573 tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
574 {
575 CBS sigalgs;
576
577 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
578 return 0;
579 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
580 return 0;
581 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
582 return 0;
583
584 return 1;
585 }
586
587 static int
tlsext_sigalgs_server_needs(SSL * s,uint16_t msg_type)588 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
589 {
590 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
591 }
592
593 static int
tlsext_sigalgs_server_build(SSL * s,uint16_t msg_type,CBB * cbb)594 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
595 {
596 CBB sigalgs;
597
598 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
599 return 0;
600 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs,
601 SSL_get_security_level(s)))
602 return 0;
603 if (!CBB_flush(cbb))
604 return 0;
605
606 return 1;
607 }
608
609 static int
tlsext_sigalgs_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)610 tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
611 {
612 CBS sigalgs;
613
614 if (ssl_effective_tls_version(s) < TLS1_3_VERSION)
615 return 0;
616
617 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
618 return 0;
619 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
620 return 0;
621 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
622 return 0;
623
624 return 1;
625 }
626
627 /*
628 * Server Name Indication - RFC 6066, section 3.
629 */
630 static int
tlsext_sni_client_needs(SSL * s,uint16_t msg_type)631 tlsext_sni_client_needs(SSL *s, uint16_t msg_type)
632 {
633 return (s->tlsext_hostname != NULL);
634 }
635
636 static int
tlsext_sni_client_build(SSL * s,uint16_t msg_type,CBB * cbb)637 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
638 {
639 CBB server_name_list, host_name;
640
641 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
642 return 0;
643 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name))
644 return 0;
645 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
646 return 0;
647 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
648 strlen(s->tlsext_hostname)))
649 return 0;
650 if (!CBB_flush(cbb))
651 return 0;
652
653 return 1;
654 }
655
656 static int
tlsext_sni_is_ip_literal(CBS * cbs,int * is_ip)657 tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip)
658 {
659 union {
660 struct in_addr ip4;
661 struct in6_addr ip6;
662 } addrbuf;
663 char *hostname = NULL;
664
665 *is_ip = 0;
666
667 if (!CBS_strdup(cbs, &hostname))
668 return 0;
669
670 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 ||
671 inet_pton(AF_INET6, hostname, &addrbuf) == 1)
672 *is_ip = 1;
673
674 free(hostname);
675
676 return 1;
677 }
678
679 /*
680 * Validate that the CBS contains only a hostname consisting of RFC 5890
681 * compliant A-labels (see RFC 6066 section 3). Not a complete check
682 * since we don't parse punycode to verify its validity but limits to
683 * correct structure and character set.
684 */
685 int
tlsext_sni_is_valid_hostname(CBS * cbs,int * is_ip)686 tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip)
687 {
688 uint8_t prev, c = 0;
689 int component = 0;
690 CBS hostname;
691
692 *is_ip = 0;
693
694 CBS_dup(cbs, &hostname);
695
696 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name)
697 return 0;
698
699 /* An IP literal is invalid as a host name (RFC 6066 section 3). */
700 if (!tlsext_sni_is_ip_literal(&hostname, is_ip))
701 return 0;
702 if (*is_ip)
703 return 0;
704
705 while (CBS_len(&hostname) > 0) {
706 prev = c;
707 if (!CBS_get_u8(&hostname, &c))
708 return 0;
709 /* Everything has to be ASCII, with no NUL byte. */
710 if (!isascii(c) || c == '\0')
711 return 0;
712 /* It must be alphanumeric, a '-', or a '.' */
713 if (!isalnum(c) && c != '-' && c != '.')
714 return 0;
715 /* '-' and '.' must not start a component or be at the end. */
716 if (component == 0 || CBS_len(&hostname) == 0) {
717 if (c == '-' || c == '.')
718 return 0;
719 }
720 if (c == '.') {
721 /* Components can not end with a dash. */
722 if (prev == '-')
723 return 0;
724 /* Start new component */
725 component = 0;
726 continue;
727 }
728 /* Components must be 63 chars or less. */
729 if (++component > 63)
730 return 0;
731 }
732
733 return 1;
734 }
735
736 static int
tlsext_sni_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)737 tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
738 {
739 CBS server_name_list, host_name;
740 uint8_t name_type;
741 int is_ip;
742
743 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
744 goto err;
745
746 if (!CBS_get_u8(&server_name_list, &name_type))
747 goto err;
748
749 /*
750 * RFC 6066 section 3, only one type (host_name) is specified.
751 * We do not tolerate unknown types, neither does BoringSSL.
752 * other implementations appear more tolerant.
753 */
754 if (name_type != TLSEXT_NAMETYPE_host_name) {
755 *alert = SSL_AD_ILLEGAL_PARAMETER;
756 goto err;
757 }
758
759 /*
760 * RFC 6066 section 3 specifies a host name must be at least 1 byte
761 * so 0 length is a decode error.
762 */
763 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
764 goto err;
765 if (CBS_len(&host_name) < 1)
766 goto err;
767
768 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) {
769 /*
770 * Various pieces of software have been known to set the SNI
771 * host name to an IP address, even though that violates the
772 * RFC. If this is the case, pretend the SNI extension does
773 * not exist.
774 */
775 if (is_ip)
776 goto done;
777
778 *alert = SSL_AD_ILLEGAL_PARAMETER;
779 goto err;
780 }
781
782 if (s->internal->hit || s->s3->hs.tls13.hrr) {
783 if (s->session->tlsext_hostname == NULL) {
784 *alert = SSL_AD_UNRECOGNIZED_NAME;
785 goto err;
786 }
787 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
788 strlen(s->session->tlsext_hostname))) {
789 *alert = SSL_AD_UNRECOGNIZED_NAME;
790 goto err;
791 }
792 } else {
793 if (s->session->tlsext_hostname != NULL)
794 goto err;
795 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
796 *alert = SSL_AD_INTERNAL_ERROR;
797 goto err;
798 }
799 }
800
801 done:
802 /*
803 * RFC 6066 section 3 forbids multiple host names with the same type,
804 * therefore we allow only one entry.
805 */
806 if (CBS_len(&server_name_list) != 0) {
807 *alert = SSL_AD_ILLEGAL_PARAMETER;
808 goto err;
809 }
810
811 return 1;
812
813 err:
814 return 0;
815 }
816
817 static int
tlsext_sni_server_needs(SSL * s,uint16_t msg_type)818 tlsext_sni_server_needs(SSL *s, uint16_t msg_type)
819 {
820 if (s->internal->hit)
821 return 0;
822
823 return (s->session->tlsext_hostname != NULL);
824 }
825
826 static int
tlsext_sni_server_build(SSL * s,uint16_t msg_type,CBB * cbb)827 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
828 {
829 return 1;
830 }
831
832 static int
tlsext_sni_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)833 tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
834 {
835 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
836 *alert = SSL_AD_UNRECOGNIZED_NAME;
837 return 0;
838 }
839
840 if (s->internal->hit) {
841 if (s->session->tlsext_hostname == NULL) {
842 *alert = SSL_AD_UNRECOGNIZED_NAME;
843 return 0;
844 }
845 if (strcmp(s->tlsext_hostname,
846 s->session->tlsext_hostname) != 0) {
847 *alert = SSL_AD_UNRECOGNIZED_NAME;
848 return 0;
849 }
850 } else {
851 if (s->session->tlsext_hostname != NULL)
852 return 0;
853 if ((s->session->tlsext_hostname =
854 strdup(s->tlsext_hostname)) == NULL) {
855 *alert = SSL_AD_INTERNAL_ERROR;
856 return 0;
857 }
858 }
859
860 return 1;
861 }
862
863 /*
864 * Certificate Status Request - RFC 6066 section 8.
865 */
866
867 static int
tlsext_ocsp_client_needs(SSL * s,uint16_t msg_type)868 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
869 {
870 if (msg_type != SSL_TLSEXT_MSG_CH)
871 return 0;
872
873 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp);
874 }
875
876 static int
tlsext_ocsp_client_build(SSL * s,uint16_t msg_type,CBB * cbb)877 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
878 {
879 CBB respid_list, respid, exts;
880 unsigned char *ext_data;
881 size_t ext_len;
882 int i;
883
884 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
885 return 0;
886 if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
887 return 0;
888 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
889 unsigned char *respid_data;
890 OCSP_RESPID *id;
891 size_t id_len;
892
893 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,
894 i)) == NULL)
895 return 0;
896 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
897 return 0;
898 if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
899 return 0;
900 if (!CBB_add_space(&respid, &respid_data, id_len))
901 return 0;
902 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
903 return 0;
904 }
905 if (!CBB_add_u16_length_prefixed(cbb, &exts))
906 return 0;
907 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
908 NULL)) == -1)
909 return 0;
910 if (!CBB_add_space(&exts, &ext_data, ext_len))
911 return 0;
912 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
913 ext_len))
914 return 0;
915 if (!CBB_flush(cbb))
916 return 0;
917 return 1;
918 }
919
920 static int
tlsext_ocsp_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)921 tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
922 {
923 int alert_desc = SSL_AD_DECODE_ERROR;
924 CBS respid_list, respid, exts;
925 const unsigned char *p;
926 uint8_t status_type;
927 int ret = 0;
928
929 if (msg_type != SSL_TLSEXT_MSG_CH)
930 goto err;
931
932 if (!CBS_get_u8(cbs, &status_type))
933 goto err;
934 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
935 /* ignore unknown status types */
936 s->tlsext_status_type = -1;
937
938 if (!CBS_skip(cbs, CBS_len(cbs))) {
939 *alert = SSL_AD_INTERNAL_ERROR;
940 return 0;
941 }
942 return 1;
943 }
944 s->tlsext_status_type = status_type;
945 if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
946 goto err;
947
948 /* XXX */
949 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
950 s->internal->tlsext_ocsp_ids = NULL;
951 if (CBS_len(&respid_list) > 0) {
952 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
953 if (s->internal->tlsext_ocsp_ids == NULL) {
954 alert_desc = SSL_AD_INTERNAL_ERROR;
955 goto err;
956 }
957 }
958
959 while (CBS_len(&respid_list) > 0) {
960 OCSP_RESPID *id;
961
962 if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
963 goto err;
964 p = CBS_data(&respid);
965 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL)
966 goto err;
967 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) {
968 alert_desc = SSL_AD_INTERNAL_ERROR;
969 OCSP_RESPID_free(id);
970 goto err;
971 }
972 }
973
974 /* Read in request_extensions */
975 if (!CBS_get_u16_length_prefixed(cbs, &exts))
976 goto err;
977 if (CBS_len(&exts) > 0) {
978 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
979 X509_EXTENSION_free);
980 p = CBS_data(&exts);
981 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
982 &p, CBS_len(&exts))) == NULL)
983 goto err;
984 }
985
986 ret = 1;
987 err:
988 if (ret == 0)
989 *alert = alert_desc;
990 return ret;
991 }
992
993 static int
tlsext_ocsp_server_needs(SSL * s,uint16_t msg_type)994 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type)
995 {
996 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
997 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
998 s->ctx->internal->tlsext_status_cb != NULL) {
999 s->internal->tlsext_status_expected = 0;
1000 if (s->ctx->internal->tlsext_status_cb(s,
1001 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
1002 s->internal->tlsext_ocsp_resp_len > 0)
1003 s->internal->tlsext_status_expected = 1;
1004 }
1005 return s->internal->tlsext_status_expected;
1006 }
1007
1008 static int
tlsext_ocsp_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1009 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1010 {
1011 CBB ocsp_response;
1012
1013 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) {
1014 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
1015 return 0;
1016 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
1017 return 0;
1018 if (!CBB_add_bytes(&ocsp_response,
1019 s->internal->tlsext_ocsp_resp,
1020 s->internal->tlsext_ocsp_resp_len))
1021 return 0;
1022 if (!CBB_flush(cbb))
1023 return 0;
1024 }
1025 return 1;
1026 }
1027
1028 static int
tlsext_ocsp_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1029 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1030 {
1031 uint8_t status_type;
1032 CBS response;
1033
1034 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) {
1035 if (msg_type == SSL_TLSEXT_MSG_CR) {
1036 /*
1037 * RFC 8446, 4.4.2.1 - the server may request an OCSP
1038 * response with an empty status_request.
1039 */
1040 if (CBS_len(cbs) == 0)
1041 return 1;
1042
1043 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1044 return 0;
1045 }
1046 if (!CBS_get_u8(cbs, &status_type)) {
1047 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1048 return 0;
1049 }
1050 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1051 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
1052 return 0;
1053 }
1054 if (!CBS_get_u24_length_prefixed(cbs, &response)) {
1055 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1056 return 0;
1057 }
1058 if (CBS_len(&response) > 65536) {
1059 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1060 return 0;
1061 }
1062 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
1063 &s->internal->tlsext_ocsp_resp_len)) {
1064 *alert = SSL_AD_INTERNAL_ERROR;
1065 return 0;
1066 }
1067 } else {
1068 if (s->tlsext_status_type == -1) {
1069 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1070 return 0;
1071 }
1072 /* Set flag to expect CertificateStatus message */
1073 s->internal->tlsext_status_expected = 1;
1074 }
1075 return 1;
1076 }
1077
1078 /*
1079 * SessionTicket extension - RFC 5077 section 3.2
1080 */
1081 static int
tlsext_sessionticket_client_needs(SSL * s,uint16_t msg_type)1082 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
1083 {
1084 /*
1085 * Send session ticket extension when enabled and not overridden.
1086 *
1087 * When renegotiating, send an empty session ticket to indicate support.
1088 */
1089 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
1090 return 0;
1091
1092 if (!ssl_security_tickets(s))
1093 return 0;
1094
1095 if (s->internal->new_session)
1096 return 1;
1097
1098 if (s->internal->tlsext_session_ticket != NULL &&
1099 s->internal->tlsext_session_ticket->data == NULL)
1100 return 0;
1101
1102 return 1;
1103 }
1104
1105 static int
tlsext_sessionticket_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1106 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1107 {
1108 /*
1109 * Signal that we support session tickets by sending an empty
1110 * extension when renegotiating or no session found.
1111 */
1112 if (s->internal->new_session || s->session == NULL)
1113 return 1;
1114
1115 if (s->session->tlsext_tick != NULL) {
1116 /* Attempt to resume with an existing session ticket */
1117 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1118 s->session->tlsext_ticklen))
1119 return 0;
1120
1121 } else if (s->internal->tlsext_session_ticket != NULL) {
1122 /*
1123 * Attempt to resume with a custom provided session ticket set
1124 * by SSL_set_session_ticket_ext().
1125 */
1126 if (s->internal->tlsext_session_ticket->length > 0) {
1127 size_t ticklen = s->internal->tlsext_session_ticket->length;
1128
1129 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL)
1130 return 0;
1131 memcpy(s->session->tlsext_tick,
1132 s->internal->tlsext_session_ticket->data,
1133 ticklen);
1134 s->session->tlsext_ticklen = ticklen;
1135
1136 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1137 s->session->tlsext_ticklen))
1138 return 0;
1139 }
1140 }
1141
1142 if (!CBB_flush(cbb))
1143 return 0;
1144
1145 return 1;
1146 }
1147
1148 static int
tlsext_sessionticket_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1149 tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1150 int *alert)
1151 {
1152 if (s->internal->tls_session_ticket_ext_cb) {
1153 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1154 (int)CBS_len(cbs),
1155 s->internal->tls_session_ticket_ext_cb_arg)) {
1156 *alert = SSL_AD_INTERNAL_ERROR;
1157 return 0;
1158 }
1159 }
1160
1161 /* We need to signal that this was processed fully */
1162 if (!CBS_skip(cbs, CBS_len(cbs))) {
1163 *alert = SSL_AD_INTERNAL_ERROR;
1164 return 0;
1165 }
1166
1167 return 1;
1168 }
1169
1170 static int
tlsext_sessionticket_server_needs(SSL * s,uint16_t msg_type)1171 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
1172 {
1173 return (s->internal->tlsext_ticket_expected &&
1174 !(SSL_get_options(s) & SSL_OP_NO_TICKET) &&
1175 ssl_security_tickets(s));
1176 }
1177
1178 static int
tlsext_sessionticket_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1179 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1180 {
1181 /* Empty ticket */
1182 return 1;
1183 }
1184
1185 static int
tlsext_sessionticket_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1186 tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1187 int *alert)
1188 {
1189 if (s->internal->tls_session_ticket_ext_cb) {
1190 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1191 (int)CBS_len(cbs),
1192 s->internal->tls_session_ticket_ext_cb_arg)) {
1193 *alert = SSL_AD_INTERNAL_ERROR;
1194 return 0;
1195 }
1196 }
1197
1198 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
1199 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1200 return 0;
1201 }
1202
1203 s->internal->tlsext_ticket_expected = 1;
1204
1205 return 1;
1206 }
1207
1208 /*
1209 * DTLS extension for SRTP key establishment - RFC 5764
1210 */
1211
1212 #ifndef OPENSSL_NO_SRTP
1213
1214 static int
tlsext_srtp_client_needs(SSL * s,uint16_t msg_type)1215 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type)
1216 {
1217 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL;
1218 }
1219
1220 static int
tlsext_srtp_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1221 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1222 {
1223 CBB profiles, mki;
1224 int ct, i;
1225 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL;
1226 const SRTP_PROTECTION_PROFILE *prof;
1227
1228 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1229 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1230 return 0;
1231 }
1232
1233 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) {
1234 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1235 return 0;
1236 }
1237
1238 if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1239 return 0;
1240
1241 for (i = 0; i < ct; i++) {
1242 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL)
1243 return 0;
1244 if (!CBB_add_u16(&profiles, prof->id))
1245 return 0;
1246 }
1247
1248 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1249 return 0;
1250
1251 if (!CBB_flush(cbb))
1252 return 0;
1253
1254 return 1;
1255 }
1256
1257 static int
tlsext_srtp_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1258 tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1259 {
1260 const SRTP_PROTECTION_PROFILE *cprof, *sprof;
1261 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
1262 int i, j;
1263 int ret;
1264 uint16_t id;
1265 CBS profiles, mki;
1266
1267 ret = 0;
1268
1269 if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1270 goto err;
1271 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1272 goto err;
1273
1274 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL)
1275 goto err;
1276
1277 while (CBS_len(&profiles) > 0) {
1278 if (!CBS_get_u16(&profiles, &id))
1279 goto err;
1280
1281 if (!srtp_find_profile_by_num(id, &cprof)) {
1282 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof))
1283 goto err;
1284 }
1285 }
1286
1287 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1288 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1289 goto done;
1290 }
1291
1292 /*
1293 * Per RFC 5764 section 4.1.1
1294 *
1295 * Find the server preferred profile using the client's list.
1296 *
1297 * The server MUST send a profile if it sends the use_srtp
1298 * extension. If one is not found, it should fall back to the
1299 * negotiated DTLS cipher suite or return a DTLS alert.
1300 */
1301 if ((srvr = SSL_get_srtp_profiles(s)) == NULL)
1302 goto err;
1303 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
1304 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL)
1305 goto err;
1306
1307 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
1308 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j))
1309 == NULL)
1310 goto err;
1311
1312 if (cprof->id == sprof->id) {
1313 s->internal->srtp_profile = sprof;
1314 ret = 1;
1315 goto done;
1316 }
1317 }
1318 }
1319
1320 /* If we didn't find anything, fall back to the negotiated */
1321 ret = 1;
1322 goto done;
1323
1324 err:
1325 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1326
1327 done:
1328 sk_SRTP_PROTECTION_PROFILE_free(clnt);
1329 return ret;
1330 }
1331
1332 static int
tlsext_srtp_server_needs(SSL * s,uint16_t msg_type)1333 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type)
1334 {
1335 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL;
1336 }
1337
1338 static int
tlsext_srtp_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1339 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1340 {
1341 SRTP_PROTECTION_PROFILE *profile;
1342 CBB srtp, mki;
1343
1344 if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1345 return 0;
1346
1347 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL)
1348 return 0;
1349
1350 if (!CBB_add_u16(&srtp, profile->id))
1351 return 0;
1352
1353 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1354 return 0;
1355
1356 if (!CBB_flush(cbb))
1357 return 0;
1358
1359 return 1;
1360 }
1361
1362 static int
tlsext_srtp_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1363 tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1364 {
1365 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1366 const SRTP_PROTECTION_PROFILE *prof;
1367 int i;
1368 uint16_t id;
1369 CBS profile_ids, mki;
1370
1371 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1372 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1373 return 0;
1374 }
1375
1376 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1377 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1378 return 0;
1379 }
1380
1381 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1382 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1383 *alert = SSL_AD_ILLEGAL_PARAMETER;
1384 return 0;
1385 }
1386
1387 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1388 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1389 return 0;
1390 }
1391
1392 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1393 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i))
1394 == NULL) {
1395 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1396 return 0;
1397 }
1398
1399 if (prof->id == id) {
1400 s->internal->srtp_profile = prof;
1401 return 1;
1402 }
1403 }
1404
1405 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1406
1407 return 0;
1408 }
1409
1410 #endif /* OPENSSL_NO_SRTP */
1411
1412 /*
1413 * TLSv1.3 Key Share - RFC 8446 section 4.2.8.
1414 */
1415 static int
tlsext_keyshare_client_needs(SSL * s,uint16_t msg_type)1416 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1417 {
1418 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1419 }
1420
1421 static int
tlsext_keyshare_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1422 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1423 {
1424 CBB client_shares, key_exchange;
1425
1426 if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
1427 return 0;
1428
1429 if (!CBB_add_u16(&client_shares,
1430 tls_key_share_group(s->s3->hs.key_share)))
1431 return 0;
1432 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
1433 return 0;
1434 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1435 return 0;
1436
1437 if (!CBB_flush(cbb))
1438 return 0;
1439
1440 return 1;
1441 }
1442
1443 static int
tlsext_keyshare_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1444 tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1445 {
1446 CBS client_shares, key_exchange;
1447 int decode_error;
1448 uint16_t group;
1449
1450 if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1451 return 0;
1452
1453 while (CBS_len(&client_shares) > 0) {
1454
1455 /* Unpack client share. */
1456 if (!CBS_get_u16(&client_shares, &group))
1457 return 0;
1458 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1459 return 0;
1460
1461 /*
1462 * XXX - check key exchange against supported groups from client.
1463 * XXX - check that groups only appear once.
1464 */
1465
1466 /*
1467 * Ignore this client share if we're using earlier than TLSv1.3
1468 * or we've already selected a key share.
1469 */
1470 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION)
1471 continue;
1472 if (s->s3->hs.key_share != NULL)
1473 continue;
1474
1475 /* XXX - consider implementing server preference. */
1476 if (!tls1_check_group(s, group))
1477 continue;
1478
1479 /* Decode and store the selected key share. */
1480 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) {
1481 *alert = SSL_AD_INTERNAL_ERROR;
1482 return 0;
1483 }
1484 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1485 &key_exchange, &decode_error, NULL)) {
1486 if (!decode_error)
1487 *alert = SSL_AD_INTERNAL_ERROR;
1488 return 0;
1489 }
1490 }
1491
1492 return 1;
1493 }
1494
1495 static int
tlsext_keyshare_server_needs(SSL * s,uint16_t msg_type)1496 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
1497 {
1498 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1499 tlsext_extension_seen(s, TLSEXT_TYPE_key_share));
1500 }
1501
1502 static int
tlsext_keyshare_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1503 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1504 {
1505 CBB key_exchange;
1506
1507 /* In the case of a HRR, we only send the server selected group. */
1508 if (s->s3->hs.tls13.hrr) {
1509 if (s->s3->hs.tls13.server_group == 0)
1510 return 0;
1511 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group);
1512 }
1513
1514 if (s->s3->hs.key_share == NULL)
1515 return 0;
1516
1517 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)))
1518 return 0;
1519 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
1520 return 0;
1521 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1522 return 0;
1523
1524 if (!CBB_flush(cbb))
1525 return 0;
1526
1527 return 1;
1528 }
1529
1530 static int
tlsext_keyshare_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1531 tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1532 {
1533 CBS key_exchange;
1534 int decode_error;
1535 uint16_t group;
1536
1537 /* Unpack server share. */
1538 if (!CBS_get_u16(cbs, &group))
1539 return 0;
1540
1541 if (CBS_len(cbs) == 0) {
1542 /* HRR does not include an actual key share, only the group. */
1543 if (msg_type != SSL_TLSEXT_MSG_HRR)
1544 return 0;
1545
1546 s->s3->hs.tls13.server_group = group;
1547 return 1;
1548 }
1549
1550 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1551 return 0;
1552
1553 if (s->s3->hs.key_share == NULL) {
1554 *alert = SSL_AD_INTERNAL_ERROR;
1555 return 0;
1556 }
1557 if (tls_key_share_group(s->s3->hs.key_share) != group) {
1558 *alert = SSL_AD_INTERNAL_ERROR;
1559 return 0;
1560 }
1561 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1562 &key_exchange, &decode_error, NULL)) {
1563 if (!decode_error)
1564 *alert = SSL_AD_INTERNAL_ERROR;
1565 return 0;
1566 }
1567
1568 return 1;
1569 }
1570
1571 /*
1572 * Supported Versions - RFC 8446 section 4.2.1.
1573 */
1574 static int
tlsext_versions_client_needs(SSL * s,uint16_t msg_type)1575 tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
1576 {
1577 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1578 }
1579
1580 static int
tlsext_versions_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1581 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1582 {
1583 uint16_t max, min;
1584 uint16_t version;
1585 CBB versions;
1586
1587 max = s->s3->hs.our_max_tls_version;
1588 min = s->s3->hs.our_min_tls_version;
1589
1590 if (!CBB_add_u8_length_prefixed(cbb, &versions))
1591 return 0;
1592
1593 /* XXX - fix, but contiguous for now... */
1594 for (version = max; version >= min; version--) {
1595 if (!CBB_add_u16(&versions, version))
1596 return 0;
1597 }
1598
1599 if (!CBB_flush(cbb))
1600 return 0;
1601
1602 return 1;
1603 }
1604
1605 static int
tlsext_versions_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1606 tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1607 {
1608 CBS versions;
1609 uint16_t version;
1610 uint16_t max, min;
1611 uint16_t matched_version = 0;
1612
1613 max = s->s3->hs.our_max_tls_version;
1614 min = s->s3->hs.our_min_tls_version;
1615
1616 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1617 return 0;
1618
1619 while (CBS_len(&versions) > 0) {
1620 if (!CBS_get_u16(&versions, &version))
1621 return 0;
1622 /*
1623 * XXX What is below implements client preference, and
1624 * ignores any server preference entirely.
1625 */
1626 if (matched_version == 0 && version >= min && version <= max)
1627 matched_version = version;
1628 }
1629
1630 if (matched_version > 0) {
1631 /* XXX - this should be stored for later processing. */
1632 s->version = matched_version;
1633 return 1;
1634 }
1635
1636 *alert = SSL_AD_PROTOCOL_VERSION;
1637 return 0;
1638 }
1639
1640 static int
tlsext_versions_server_needs(SSL * s,uint16_t msg_type)1641 tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
1642 {
1643 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
1644 }
1645
1646 static int
tlsext_versions_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1647 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1648 {
1649 return CBB_add_u16(cbb, TLS1_3_VERSION);
1650 }
1651
1652 static int
tlsext_versions_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1653 tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1654 {
1655 uint16_t selected_version;
1656
1657 if (!CBS_get_u16(cbs, &selected_version))
1658 return 0;
1659
1660 /* XXX - need to fix for DTLS 1.3 */
1661 if (selected_version < TLS1_3_VERSION) {
1662 *alert = SSL_AD_ILLEGAL_PARAMETER;
1663 return 0;
1664 }
1665
1666 /* XXX test between min and max once initialization code goes in */
1667 s->s3->hs.tls13.server_version = selected_version;
1668
1669 return 1;
1670 }
1671
1672
1673 /*
1674 * Cookie - RFC 8446 section 4.2.2.
1675 */
1676
1677 static int
tlsext_cookie_client_needs(SSL * s,uint16_t msg_type)1678 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
1679 {
1680 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1681 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1682 }
1683
1684 static int
tlsext_cookie_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1685 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1686 {
1687 CBB cookie;
1688
1689 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1690 return 0;
1691
1692 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1693 s->s3->hs.tls13.cookie_len))
1694 return 0;
1695
1696 if (!CBB_flush(cbb))
1697 return 0;
1698
1699 return 1;
1700 }
1701
1702 static int
tlsext_cookie_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1703 tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1704 {
1705 CBS cookie;
1706
1707 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1708 return 0;
1709
1710 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len)
1711 return 0;
1712
1713 /*
1714 * Check provided cookie value against what server previously
1715 * sent - client *MUST* send the same cookie with new CR after
1716 * a cookie is sent by the server with an HRR.
1717 */
1718 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie,
1719 s->s3->hs.tls13.cookie_len)) {
1720 /* XXX special cookie mismatch alert? */
1721 *alert = SSL_AD_ILLEGAL_PARAMETER;
1722 return 0;
1723 }
1724
1725 return 1;
1726 }
1727
1728 static int
tlsext_cookie_server_needs(SSL * s,uint16_t msg_type)1729 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
1730 {
1731 /*
1732 * Server needs to set cookie value in tls13 handshake
1733 * in order to send one, should only be sent with HRR.
1734 */
1735 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1736 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1737 }
1738
1739 static int
tlsext_cookie_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1740 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1741 {
1742 CBB cookie;
1743
1744 /* XXX deduplicate with client code */
1745
1746 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1747 return 0;
1748
1749 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1750 s->s3->hs.tls13.cookie_len))
1751 return 0;
1752
1753 if (!CBB_flush(cbb))
1754 return 0;
1755
1756 return 1;
1757 }
1758
1759 static int
tlsext_cookie_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1760 tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1761 {
1762 CBS cookie;
1763
1764 /*
1765 * XXX This currently assumes we will not get a second
1766 * HRR from a server with a cookie to process after accepting
1767 * one from the server in the same handshake
1768 */
1769 if (s->s3->hs.tls13.cookie != NULL ||
1770 s->s3->hs.tls13.cookie_len != 0) {
1771 *alert = SSL_AD_ILLEGAL_PARAMETER;
1772 return 0;
1773 }
1774
1775 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1776 return 0;
1777
1778 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie,
1779 &s->s3->hs.tls13.cookie_len))
1780 return 0;
1781
1782 return 1;
1783 }
1784
1785 /*
1786 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9.
1787 */
1788
1789 static int
tlsext_psk_kex_modes_client_needs(SSL * s,uint16_t msg_type)1790 tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type)
1791 {
1792 return (s->s3->hs.tls13.use_psk_dhe_ke &&
1793 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1794 }
1795
1796 static int
tlsext_psk_kex_modes_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1797 tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1798 {
1799 CBB ke_modes;
1800
1801 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes))
1802 return 0;
1803
1804 /* Only indicate support for PSK with DHE key establishment. */
1805 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE))
1806 return 0;
1807
1808 if (!CBB_flush(cbb))
1809 return 0;
1810
1811 return 1;
1812 }
1813
1814 static int
tlsext_psk_kex_modes_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1815 tlsext_psk_kex_modes_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1816 int *alert)
1817 {
1818 CBS ke_modes;
1819 uint8_t ke_mode;
1820
1821 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes))
1822 return 0;
1823
1824 while (CBS_len(&ke_modes) > 0) {
1825 if (!CBS_get_u8(&ke_modes, &ke_mode))
1826 return 0;
1827
1828 if (ke_mode == TLS13_PSK_DHE_KE)
1829 s->s3->hs.tls13.use_psk_dhe_ke = 1;
1830 }
1831
1832 return 1;
1833 }
1834
1835 static int
tlsext_psk_kex_modes_server_needs(SSL * s,uint16_t msg_type)1836 tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type)
1837 {
1838 /* Servers MUST NOT send this extension. */
1839 return 0;
1840 }
1841
1842 static int
tlsext_psk_kex_modes_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1843 tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1844 {
1845 return 0;
1846 }
1847
1848 static int
tlsext_psk_kex_modes_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1849 tlsext_psk_kex_modes_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1850 int *alert)
1851 {
1852 return 0;
1853 }
1854
1855 /*
1856 * Pre-Shared Key Extension - RFC 8446, 4.2.11
1857 */
1858
1859 static int
tlsext_psk_client_needs(SSL * s,uint16_t msg_type)1860 tlsext_psk_client_needs(SSL *s, uint16_t msg_type)
1861 {
1862 return 0;
1863 }
1864
1865 static int
tlsext_psk_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1866 tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1867 {
1868 return 0;
1869 }
1870
1871 static int
tlsext_psk_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1872 tlsext_psk_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1873 {
1874 return CBS_skip(cbs, CBS_len(cbs));
1875 }
1876
1877 static int
tlsext_psk_server_needs(SSL * s,uint16_t msg_type)1878 tlsext_psk_server_needs(SSL *s, uint16_t msg_type)
1879 {
1880 return 0;
1881 }
1882
1883 static int
tlsext_psk_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1884 tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1885 {
1886 return 0;
1887 }
1888
1889 static int
tlsext_psk_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1890 tlsext_psk_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1891 {
1892 return CBS_skip(cbs, CBS_len(cbs));
1893 }
1894
1895 /*
1896 * QUIC transport parameters extension - RFC 9001 section 8.2.
1897 */
1898
1899 static int
tlsext_quic_transport_parameters_client_needs(SSL * s,uint16_t msg_type)1900 tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type)
1901 {
1902 return SSL_is_quic(s) && s->internal->quic_transport_params_len > 0;
1903 }
1904
1905 static int
tlsext_quic_transport_parameters_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1906 tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type,
1907 CBB *cbb)
1908 {
1909 if (!CBB_add_bytes(cbb, s->internal->quic_transport_params,
1910 s->internal->quic_transport_params_len))
1911 return 0;
1912
1913 return 1;
1914 }
1915
1916 static int
tlsext_quic_transport_parameters_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1917 tlsext_quic_transport_parameters_client_parse(SSL *s, uint16_t msg_type,
1918 CBS *cbs, int *alert)
1919 {
1920 if (!SSL_is_quic(s)) {
1921 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1922 return 0;
1923 }
1924
1925 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params,
1926 &s->s3->peer_quic_transport_params_len))
1927 return 0;
1928 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len))
1929 return 0;
1930
1931 return 1;
1932 }
1933
1934 static int
tlsext_quic_transport_parameters_server_needs(SSL * s,uint16_t msg_type)1935 tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type)
1936 {
1937 return SSL_is_quic(s) && s->internal->quic_transport_params_len > 0;
1938 }
1939
1940 static int
tlsext_quic_transport_parameters_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1941 tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type,
1942 CBB *cbb)
1943 {
1944 if (!CBB_add_bytes(cbb, s->internal->quic_transport_params,
1945 s->internal->quic_transport_params_len))
1946 return 0;
1947
1948 return 1;
1949 }
1950
1951 static int
tlsext_quic_transport_parameters_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1952 tlsext_quic_transport_parameters_server_parse(SSL *s, uint16_t msg_type,
1953 CBS *cbs, int *alert)
1954 {
1955 if (!SSL_is_quic(s)) {
1956 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1957 return 0;
1958 }
1959
1960 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params,
1961 &s->s3->peer_quic_transport_params_len))
1962 return 0;
1963 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len))
1964 return 0;
1965
1966 return 1;
1967 }
1968
1969 struct tls_extension_funcs {
1970 int (*needs)(SSL *s, uint16_t msg_type);
1971 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
1972 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
1973 };
1974
1975 struct tls_extension {
1976 uint16_t type;
1977 uint16_t messages;
1978 struct tls_extension_funcs client;
1979 struct tls_extension_funcs server;
1980 };
1981
1982 static const struct tls_extension tls_extensions[] = {
1983 {
1984 .type = TLSEXT_TYPE_supported_versions,
1985 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
1986 SSL_TLSEXT_MSG_HRR,
1987 .client = {
1988 .needs = tlsext_versions_client_needs,
1989 .build = tlsext_versions_client_build,
1990 .parse = tlsext_versions_client_parse,
1991 },
1992 .server = {
1993 .needs = tlsext_versions_server_needs,
1994 .build = tlsext_versions_server_build,
1995 .parse = tlsext_versions_server_parse,
1996 },
1997 },
1998 {
1999 .type = TLSEXT_TYPE_key_share,
2000 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
2001 SSL_TLSEXT_MSG_HRR,
2002 .client = {
2003 .needs = tlsext_keyshare_client_needs,
2004 .build = tlsext_keyshare_client_build,
2005 .parse = tlsext_keyshare_client_parse,
2006 },
2007 .server = {
2008 .needs = tlsext_keyshare_server_needs,
2009 .build = tlsext_keyshare_server_build,
2010 .parse = tlsext_keyshare_server_parse,
2011 },
2012 },
2013 {
2014 .type = TLSEXT_TYPE_server_name,
2015 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2016 .client = {
2017 .needs = tlsext_sni_client_needs,
2018 .build = tlsext_sni_client_build,
2019 .parse = tlsext_sni_client_parse,
2020 },
2021 .server = {
2022 .needs = tlsext_sni_server_needs,
2023 .build = tlsext_sni_server_build,
2024 .parse = tlsext_sni_server_parse,
2025 },
2026 },
2027 {
2028 .type = TLSEXT_TYPE_renegotiate,
2029 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2030 .client = {
2031 .needs = tlsext_ri_client_needs,
2032 .build = tlsext_ri_client_build,
2033 .parse = tlsext_ri_client_parse,
2034 },
2035 .server = {
2036 .needs = tlsext_ri_server_needs,
2037 .build = tlsext_ri_server_build,
2038 .parse = tlsext_ri_server_parse,
2039 },
2040 },
2041 {
2042 .type = TLSEXT_TYPE_status_request,
2043 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR |
2044 SSL_TLSEXT_MSG_CT,
2045 .client = {
2046 .needs = tlsext_ocsp_client_needs,
2047 .build = tlsext_ocsp_client_build,
2048 .parse = tlsext_ocsp_client_parse,
2049 },
2050 .server = {
2051 .needs = tlsext_ocsp_server_needs,
2052 .build = tlsext_ocsp_server_build,
2053 .parse = tlsext_ocsp_server_parse,
2054 },
2055 },
2056 {
2057 .type = TLSEXT_TYPE_ec_point_formats,
2058 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2059 .client = {
2060 .needs = tlsext_ecpf_client_needs,
2061 .build = tlsext_ecpf_client_build,
2062 .parse = tlsext_ecpf_client_parse,
2063 },
2064 .server = {
2065 .needs = tlsext_ecpf_server_needs,
2066 .build = tlsext_ecpf_server_build,
2067 .parse = tlsext_ecpf_server_parse,
2068 },
2069 },
2070 {
2071 .type = TLSEXT_TYPE_supported_groups,
2072 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2073 .client = {
2074 .needs = tlsext_supportedgroups_client_needs,
2075 .build = tlsext_supportedgroups_client_build,
2076 .parse = tlsext_supportedgroups_client_parse,
2077 },
2078 .server = {
2079 .needs = tlsext_supportedgroups_server_needs,
2080 .build = tlsext_supportedgroups_server_build,
2081 .parse = tlsext_supportedgroups_server_parse,
2082 },
2083 },
2084 {
2085 .type = TLSEXT_TYPE_session_ticket,
2086 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2087 .client = {
2088 .needs = tlsext_sessionticket_client_needs,
2089 .build = tlsext_sessionticket_client_build,
2090 .parse = tlsext_sessionticket_client_parse,
2091 },
2092 .server = {
2093 .needs = tlsext_sessionticket_server_needs,
2094 .build = tlsext_sessionticket_server_build,
2095 .parse = tlsext_sessionticket_server_parse,
2096 },
2097 },
2098 {
2099 .type = TLSEXT_TYPE_signature_algorithms,
2100 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR,
2101 .client = {
2102 .needs = tlsext_sigalgs_client_needs,
2103 .build = tlsext_sigalgs_client_build,
2104 .parse = tlsext_sigalgs_client_parse,
2105 },
2106 .server = {
2107 .needs = tlsext_sigalgs_server_needs,
2108 .build = tlsext_sigalgs_server_build,
2109 .parse = tlsext_sigalgs_server_parse,
2110 },
2111 },
2112 {
2113 .type = TLSEXT_TYPE_application_layer_protocol_negotiation,
2114 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2115 .client = {
2116 .needs = tlsext_alpn_client_needs,
2117 .build = tlsext_alpn_client_build,
2118 .parse = tlsext_alpn_client_parse,
2119 },
2120 .server = {
2121 .needs = tlsext_alpn_server_needs,
2122 .build = tlsext_alpn_server_build,
2123 .parse = tlsext_alpn_server_parse,
2124 },
2125 },
2126 {
2127 .type = TLSEXT_TYPE_cookie,
2128 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
2129 .client = {
2130 .needs = tlsext_cookie_client_needs,
2131 .build = tlsext_cookie_client_build,
2132 .parse = tlsext_cookie_client_parse,
2133 },
2134 .server = {
2135 .needs = tlsext_cookie_server_needs,
2136 .build = tlsext_cookie_server_build,
2137 .parse = tlsext_cookie_server_parse,
2138 },
2139 },
2140 #ifndef OPENSSL_NO_SRTP
2141 {
2142 .type = TLSEXT_TYPE_use_srtp,
2143 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ |
2144 SSL_TLSEXT_MSG_EE,
2145 .client = {
2146 .needs = tlsext_srtp_client_needs,
2147 .build = tlsext_srtp_client_build,
2148 .parse = tlsext_srtp_client_parse,
2149 },
2150 .server = {
2151 .needs = tlsext_srtp_server_needs,
2152 .build = tlsext_srtp_server_build,
2153 .parse = tlsext_srtp_server_parse,
2154 },
2155 },
2156 #endif /* OPENSSL_NO_SRTP */
2157 {
2158 .type = TLSEXT_TYPE_quic_transport_parameters,
2159 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2160 .client = {
2161 .needs = tlsext_quic_transport_parameters_client_needs,
2162 .build = tlsext_quic_transport_parameters_client_build,
2163 .parse = tlsext_quic_transport_parameters_client_parse,
2164 },
2165 .server = {
2166 .needs = tlsext_quic_transport_parameters_server_needs,
2167 .build = tlsext_quic_transport_parameters_server_build,
2168 .parse = tlsext_quic_transport_parameters_server_parse,
2169 },
2170 },
2171 {
2172 .type = TLSEXT_TYPE_psk_key_exchange_modes,
2173 .messages = SSL_TLSEXT_MSG_CH,
2174 .client = {
2175 .needs = tlsext_psk_kex_modes_client_needs,
2176 .build = tlsext_psk_kex_modes_client_build,
2177 .parse = tlsext_psk_kex_modes_client_parse,
2178 },
2179 .server = {
2180 .needs = tlsext_psk_kex_modes_server_needs,
2181 .build = tlsext_psk_kex_modes_server_build,
2182 .parse = tlsext_psk_kex_modes_server_parse,
2183 },
2184 },
2185 {
2186 /* MUST be last extension in CH per RFC 8446 section 4.2. */
2187
2188 .type = TLSEXT_TYPE_pre_shared_key,
2189 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2190 .client = {
2191 .needs = tlsext_psk_client_needs,
2192 .build = tlsext_psk_client_build,
2193 .parse = tlsext_psk_client_parse,
2194 },
2195 .server = {
2196 .needs = tlsext_psk_server_needs,
2197 .build = tlsext_psk_server_build,
2198 .parse = tlsext_psk_server_parse,
2199 },
2200 },
2201 };
2202
2203 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
2204
2205 /* Ensure that extensions fit in a uint32_t bitmask. */
2206 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
2207
2208 const struct tls_extension *
tls_extension_find(uint16_t type,size_t * tls_extensions_idx)2209 tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
2210 {
2211 size_t i;
2212
2213 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2214 if (tls_extensions[i].type == type) {
2215 *tls_extensions_idx = i;
2216 return &tls_extensions[i];
2217 }
2218 }
2219
2220 return NULL;
2221 }
2222
2223 int
tlsext_extension_seen(SSL * s,uint16_t type)2224 tlsext_extension_seen(SSL *s, uint16_t type)
2225 {
2226 size_t idx;
2227
2228 if (tls_extension_find(type, &idx) == NULL)
2229 return 0;
2230 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0);
2231 }
2232
2233 const struct tls_extension_funcs *
tlsext_funcs(const struct tls_extension * tlsext,int is_server)2234 tlsext_funcs(const struct tls_extension *tlsext, int is_server)
2235 {
2236 if (is_server)
2237 return &tlsext->server;
2238
2239 return &tlsext->client;
2240 }
2241
2242 static int
tlsext_build(SSL * s,int is_server,uint16_t msg_type,CBB * cbb)2243 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
2244 {
2245 const struct tls_extension_funcs *ext;
2246 const struct tls_extension *tlsext;
2247 CBB extensions, extension_data;
2248 int extensions_present = 0;
2249 uint16_t tls_version;
2250 size_t i;
2251
2252 tls_version = ssl_effective_tls_version(s);
2253
2254 if (!CBB_add_u16_length_prefixed(cbb, &extensions))
2255 return 0;
2256
2257 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2258 tlsext = &tls_extensions[i];
2259 ext = tlsext_funcs(tlsext, is_server);
2260
2261 /* RFC 8446 Section 4.2 */
2262 if (tls_version >= TLS1_3_VERSION &&
2263 !(tlsext->messages & msg_type))
2264 continue;
2265
2266 if (!ext->needs(s, msg_type))
2267 continue;
2268
2269 if (!CBB_add_u16(&extensions, tlsext->type))
2270 return 0;
2271 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
2272 return 0;
2273
2274 if (!ext->build(s, msg_type, &extension_data))
2275 return 0;
2276
2277 extensions_present = 1;
2278 }
2279
2280 if (!extensions_present &&
2281 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0)
2282 CBB_discard_child(cbb);
2283
2284 if (!CBB_flush(cbb))
2285 return 0;
2286
2287 return 1;
2288 }
2289
2290 int
tlsext_clienthello_hash_extension(SSL * s,uint16_t type,CBS * cbs)2291 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs)
2292 {
2293 /*
2294 * RFC 8446 4.1.2. For subsequent CH, early data will be removed,
2295 * cookie may be added, padding may be removed.
2296 */
2297 struct tls13_ctx *ctx = s->internal->tls13;
2298
2299 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie ||
2300 type == TLSEXT_TYPE_padding)
2301 return 1;
2302 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
2303 sizeof(type)))
2304 return 0;
2305 /*
2306 * key_share data may be changed, and pre_shared_key data may
2307 * be changed
2308 */
2309 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share)
2310 return 1;
2311 if (!tls13_clienthello_hash_update(ctx, cbs))
2312 return 0;
2313
2314 return 1;
2315 }
2316
2317 static int
tlsext_parse(SSL * s,int is_server,uint16_t msg_type,CBS * cbs,int * alert)2318 tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2319 {
2320 const struct tls_extension_funcs *ext;
2321 const struct tls_extension *tlsext;
2322 CBS extensions, extension_data;
2323 uint16_t type;
2324 size_t idx;
2325 uint16_t tls_version;
2326 int alert_desc;
2327
2328 tls_version = ssl_effective_tls_version(s);
2329
2330 s->s3->hs.extensions_seen = 0;
2331
2332 /* An empty extensions block is valid. */
2333 if (CBS_len(cbs) == 0)
2334 return 1;
2335
2336 alert_desc = SSL_AD_DECODE_ERROR;
2337
2338 if (!CBS_get_u16_length_prefixed(cbs, &extensions))
2339 goto err;
2340
2341 while (CBS_len(&extensions) > 0) {
2342 if (!CBS_get_u16(&extensions, &type))
2343 goto err;
2344 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
2345 goto err;
2346
2347 if (s->internal->tlsext_debug_cb != NULL)
2348 s->internal->tlsext_debug_cb(s, !is_server, type,
2349 (unsigned char *)CBS_data(&extension_data),
2350 CBS_len(&extension_data),
2351 s->internal->tlsext_debug_arg);
2352
2353 /* Unknown extensions are ignored. */
2354 if ((tlsext = tls_extension_find(type, &idx)) == NULL)
2355 continue;
2356
2357 if (tls_version >= TLS1_3_VERSION && is_server &&
2358 msg_type == SSL_TLSEXT_MSG_CH) {
2359 if (!tlsext_clienthello_hash_extension(s, type,
2360 &extension_data))
2361 goto err;
2362 }
2363
2364 /* RFC 8446 Section 4.2 */
2365 if (tls_version >= TLS1_3_VERSION &&
2366 !(tlsext->messages & msg_type)) {
2367 alert_desc = SSL_AD_ILLEGAL_PARAMETER;
2368 goto err;
2369 }
2370
2371 /* Check for duplicate known extensions. */
2372 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0)
2373 goto err;
2374 s->s3->hs.extensions_seen |= (1 << idx);
2375
2376 ext = tlsext_funcs(tlsext, is_server);
2377 if (!ext->parse(s, msg_type, &extension_data, &alert_desc))
2378 goto err;
2379
2380 if (CBS_len(&extension_data) != 0)
2381 goto err;
2382 }
2383
2384 return 1;
2385
2386 err:
2387 *alert = alert_desc;
2388
2389 return 0;
2390 }
2391
2392 static void
tlsext_server_reset_state(SSL * s)2393 tlsext_server_reset_state(SSL *s)
2394 {
2395 s->tlsext_status_type = -1;
2396 s->s3->renegotiate_seen = 0;
2397 free(s->s3->alpn_selected);
2398 s->s3->alpn_selected = NULL;
2399 s->s3->alpn_selected_len = 0;
2400 s->internal->srtp_profile = NULL;
2401 }
2402
2403 int
tlsext_server_build(SSL * s,uint16_t msg_type,CBB * cbb)2404 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
2405 {
2406 return tlsext_build(s, 1, msg_type, cbb);
2407 }
2408
2409 int
tlsext_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)2410 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2411 {
2412 /* XXX - this should be done by the caller... */
2413 if (msg_type == SSL_TLSEXT_MSG_CH)
2414 tlsext_server_reset_state(s);
2415
2416 return tlsext_parse(s, 1, msg_type, cbs, alert);
2417 }
2418
2419 static void
tlsext_client_reset_state(SSL * s)2420 tlsext_client_reset_state(SSL *s)
2421 {
2422 s->s3->renegotiate_seen = 0;
2423 free(s->s3->alpn_selected);
2424 s->s3->alpn_selected = NULL;
2425 s->s3->alpn_selected_len = 0;
2426 }
2427
2428 int
tlsext_client_build(SSL * s,uint16_t msg_type,CBB * cbb)2429 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
2430 {
2431 return tlsext_build(s, 0, msg_type, cbb);
2432 }
2433
2434 int
tlsext_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)2435 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2436 {
2437 /* XXX - this should be done by the caller... */
2438 if (msg_type == SSL_TLSEXT_MSG_SH)
2439 tlsext_client_reset_state(s);
2440
2441 return tlsext_parse(s, 0, msg_type, cbs, alert);
2442 }
2443