1 /* $OpenBSD: ssl_tlsext.c,v 1.154 2024/07/09 12:27:27 beck Exp $ */
2 /*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2018-2019, 2024 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20 #include <sys/socket.h>
21
22 #include <arpa/inet.h>
23 #include <netinet/in.h>
24
25 #include <ctype.h>
26
27 #include <openssl/ocsp.h>
28 #include <openssl/opensslconf.h>
29
30 #include "bytestring.h"
31 #include "ssl_local.h"
32 #include "ssl_sigalgs.h"
33 #include "ssl_tlsext.h"
34
35 #define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation
36 #define TLSEXT_MAX_SUPPORTED_GROUPS 64
37
38 /*
39 * Supported Application-Layer Protocol Negotiation - RFC 7301
40 */
41
42 static int
tlsext_alpn_client_needs(SSL * s,uint16_t msg_type)43 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type)
44 {
45 /* ALPN protos have been specified and this is the initial handshake */
46 return s->alpn_client_proto_list != NULL &&
47 s->s3->hs.finished_len == 0;
48 }
49
50 static int
tlsext_alpn_client_build(SSL * s,uint16_t msg_type,CBB * cbb)51 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
52 {
53 CBB protolist;
54
55 if (!CBB_add_u16_length_prefixed(cbb, &protolist))
56 return 0;
57
58 if (!CBB_add_bytes(&protolist, s->alpn_client_proto_list,
59 s->alpn_client_proto_list_len))
60 return 0;
61
62 if (!CBB_flush(cbb))
63 return 0;
64
65 return 1;
66 }
67
68 int
tlsext_alpn_check_format(CBS * cbs)69 tlsext_alpn_check_format(CBS *cbs)
70 {
71 CBS proto_name_list;
72
73 if (CBS_len(cbs) == 0)
74 return 0;
75
76 CBS_dup(cbs, &proto_name_list);
77 while (CBS_len(&proto_name_list) > 0) {
78 CBS proto_name;
79
80 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
81 return 0;
82 if (CBS_len(&proto_name) == 0)
83 return 0;
84 }
85
86 return 1;
87 }
88
89 static int
tlsext_alpn_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)90 tlsext_alpn_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
91 {
92 CBS alpn, selected_cbs;
93 const unsigned char *selected;
94 unsigned char selected_len;
95 int r;
96
97 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
98 return 0;
99 if (!tlsext_alpn_check_format(&alpn))
100 return 0;
101
102 if (s->ctx->alpn_select_cb == NULL)
103 return 1;
104
105 /*
106 * XXX - A few things should be considered here:
107 * 1. Ensure that the same protocol is selected on session resumption.
108 * 2. Should the callback be called even if no ALPN extension was sent?
109 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed.
110 */
111 r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
112 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg);
113
114 if (r == SSL_TLSEXT_ERR_OK) {
115 CBS_init(&selected_cbs, selected, selected_len);
116
117 if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected,
118 &s->s3->alpn_selected_len)) {
119 *alert = SSL_AD_INTERNAL_ERROR;
120 return 0;
121 }
122
123 return 1;
124 }
125
126 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */
127 if (r == SSL_TLSEXT_ERR_NOACK)
128 return 1;
129
130 *alert = SSL_AD_NO_APPLICATION_PROTOCOL;
131 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL);
132
133 return 0;
134 }
135
136 static int
tlsext_alpn_server_needs(SSL * s,uint16_t msg_type)137 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type)
138 {
139 return s->s3->alpn_selected != NULL;
140 }
141
142 static int
tlsext_alpn_server_build(SSL * s,uint16_t msg_type,CBB * cbb)143 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
144 {
145 CBB list, selected;
146
147 if (!CBB_add_u16_length_prefixed(cbb, &list))
148 return 0;
149
150 if (!CBB_add_u8_length_prefixed(&list, &selected))
151 return 0;
152
153 if (!CBB_add_bytes(&selected, s->s3->alpn_selected,
154 s->s3->alpn_selected_len))
155 return 0;
156
157 if (!CBB_flush(cbb))
158 return 0;
159
160 return 1;
161 }
162
163 static int
tlsext_alpn_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)164 tlsext_alpn_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
165 {
166 CBS list, proto;
167
168 if (s->alpn_client_proto_list == NULL) {
169 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
170 return 0;
171 }
172
173 if (!CBS_get_u16_length_prefixed(cbs, &list))
174 return 0;
175
176 if (!CBS_get_u8_length_prefixed(&list, &proto))
177 return 0;
178
179 if (CBS_len(&list) != 0)
180 return 0;
181 if (CBS_len(&proto) == 0)
182 return 0;
183
184 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len))
185 return 0;
186
187 return 1;
188 }
189
190 /*
191 * Supported Groups - RFC 7919 section 2
192 */
193 static int
tlsext_supportedgroups_client_needs(SSL * s,uint16_t msg_type)194 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type)
195 {
196 return ssl_has_ecc_ciphers(s) ||
197 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
198 }
199
200 static int
tlsext_supportedgroups_client_build(SSL * s,uint16_t msg_type,CBB * cbb)201 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
202 {
203 const uint16_t *groups;
204 size_t groups_len;
205 CBB grouplist;
206 int i;
207
208 tls1_get_group_list(s, 0, &groups, &groups_len);
209 if (groups_len == 0) {
210 SSLerror(s, ERR_R_INTERNAL_ERROR);
211 return 0;
212 }
213
214 if (!CBB_add_u16_length_prefixed(cbb, &grouplist))
215 return 0;
216
217 for (i = 0; i < groups_len; i++) {
218 if (!ssl_security_supported_group(s, groups[i]))
219 continue;
220 if (!CBB_add_u16(&grouplist, groups[i]))
221 return 0;
222 }
223
224 if (!CBB_flush(cbb))
225 return 0;
226
227 return 1;
228 }
229
230 static int
tlsext_supportedgroups_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)231 tlsext_supportedgroups_server_process(SSL *s, uint16_t msg_type, CBS *cbs,
232 int *alert)
233 {
234 uint16_t *groups = NULL;
235 size_t groups_len;
236 CBS grouplist;
237 int i, j;
238 int ret = 0;
239
240 if (!CBS_get_u16_length_prefixed(cbs, &grouplist))
241 goto err;
242
243 groups_len = CBS_len(&grouplist);
244 if (groups_len == 0 || groups_len % 2 != 0)
245 goto err;
246 groups_len /= 2;
247
248 if (groups_len > TLSEXT_MAX_SUPPORTED_GROUPS)
249 goto err;
250
251 if (s->hit)
252 goto done;
253
254 if (s->s3->hs.tls13.hrr) {
255 if (s->session->tlsext_supportedgroups == NULL) {
256 *alert = SSL_AD_HANDSHAKE_FAILURE;
257 return 0;
258 }
259
260 /*
261 * The ClientHello extension hashing ensures that the client
262 * did not change its list of supported groups.
263 */
264
265 goto done;
266 }
267
268 if (s->session->tlsext_supportedgroups != NULL)
269 goto err; /* XXX internal error? */
270
271 if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) {
272 *alert = SSL_AD_INTERNAL_ERROR;
273 goto err;
274 }
275
276 for (i = 0; i < groups_len; i++) {
277 if (!CBS_get_u16(&grouplist, &groups[i]))
278 goto err;
279 /*
280 * Do not allow duplicate groups to be sent. This is not
281 * currently specified in RFC 8446 or earlier, but there is no
282 * legitimate justification for this to occur in TLS 1.2 or TLS
283 * 1.3.
284 */
285 for (j = 0; j < i; j++) {
286 if (groups[i] == groups[j]) {
287 *alert = SSL_AD_ILLEGAL_PARAMETER;
288 goto err;
289 }
290 }
291 }
292
293 if (CBS_len(&grouplist) != 0)
294 goto err;
295
296 s->session->tlsext_supportedgroups = groups;
297 s->session->tlsext_supportedgroups_length = groups_len;
298 groups = NULL;
299
300
301 done:
302 ret = 1;
303
304 err:
305 free(groups);
306
307 return ret;
308 }
309
310 /* This extension is never used by the server. */
311 static int
tlsext_supportedgroups_server_needs(SSL * s,uint16_t msg_type)312 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type)
313 {
314 return 0;
315 }
316
317 static int
tlsext_supportedgroups_server_build(SSL * s,uint16_t msg_type,CBB * cbb)318 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
319 {
320 return 0;
321 }
322
323 static int
tlsext_supportedgroups_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)324 tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs,
325 int *alert)
326 {
327 /*
328 * This extension is only allowed in TLSv1.3 encrypted extensions.
329 * It is not permitted in a ServerHello in any version of TLS.
330 */
331 if (msg_type != SSL_TLSEXT_MSG_EE)
332 return 0;
333
334 /*
335 * RFC 8446, section 4.2.7: TLSv1.3 servers can send this extension but
336 * clients must not act on it during the handshake. This allows servers
337 * to advertise their preferences for subsequent handshakes. We ignore
338 * this complication.
339 */
340 if (!CBS_skip(cbs, CBS_len(cbs))) {
341 *alert = SSL_AD_INTERNAL_ERROR;
342 return 0;
343 }
344
345 return 1;
346 }
347
348 /*
349 * Supported Point Formats Extension - RFC 4492 section 5.1.2
350 */
351 static int
tlsext_ecpf_build(SSL * s,uint16_t msg_type,CBB * cbb)352 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb)
353 {
354 CBB ecpf;
355 size_t formats_len;
356 const uint8_t *formats;
357
358 tls1_get_formatlist(s, 0, &formats, &formats_len);
359
360 if (formats_len == 0) {
361 SSLerror(s, ERR_R_INTERNAL_ERROR);
362 return 0;
363 }
364
365 if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
366 return 0;
367 if (!CBB_add_bytes(&ecpf, formats, formats_len))
368 return 0;
369 if (!CBB_flush(cbb))
370 return 0;
371
372 return 1;
373 }
374
375 static int
tlsext_ecpf_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)376 tlsext_ecpf_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
377 {
378 CBS ecpf;
379
380 if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
381 return 0;
382 if (CBS_len(&ecpf) == 0)
383 return 0;
384
385 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
386 if (!CBS_contains_zero_byte(&ecpf)) {
387 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
388 *alert = SSL_AD_ILLEGAL_PARAMETER;
389 return 0;
390 }
391
392 if (!s->hit) {
393 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist),
394 &(s->session->tlsext_ecpointformatlist_length))) {
395 *alert = SSL_AD_INTERNAL_ERROR;
396 return 0;
397 }
398 }
399
400 return 1;
401 }
402
403 static int
tlsext_ecpf_client_needs(SSL * s,uint16_t msg_type)404 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type)
405 {
406 return ssl_has_ecc_ciphers(s);
407 }
408
409 static int
tlsext_ecpf_client_build(SSL * s,uint16_t msg_type,CBB * cbb)410 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
411 {
412 return tlsext_ecpf_build(s, msg_type, cbb);
413 }
414
415 static int
tlsext_ecpf_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)416 tlsext_ecpf_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
417 {
418 return tlsext_ecpf_process(s, msg_type, cbs, alert);
419 }
420
421 static int
tlsext_ecpf_server_needs(SSL * s,uint16_t msg_type)422 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type)
423 {
424 return ssl_using_ecc_cipher(s);
425 }
426
427 static int
tlsext_ecpf_server_build(SSL * s,uint16_t msg_type,CBB * cbb)428 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
429 {
430 return tlsext_ecpf_build(s, msg_type, cbb);
431 }
432
433 static int
tlsext_ecpf_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)434 tlsext_ecpf_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
435 {
436 return tlsext_ecpf_process(s, msg_type, cbs, alert);
437 }
438
439 /*
440 * Renegotiation Indication - RFC 5746.
441 */
442 static int
tlsext_ri_client_needs(SSL * s,uint16_t msg_type)443 tlsext_ri_client_needs(SSL *s, uint16_t msg_type)
444 {
445 return (s->renegotiate);
446 }
447
448 static int
tlsext_ri_client_build(SSL * s,uint16_t msg_type,CBB * cbb)449 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
450 {
451 CBB reneg;
452
453 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
454 return 0;
455 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
456 s->s3->previous_client_finished_len))
457 return 0;
458 if (!CBB_flush(cbb))
459 return 0;
460
461 return 1;
462 }
463
464 static int
tlsext_ri_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)465 tlsext_ri_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
466 {
467 CBS reneg;
468
469 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) {
470 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
471 return 0;
472 }
473
474 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished,
475 s->s3->previous_client_finished_len)) {
476 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
477 *alert = SSL_AD_HANDSHAKE_FAILURE;
478 return 0;
479 }
480
481 s->s3->renegotiate_seen = 1;
482 s->s3->send_connection_binding = 1;
483
484 return 1;
485 }
486
487 static int
tlsext_ri_server_needs(SSL * s,uint16_t msg_type)488 tlsext_ri_server_needs(SSL *s, uint16_t msg_type)
489 {
490 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
491 s->s3->send_connection_binding);
492 }
493
494 static int
tlsext_ri_server_build(SSL * s,uint16_t msg_type,CBB * cbb)495 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
496 {
497 CBB reneg;
498
499 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
500 return 0;
501 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
502 s->s3->previous_client_finished_len))
503 return 0;
504 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished,
505 s->s3->previous_server_finished_len))
506 return 0;
507 if (!CBB_flush(cbb))
508 return 0;
509
510 return 1;
511 }
512
513 static int
tlsext_ri_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)514 tlsext_ri_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
515 {
516 CBS reneg, prev_client, prev_server;
517
518 /*
519 * Ensure that the previous client and server values are both not
520 * present, or that they are both present.
521 */
522 if ((s->s3->previous_client_finished_len == 0 &&
523 s->s3->previous_server_finished_len != 0) ||
524 (s->s3->previous_client_finished_len != 0 &&
525 s->s3->previous_server_finished_len == 0)) {
526 *alert = SSL_AD_INTERNAL_ERROR;
527 return 0;
528 }
529
530 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) {
531 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
532 return 0;
533 }
534 if (!CBS_get_bytes(&reneg, &prev_client,
535 s->s3->previous_client_finished_len)) {
536 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
537 return 0;
538 }
539 if (!CBS_get_bytes(&reneg, &prev_server,
540 s->s3->previous_server_finished_len)) {
541 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
542 return 0;
543 }
544 if (CBS_len(&reneg) != 0) {
545 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
546 return 0;
547 }
548
549 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished,
550 s->s3->previous_client_finished_len)) {
551 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
552 *alert = SSL_AD_HANDSHAKE_FAILURE;
553 return 0;
554 }
555 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished,
556 s->s3->previous_server_finished_len)) {
557 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
558 *alert = SSL_AD_HANDSHAKE_FAILURE;
559 return 0;
560 }
561
562 s->s3->renegotiate_seen = 1;
563 s->s3->send_connection_binding = 1;
564
565 return 1;
566 }
567
568 /*
569 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
570 */
571 static int
tlsext_sigalgs_client_needs(SSL * s,uint16_t msg_type)572 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
573 {
574 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION);
575 }
576
577 static int
tlsext_sigalgs_client_build(SSL * s,uint16_t msg_type,CBB * cbb)578 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
579 {
580 uint16_t tls_version = s->s3->hs.negotiated_tls_version;
581 CBB sigalgs;
582
583 if (msg_type == SSL_TLSEXT_MSG_CH)
584 tls_version = s->s3->hs.our_min_tls_version;
585
586 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
587 return 0;
588 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s)))
589 return 0;
590 if (!CBB_flush(cbb))
591 return 0;
592
593 return 1;
594 }
595
596 static int
tlsext_sigalgs_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)597 tlsext_sigalgs_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
598 {
599 CBS sigalgs;
600
601 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
602 return 0;
603 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
604 return 0;
605 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
606 return 0;
607
608 return 1;
609 }
610
611 static int
tlsext_sigalgs_server_needs(SSL * s,uint16_t msg_type)612 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
613 {
614 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
615 }
616
617 static int
tlsext_sigalgs_server_build(SSL * s,uint16_t msg_type,CBB * cbb)618 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
619 {
620 CBB sigalgs;
621
622 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
623 return 0;
624 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs,
625 SSL_get_security_level(s)))
626 return 0;
627 if (!CBB_flush(cbb))
628 return 0;
629
630 return 1;
631 }
632
633 static int
tlsext_sigalgs_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)634 tlsext_sigalgs_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
635 {
636 CBS sigalgs;
637
638 if (ssl_effective_tls_version(s) < TLS1_3_VERSION)
639 return 0;
640
641 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
642 return 0;
643 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
644 return 0;
645 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
646 return 0;
647
648 return 1;
649 }
650
651 /*
652 * Server Name Indication - RFC 6066, section 3.
653 */
654 static int
tlsext_sni_client_needs(SSL * s,uint16_t msg_type)655 tlsext_sni_client_needs(SSL *s, uint16_t msg_type)
656 {
657 return (s->tlsext_hostname != NULL);
658 }
659
660 static int
tlsext_sni_client_build(SSL * s,uint16_t msg_type,CBB * cbb)661 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
662 {
663 CBB server_name_list, host_name;
664
665 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
666 return 0;
667 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name))
668 return 0;
669 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
670 return 0;
671 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
672 strlen(s->tlsext_hostname)))
673 return 0;
674 if (!CBB_flush(cbb))
675 return 0;
676
677 return 1;
678 }
679
680 static int
tlsext_sni_is_ip_literal(CBS * cbs,int * is_ip)681 tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip)
682 {
683 union {
684 struct in_addr ip4;
685 struct in6_addr ip6;
686 } addrbuf;
687 char *hostname = NULL;
688
689 *is_ip = 0;
690
691 if (!CBS_strdup(cbs, &hostname))
692 return 0;
693
694 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 ||
695 inet_pton(AF_INET6, hostname, &addrbuf) == 1)
696 *is_ip = 1;
697
698 free(hostname);
699
700 return 1;
701 }
702
703 /*
704 * Validate that the CBS contains only a hostname consisting of RFC 5890
705 * compliant A-labels (see RFC 6066 section 3). Not a complete check
706 * since we don't parse punycode to verify its validity but limits to
707 * correct structure and character set.
708 */
709 int
tlsext_sni_is_valid_hostname(CBS * cbs,int * is_ip)710 tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip)
711 {
712 uint8_t prev, c = 0;
713 int component = 0;
714 CBS hostname;
715
716 *is_ip = 0;
717
718 CBS_dup(cbs, &hostname);
719
720 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name)
721 return 0;
722
723 /* An IP literal is invalid as a host name (RFC 6066 section 3). */
724 if (!tlsext_sni_is_ip_literal(&hostname, is_ip))
725 return 0;
726 if (*is_ip)
727 return 0;
728
729 while (CBS_len(&hostname) > 0) {
730 prev = c;
731 if (!CBS_get_u8(&hostname, &c))
732 return 0;
733 /* Everything has to be ASCII, with no NUL byte. */
734 if (!isascii(c) || c == '\0')
735 return 0;
736 /* It must be alphanumeric, a '-', or a '.' */
737 if (!isalnum(c) && c != '-' && c != '.')
738 return 0;
739 /* '-' and '.' must not start a component or be at the end. */
740 if (component == 0 || CBS_len(&hostname) == 0) {
741 if (c == '-' || c == '.')
742 return 0;
743 }
744 if (c == '.') {
745 /* Components can not end with a dash. */
746 if (prev == '-')
747 return 0;
748 /* Start new component */
749 component = 0;
750 continue;
751 }
752 /* Components must be 63 chars or less. */
753 if (++component > 63)
754 return 0;
755 }
756
757 return 1;
758 }
759
760 static int
tlsext_sni_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)761 tlsext_sni_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
762 {
763 CBS server_name_list, host_name;
764 uint8_t name_type;
765 int is_ip;
766
767 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
768 goto err;
769
770 if (!CBS_get_u8(&server_name_list, &name_type))
771 goto err;
772
773 /*
774 * RFC 6066 section 3, only one type (host_name) is specified.
775 * We do not tolerate unknown types, neither does BoringSSL.
776 * other implementations appear more tolerant.
777 */
778 if (name_type != TLSEXT_NAMETYPE_host_name) {
779 *alert = SSL_AD_ILLEGAL_PARAMETER;
780 goto err;
781 }
782
783 /*
784 * RFC 6066 section 3 specifies a host name must be at least 1 byte
785 * so 0 length is a decode error.
786 */
787 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
788 goto err;
789 if (CBS_len(&host_name) < 1)
790 goto err;
791
792 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) {
793 /*
794 * Various pieces of software have been known to set the SNI
795 * host name to an IP address, even though that violates the
796 * RFC. If this is the case, pretend the SNI extension does
797 * not exist.
798 */
799 if (is_ip)
800 goto done;
801
802 *alert = SSL_AD_ILLEGAL_PARAMETER;
803 goto err;
804 }
805
806 if (s->hit || s->s3->hs.tls13.hrr) {
807 if (s->session->tlsext_hostname == NULL) {
808 *alert = SSL_AD_UNRECOGNIZED_NAME;
809 goto err;
810 }
811 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
812 strlen(s->session->tlsext_hostname))) {
813 *alert = SSL_AD_UNRECOGNIZED_NAME;
814 goto err;
815 }
816 } else {
817 if (s->session->tlsext_hostname != NULL)
818 goto err;
819 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
820 *alert = SSL_AD_INTERNAL_ERROR;
821 goto err;
822 }
823 }
824
825 done:
826 /*
827 * RFC 6066 section 3 forbids multiple host names with the same type,
828 * therefore we allow only one entry.
829 */
830 if (CBS_len(&server_name_list) != 0) {
831 *alert = SSL_AD_ILLEGAL_PARAMETER;
832 goto err;
833 }
834
835 return 1;
836
837 err:
838 return 0;
839 }
840
841 static int
tlsext_sni_server_needs(SSL * s,uint16_t msg_type)842 tlsext_sni_server_needs(SSL *s, uint16_t msg_type)
843 {
844 if (s->hit)
845 return 0;
846
847 return (s->session->tlsext_hostname != NULL);
848 }
849
850 static int
tlsext_sni_server_build(SSL * s,uint16_t msg_type,CBB * cbb)851 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
852 {
853 return 1;
854 }
855
856 static int
tlsext_sni_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)857 tlsext_sni_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
858 {
859 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
860 *alert = SSL_AD_UNRECOGNIZED_NAME;
861 return 0;
862 }
863
864 if (s->hit) {
865 if (s->session->tlsext_hostname == NULL) {
866 *alert = SSL_AD_UNRECOGNIZED_NAME;
867 return 0;
868 }
869 if (strcmp(s->tlsext_hostname,
870 s->session->tlsext_hostname) != 0) {
871 *alert = SSL_AD_UNRECOGNIZED_NAME;
872 return 0;
873 }
874 } else {
875 if (s->session->tlsext_hostname != NULL)
876 return 0;
877 if ((s->session->tlsext_hostname =
878 strdup(s->tlsext_hostname)) == NULL) {
879 *alert = SSL_AD_INTERNAL_ERROR;
880 return 0;
881 }
882 }
883
884 return 1;
885 }
886
887 /*
888 * Certificate Status Request - RFC 6066 section 8.
889 */
890
891 static int
tlsext_ocsp_client_needs(SSL * s,uint16_t msg_type)892 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
893 {
894 if (msg_type != SSL_TLSEXT_MSG_CH)
895 return 0;
896
897 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp);
898 }
899
900 static int
tlsext_ocsp_client_build(SSL * s,uint16_t msg_type,CBB * cbb)901 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
902 {
903 CBB respid_list, respid, exts;
904 unsigned char *ext_data;
905 size_t ext_len;
906 int i;
907
908 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
909 return 0;
910 if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
911 return 0;
912 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
913 unsigned char *respid_data;
914 OCSP_RESPID *id;
915 size_t id_len;
916
917 if ((id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids,
918 i)) == NULL)
919 return 0;
920 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
921 return 0;
922 if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
923 return 0;
924 if (!CBB_add_space(&respid, &respid_data, id_len))
925 return 0;
926 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
927 return 0;
928 }
929 if (!CBB_add_u16_length_prefixed(cbb, &exts))
930 return 0;
931 if ((ext_len = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts,
932 NULL)) == -1)
933 return 0;
934 if (!CBB_add_space(&exts, &ext_data, ext_len))
935 return 0;
936 if ((i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ext_data) !=
937 ext_len))
938 return 0;
939 if (!CBB_flush(cbb))
940 return 0;
941 return 1;
942 }
943
944 static int
tlsext_ocsp_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)945 tlsext_ocsp_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
946 {
947 int alert_desc = SSL_AD_DECODE_ERROR;
948 CBS respid_list, respid, exts;
949 const unsigned char *p;
950 uint8_t status_type;
951 int ret = 0;
952
953 if (msg_type != SSL_TLSEXT_MSG_CH)
954 goto err;
955
956 if (!CBS_get_u8(cbs, &status_type))
957 goto err;
958 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
959 /* ignore unknown status types */
960 s->tlsext_status_type = -1;
961
962 if (!CBS_skip(cbs, CBS_len(cbs))) {
963 *alert = SSL_AD_INTERNAL_ERROR;
964 return 0;
965 }
966 return 1;
967 }
968 s->tlsext_status_type = status_type;
969 if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
970 goto err;
971
972 /* XXX */
973 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
974 s->tlsext_ocsp_ids = NULL;
975 if (CBS_len(&respid_list) > 0) {
976 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
977 if (s->tlsext_ocsp_ids == NULL) {
978 alert_desc = SSL_AD_INTERNAL_ERROR;
979 goto err;
980 }
981 }
982
983 while (CBS_len(&respid_list) > 0) {
984 OCSP_RESPID *id;
985
986 if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
987 goto err;
988 p = CBS_data(&respid);
989 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL)
990 goto err;
991 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
992 alert_desc = SSL_AD_INTERNAL_ERROR;
993 OCSP_RESPID_free(id);
994 goto err;
995 }
996 }
997
998 /* Read in request_extensions */
999 if (!CBS_get_u16_length_prefixed(cbs, &exts))
1000 goto err;
1001 if (CBS_len(&exts) > 0) {
1002 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1003 X509_EXTENSION_free);
1004 p = CBS_data(&exts);
1005 if ((s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
1006 &p, CBS_len(&exts))) == NULL)
1007 goto err;
1008 }
1009
1010 ret = 1;
1011 err:
1012 if (ret == 0)
1013 *alert = alert_desc;
1014 return ret;
1015 }
1016
1017 static int
tlsext_ocsp_server_needs(SSL * s,uint16_t msg_type)1018 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type)
1019 {
1020 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1021 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
1022 s->ctx->tlsext_status_cb != NULL) {
1023 s->tlsext_status_expected = 0;
1024 if (s->ctx->tlsext_status_cb(s,
1025 s->ctx->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
1026 s->tlsext_ocsp_resp_len > 0)
1027 s->tlsext_status_expected = 1;
1028 }
1029 return s->tlsext_status_expected;
1030 }
1031
1032 static int
tlsext_ocsp_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1033 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1034 {
1035 CBB ocsp_response;
1036
1037 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) {
1038 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
1039 return 0;
1040 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
1041 return 0;
1042 if (!CBB_add_bytes(&ocsp_response,
1043 s->tlsext_ocsp_resp,
1044 s->tlsext_ocsp_resp_len))
1045 return 0;
1046 if (!CBB_flush(cbb))
1047 return 0;
1048 }
1049 return 1;
1050 }
1051
1052 static int
tlsext_ocsp_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1053 tlsext_ocsp_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1054 {
1055 uint8_t status_type;
1056 CBS response;
1057
1058 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) {
1059 if (msg_type == SSL_TLSEXT_MSG_CR) {
1060 /*
1061 * RFC 8446, 4.4.2.1 - the server may request an OCSP
1062 * response with an empty status_request.
1063 */
1064 if (CBS_len(cbs) == 0)
1065 return 1;
1066
1067 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1068 return 0;
1069 }
1070 if (!CBS_get_u8(cbs, &status_type)) {
1071 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1072 return 0;
1073 }
1074 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1075 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
1076 return 0;
1077 }
1078 if (!CBS_get_u24_length_prefixed(cbs, &response)) {
1079 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1080 return 0;
1081 }
1082 if (CBS_len(&response) > 65536) {
1083 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1084 return 0;
1085 }
1086 if (!CBS_stow(&response, &s->tlsext_ocsp_resp,
1087 &s->tlsext_ocsp_resp_len)) {
1088 *alert = SSL_AD_INTERNAL_ERROR;
1089 return 0;
1090 }
1091 } else {
1092 if (s->tlsext_status_type == -1) {
1093 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1094 return 0;
1095 }
1096 /* Set flag to expect CertificateStatus message */
1097 s->tlsext_status_expected = 1;
1098 }
1099 return 1;
1100 }
1101
1102 /*
1103 * SessionTicket extension - RFC 5077 section 3.2
1104 */
1105 static int
tlsext_sessionticket_client_needs(SSL * s,uint16_t msg_type)1106 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
1107 {
1108 /*
1109 * Send session ticket extension when enabled and not overridden.
1110 *
1111 * When renegotiating, send an empty session ticket to indicate support.
1112 */
1113 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
1114 return 0;
1115
1116 if (!ssl_security_tickets(s))
1117 return 0;
1118
1119 if (s->new_session)
1120 return 1;
1121
1122 if (s->tlsext_session_ticket != NULL &&
1123 s->tlsext_session_ticket->data == NULL)
1124 return 0;
1125
1126 return 1;
1127 }
1128
1129 static int
tlsext_sessionticket_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1130 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1131 {
1132 /*
1133 * Signal that we support session tickets by sending an empty
1134 * extension when renegotiating or no session found.
1135 */
1136 if (s->new_session || s->session == NULL)
1137 return 1;
1138
1139 if (s->session->tlsext_tick != NULL) {
1140 /* Attempt to resume with an existing session ticket */
1141 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1142 s->session->tlsext_ticklen))
1143 return 0;
1144
1145 } else if (s->tlsext_session_ticket != NULL) {
1146 /*
1147 * Attempt to resume with a custom provided session ticket set
1148 * by SSL_set_session_ticket_ext().
1149 */
1150 if (s->tlsext_session_ticket->length > 0) {
1151 size_t ticklen = s->tlsext_session_ticket->length;
1152
1153 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL)
1154 return 0;
1155 memcpy(s->session->tlsext_tick,
1156 s->tlsext_session_ticket->data,
1157 ticklen);
1158 s->session->tlsext_ticklen = ticklen;
1159
1160 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1161 s->session->tlsext_ticklen))
1162 return 0;
1163 }
1164 }
1165
1166 if (!CBB_flush(cbb))
1167 return 0;
1168
1169 return 1;
1170 }
1171
1172 static int
tlsext_sessionticket_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1173 tlsext_sessionticket_server_process(SSL *s, uint16_t msg_type, CBS *cbs,
1174 int *alert)
1175 {
1176 if (s->tls_session_ticket_ext_cb) {
1177 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1178 (int)CBS_len(cbs),
1179 s->tls_session_ticket_ext_cb_arg)) {
1180 *alert = SSL_AD_INTERNAL_ERROR;
1181 return 0;
1182 }
1183 }
1184
1185 /* We need to signal that this was processed fully */
1186 if (!CBS_skip(cbs, CBS_len(cbs))) {
1187 *alert = SSL_AD_INTERNAL_ERROR;
1188 return 0;
1189 }
1190
1191 return 1;
1192 }
1193
1194 static int
tlsext_sessionticket_server_needs(SSL * s,uint16_t msg_type)1195 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
1196 {
1197 return (s->tlsext_ticket_expected &&
1198 !(SSL_get_options(s) & SSL_OP_NO_TICKET) &&
1199 ssl_security_tickets(s));
1200 }
1201
1202 static int
tlsext_sessionticket_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1203 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1204 {
1205 /* Empty ticket */
1206 return 1;
1207 }
1208
1209 static int
tlsext_sessionticket_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1210 tlsext_sessionticket_client_process(SSL *s, uint16_t msg_type, CBS *cbs,
1211 int *alert)
1212 {
1213 if (s->tls_session_ticket_ext_cb) {
1214 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1215 (int)CBS_len(cbs),
1216 s->tls_session_ticket_ext_cb_arg)) {
1217 *alert = SSL_AD_INTERNAL_ERROR;
1218 return 0;
1219 }
1220 }
1221
1222 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
1223 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1224 return 0;
1225 }
1226
1227 s->tlsext_ticket_expected = 1;
1228
1229 return 1;
1230 }
1231
1232 /*
1233 * DTLS extension for SRTP key establishment - RFC 5764
1234 */
1235
1236 #ifndef OPENSSL_NO_SRTP
1237
1238 static int
tlsext_srtp_client_needs(SSL * s,uint16_t msg_type)1239 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type)
1240 {
1241 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL;
1242 }
1243
1244 static int
tlsext_srtp_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1245 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1246 {
1247 CBB profiles, mki;
1248 int ct, i;
1249 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL;
1250 const SRTP_PROTECTION_PROFILE *prof;
1251
1252 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1253 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1254 return 0;
1255 }
1256
1257 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) {
1258 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1259 return 0;
1260 }
1261
1262 if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1263 return 0;
1264
1265 for (i = 0; i < ct; i++) {
1266 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL)
1267 return 0;
1268 if (!CBB_add_u16(&profiles, prof->id))
1269 return 0;
1270 }
1271
1272 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1273 return 0;
1274
1275 if (!CBB_flush(cbb))
1276 return 0;
1277
1278 return 1;
1279 }
1280
1281 static int
tlsext_srtp_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1282 tlsext_srtp_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1283 {
1284 const SRTP_PROTECTION_PROFILE *cprof, *sprof;
1285 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
1286 int i, j;
1287 int ret;
1288 uint16_t id;
1289 CBS profiles, mki;
1290
1291 ret = 0;
1292
1293 if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1294 goto err;
1295 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1296 goto err;
1297
1298 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL)
1299 goto err;
1300
1301 while (CBS_len(&profiles) > 0) {
1302 if (!CBS_get_u16(&profiles, &id))
1303 goto err;
1304
1305 if (!srtp_find_profile_by_num(id, &cprof)) {
1306 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof))
1307 goto err;
1308 }
1309 }
1310
1311 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1312 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1313 goto done;
1314 }
1315
1316 /*
1317 * Per RFC 5764 section 4.1.1
1318 *
1319 * Find the server preferred profile using the client's list.
1320 *
1321 * The server MUST send a profile if it sends the use_srtp
1322 * extension. If one is not found, it should fall back to the
1323 * negotiated DTLS cipher suite or return a DTLS alert.
1324 */
1325 if ((srvr = SSL_get_srtp_profiles(s)) == NULL)
1326 goto err;
1327 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
1328 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL)
1329 goto err;
1330
1331 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
1332 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j))
1333 == NULL)
1334 goto err;
1335
1336 if (cprof->id == sprof->id) {
1337 s->srtp_profile = sprof;
1338 ret = 1;
1339 goto done;
1340 }
1341 }
1342 }
1343
1344 /* If we didn't find anything, fall back to the negotiated */
1345 ret = 1;
1346 goto done;
1347
1348 err:
1349 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1350
1351 done:
1352 sk_SRTP_PROTECTION_PROFILE_free(clnt);
1353 return ret;
1354 }
1355
1356 static int
tlsext_srtp_server_needs(SSL * s,uint16_t msg_type)1357 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type)
1358 {
1359 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL;
1360 }
1361
1362 static int
tlsext_srtp_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1363 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1364 {
1365 SRTP_PROTECTION_PROFILE *profile;
1366 CBB srtp, mki;
1367
1368 if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1369 return 0;
1370
1371 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL)
1372 return 0;
1373
1374 if (!CBB_add_u16(&srtp, profile->id))
1375 return 0;
1376
1377 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1378 return 0;
1379
1380 if (!CBB_flush(cbb))
1381 return 0;
1382
1383 return 1;
1384 }
1385
1386 static int
tlsext_srtp_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1387 tlsext_srtp_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1388 {
1389 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1390 const SRTP_PROTECTION_PROFILE *prof;
1391 int i;
1392 uint16_t id;
1393 CBS profile_ids, mki;
1394
1395 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1396 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1397 return 0;
1398 }
1399
1400 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1401 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1402 return 0;
1403 }
1404
1405 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1406 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1407 *alert = SSL_AD_ILLEGAL_PARAMETER;
1408 return 0;
1409 }
1410
1411 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1412 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1413 return 0;
1414 }
1415
1416 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1417 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i))
1418 == NULL) {
1419 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1420 return 0;
1421 }
1422
1423 if (prof->id == id) {
1424 s->srtp_profile = prof;
1425 return 1;
1426 }
1427 }
1428
1429 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1430
1431 return 0;
1432 }
1433
1434 #endif /* OPENSSL_NO_SRTP */
1435
1436 /*
1437 * TLSv1.3 Key Share - RFC 8446 section 4.2.8.
1438 */
1439 static int
tlsext_keyshare_client_needs(SSL * s,uint16_t msg_type)1440 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1441 {
1442 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1443 }
1444
1445 static int
tlsext_keyshare_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1446 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1447 {
1448 CBB client_shares, key_exchange;
1449
1450 if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
1451 return 0;
1452
1453 if (!CBB_add_u16(&client_shares,
1454 tls_key_share_group(s->s3->hs.key_share)))
1455 return 0;
1456 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
1457 return 0;
1458 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1459 return 0;
1460
1461 if (!CBB_flush(cbb))
1462 return 0;
1463
1464 return 1;
1465 }
1466
1467 static int
tlsext_keyshare_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1468 tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1469 {
1470 const uint16_t *client_groups = NULL, *server_groups = NULL;
1471 size_t client_groups_len = 0, server_groups_len = 0;
1472 size_t i, j, client_groups_index;
1473 int preferred_group_found = 0;
1474 int decode_error;
1475 uint16_t client_preferred_group = 0;
1476 uint16_t group;
1477 CBS client_shares, key_exchange;
1478
1479 /*
1480 * RFC 8446 section 4.2.8:
1481 *
1482 * Each KeyShareEntry value MUST correspond to a group offered in the
1483 * "supported_groups" extension and MUST appear in the same order.
1484 * However, the values MAY be a non-contiguous subset of the
1485 * "supported_groups".
1486 */
1487
1488 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) {
1489 *alert = SSL_AD_ILLEGAL_PARAMETER;
1490 return 0;
1491 }
1492 if (!tlsext_extension_processed(s, TLSEXT_TYPE_supported_groups)) {
1493 *alert = SSL_AD_INTERNAL_ERROR;
1494 return 0;
1495 }
1496
1497 if (s->s3->hs.tls13.hrr) {
1498 if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1499 return 0;
1500
1501 /* Unpack client share. */
1502 if (!CBS_get_u16(&client_shares, &group))
1503 return 0;
1504 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1505 return 0;
1506
1507 /* There should only be one share. */
1508 if (CBS_len(&client_shares) != 0)
1509 return 0;
1510
1511 if (group != s->s3->hs.tls13.server_group) {
1512 *alert = SSL_AD_ILLEGAL_PARAMETER;
1513 return 0;
1514 }
1515
1516 if (s->s3->hs.key_share != NULL) {
1517 *alert = SSL_AD_INTERNAL_ERROR;
1518 return 0;
1519 }
1520
1521 /* Decode and store the selected key share. */
1522 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) {
1523 *alert = SSL_AD_INTERNAL_ERROR;
1524 return 0;
1525 }
1526 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1527 &key_exchange, &decode_error, NULL)) {
1528 if (!decode_error)
1529 *alert = SSL_AD_INTERNAL_ERROR;
1530 return 0;
1531 }
1532
1533 return 1;
1534 }
1535
1536 /*
1537 * XXX similar to tls1_get_supported_group, but client pref
1538 * only - consider deduping later.
1539 */
1540 /*
1541 * We are now assured of at least one client group.
1542 * Get the client and server group preference orders.
1543 */
1544 tls1_get_group_list(s, 0, &server_groups, &server_groups_len);
1545 tls1_get_group_list(s, 1, &client_groups, &client_groups_len);
1546
1547 /*
1548 * Find the group that is most preferred by the client that
1549 * we also support.
1550 */
1551 for (i = 0; i < client_groups_len && !preferred_group_found; i++) {
1552 if (!ssl_security_supported_group(s, client_groups[i]))
1553 continue;
1554 for (j = 0; j < server_groups_len; j++) {
1555 if (server_groups[j] == client_groups[i]) {
1556 client_preferred_group = client_groups[i];
1557 preferred_group_found = 1;
1558 break;
1559 }
1560 }
1561 }
1562
1563 if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1564 return 0;
1565
1566 client_groups_index = 0;
1567 while (CBS_len(&client_shares) > 0) {
1568 int client_sent_group;
1569
1570 /* Unpack client share. */
1571 if (!CBS_get_u16(&client_shares, &group))
1572 return 0;
1573 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1574 return 0;
1575
1576 /* Ignore this client share if we're using earlier than TLSv1.3 */
1577 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION)
1578 continue;
1579
1580 /*
1581 * Ensure the client share group was sent in supported groups,
1582 * and was sent in the same order as supported groups. The
1583 * supported groups has already been checked for duplicates.
1584 */
1585 client_sent_group = 0;
1586 while (client_groups_index < client_groups_len) {
1587 if (group == client_groups[client_groups_index++]) {
1588 client_sent_group = 1;
1589 break;
1590 }
1591 }
1592 if (!client_sent_group) {
1593 *alert = SSL_AD_ILLEGAL_PARAMETER;
1594 return 0;
1595 }
1596
1597 /* Ignore this client share if we have already selected a key share */
1598 if (s->s3->hs.key_share != NULL)
1599 continue;
1600
1601 /*
1602 * Ignore this client share if it is not for the most client
1603 * preferred supported group. This avoids a potential downgrade
1604 * situation where the client sends a client share for something
1605 * less preferred, and we choose to to use it instead of
1606 * requesting the more preferred group.
1607 */
1608 if (!preferred_group_found || group != client_preferred_group)
1609 continue;
1610
1611 /* Decode and store the selected key share. */
1612 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) {
1613 *alert = SSL_AD_INTERNAL_ERROR;
1614 return 0;
1615 }
1616 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1617 &key_exchange, &decode_error, NULL)) {
1618 if (!decode_error)
1619 *alert = SSL_AD_INTERNAL_ERROR;
1620 return 0;
1621 }
1622 }
1623
1624 return 1;
1625 }
1626
1627 static int
tlsext_keyshare_server_needs(SSL * s,uint16_t msg_type)1628 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
1629 {
1630 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1631 tlsext_extension_seen(s, TLSEXT_TYPE_key_share));
1632 }
1633
1634 static int
tlsext_keyshare_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1635 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1636 {
1637 CBB key_exchange;
1638
1639 /* In the case of a HRR, we only send the server selected group. */
1640 if (s->s3->hs.tls13.hrr) {
1641 if (s->s3->hs.tls13.server_group == 0)
1642 return 0;
1643 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group);
1644 }
1645
1646 if (s->s3->hs.key_share == NULL)
1647 return 0;
1648
1649 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)))
1650 return 0;
1651 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
1652 return 0;
1653 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1654 return 0;
1655
1656 if (!CBB_flush(cbb))
1657 return 0;
1658
1659 return 1;
1660 }
1661
1662 static int
tlsext_keyshare_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1663 tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1664 {
1665 CBS key_exchange;
1666 int decode_error;
1667 uint16_t group;
1668
1669 /* Unpack server share. */
1670 if (!CBS_get_u16(cbs, &group))
1671 return 0;
1672
1673 if (CBS_len(cbs) == 0) {
1674 /* HRR does not include an actual key share, only the group. */
1675 if (msg_type != SSL_TLSEXT_MSG_HRR)
1676 return 0;
1677
1678 s->s3->hs.tls13.server_group = group;
1679 return 1;
1680 }
1681
1682 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1683 return 0;
1684
1685 if (s->s3->hs.key_share == NULL) {
1686 *alert = SSL_AD_INTERNAL_ERROR;
1687 return 0;
1688 }
1689 if (tls_key_share_group(s->s3->hs.key_share) != group) {
1690 *alert = SSL_AD_INTERNAL_ERROR;
1691 return 0;
1692 }
1693 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1694 &key_exchange, &decode_error, NULL)) {
1695 if (!decode_error)
1696 *alert = SSL_AD_INTERNAL_ERROR;
1697 return 0;
1698 }
1699
1700 return 1;
1701 }
1702
1703 /*
1704 * Supported Versions - RFC 8446 section 4.2.1.
1705 */
1706 static int
tlsext_versions_client_needs(SSL * s,uint16_t msg_type)1707 tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
1708 {
1709 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1710 }
1711
1712 static int
tlsext_versions_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1713 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1714 {
1715 uint16_t max, min;
1716 uint16_t version;
1717 CBB versions;
1718
1719 max = s->s3->hs.our_max_tls_version;
1720 min = s->s3->hs.our_min_tls_version;
1721
1722 if (!CBB_add_u8_length_prefixed(cbb, &versions))
1723 return 0;
1724
1725 /* XXX - fix, but contiguous for now... */
1726 for (version = max; version >= min; version--) {
1727 if (!CBB_add_u16(&versions, version))
1728 return 0;
1729 }
1730
1731 if (!CBB_flush(cbb))
1732 return 0;
1733
1734 return 1;
1735 }
1736
1737 static int
tlsext_versions_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1738 tlsext_versions_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1739 {
1740 CBS versions;
1741 uint16_t version;
1742 uint16_t max, min;
1743 uint16_t matched_version = 0;
1744
1745 max = s->s3->hs.our_max_tls_version;
1746 min = s->s3->hs.our_min_tls_version;
1747
1748 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1749 return 0;
1750
1751 while (CBS_len(&versions) > 0) {
1752 if (!CBS_get_u16(&versions, &version))
1753 return 0;
1754 /*
1755 * XXX What is below implements client preference, and
1756 * ignores any server preference entirely.
1757 */
1758 if (matched_version == 0 && version >= min && version <= max)
1759 matched_version = version;
1760 }
1761
1762 if (matched_version > 0) {
1763 /* XXX - this should be stored for later processing. */
1764 s->version = matched_version;
1765 return 1;
1766 }
1767
1768 *alert = SSL_AD_PROTOCOL_VERSION;
1769 return 0;
1770 }
1771
1772 static int
tlsext_versions_server_needs(SSL * s,uint16_t msg_type)1773 tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
1774 {
1775 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
1776 }
1777
1778 static int
tlsext_versions_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1779 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1780 {
1781 return CBB_add_u16(cbb, TLS1_3_VERSION);
1782 }
1783
1784 static int
tlsext_versions_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1785 tlsext_versions_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1786 {
1787 uint16_t selected_version;
1788
1789 if (!CBS_get_u16(cbs, &selected_version))
1790 return 0;
1791
1792 /* XXX - need to fix for DTLS 1.3 */
1793 if (selected_version < TLS1_3_VERSION) {
1794 *alert = SSL_AD_ILLEGAL_PARAMETER;
1795 return 0;
1796 }
1797
1798 /* XXX test between min and max once initialization code goes in */
1799 s->s3->hs.tls13.server_version = selected_version;
1800
1801 return 1;
1802 }
1803
1804
1805 /*
1806 * Cookie - RFC 8446 section 4.2.2.
1807 */
1808
1809 static int
tlsext_cookie_client_needs(SSL * s,uint16_t msg_type)1810 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
1811 {
1812 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1813 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1814 }
1815
1816 static int
tlsext_cookie_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1817 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1818 {
1819 CBB cookie;
1820
1821 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1822 return 0;
1823
1824 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1825 s->s3->hs.tls13.cookie_len))
1826 return 0;
1827
1828 if (!CBB_flush(cbb))
1829 return 0;
1830
1831 return 1;
1832 }
1833
1834 static int
tlsext_cookie_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1835 tlsext_cookie_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1836 {
1837 CBS cookie;
1838
1839 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1840 return 0;
1841
1842 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len)
1843 return 0;
1844
1845 /*
1846 * Check provided cookie value against what server previously
1847 * sent - client *MUST* send the same cookie with new CR after
1848 * a cookie is sent by the server with an HRR.
1849 */
1850 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie,
1851 s->s3->hs.tls13.cookie_len)) {
1852 /* XXX special cookie mismatch alert? */
1853 *alert = SSL_AD_ILLEGAL_PARAMETER;
1854 return 0;
1855 }
1856
1857 return 1;
1858 }
1859
1860 static int
tlsext_cookie_server_needs(SSL * s,uint16_t msg_type)1861 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
1862 {
1863 /*
1864 * Server needs to set cookie value in tls13 handshake
1865 * in order to send one, should only be sent with HRR.
1866 */
1867 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1868 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1869 }
1870
1871 static int
tlsext_cookie_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1872 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1873 {
1874 CBB cookie;
1875
1876 /* XXX deduplicate with client code */
1877
1878 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1879 return 0;
1880
1881 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1882 s->s3->hs.tls13.cookie_len))
1883 return 0;
1884
1885 if (!CBB_flush(cbb))
1886 return 0;
1887
1888 return 1;
1889 }
1890
1891 static int
tlsext_cookie_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1892 tlsext_cookie_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1893 {
1894 CBS cookie;
1895
1896 /*
1897 * XXX This currently assumes we will not get a second
1898 * HRR from a server with a cookie to process after accepting
1899 * one from the server in the same handshake
1900 */
1901 if (s->s3->hs.tls13.cookie != NULL ||
1902 s->s3->hs.tls13.cookie_len != 0) {
1903 *alert = SSL_AD_ILLEGAL_PARAMETER;
1904 return 0;
1905 }
1906
1907 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1908 return 0;
1909
1910 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie,
1911 &s->s3->hs.tls13.cookie_len))
1912 return 0;
1913
1914 return 1;
1915 }
1916
1917 /*
1918 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9.
1919 */
1920
1921 static int
tlsext_psk_kex_modes_client_needs(SSL * s,uint16_t msg_type)1922 tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type)
1923 {
1924 return (s->s3->hs.tls13.use_psk_dhe_ke &&
1925 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1926 }
1927
1928 static int
tlsext_psk_kex_modes_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1929 tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1930 {
1931 CBB ke_modes;
1932
1933 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes))
1934 return 0;
1935
1936 /* Only indicate support for PSK with DHE key establishment. */
1937 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE))
1938 return 0;
1939
1940 if (!CBB_flush(cbb))
1941 return 0;
1942
1943 return 1;
1944 }
1945
1946 static int
tlsext_psk_kex_modes_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1947 tlsext_psk_kex_modes_server_process(SSL *s, uint16_t msg_type, CBS *cbs,
1948 int *alert)
1949 {
1950 CBS ke_modes;
1951 uint8_t ke_mode;
1952
1953 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes))
1954 return 0;
1955
1956 while (CBS_len(&ke_modes) > 0) {
1957 if (!CBS_get_u8(&ke_modes, &ke_mode))
1958 return 0;
1959
1960 if (ke_mode == TLS13_PSK_DHE_KE)
1961 s->s3->hs.tls13.use_psk_dhe_ke = 1;
1962 }
1963
1964 return 1;
1965 }
1966
1967 static int
tlsext_psk_kex_modes_server_needs(SSL * s,uint16_t msg_type)1968 tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type)
1969 {
1970 /* Servers MUST NOT send this extension. */
1971 return 0;
1972 }
1973
1974 static int
tlsext_psk_kex_modes_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1975 tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1976 {
1977 return 0;
1978 }
1979
1980 static int
tlsext_psk_kex_modes_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1981 tlsext_psk_kex_modes_client_process(SSL *s, uint16_t msg_type, CBS *cbs,
1982 int *alert)
1983 {
1984 return 0;
1985 }
1986
1987 /*
1988 * Pre-Shared Key Extension - RFC 8446, 4.2.11
1989 */
1990
1991 static int
tlsext_psk_client_needs(SSL * s,uint16_t msg_type)1992 tlsext_psk_client_needs(SSL *s, uint16_t msg_type)
1993 {
1994 return 0;
1995 }
1996
1997 static int
tlsext_psk_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1998 tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1999 {
2000 return 0;
2001 }
2002
2003 static int
tlsext_psk_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)2004 tlsext_psk_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2005 {
2006 return CBS_skip(cbs, CBS_len(cbs));
2007 }
2008
2009 static int
tlsext_psk_server_needs(SSL * s,uint16_t msg_type)2010 tlsext_psk_server_needs(SSL *s, uint16_t msg_type)
2011 {
2012 return 0;
2013 }
2014
2015 static int
tlsext_psk_server_build(SSL * s,uint16_t msg_type,CBB * cbb)2016 tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
2017 {
2018 return 0;
2019 }
2020
2021 static int
tlsext_psk_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)2022 tlsext_psk_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2023 {
2024 return CBS_skip(cbs, CBS_len(cbs));
2025 }
2026
2027 /*
2028 * QUIC transport parameters extension - RFC 9001 section 8.2.
2029 */
2030
2031 static int
tlsext_quic_transport_parameters_client_needs(SSL * s,uint16_t msg_type)2032 tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type)
2033 {
2034 return SSL_is_quic(s) && s->quic_transport_params_len > 0;
2035 }
2036
2037 static int
tlsext_quic_transport_parameters_client_build(SSL * s,uint16_t msg_type,CBB * cbb)2038 tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type,
2039 CBB *cbb)
2040 {
2041 if (!CBB_add_bytes(cbb, s->quic_transport_params,
2042 s->quic_transport_params_len))
2043 return 0;
2044
2045 return 1;
2046 }
2047
2048 static int
tlsext_quic_transport_parameters_client_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)2049 tlsext_quic_transport_parameters_client_process(SSL *s, uint16_t msg_type,
2050 CBS *cbs, int *alert)
2051 {
2052 if (!SSL_is_quic(s)) {
2053 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
2054 return 0;
2055 }
2056
2057 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params,
2058 &s->s3->peer_quic_transport_params_len))
2059 return 0;
2060 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len))
2061 return 0;
2062
2063 return 1;
2064 }
2065
2066 static int
tlsext_quic_transport_parameters_server_needs(SSL * s,uint16_t msg_type)2067 tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type)
2068 {
2069 return SSL_is_quic(s) && s->quic_transport_params_len > 0;
2070 }
2071
2072 static int
tlsext_quic_transport_parameters_server_build(SSL * s,uint16_t msg_type,CBB * cbb)2073 tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type,
2074 CBB *cbb)
2075 {
2076 if (!CBB_add_bytes(cbb, s->quic_transport_params,
2077 s->quic_transport_params_len))
2078 return 0;
2079
2080 return 1;
2081 }
2082
2083 static int
tlsext_quic_transport_parameters_server_process(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)2084 tlsext_quic_transport_parameters_server_process(SSL *s, uint16_t msg_type,
2085 CBS *cbs, int *alert)
2086 {
2087 if (!SSL_is_quic(s)) {
2088 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
2089 return 0;
2090 }
2091
2092 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params,
2093 &s->s3->peer_quic_transport_params_len))
2094 return 0;
2095 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len))
2096 return 0;
2097
2098 return 1;
2099 }
2100
2101 struct tls_extension_funcs {
2102 int (*needs)(SSL *s, uint16_t msg_type);
2103 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
2104 int (*process)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
2105 };
2106
2107 struct tls_extension {
2108 uint16_t type;
2109 uint16_t messages;
2110 struct tls_extension_funcs client;
2111 struct tls_extension_funcs server;
2112 };
2113
2114 /*
2115 * TLS extensions (in processing order).
2116 */
2117 static const struct tls_extension tls_extensions[] = {
2118 {
2119 .type = TLSEXT_TYPE_supported_versions,
2120 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
2121 SSL_TLSEXT_MSG_HRR,
2122 .client = {
2123 .needs = tlsext_versions_client_needs,
2124 .build = tlsext_versions_client_build,
2125 .process = tlsext_versions_client_process,
2126 },
2127 .server = {
2128 .needs = tlsext_versions_server_needs,
2129 .build = tlsext_versions_server_build,
2130 .process = tlsext_versions_server_process,
2131 },
2132 },
2133 {
2134 .type = TLSEXT_TYPE_supported_groups,
2135 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2136 .client = {
2137 .needs = tlsext_supportedgroups_client_needs,
2138 .build = tlsext_supportedgroups_client_build,
2139 .process = tlsext_supportedgroups_client_process,
2140 },
2141 .server = {
2142 .needs = tlsext_supportedgroups_server_needs,
2143 .build = tlsext_supportedgroups_server_build,
2144 .process = tlsext_supportedgroups_server_process,
2145 },
2146 },
2147 {
2148 .type = TLSEXT_TYPE_key_share,
2149 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
2150 SSL_TLSEXT_MSG_HRR,
2151 .client = {
2152 .needs = tlsext_keyshare_client_needs,
2153 .build = tlsext_keyshare_client_build,
2154 .process = tlsext_keyshare_client_process,
2155 },
2156 .server = {
2157 .needs = tlsext_keyshare_server_needs,
2158 .build = tlsext_keyshare_server_build,
2159 .process = tlsext_keyshare_server_process,
2160 },
2161 },
2162 {
2163 .type = TLSEXT_TYPE_server_name,
2164 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2165 .client = {
2166 .needs = tlsext_sni_client_needs,
2167 .build = tlsext_sni_client_build,
2168 .process = tlsext_sni_client_process,
2169 },
2170 .server = {
2171 .needs = tlsext_sni_server_needs,
2172 .build = tlsext_sni_server_build,
2173 .process = tlsext_sni_server_process,
2174 },
2175 },
2176 {
2177 .type = TLSEXT_TYPE_renegotiate,
2178 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2179 .client = {
2180 .needs = tlsext_ri_client_needs,
2181 .build = tlsext_ri_client_build,
2182 .process = tlsext_ri_client_process,
2183 },
2184 .server = {
2185 .needs = tlsext_ri_server_needs,
2186 .build = tlsext_ri_server_build,
2187 .process = tlsext_ri_server_process,
2188 },
2189 },
2190 {
2191 .type = TLSEXT_TYPE_status_request,
2192 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR |
2193 SSL_TLSEXT_MSG_CT,
2194 .client = {
2195 .needs = tlsext_ocsp_client_needs,
2196 .build = tlsext_ocsp_client_build,
2197 .process = tlsext_ocsp_client_process,
2198 },
2199 .server = {
2200 .needs = tlsext_ocsp_server_needs,
2201 .build = tlsext_ocsp_server_build,
2202 .process = tlsext_ocsp_server_process,
2203 },
2204 },
2205 {
2206 .type = TLSEXT_TYPE_ec_point_formats,
2207 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2208 .client = {
2209 .needs = tlsext_ecpf_client_needs,
2210 .build = tlsext_ecpf_client_build,
2211 .process = tlsext_ecpf_client_process,
2212 },
2213 .server = {
2214 .needs = tlsext_ecpf_server_needs,
2215 .build = tlsext_ecpf_server_build,
2216 .process = tlsext_ecpf_server_process,
2217 },
2218 },
2219 {
2220 .type = TLSEXT_TYPE_session_ticket,
2221 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2222 .client = {
2223 .needs = tlsext_sessionticket_client_needs,
2224 .build = tlsext_sessionticket_client_build,
2225 .process = tlsext_sessionticket_client_process,
2226 },
2227 .server = {
2228 .needs = tlsext_sessionticket_server_needs,
2229 .build = tlsext_sessionticket_server_build,
2230 .process = tlsext_sessionticket_server_process,
2231 },
2232 },
2233 {
2234 .type = TLSEXT_TYPE_signature_algorithms,
2235 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR,
2236 .client = {
2237 .needs = tlsext_sigalgs_client_needs,
2238 .build = tlsext_sigalgs_client_build,
2239 .process = tlsext_sigalgs_client_process,
2240 },
2241 .server = {
2242 .needs = tlsext_sigalgs_server_needs,
2243 .build = tlsext_sigalgs_server_build,
2244 .process = tlsext_sigalgs_server_process,
2245 },
2246 },
2247 {
2248 .type = TLSEXT_TYPE_alpn,
2249 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2250 .client = {
2251 .needs = tlsext_alpn_client_needs,
2252 .build = tlsext_alpn_client_build,
2253 .process = tlsext_alpn_client_process,
2254 },
2255 .server = {
2256 .needs = tlsext_alpn_server_needs,
2257 .build = tlsext_alpn_server_build,
2258 .process = tlsext_alpn_server_process,
2259 },
2260 },
2261 {
2262 .type = TLSEXT_TYPE_cookie,
2263 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
2264 .client = {
2265 .needs = tlsext_cookie_client_needs,
2266 .build = tlsext_cookie_client_build,
2267 .process = tlsext_cookie_client_process,
2268 },
2269 .server = {
2270 .needs = tlsext_cookie_server_needs,
2271 .build = tlsext_cookie_server_build,
2272 .process = tlsext_cookie_server_process,
2273 },
2274 },
2275 #ifndef OPENSSL_NO_SRTP
2276 {
2277 .type = TLSEXT_TYPE_use_srtp,
2278 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ |
2279 SSL_TLSEXT_MSG_EE,
2280 .client = {
2281 .needs = tlsext_srtp_client_needs,
2282 .build = tlsext_srtp_client_build,
2283 .process = tlsext_srtp_client_process,
2284 },
2285 .server = {
2286 .needs = tlsext_srtp_server_needs,
2287 .build = tlsext_srtp_server_build,
2288 .process = tlsext_srtp_server_process,
2289 },
2290 },
2291 #endif /* OPENSSL_NO_SRTP */
2292 {
2293 .type = TLSEXT_TYPE_quic_transport_parameters,
2294 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2295 .client = {
2296 .needs = tlsext_quic_transport_parameters_client_needs,
2297 .build = tlsext_quic_transport_parameters_client_build,
2298 .process = tlsext_quic_transport_parameters_client_process,
2299 },
2300 .server = {
2301 .needs = tlsext_quic_transport_parameters_server_needs,
2302 .build = tlsext_quic_transport_parameters_server_build,
2303 .process = tlsext_quic_transport_parameters_server_process,
2304 },
2305 },
2306 {
2307 .type = TLSEXT_TYPE_psk_key_exchange_modes,
2308 .messages = SSL_TLSEXT_MSG_CH,
2309 .client = {
2310 .needs = tlsext_psk_kex_modes_client_needs,
2311 .build = tlsext_psk_kex_modes_client_build,
2312 .process = tlsext_psk_kex_modes_client_process,
2313 },
2314 .server = {
2315 .needs = tlsext_psk_kex_modes_server_needs,
2316 .build = tlsext_psk_kex_modes_server_build,
2317 .process = tlsext_psk_kex_modes_server_process,
2318 },
2319 },
2320 {
2321 .type = TLSEXT_TYPE_pre_shared_key,
2322 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2323 .client = {
2324 .needs = tlsext_psk_client_needs,
2325 .build = tlsext_psk_client_build,
2326 .process = tlsext_psk_client_process,
2327 },
2328 .server = {
2329 .needs = tlsext_psk_server_needs,
2330 .build = tlsext_psk_server_build,
2331 .process = tlsext_psk_server_process,
2332 },
2333 },
2334 };
2335
2336 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
2337
2338 /* Ensure that extensions fit in a uint32_t bitmask. */
2339 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
2340
2341 struct tlsext_data {
2342 CBS extensions[N_TLS_EXTENSIONS];
2343 };
2344
2345 static struct tlsext_data *
tlsext_data_new(void)2346 tlsext_data_new(void)
2347 {
2348 return calloc(1, sizeof(struct tlsext_data));
2349 }
2350
2351 static void
tlsext_data_free(struct tlsext_data * td)2352 tlsext_data_free(struct tlsext_data *td)
2353 {
2354 freezero(td, sizeof(*td));
2355 }
2356
2357 uint16_t
tls_extension_type(const struct tls_extension * extension)2358 tls_extension_type(const struct tls_extension *extension)
2359 {
2360 return extension->type;
2361 }
2362
2363 const struct tls_extension *
tls_extension_find(uint16_t type,size_t * tls_extensions_idx)2364 tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
2365 {
2366 size_t i;
2367
2368 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2369 if (tls_extensions[i].type == type) {
2370 if (tls_extensions_idx != NULL)
2371 *tls_extensions_idx = i;
2372 return &tls_extensions[i];
2373 }
2374 }
2375
2376 return NULL;
2377 }
2378
2379 int
tlsext_extension_seen(SSL * s,uint16_t type)2380 tlsext_extension_seen(SSL *s, uint16_t type)
2381 {
2382 size_t idx;
2383
2384 if (tls_extension_find(type, &idx) == NULL)
2385 return 0;
2386 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0);
2387 }
2388
2389 int
tlsext_extension_processed(SSL * s,uint16_t type)2390 tlsext_extension_processed(SSL *s, uint16_t type)
2391 {
2392 size_t idx;
2393
2394 if (tls_extension_find(type, &idx) == NULL)
2395 return 0;
2396 return ((s->s3->hs.extensions_processed & (1 << idx)) != 0);
2397 }
2398
2399 const struct tls_extension_funcs *
tlsext_funcs(const struct tls_extension * tlsext,int is_server)2400 tlsext_funcs(const struct tls_extension *tlsext, int is_server)
2401 {
2402 if (is_server)
2403 return &tlsext->server;
2404
2405 return &tlsext->client;
2406 }
2407
2408 int
tlsext_randomize_build_order(SSL * s)2409 tlsext_randomize_build_order(SSL *s)
2410 {
2411 const struct tls_extension *psk_ext;
2412 size_t idx, new_idx;
2413 size_t alpn_idx = 0, sni_idx = 0;
2414
2415 free(s->tlsext_build_order);
2416 s->tlsext_build_order_len = 0;
2417
2418 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
2419 N_TLS_EXTENSIONS)) == NULL)
2420 return 0;
2421 s->tlsext_build_order_len = N_TLS_EXTENSIONS;
2422
2423 /* RFC 8446, section 4.2 - PSK MUST be the last extension in the CH. */
2424 if ((psk_ext = tls_extension_find(TLSEXT_TYPE_pre_shared_key,
2425 NULL)) == NULL)
2426 return 0;
2427 s->tlsext_build_order[N_TLS_EXTENSIONS - 1] = psk_ext;
2428
2429 /* Fisher-Yates shuffle with PSK fixed. */
2430 for (idx = 0; idx < N_TLS_EXTENSIONS - 1; idx++) {
2431 new_idx = arc4random_uniform(idx + 1);
2432 s->tlsext_build_order[idx] = s->tlsext_build_order[new_idx];
2433 s->tlsext_build_order[new_idx] = &tls_extensions[idx];
2434 }
2435
2436 /*
2437 * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN
2438 * for clients so that virtual host setups work correctly.
2439 */
2440
2441 if (s->server)
2442 return 1;
2443
2444 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) {
2445 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn)
2446 alpn_idx = idx;
2447 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name)
2448 sni_idx = idx;
2449 }
2450 if (alpn_idx < sni_idx) {
2451 const struct tls_extension *tmp;
2452
2453 tmp = s->tlsext_build_order[alpn_idx];
2454 s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx];
2455 s->tlsext_build_order[sni_idx] = tmp;
2456 }
2457
2458 return 1;
2459 }
2460
2461 int
tlsext_linearize_build_order(SSL * s)2462 tlsext_linearize_build_order(SSL *s)
2463 {
2464 size_t idx;
2465
2466 free(s->tlsext_build_order);
2467 s->tlsext_build_order_len = 0;
2468
2469 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
2470 N_TLS_EXTENSIONS)) == NULL)
2471 return 0;
2472 s->tlsext_build_order_len = N_TLS_EXTENSIONS;
2473
2474 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++)
2475 s->tlsext_build_order[idx] = &tls_extensions[idx];
2476
2477 return 1;
2478 }
2479
2480 static int
tlsext_build(SSL * s,int is_server,uint16_t msg_type,CBB * cbb)2481 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
2482 {
2483 const struct tls_extension_funcs *ext;
2484 const struct tls_extension *tlsext;
2485 CBB extensions, extension_data;
2486 int extensions_present = 0;
2487 uint16_t tls_version;
2488 size_t i;
2489
2490 tls_version = ssl_effective_tls_version(s);
2491
2492 if (!CBB_add_u16_length_prefixed(cbb, &extensions))
2493 return 0;
2494
2495 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2496 tlsext = s->tlsext_build_order[i];
2497 ext = tlsext_funcs(tlsext, is_server);
2498
2499 /* RFC 8446 Section 4.2 */
2500 if (tls_version >= TLS1_3_VERSION &&
2501 !(tlsext->messages & msg_type))
2502 continue;
2503
2504 if (!ext->needs(s, msg_type))
2505 continue;
2506
2507 if (!CBB_add_u16(&extensions, tlsext->type))
2508 return 0;
2509 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
2510 return 0;
2511
2512 if (!ext->build(s, msg_type, &extension_data))
2513 return 0;
2514
2515 extensions_present = 1;
2516 }
2517
2518 if (!extensions_present &&
2519 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0)
2520 CBB_discard_child(cbb);
2521
2522 if (!CBB_flush(cbb))
2523 return 0;
2524
2525 return 1;
2526 }
2527
2528 int
tlsext_clienthello_hash_extension(SSL * s,uint16_t type,CBS * cbs)2529 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs)
2530 {
2531 /*
2532 * RFC 8446 4.1.2. For subsequent CH, early data will be removed,
2533 * cookie may be added, padding may be removed.
2534 */
2535 struct tls13_ctx *ctx = s->tls13;
2536
2537 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie ||
2538 type == TLSEXT_TYPE_padding)
2539 return 1;
2540 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
2541 sizeof(type)))
2542 return 0;
2543 /*
2544 * key_share data may be changed, and pre_shared_key data may
2545 * be changed.
2546 */
2547 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share)
2548 return 1;
2549 if (!tls13_clienthello_hash_update(ctx, cbs))
2550 return 0;
2551
2552 return 1;
2553 }
2554
2555 static int
tlsext_parse(SSL * s,struct tlsext_data * td,int is_server,uint16_t msg_type,CBS * cbs,int * alert)2556 tlsext_parse(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type,
2557 CBS *cbs, int *alert)
2558 {
2559 const struct tls_extension *tlsext;
2560 CBS extensions, extension_data;
2561 uint16_t type;
2562 size_t idx;
2563 uint16_t tls_version;
2564 int alert_desc;
2565
2566 tls_version = ssl_effective_tls_version(s);
2567
2568 s->s3->hs.extensions_seen = 0;
2569
2570 /* An empty extensions block is valid. */
2571 if (CBS_len(cbs) == 0)
2572 return 1;
2573
2574 alert_desc = SSL_AD_DECODE_ERROR;
2575
2576 if (!CBS_get_u16_length_prefixed(cbs, &extensions))
2577 goto err;
2578
2579 while (CBS_len(&extensions) > 0) {
2580 if (!CBS_get_u16(&extensions, &type))
2581 goto err;
2582 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
2583 goto err;
2584
2585 if (s->tlsext_debug_cb != NULL)
2586 s->tlsext_debug_cb(s, !is_server, type,
2587 (unsigned char *)CBS_data(&extension_data),
2588 CBS_len(&extension_data),
2589 s->tlsext_debug_arg);
2590
2591 /* Unknown extensions are ignored. */
2592 if ((tlsext = tls_extension_find(type, &idx)) == NULL)
2593 continue;
2594
2595 if (tls_version >= TLS1_3_VERSION && is_server &&
2596 msg_type == SSL_TLSEXT_MSG_CH) {
2597 if (!tlsext_clienthello_hash_extension(s, type,
2598 &extension_data))
2599 goto err;
2600 }
2601
2602 /* RFC 8446 Section 4.2 */
2603 if (tls_version >= TLS1_3_VERSION &&
2604 !(tlsext->messages & msg_type)) {
2605 alert_desc = SSL_AD_ILLEGAL_PARAMETER;
2606 goto err;
2607 }
2608
2609 /* Check for duplicate known extensions. */
2610 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0)
2611 goto err;
2612 s->s3->hs.extensions_seen |= (1 << idx);
2613
2614 CBS_dup(&extension_data, &td->extensions[idx]);
2615 }
2616
2617 return 1;
2618
2619 err:
2620 *alert = alert_desc;
2621
2622 return 0;
2623 }
2624
2625 static int
tlsext_process(SSL * s,struct tlsext_data * td,int is_server,uint16_t msg_type,int * alert)2626 tlsext_process(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type,
2627 int *alert)
2628 {
2629 const struct tls_extension_funcs *ext;
2630 const struct tls_extension *tlsext;
2631 int alert_desc;
2632 size_t idx;
2633
2634 alert_desc = SSL_AD_DECODE_ERROR;
2635
2636 s->s3->hs.extensions_processed = 0;
2637
2638 /* Run processing for present TLS extensions, in a defined order. */
2639 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) {
2640 tlsext = &tls_extensions[idx];
2641 if ((s->s3->hs.extensions_seen & (1 << idx)) == 0)
2642 continue;
2643 ext = tlsext_funcs(tlsext, is_server);
2644 if (ext->process == NULL)
2645 continue;
2646 if (!ext->process(s, msg_type, &td->extensions[idx], &alert_desc))
2647 goto err;
2648
2649 if (CBS_len(&td->extensions[idx]) != 0)
2650 goto err;
2651
2652 s->s3->hs.extensions_processed |= (1 << idx);
2653 }
2654
2655 return 1;
2656
2657 err:
2658 *alert = alert_desc;
2659
2660 return 0;
2661 }
2662
2663 static void
tlsext_server_reset_state(SSL * s)2664 tlsext_server_reset_state(SSL *s)
2665 {
2666 s->tlsext_status_type = -1;
2667 s->s3->renegotiate_seen = 0;
2668 free(s->s3->alpn_selected);
2669 s->s3->alpn_selected = NULL;
2670 s->s3->alpn_selected_len = 0;
2671 s->srtp_profile = NULL;
2672 }
2673
2674 int
tlsext_server_build(SSL * s,uint16_t msg_type,CBB * cbb)2675 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
2676 {
2677 return tlsext_build(s, 1, msg_type, cbb);
2678 }
2679
2680 int
tlsext_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)2681 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2682 {
2683 struct tlsext_data *td;
2684 int ret = 0;
2685
2686 if ((td = tlsext_data_new()) == NULL)
2687 goto err;
2688
2689 /* XXX - this should be done by the caller... */
2690 if (msg_type == SSL_TLSEXT_MSG_CH)
2691 tlsext_server_reset_state(s);
2692
2693 if (!tlsext_parse(s, td, 1, msg_type, cbs, alert))
2694 goto err;
2695 if (!tlsext_process(s, td, 1, msg_type, alert))
2696 goto err;
2697
2698 ret = 1;
2699
2700 err:
2701 tlsext_data_free(td);
2702
2703 return ret;
2704 }
2705
2706 static void
tlsext_client_reset_state(SSL * s)2707 tlsext_client_reset_state(SSL *s)
2708 {
2709 s->s3->renegotiate_seen = 0;
2710 free(s->s3->alpn_selected);
2711 s->s3->alpn_selected = NULL;
2712 s->s3->alpn_selected_len = 0;
2713 }
2714
2715 int
tlsext_client_build(SSL * s,uint16_t msg_type,CBB * cbb)2716 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
2717 {
2718 return tlsext_build(s, 0, msg_type, cbb);
2719 }
2720
2721 int
tlsext_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)2722 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2723 {
2724 struct tlsext_data *td;
2725 int ret = 0;
2726
2727 if ((td = tlsext_data_new()) == NULL)
2728 goto err;
2729
2730 /* XXX - this should be done by the caller... */
2731 if (msg_type == SSL_TLSEXT_MSG_SH)
2732 tlsext_client_reset_state(s);
2733
2734 if (!tlsext_parse(s, td, 0, msg_type, cbs, alert))
2735 goto err;
2736 if (!tlsext_process(s, td, 0, msg_type, alert))
2737 goto err;
2738
2739 ret = 1;
2740
2741 err:
2742 tlsext_data_free(td);
2743
2744 return ret;
2745 }
2746