1 /* $OpenBSD: ssl_tlsext.c,v 1.99 2021/09/10 09:25:29 tb Exp $ */
2 /*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20 #include <ctype.h>
21
22 #include <openssl/ocsp.h>
23 #include <openssl/opensslconf.h>
24
25 #include "bytestring.h"
26 #include "ssl_locl.h"
27 #include "ssl_sigalgs.h"
28 #include "ssl_tlsext.h"
29
30 /*
31 * Supported Application-Layer Protocol Negotiation - RFC 7301
32 */
33
34 int
tlsext_alpn_client_needs(SSL * s,uint16_t msg_type)35 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type)
36 {
37 /* ALPN protos have been specified and this is the initial handshake */
38 return s->internal->alpn_client_proto_list != NULL &&
39 S3I(s)->hs.finished_len == 0;
40 }
41
42 int
tlsext_alpn_client_build(SSL * s,uint16_t msg_type,CBB * cbb)43 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
44 {
45 CBB protolist;
46
47 if (!CBB_add_u16_length_prefixed(cbb, &protolist))
48 return 0;
49
50 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list,
51 s->internal->alpn_client_proto_list_len))
52 return 0;
53
54 if (!CBB_flush(cbb))
55 return 0;
56
57 return 1;
58 }
59
60 int
tlsext_alpn_server_parse(SSL * s,uint16_t msg_types,CBS * cbs,int * alert)61 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
62 {
63 CBS proto_name_list, alpn;
64 const unsigned char *selected;
65 unsigned char selected_len;
66 int r;
67
68 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
69 goto err;
70 if (CBS_len(&alpn) < 2)
71 goto err;
72 if (CBS_len(cbs) != 0)
73 goto err;
74
75 CBS_dup(&alpn, &proto_name_list);
76 while (CBS_len(&proto_name_list) > 0) {
77 CBS proto_name;
78
79 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
80 goto err;
81 if (CBS_len(&proto_name) == 0)
82 goto err;
83 }
84
85 if (s->ctx->internal->alpn_select_cb == NULL)
86 return 1;
87
88 /*
89 * XXX - A few things should be considered here:
90 * 1. Ensure that the same protocol is selected on session resumption.
91 * 2. Should the callback be called even if no ALPN extension was sent?
92 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed.
93 */
94 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
95 CBS_data(&alpn), CBS_len(&alpn),
96 s->ctx->internal->alpn_select_cb_arg);
97
98 if (r == SSL_TLSEXT_ERR_OK) {
99 free(S3I(s)->alpn_selected);
100 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) {
101 S3I(s)->alpn_selected_len = 0;
102 *alert = SSL_AD_INTERNAL_ERROR;
103 return 0;
104 }
105 memcpy(S3I(s)->alpn_selected, selected, selected_len);
106 S3I(s)->alpn_selected_len = selected_len;
107
108 return 1;
109 }
110
111 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */
112 if (r == SSL_TLSEXT_ERR_NOACK)
113 return 1;
114
115 *alert = SSL_AD_NO_APPLICATION_PROTOCOL;
116 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL);
117
118 return 0;
119
120 err:
121 *alert = SSL_AD_DECODE_ERROR;
122 return 0;
123 }
124
125 int
tlsext_alpn_server_needs(SSL * s,uint16_t msg_type)126 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type)
127 {
128 return S3I(s)->alpn_selected != NULL;
129 }
130
131 int
tlsext_alpn_server_build(SSL * s,uint16_t msg_type,CBB * cbb)132 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
133 {
134 CBB list, selected;
135
136 if (!CBB_add_u16_length_prefixed(cbb, &list))
137 return 0;
138
139 if (!CBB_add_u8_length_prefixed(&list, &selected))
140 return 0;
141
142 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected,
143 S3I(s)->alpn_selected_len))
144 return 0;
145
146 if (!CBB_flush(cbb))
147 return 0;
148
149 return 1;
150 }
151
152 int
tlsext_alpn_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)153 tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
154 {
155 CBS list, proto;
156
157 if (s->internal->alpn_client_proto_list == NULL) {
158 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
159 return 0;
160 }
161
162 if (!CBS_get_u16_length_prefixed(cbs, &list))
163 goto err;
164 if (CBS_len(cbs) != 0)
165 goto err;
166
167 if (!CBS_get_u8_length_prefixed(&list, &proto))
168 goto err;
169
170 if (CBS_len(&list) != 0)
171 goto err;
172 if (CBS_len(&proto) == 0)
173 goto err;
174
175 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected),
176 &(S3I(s)->alpn_selected_len)))
177 goto err;
178
179 return 1;
180
181 err:
182 *alert = SSL_AD_DECODE_ERROR;
183 return 0;
184 }
185
186 /*
187 * Supported Groups - RFC 7919 section 2
188 */
189 int
tlsext_supportedgroups_client_needs(SSL * s,uint16_t msg_type)190 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type)
191 {
192 return ssl_has_ecc_ciphers(s) ||
193 (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION);
194 }
195
196 int
tlsext_supportedgroups_client_build(SSL * s,uint16_t msg_type,CBB * cbb)197 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
198 {
199 const uint16_t *groups;
200 size_t groups_len;
201 CBB grouplist;
202 int i;
203
204 tls1_get_group_list(s, 0, &groups, &groups_len);
205 if (groups_len == 0) {
206 SSLerror(s, ERR_R_INTERNAL_ERROR);
207 return 0;
208 }
209
210 if (!CBB_add_u16_length_prefixed(cbb, &grouplist))
211 return 0;
212
213 for (i = 0; i < groups_len; i++) {
214 if (!CBB_add_u16(&grouplist, groups[i]))
215 return 0;
216 }
217
218 if (!CBB_flush(cbb))
219 return 0;
220
221 return 1;
222 }
223
224 int
tlsext_supportedgroups_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)225 tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
226 int *alert)
227 {
228 CBS grouplist;
229 size_t groups_len;
230
231 if (!CBS_get_u16_length_prefixed(cbs, &grouplist))
232 goto err;
233 if (CBS_len(cbs) != 0)
234 goto err;
235
236 groups_len = CBS_len(&grouplist);
237 if (groups_len == 0 || groups_len % 2 != 0)
238 goto err;
239 groups_len /= 2;
240
241 if (!s->internal->hit) {
242 uint16_t *groups;
243 int i;
244
245 if (S3I(s)->hs.tls13.hrr) {
246 if (SSI(s)->tlsext_supportedgroups == NULL) {
247 *alert = SSL_AD_HANDSHAKE_FAILURE;
248 return 0;
249 }
250 /*
251 * In the case of TLSv1.3 the client cannot change
252 * the supported groups.
253 */
254 if (groups_len != SSI(s)->tlsext_supportedgroups_length) {
255 *alert = SSL_AD_ILLEGAL_PARAMETER;
256 return 0;
257 }
258 for (i = 0; i < groups_len; i++) {
259 uint16_t group;
260
261 if (!CBS_get_u16(&grouplist, &group))
262 goto err;
263 if (SSI(s)->tlsext_supportedgroups[i] != group) {
264 *alert = SSL_AD_ILLEGAL_PARAMETER;
265 return 0;
266 }
267 }
268
269 return 1;
270 }
271
272 if (SSI(s)->tlsext_supportedgroups != NULL)
273 goto err;
274
275 if ((groups = reallocarray(NULL, groups_len,
276 sizeof(uint16_t))) == NULL) {
277 *alert = SSL_AD_INTERNAL_ERROR;
278 return 0;
279 }
280
281 for (i = 0; i < groups_len; i++) {
282 if (!CBS_get_u16(&grouplist, &groups[i])) {
283 free(groups);
284 goto err;
285 }
286 }
287
288 if (CBS_len(&grouplist) != 0) {
289 free(groups);
290 goto err;
291 }
292
293 SSI(s)->tlsext_supportedgroups = groups;
294 SSI(s)->tlsext_supportedgroups_length = groups_len;
295 }
296
297 return 1;
298
299 err:
300 *alert = SSL_AD_DECODE_ERROR;
301 return 0;
302 }
303
304 /* This extension is never used by the server. */
305 int
tlsext_supportedgroups_server_needs(SSL * s,uint16_t msg_type)306 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type)
307 {
308 return 0;
309 }
310
311 int
tlsext_supportedgroups_server_build(SSL * s,uint16_t msg_type,CBB * cbb)312 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
313 {
314 return 0;
315 }
316
317 int
tlsext_supportedgroups_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)318 tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
319 int *alert)
320 {
321 /*
322 * Servers should not send this extension per the RFC.
323 *
324 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
325 * from at least 2014 but as of 2017, there are still large sites with
326 * this unpatched in production. As a result, we need to currently skip
327 * over the extension and ignore its content:
328 *
329 * https://support.f5.com/csp/article/K37345003
330 */
331 if (!CBS_skip(cbs, CBS_len(cbs))) {
332 *alert = SSL_AD_INTERNAL_ERROR;
333 return 0;
334 }
335
336 return 1;
337 }
338
339 /*
340 * Supported Point Formats Extension - RFC 4492 section 5.1.2
341 */
342 static int
tlsext_ecpf_build(SSL * s,uint16_t msg_type,CBB * cbb)343 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb)
344 {
345 CBB ecpf;
346 size_t formats_len;
347 const uint8_t *formats;
348
349 tls1_get_formatlist(s, 0, &formats, &formats_len);
350
351 if (formats_len == 0) {
352 SSLerror(s, ERR_R_INTERNAL_ERROR);
353 return 0;
354 }
355
356 if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
357 return 0;
358 if (!CBB_add_bytes(&ecpf, formats, formats_len))
359 return 0;
360 if (!CBB_flush(cbb))
361 return 0;
362
363 return 1;
364 }
365
366 static int
tlsext_ecpf_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)367 tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
368 {
369 CBS ecpf;
370
371 if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
372 return 0;
373 if (CBS_len(&ecpf) == 0)
374 return 0;
375 if (CBS_len(cbs) != 0)
376 return 0;
377
378 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
379 if (!CBS_contains_zero_byte(&ecpf)) {
380 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
381 *alert = SSL_AD_ILLEGAL_PARAMETER;
382 return 0;
383 }
384
385 if (!s->internal->hit) {
386 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
387 &(SSI(s)->tlsext_ecpointformatlist_length))) {
388 *alert = SSL_AD_INTERNAL_ERROR;
389 return 0;
390 }
391 }
392
393 return 1;
394 }
395
396 int
tlsext_ecpf_client_needs(SSL * s,uint16_t msg_type)397 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type)
398 {
399 return ssl_has_ecc_ciphers(s);
400 }
401
402 int
tlsext_ecpf_client_build(SSL * s,uint16_t msg_type,CBB * cbb)403 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
404 {
405 return tlsext_ecpf_build(s, msg_type, cbb);
406 }
407
408 int
tlsext_ecpf_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)409 tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
410 {
411 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
412 }
413
414 int
tlsext_ecpf_server_needs(SSL * s,uint16_t msg_type)415 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type)
416 {
417 return ssl_using_ecc_cipher(s);
418 }
419
420 int
tlsext_ecpf_server_build(SSL * s,uint16_t msg_type,CBB * cbb)421 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
422 {
423 return tlsext_ecpf_build(s, msg_type, cbb);
424 }
425
426 int
tlsext_ecpf_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)427 tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
428 {
429 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
430 }
431
432 /*
433 * Renegotiation Indication - RFC 5746.
434 */
435 int
tlsext_ri_client_needs(SSL * s,uint16_t msg_type)436 tlsext_ri_client_needs(SSL *s, uint16_t msg_type)
437 {
438 return (s->internal->renegotiate);
439 }
440
441 int
tlsext_ri_client_build(SSL * s,uint16_t msg_type,CBB * cbb)442 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
443 {
444 CBB reneg;
445
446 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
447 return 0;
448 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished,
449 S3I(s)->previous_client_finished_len))
450 return 0;
451 if (!CBB_flush(cbb))
452 return 0;
453
454 return 1;
455 }
456
457 int
tlsext_ri_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)458 tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
459 {
460 CBS reneg;
461
462 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
463 goto err;
464 if (CBS_len(cbs) != 0)
465 goto err;
466
467 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished,
468 S3I(s)->previous_client_finished_len)) {
469 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
470 *alert = SSL_AD_HANDSHAKE_FAILURE;
471 return 0;
472 }
473
474 S3I(s)->renegotiate_seen = 1;
475 S3I(s)->send_connection_binding = 1;
476
477 return 1;
478
479 err:
480 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
481 *alert = SSL_AD_DECODE_ERROR;
482 return 0;
483 }
484
485 int
tlsext_ri_server_needs(SSL * s,uint16_t msg_type)486 tlsext_ri_server_needs(SSL *s, uint16_t msg_type)
487 {
488 return (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION &&
489 S3I(s)->send_connection_binding);
490 }
491
492 int
tlsext_ri_server_build(SSL * s,uint16_t msg_type,CBB * cbb)493 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
494 {
495 CBB reneg;
496
497 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
498 return 0;
499 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished,
500 S3I(s)->previous_client_finished_len))
501 return 0;
502 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished,
503 S3I(s)->previous_server_finished_len))
504 return 0;
505 if (!CBB_flush(cbb))
506 return 0;
507
508 return 1;
509 }
510
511 int
tlsext_ri_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)512 tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
513 {
514 CBS reneg, prev_client, prev_server;
515
516 /*
517 * Ensure that the previous client and server values are both not
518 * present, or that they are both present.
519 */
520 if ((S3I(s)->previous_client_finished_len == 0 &&
521 S3I(s)->previous_server_finished_len != 0) ||
522 (S3I(s)->previous_client_finished_len != 0 &&
523 S3I(s)->previous_server_finished_len == 0)) {
524 *alert = SSL_AD_INTERNAL_ERROR;
525 return 0;
526 }
527
528 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
529 goto err;
530 if (!CBS_get_bytes(&reneg, &prev_client,
531 S3I(s)->previous_client_finished_len))
532 goto err;
533 if (!CBS_get_bytes(&reneg, &prev_server,
534 S3I(s)->previous_server_finished_len))
535 goto err;
536 if (CBS_len(&reneg) != 0)
537 goto err;
538 if (CBS_len(cbs) != 0)
539 goto err;
540
541 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished,
542 S3I(s)->previous_client_finished_len)) {
543 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
544 *alert = SSL_AD_HANDSHAKE_FAILURE;
545 return 0;
546 }
547 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished,
548 S3I(s)->previous_server_finished_len)) {
549 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
550 *alert = SSL_AD_HANDSHAKE_FAILURE;
551 return 0;
552 }
553
554 S3I(s)->renegotiate_seen = 1;
555 S3I(s)->send_connection_binding = 1;
556
557 return 1;
558
559 err:
560 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
561 *alert = SSL_AD_DECODE_ERROR;
562 return 0;
563 }
564
565 /*
566 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
567 */
568 int
tlsext_sigalgs_client_needs(SSL * s,uint16_t msg_type)569 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
570 {
571 return (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION);
572 }
573
574 int
tlsext_sigalgs_client_build(SSL * s,uint16_t msg_type,CBB * cbb)575 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
576 {
577 uint16_t tls_version = S3I(s)->hs.negotiated_tls_version;
578 CBB sigalgs;
579
580 if (msg_type == SSL_TLSEXT_MSG_CH)
581 tls_version = S3I(s)->hs.our_min_tls_version;
582
583 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
584 return 0;
585 if (!ssl_sigalgs_build(tls_version, &sigalgs))
586 return 0;
587 if (!CBB_flush(cbb))
588 return 0;
589
590 return 1;
591 }
592
593 int
tlsext_sigalgs_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)594 tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
595 {
596 CBS sigalgs;
597
598 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
599 return 0;
600 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
601 return 0;
602 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len))
603 return 0;
604
605 return 1;
606 }
607
608 int
tlsext_sigalgs_server_needs(SSL * s,uint16_t msg_type)609 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
610 {
611 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION);
612 }
613
614 int
tlsext_sigalgs_server_build(SSL * s,uint16_t msg_type,CBB * cbb)615 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
616 {
617 CBB sigalgs;
618
619 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
620 return 0;
621 if (!ssl_sigalgs_build(S3I(s)->hs.negotiated_tls_version, &sigalgs))
622 return 0;
623 if (!CBB_flush(cbb))
624 return 0;
625
626 return 1;
627 }
628
629 int
tlsext_sigalgs_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)630 tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
631 {
632 CBS sigalgs;
633
634 if (ssl_effective_tls_version(s) < TLS1_3_VERSION)
635 return 0;
636
637 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
638 return 0;
639 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
640 return 0;
641 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len))
642 return 0;
643
644 return 1;
645 }
646
647 /*
648 * Server Name Indication - RFC 6066, section 3.
649 */
650 int
tlsext_sni_client_needs(SSL * s,uint16_t msg_type)651 tlsext_sni_client_needs(SSL *s, uint16_t msg_type)
652 {
653 return (s->tlsext_hostname != NULL);
654 }
655
656 int
tlsext_sni_client_build(SSL * s,uint16_t msg_type,CBB * cbb)657 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
658 {
659 CBB server_name_list, host_name;
660
661 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
662 return 0;
663 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name))
664 return 0;
665 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
666 return 0;
667 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
668 strlen(s->tlsext_hostname)))
669 return 0;
670 if (!CBB_flush(cbb))
671 return 0;
672
673 return 1;
674 }
675
676 /*
677 * Validate that the CBS contains only a hostname consisting of RFC 5890
678 * compliant A-labels (see RFC 6066 section 3). Not a complete check
679 * since we don't parse punycode to verify its validity but limits to
680 * correct structure and character set.
681 */
682 int
tlsext_sni_is_valid_hostname(CBS * cbs)683 tlsext_sni_is_valid_hostname(CBS *cbs)
684 {
685 uint8_t prev, c = 0;
686 int component = 0;
687 CBS hostname;
688
689 CBS_dup(cbs, &hostname);
690
691 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name)
692 return 0;
693
694 while(CBS_len(&hostname) > 0) {
695 prev = c;
696 if (!CBS_get_u8(&hostname, &c))
697 return 0;
698 /* Everything has to be ASCII, with no NUL byte. */
699 if (!isascii(c) || c == '\0')
700 return 0;
701 /* It must be alphanumeric, a '-', or a '.' */
702 if (!isalnum(c) && c != '-' && c != '.')
703 return 0;
704 /* '-' and '.' must not start a component or be at the end. */
705 if (component == 0 || CBS_len(&hostname) == 0) {
706 if (c == '-' || c == '.')
707 return 0;
708 }
709 if (c == '.') {
710 /* Components can not end with a dash. */
711 if (prev == '-')
712 return 0;
713 /* Start new component */
714 component = 0;
715 continue;
716 }
717 /* Components must be 63 chars or less. */
718 if (++component > 63)
719 return 0;
720 }
721
722 return 1;
723 }
724
725 int
tlsext_sni_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)726 tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
727 {
728 CBS server_name_list, host_name;
729 uint8_t name_type;
730
731 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
732 goto err;
733
734 if (!CBS_get_u8(&server_name_list, &name_type))
735 goto err;
736 /*
737 * RFC 6066 section 3, only one type (host_name) is specified.
738 * We do not tolerate unknown types, neither does BoringSSL.
739 * other implementations appear more tolerant.
740 */
741 if (name_type != TLSEXT_NAMETYPE_host_name) {
742 *alert = SSL_AD_ILLEGAL_PARAMETER;
743 goto err;
744 }
745
746
747 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
748 goto err;
749 /*
750 * RFC 6066 section 3 specifies a host name must be at least 1 byte
751 * so 0 length is a decode error.
752 */
753 if (CBS_len(&host_name) < 1)
754 goto err;
755
756 if (!tlsext_sni_is_valid_hostname(&host_name)) {
757 *alert = SSL_AD_ILLEGAL_PARAMETER;
758 goto err;
759 }
760
761 if (s->internal->hit || S3I(s)->hs.tls13.hrr) {
762 if (s->session->tlsext_hostname == NULL) {
763 *alert = SSL_AD_UNRECOGNIZED_NAME;
764 goto err;
765 }
766 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
767 strlen(s->session->tlsext_hostname))) {
768 *alert = SSL_AD_UNRECOGNIZED_NAME;
769 goto err;
770 }
771 } else {
772 if (s->session->tlsext_hostname != NULL)
773 goto err;
774 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
775 *alert = SSL_AD_INTERNAL_ERROR;
776 goto err;
777 }
778 }
779
780 /*
781 * RFC 6066 section 3 forbids multiple host names with the same type,
782 * therefore we allow only one entry.
783 */
784 if (CBS_len(&server_name_list) != 0) {
785 *alert = SSL_AD_ILLEGAL_PARAMETER;
786 goto err;
787 }
788 if (CBS_len(cbs) != 0)
789 goto err;
790
791 return 1;
792
793 err:
794 return 0;
795 }
796
797 int
tlsext_sni_server_needs(SSL * s,uint16_t msg_type)798 tlsext_sni_server_needs(SSL *s, uint16_t msg_type)
799 {
800 if (s->internal->hit)
801 return 0;
802
803 return (s->session->tlsext_hostname != NULL);
804 }
805
806 int
tlsext_sni_server_build(SSL * s,uint16_t msg_type,CBB * cbb)807 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
808 {
809 return 1;
810 }
811
812 int
tlsext_sni_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)813 tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
814 {
815 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
816 *alert = SSL_AD_UNRECOGNIZED_NAME;
817 return 0;
818 }
819
820 if (s->internal->hit) {
821 if (s->session->tlsext_hostname == NULL) {
822 *alert = SSL_AD_UNRECOGNIZED_NAME;
823 return 0;
824 }
825 if (strcmp(s->tlsext_hostname,
826 s->session->tlsext_hostname) != 0) {
827 *alert = SSL_AD_UNRECOGNIZED_NAME;
828 return 0;
829 }
830 } else {
831 if (s->session->tlsext_hostname != NULL) {
832 *alert = SSL_AD_DECODE_ERROR;
833 return 0;
834 }
835 if ((s->session->tlsext_hostname =
836 strdup(s->tlsext_hostname)) == NULL) {
837 *alert = SSL_AD_INTERNAL_ERROR;
838 return 0;
839 }
840 }
841
842 return 1;
843 }
844
845
846 /*
847 * Certificate Status Request - RFC 6066 section 8.
848 */
849
850 int
tlsext_ocsp_client_needs(SSL * s,uint16_t msg_type)851 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
852 {
853 if (msg_type != SSL_TLSEXT_MSG_CH)
854 return 0;
855
856 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp);
857 }
858
859 int
tlsext_ocsp_client_build(SSL * s,uint16_t msg_type,CBB * cbb)860 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
861 {
862 CBB respid_list, respid, exts;
863 unsigned char *ext_data;
864 size_t ext_len;
865 int i;
866
867 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
868 return 0;
869 if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
870 return 0;
871 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
872 unsigned char *respid_data;
873 OCSP_RESPID *id;
874 size_t id_len;
875
876 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,
877 i)) == NULL)
878 return 0;
879 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
880 return 0;
881 if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
882 return 0;
883 if (!CBB_add_space(&respid, &respid_data, id_len))
884 return 0;
885 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
886 return 0;
887 }
888 if (!CBB_add_u16_length_prefixed(cbb, &exts))
889 return 0;
890 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
891 NULL)) == -1)
892 return 0;
893 if (!CBB_add_space(&exts, &ext_data, ext_len))
894 return 0;
895 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
896 ext_len))
897 return 0;
898 if (!CBB_flush(cbb))
899 return 0;
900 return 1;
901 }
902
903 int
tlsext_ocsp_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)904 tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
905 {
906 int alert_desc = SSL_AD_DECODE_ERROR;
907 CBS respid_list, respid, exts;
908 const unsigned char *p;
909 uint8_t status_type;
910 int ret = 0;
911
912 if (msg_type != SSL_TLSEXT_MSG_CH)
913 goto err;
914
915 if (!CBS_get_u8(cbs, &status_type))
916 goto err;
917 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
918 /* ignore unknown status types */
919 s->tlsext_status_type = -1;
920
921 if (!CBS_skip(cbs, CBS_len(cbs))) {
922 *alert = SSL_AD_INTERNAL_ERROR;
923 return 0;
924 }
925 return 1;
926 }
927 s->tlsext_status_type = status_type;
928 if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
929 goto err;
930
931 /* XXX */
932 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
933 s->internal->tlsext_ocsp_ids = NULL;
934 if (CBS_len(&respid_list) > 0) {
935 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
936 if (s->internal->tlsext_ocsp_ids == NULL) {
937 alert_desc = SSL_AD_INTERNAL_ERROR;
938 goto err;
939 }
940 }
941
942 while (CBS_len(&respid_list) > 0) {
943 OCSP_RESPID *id;
944
945 if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
946 goto err;
947 p = CBS_data(&respid);
948 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL)
949 goto err;
950 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) {
951 alert_desc = SSL_AD_INTERNAL_ERROR;
952 OCSP_RESPID_free(id);
953 goto err;
954 }
955 }
956
957 /* Read in request_extensions */
958 if (!CBS_get_u16_length_prefixed(cbs, &exts))
959 goto err;
960 if (CBS_len(&exts) > 0) {
961 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
962 X509_EXTENSION_free);
963 p = CBS_data(&exts);
964 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
965 &p, CBS_len(&exts))) == NULL)
966 goto err;
967 }
968
969 /* should be nothing left */
970 if (CBS_len(cbs) > 0)
971 goto err;
972
973 ret = 1;
974 err:
975 if (ret == 0)
976 *alert = alert_desc;
977 return ret;
978 }
979
980 int
tlsext_ocsp_server_needs(SSL * s,uint16_t msg_type)981 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type)
982 {
983 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
984 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
985 s->ctx->internal->tlsext_status_cb != NULL) {
986 s->internal->tlsext_status_expected = 0;
987 if (s->ctx->internal->tlsext_status_cb(s,
988 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
989 s->internal->tlsext_ocsp_resp_len > 0)
990 s->internal->tlsext_status_expected = 1;
991 }
992 return s->internal->tlsext_status_expected;
993 }
994
995 int
tlsext_ocsp_server_build(SSL * s,uint16_t msg_type,CBB * cbb)996 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
997 {
998 CBB ocsp_response;
999
1000 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
1001 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
1002 return 0;
1003 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
1004 return 0;
1005 if (!CBB_add_bytes(&ocsp_response,
1006 s->internal->tlsext_ocsp_resp,
1007 s->internal->tlsext_ocsp_resp_len))
1008 return 0;
1009 if (!CBB_flush(cbb))
1010 return 0;
1011 }
1012 return 1;
1013 }
1014
1015 int
tlsext_ocsp_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1016 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1017 {
1018 uint8_t status_type;
1019 CBS response;
1020
1021 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) {
1022 if (msg_type == SSL_TLSEXT_MSG_CR) {
1023 /*
1024 * RFC 8446, 4.4.2.1 - the server may request an OCSP
1025 * response with an empty status_request.
1026 */
1027 if (CBS_len(cbs) == 0)
1028 return 1;
1029
1030 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1031 return 0;
1032 }
1033 if (!CBS_get_u8(cbs, &status_type)) {
1034 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1035 return 0;
1036 }
1037 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1038 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
1039 return 0;
1040 }
1041 if (!CBS_get_u24_length_prefixed(cbs, &response)) {
1042 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1043 return 0;
1044 }
1045 if (CBS_len(&response) > 65536) {
1046 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1047 return 0;
1048 }
1049 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
1050 &s->internal->tlsext_ocsp_resp_len)) {
1051 *alert = SSL_AD_INTERNAL_ERROR;
1052 return 0;
1053 }
1054 } else {
1055 if (s->tlsext_status_type == -1) {
1056 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1057 return 0;
1058 }
1059 /* Set flag to expect CertificateStatus message */
1060 s->internal->tlsext_status_expected = 1;
1061 }
1062 return 1;
1063 }
1064
1065 /*
1066 * SessionTicket extension - RFC 5077 section 3.2
1067 */
1068 int
tlsext_sessionticket_client_needs(SSL * s,uint16_t msg_type)1069 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
1070 {
1071 /*
1072 * Send session ticket extension when enabled and not overridden.
1073 *
1074 * When renegotiating, send an empty session ticket to indicate support.
1075 */
1076 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
1077 return 0;
1078
1079 if (s->internal->new_session)
1080 return 1;
1081
1082 if (s->internal->tlsext_session_ticket != NULL &&
1083 s->internal->tlsext_session_ticket->data == NULL)
1084 return 0;
1085
1086 return 1;
1087 }
1088
1089 int
tlsext_sessionticket_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1090 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1091 {
1092 /*
1093 * Signal that we support session tickets by sending an empty
1094 * extension when renegotiating or no session found.
1095 */
1096 if (s->internal->new_session || s->session == NULL)
1097 return 1;
1098
1099 if (s->session->tlsext_tick != NULL) {
1100 /* Attempt to resume with an existing session ticket */
1101 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1102 s->session->tlsext_ticklen))
1103 return 0;
1104
1105 } else if (s->internal->tlsext_session_ticket != NULL) {
1106 /*
1107 * Attempt to resume with a custom provided session ticket set
1108 * by SSL_set_session_ticket_ext().
1109 */
1110 if (s->internal->tlsext_session_ticket->length > 0) {
1111 size_t ticklen = s->internal->tlsext_session_ticket->length;
1112
1113 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL)
1114 return 0;
1115 memcpy(s->session->tlsext_tick,
1116 s->internal->tlsext_session_ticket->data,
1117 ticklen);
1118 s->session->tlsext_ticklen = ticklen;
1119
1120 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1121 s->session->tlsext_ticklen))
1122 return 0;
1123 }
1124 }
1125
1126 if (!CBB_flush(cbb))
1127 return 0;
1128
1129 return 1;
1130 }
1131
1132 int
tlsext_sessionticket_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1133 tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1134 int *alert)
1135 {
1136 if (s->internal->tls_session_ticket_ext_cb) {
1137 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1138 (int)CBS_len(cbs),
1139 s->internal->tls_session_ticket_ext_cb_arg)) {
1140 *alert = SSL_AD_INTERNAL_ERROR;
1141 return 0;
1142 }
1143 }
1144
1145 /* We need to signal that this was processed fully */
1146 if (!CBS_skip(cbs, CBS_len(cbs))) {
1147 *alert = SSL_AD_INTERNAL_ERROR;
1148 return 0;
1149 }
1150
1151 return 1;
1152 }
1153
1154 int
tlsext_sessionticket_server_needs(SSL * s,uint16_t msg_type)1155 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
1156 {
1157 return (s->internal->tlsext_ticket_expected &&
1158 !(SSL_get_options(s) & SSL_OP_NO_TICKET));
1159 }
1160
1161 int
tlsext_sessionticket_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1162 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1163 {
1164 /* Empty ticket */
1165 return 1;
1166 }
1167
1168 int
tlsext_sessionticket_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1169 tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1170 int *alert)
1171 {
1172 if (s->internal->tls_session_ticket_ext_cb) {
1173 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1174 (int)CBS_len(cbs),
1175 s->internal->tls_session_ticket_ext_cb_arg)) {
1176 *alert = SSL_AD_INTERNAL_ERROR;
1177 return 0;
1178 }
1179 }
1180
1181 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
1182 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1183 return 0;
1184 }
1185
1186 s->internal->tlsext_ticket_expected = 1;
1187
1188 return 1;
1189 }
1190
1191 /*
1192 * DTLS extension for SRTP key establishment - RFC 5764
1193 */
1194
1195 #ifndef OPENSSL_NO_SRTP
1196
1197 int
tlsext_srtp_client_needs(SSL * s,uint16_t msg_type)1198 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type)
1199 {
1200 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL;
1201 }
1202
1203 int
tlsext_srtp_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1204 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1205 {
1206 CBB profiles, mki;
1207 int ct, i;
1208 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL;
1209 const SRTP_PROTECTION_PROFILE *prof;
1210
1211 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1212 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1213 return 0;
1214 }
1215
1216 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) {
1217 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1218 return 0;
1219 }
1220
1221 if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1222 return 0;
1223
1224 for (i = 0; i < ct; i++) {
1225 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL)
1226 return 0;
1227 if (!CBB_add_u16(&profiles, prof->id))
1228 return 0;
1229 }
1230
1231 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1232 return 0;
1233
1234 if (!CBB_flush(cbb))
1235 return 0;
1236
1237 return 1;
1238 }
1239
1240 int
tlsext_srtp_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1241 tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1242 {
1243 const SRTP_PROTECTION_PROFILE *cprof, *sprof;
1244 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
1245 int i, j;
1246 int ret;
1247 uint16_t id;
1248 CBS profiles, mki;
1249
1250 ret = 0;
1251
1252 if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1253 goto err;
1254 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1255 goto err;
1256
1257 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL)
1258 goto err;
1259
1260 while (CBS_len(&profiles) > 0) {
1261 if (!CBS_get_u16(&profiles, &id))
1262 goto err;
1263
1264 if (!srtp_find_profile_by_num(id, &cprof)) {
1265 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof))
1266 goto err;
1267 }
1268 }
1269
1270 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1271 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1272 *alert = SSL_AD_DECODE_ERROR;
1273 goto done;
1274 }
1275 if (CBS_len(cbs) != 0)
1276 goto err;
1277
1278 /*
1279 * Per RFC 5764 section 4.1.1
1280 *
1281 * Find the server preferred profile using the client's list.
1282 *
1283 * The server MUST send a profile if it sends the use_srtp
1284 * extension. If one is not found, it should fall back to the
1285 * negotiated DTLS cipher suite or return a DTLS alert.
1286 */
1287 if ((srvr = SSL_get_srtp_profiles(s)) == NULL)
1288 goto err;
1289 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
1290 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i))
1291 == NULL)
1292 goto err;
1293
1294 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
1295 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j))
1296 == NULL)
1297 goto err;
1298
1299 if (cprof->id == sprof->id) {
1300 s->internal->srtp_profile = sprof;
1301 ret = 1;
1302 goto done;
1303 }
1304 }
1305 }
1306
1307 /* If we didn't find anything, fall back to the negotiated */
1308 ret = 1;
1309 goto done;
1310
1311 err:
1312 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1313 *alert = SSL_AD_DECODE_ERROR;
1314
1315 done:
1316 sk_SRTP_PROTECTION_PROFILE_free(clnt);
1317 return ret;
1318 }
1319
1320 int
tlsext_srtp_server_needs(SSL * s,uint16_t msg_type)1321 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type)
1322 {
1323 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL;
1324 }
1325
1326 int
tlsext_srtp_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1327 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1328 {
1329 SRTP_PROTECTION_PROFILE *profile;
1330 CBB srtp, mki;
1331
1332 if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1333 return 0;
1334
1335 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL)
1336 return 0;
1337
1338 if (!CBB_add_u16(&srtp, profile->id))
1339 return 0;
1340
1341 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1342 return 0;
1343
1344 if (!CBB_flush(cbb))
1345 return 0;
1346
1347 return 1;
1348 }
1349
1350 int
tlsext_srtp_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1351 tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1352 {
1353 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1354 const SRTP_PROTECTION_PROFILE *prof;
1355 int i;
1356 uint16_t id;
1357 CBS profile_ids, mki;
1358
1359 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1360 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1361 goto err;
1362 }
1363
1364 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1365 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1366 goto err;
1367 }
1368
1369 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1370 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1371 *alert = SSL_AD_ILLEGAL_PARAMETER;
1372 return 0;
1373 }
1374
1375 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1376 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1377 goto err;
1378 }
1379
1380 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1381 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i))
1382 == NULL) {
1383 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1384 goto err;
1385 }
1386
1387 if (prof->id == id) {
1388 s->internal->srtp_profile = prof;
1389 return 1;
1390 }
1391 }
1392
1393 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1394 err:
1395 *alert = SSL_AD_DECODE_ERROR;
1396 return 0;
1397 }
1398
1399 #endif /* OPENSSL_NO_SRTP */
1400
1401 /*
1402 * TLSv1.3 Key Share - RFC 8446 section 4.2.8.
1403 */
1404 int
tlsext_keyshare_client_needs(SSL * s,uint16_t msg_type)1405 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1406 {
1407 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION);
1408 }
1409
1410 int
tlsext_keyshare_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1411 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1412 {
1413 CBB client_shares;
1414
1415 if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
1416 return 0;
1417
1418 if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share,
1419 &client_shares))
1420 return 0;
1421
1422 if (!CBB_flush(cbb))
1423 return 0;
1424
1425 return 1;
1426 }
1427
1428 int
tlsext_keyshare_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1429 tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1430 {
1431 CBS client_shares, key_exchange;
1432 uint16_t group;
1433
1434 if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1435 goto err;
1436
1437 while (CBS_len(&client_shares) > 0) {
1438
1439 /* Unpack client share. */
1440 if (!CBS_get_u16(&client_shares, &group))
1441 goto err;
1442 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1443 return 0;
1444
1445 /*
1446 * XXX - check key exchange against supported groups from client.
1447 * XXX - check that groups only appear once.
1448 */
1449
1450 /*
1451 * Ignore this client share if we're using earlier than TLSv1.3
1452 * or we've already selected a key share.
1453 */
1454 if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION)
1455 continue;
1456 if (S3I(s)->hs.tls13.key_share != NULL)
1457 continue;
1458
1459 /* XXX - consider implementing server preference. */
1460 if (!tls1_check_curve(s, group))
1461 continue;
1462
1463 /* Decode and store the selected key share. */
1464 S3I(s)->hs.tls13.key_share = tls13_key_share_new(group);
1465 if (S3I(s)->hs.tls13.key_share == NULL)
1466 goto err;
1467 if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share,
1468 group, &key_exchange))
1469 goto err;
1470 }
1471
1472 return 1;
1473
1474 err:
1475 *alert = SSL_AD_DECODE_ERROR;
1476 return 0;
1477 }
1478
1479 int
tlsext_keyshare_server_needs(SSL * s,uint16_t msg_type)1480 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
1481 {
1482 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1483 tlsext_extension_seen(s, TLSEXT_TYPE_key_share));
1484 }
1485
1486 int
tlsext_keyshare_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1487 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1488 {
1489 /* In the case of a HRR, we only send the server selected group. */
1490 if (S3I(s)->hs.tls13.hrr) {
1491 if (S3I(s)->hs.tls13.server_group == 0)
1492 return 0;
1493 return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group);
1494 }
1495
1496 if (S3I(s)->hs.tls13.key_share == NULL)
1497 return 0;
1498
1499 if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, cbb))
1500 return 0;
1501
1502 return 1;
1503 }
1504
1505 int
tlsext_keyshare_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1506 tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1507 {
1508 CBS key_exchange;
1509 uint16_t group;
1510
1511 /* Unpack server share. */
1512 if (!CBS_get_u16(cbs, &group))
1513 goto err;
1514
1515 if (CBS_len(cbs) == 0) {
1516 /* HRR does not include an actual key share. */
1517 /* XXX - we should know that we are in a HRR... */
1518 S3I(s)->hs.tls13.server_group = group;
1519 return 1;
1520 }
1521
1522 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1523 return 0;
1524
1525 if (S3I(s)->hs.tls13.key_share == NULL)
1526 return 0;
1527
1528 if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share,
1529 group, &key_exchange))
1530 goto err;
1531
1532 return 1;
1533
1534 err:
1535 *alert = SSL_AD_DECODE_ERROR;
1536 return 0;
1537 }
1538
1539 /*
1540 * Supported Versions - RFC 8446 section 4.2.1.
1541 */
1542 int
tlsext_versions_client_needs(SSL * s,uint16_t msg_type)1543 tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
1544 {
1545 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION);
1546 }
1547
1548 int
tlsext_versions_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1549 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1550 {
1551 uint16_t max, min;
1552 uint16_t version;
1553 CBB versions;
1554
1555 max = S3I(s)->hs.our_max_tls_version;
1556 min = S3I(s)->hs.our_min_tls_version;
1557
1558 if (!CBB_add_u8_length_prefixed(cbb, &versions))
1559 return 0;
1560
1561 /* XXX - fix, but contiguous for now... */
1562 for (version = max; version >= min; version--) {
1563 if (!CBB_add_u16(&versions, version))
1564 return 0;
1565 }
1566
1567 if (!CBB_flush(cbb))
1568 return 0;
1569
1570 return 1;
1571 }
1572
1573 int
tlsext_versions_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1574 tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1575 {
1576 CBS versions;
1577 uint16_t version;
1578 uint16_t max, min;
1579 uint16_t matched_version = 0;
1580
1581 max = S3I(s)->hs.our_max_tls_version;
1582 min = S3I(s)->hs.our_min_tls_version;
1583
1584 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1585 goto err;
1586
1587 while (CBS_len(&versions) > 0) {
1588 if (!CBS_get_u16(&versions, &version))
1589 goto err;
1590 /*
1591 * XXX What is below implements client preference, and
1592 * ignores any server preference entirely.
1593 */
1594 if (matched_version == 0 && version >= min && version <= max)
1595 matched_version = version;
1596 }
1597
1598 if (matched_version > 0) {
1599 /* XXX - this should be stored for later processing. */
1600 s->version = matched_version;
1601 return 1;
1602 }
1603
1604 *alert = SSL_AD_PROTOCOL_VERSION;
1605 return 0;
1606
1607 err:
1608 *alert = SSL_AD_DECODE_ERROR;
1609 return 0;
1610 }
1611
1612 int
tlsext_versions_server_needs(SSL * s,uint16_t msg_type)1613 tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
1614 {
1615 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION);
1616 }
1617
1618 int
tlsext_versions_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1619 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1620 {
1621 return CBB_add_u16(cbb, TLS1_3_VERSION);
1622 }
1623
1624 int
tlsext_versions_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1625 tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1626 {
1627 uint16_t selected_version;
1628
1629 if (!CBS_get_u16(cbs, &selected_version)) {
1630 *alert = SSL_AD_DECODE_ERROR;
1631 return 0;
1632 }
1633
1634 /* XXX - need to fix for DTLS 1.3 */
1635 if (selected_version < TLS1_3_VERSION) {
1636 *alert = SSL_AD_ILLEGAL_PARAMETER;
1637 return 0;
1638 }
1639
1640 /* XXX test between min and max once initialization code goes in */
1641 S3I(s)->hs.tls13.server_version = selected_version;
1642
1643 return 1;
1644 }
1645
1646
1647 /*
1648 * Cookie - RFC 8446 section 4.2.2.
1649 */
1650
1651 int
tlsext_cookie_client_needs(SSL * s,uint16_t msg_type)1652 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
1653 {
1654 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
1655 S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL);
1656 }
1657
1658 int
tlsext_cookie_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1659 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1660 {
1661 CBB cookie;
1662
1663 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1664 return 0;
1665
1666 if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie,
1667 S3I(s)->hs.tls13.cookie_len))
1668 return 0;
1669
1670 if (!CBB_flush(cbb))
1671 return 0;
1672
1673 return 1;
1674 }
1675
1676 int
tlsext_cookie_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1677 tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1678 {
1679 CBS cookie;
1680
1681 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1682 goto err;
1683
1684 if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len)
1685 goto err;
1686
1687 /*
1688 * Check provided cookie value against what server previously
1689 * sent - client *MUST* send the same cookie with new CR after
1690 * a cookie is sent by the server with an HRR.
1691 */
1692 if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie,
1693 S3I(s)->hs.tls13.cookie_len)) {
1694 /* XXX special cookie mismatch alert? */
1695 *alert = SSL_AD_ILLEGAL_PARAMETER;
1696 return 0;
1697 }
1698
1699 return 1;
1700
1701 err:
1702 *alert = SSL_AD_DECODE_ERROR;
1703 return 0;
1704 }
1705
1706 int
tlsext_cookie_server_needs(SSL * s,uint16_t msg_type)1707 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
1708 {
1709 /*
1710 * Server needs to set cookie value in tls13 handshake
1711 * in order to send one, should only be sent with HRR.
1712 */
1713 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
1714 S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL);
1715 }
1716
1717 int
tlsext_cookie_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1718 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1719 {
1720 CBB cookie;
1721
1722 /* XXX deduplicate with client code */
1723
1724 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1725 return 0;
1726
1727 if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie,
1728 S3I(s)->hs.tls13.cookie_len))
1729 return 0;
1730
1731 if (!CBB_flush(cbb))
1732 return 0;
1733
1734 return 1;
1735 }
1736
1737 int
tlsext_cookie_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1738 tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1739 {
1740 CBS cookie;
1741
1742 /*
1743 * XXX This currently assumes we will not get a second
1744 * HRR from a server with a cookie to process after accepting
1745 * one from the server in the same handshake
1746 */
1747 if (S3I(s)->hs.tls13.cookie != NULL ||
1748 S3I(s)->hs.tls13.cookie_len != 0) {
1749 *alert = SSL_AD_ILLEGAL_PARAMETER;
1750 return 0;
1751 }
1752
1753 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1754 goto err;
1755
1756 if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie,
1757 &S3I(s)->hs.tls13.cookie_len))
1758 goto err;
1759
1760 return 1;
1761
1762 err:
1763 *alert = SSL_AD_DECODE_ERROR;
1764 return 0;
1765 }
1766
1767 struct tls_extension_funcs {
1768 int (*needs)(SSL *s, uint16_t msg_type);
1769 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
1770 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
1771 };
1772
1773 struct tls_extension {
1774 uint16_t type;
1775 uint16_t messages;
1776 struct tls_extension_funcs client;
1777 struct tls_extension_funcs server;
1778 };
1779
1780 static const struct tls_extension tls_extensions[] = {
1781 {
1782 .type = TLSEXT_TYPE_supported_versions,
1783 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
1784 SSL_TLSEXT_MSG_HRR,
1785 .client = {
1786 .needs = tlsext_versions_client_needs,
1787 .build = tlsext_versions_client_build,
1788 .parse = tlsext_versions_client_parse,
1789 },
1790 .server = {
1791 .needs = tlsext_versions_server_needs,
1792 .build = tlsext_versions_server_build,
1793 .parse = tlsext_versions_server_parse,
1794 },
1795 },
1796 {
1797 .type = TLSEXT_TYPE_key_share,
1798 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
1799 SSL_TLSEXT_MSG_HRR,
1800 .client = {
1801 .needs = tlsext_keyshare_client_needs,
1802 .build = tlsext_keyshare_client_build,
1803 .parse = tlsext_keyshare_client_parse,
1804 },
1805 .server = {
1806 .needs = tlsext_keyshare_server_needs,
1807 .build = tlsext_keyshare_server_build,
1808 .parse = tlsext_keyshare_server_parse,
1809 },
1810 },
1811 {
1812 .type = TLSEXT_TYPE_server_name,
1813 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
1814 .client = {
1815 .needs = tlsext_sni_client_needs,
1816 .build = tlsext_sni_client_build,
1817 .parse = tlsext_sni_client_parse,
1818 },
1819 .server = {
1820 .needs = tlsext_sni_server_needs,
1821 .build = tlsext_sni_server_build,
1822 .parse = tlsext_sni_server_parse,
1823 },
1824 },
1825 {
1826 .type = TLSEXT_TYPE_renegotiate,
1827 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
1828 .client = {
1829 .needs = tlsext_ri_client_needs,
1830 .build = tlsext_ri_client_build,
1831 .parse = tlsext_ri_client_parse,
1832 },
1833 .server = {
1834 .needs = tlsext_ri_server_needs,
1835 .build = tlsext_ri_server_build,
1836 .parse = tlsext_ri_server_parse,
1837 },
1838 },
1839 {
1840 .type = TLSEXT_TYPE_status_request,
1841 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR |
1842 SSL_TLSEXT_MSG_CT,
1843 .client = {
1844 .needs = tlsext_ocsp_client_needs,
1845 .build = tlsext_ocsp_client_build,
1846 .parse = tlsext_ocsp_client_parse,
1847 },
1848 .server = {
1849 .needs = tlsext_ocsp_server_needs,
1850 .build = tlsext_ocsp_server_build,
1851 .parse = tlsext_ocsp_server_parse,
1852 },
1853 },
1854 {
1855 .type = TLSEXT_TYPE_ec_point_formats,
1856 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
1857 .client = {
1858 .needs = tlsext_ecpf_client_needs,
1859 .build = tlsext_ecpf_client_build,
1860 .parse = tlsext_ecpf_client_parse,
1861 },
1862 .server = {
1863 .needs = tlsext_ecpf_server_needs,
1864 .build = tlsext_ecpf_server_build,
1865 .parse = tlsext_ecpf_server_parse,
1866 },
1867 },
1868 {
1869 .type = TLSEXT_TYPE_supported_groups,
1870 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
1871 .client = {
1872 .needs = tlsext_supportedgroups_client_needs,
1873 .build = tlsext_supportedgroups_client_build,
1874 .parse = tlsext_supportedgroups_client_parse,
1875 },
1876 .server = {
1877 .needs = tlsext_supportedgroups_server_needs,
1878 .build = tlsext_supportedgroups_server_build,
1879 .parse = tlsext_supportedgroups_server_parse,
1880 },
1881 },
1882 {
1883 .type = TLSEXT_TYPE_session_ticket,
1884 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
1885 .client = {
1886 .needs = tlsext_sessionticket_client_needs,
1887 .build = tlsext_sessionticket_client_build,
1888 .parse = tlsext_sessionticket_client_parse,
1889 },
1890 .server = {
1891 .needs = tlsext_sessionticket_server_needs,
1892 .build = tlsext_sessionticket_server_build,
1893 .parse = tlsext_sessionticket_server_parse,
1894 },
1895 },
1896 {
1897 .type = TLSEXT_TYPE_signature_algorithms,
1898 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR,
1899 .client = {
1900 .needs = tlsext_sigalgs_client_needs,
1901 .build = tlsext_sigalgs_client_build,
1902 .parse = tlsext_sigalgs_client_parse,
1903 },
1904 .server = {
1905 .needs = tlsext_sigalgs_server_needs,
1906 .build = tlsext_sigalgs_server_build,
1907 .parse = tlsext_sigalgs_server_parse,
1908 },
1909 },
1910 {
1911 .type = TLSEXT_TYPE_application_layer_protocol_negotiation,
1912 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
1913 .client = {
1914 .needs = tlsext_alpn_client_needs,
1915 .build = tlsext_alpn_client_build,
1916 .parse = tlsext_alpn_client_parse,
1917 },
1918 .server = {
1919 .needs = tlsext_alpn_server_needs,
1920 .build = tlsext_alpn_server_build,
1921 .parse = tlsext_alpn_server_parse,
1922 },
1923 },
1924 {
1925 .type = TLSEXT_TYPE_cookie,
1926 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
1927 .client = {
1928 .needs = tlsext_cookie_client_needs,
1929 .build = tlsext_cookie_client_build,
1930 .parse = tlsext_cookie_client_parse,
1931 },
1932 .server = {
1933 .needs = tlsext_cookie_server_needs,
1934 .build = tlsext_cookie_server_build,
1935 .parse = tlsext_cookie_server_parse,
1936 },
1937 },
1938 #ifndef OPENSSL_NO_SRTP
1939 {
1940 .type = TLSEXT_TYPE_use_srtp,
1941 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ |
1942 SSL_TLSEXT_MSG_EE,
1943 .client = {
1944 .needs = tlsext_srtp_client_needs,
1945 .build = tlsext_srtp_client_build,
1946 .parse = tlsext_srtp_client_parse,
1947 },
1948 .server = {
1949 .needs = tlsext_srtp_server_needs,
1950 .build = tlsext_srtp_server_build,
1951 .parse = tlsext_srtp_server_parse,
1952 },
1953 }
1954 #endif /* OPENSSL_NO_SRTP */
1955 };
1956
1957 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
1958
1959 /* Ensure that extensions fit in a uint32_t bitmask. */
1960 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
1961
1962 const struct tls_extension *
tls_extension_find(uint16_t type,size_t * tls_extensions_idx)1963 tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
1964 {
1965 size_t i;
1966
1967 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1968 if (tls_extensions[i].type == type) {
1969 *tls_extensions_idx = i;
1970 return &tls_extensions[i];
1971 }
1972 }
1973
1974 return NULL;
1975 }
1976
1977 int
tlsext_extension_seen(SSL * s,uint16_t type)1978 tlsext_extension_seen(SSL *s, uint16_t type)
1979 {
1980 size_t idx;
1981
1982 if (tls_extension_find(type, &idx) == NULL)
1983 return 0;
1984 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0);
1985 }
1986
1987 static const struct tls_extension_funcs *
tlsext_funcs(const struct tls_extension * tlsext,int is_server)1988 tlsext_funcs(const struct tls_extension *tlsext, int is_server)
1989 {
1990 if (is_server)
1991 return &tlsext->server;
1992
1993 return &tlsext->client;
1994 }
1995
1996 static int
tlsext_build(SSL * s,int is_server,uint16_t msg_type,CBB * cbb)1997 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
1998 {
1999 const struct tls_extension_funcs *ext;
2000 const struct tls_extension *tlsext;
2001 CBB extensions, extension_data;
2002 int extensions_present = 0;
2003 uint16_t tls_version;
2004 size_t i;
2005
2006 tls_version = ssl_effective_tls_version(s);
2007
2008 if (!CBB_add_u16_length_prefixed(cbb, &extensions))
2009 return 0;
2010
2011 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2012 tlsext = &tls_extensions[i];
2013 ext = tlsext_funcs(tlsext, is_server);
2014
2015 /* RFC 8446 Section 4.2 */
2016 if (tls_version >= TLS1_3_VERSION &&
2017 !(tlsext->messages & msg_type))
2018 continue;
2019
2020 if (!ext->needs(s, msg_type))
2021 continue;
2022
2023 if (!CBB_add_u16(&extensions, tlsext->type))
2024 return 0;
2025 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
2026 return 0;
2027
2028 if (!ext->build(s, msg_type, &extension_data))
2029 return 0;
2030
2031 extensions_present = 1;
2032 }
2033
2034 if (!extensions_present &&
2035 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0)
2036 CBB_discard_child(cbb);
2037
2038 if (!CBB_flush(cbb))
2039 return 0;
2040
2041 return 1;
2042 }
2043
2044 int
tlsext_clienthello_hash_extension(SSL * s,uint16_t type,CBS * cbs)2045 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs)
2046 {
2047 /*
2048 * RFC 8446 4.1.2. For subsequent CH, early data will be removed,
2049 * cookie may be added, padding may be removed.
2050 */
2051 struct tls13_ctx *ctx = s->internal->tls13;
2052
2053 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie ||
2054 type == TLSEXT_TYPE_padding)
2055 return 1;
2056 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
2057 sizeof(type)))
2058 return 0;
2059 /*
2060 * key_share data may be changed, and pre_shared_key data may
2061 * be changed
2062 */
2063 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share)
2064 return 1;
2065 if (!tls13_clienthello_hash_update(ctx, cbs))
2066 return 0;
2067
2068 return 1;
2069 }
2070
2071 static int
tlsext_parse(SSL * s,int is_server,uint16_t msg_type,CBS * cbs,int * alert)2072 tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2073 {
2074 const struct tls_extension_funcs *ext;
2075 const struct tls_extension *tlsext;
2076 CBS extensions, extension_data;
2077 uint16_t type;
2078 size_t idx;
2079 uint16_t tls_version;
2080 int alert_desc;
2081
2082 tls_version = ssl_effective_tls_version(s);
2083
2084 S3I(s)->hs.extensions_seen = 0;
2085
2086 /* An empty extensions block is valid. */
2087 if (CBS_len(cbs) == 0)
2088 return 1;
2089
2090 alert_desc = SSL_AD_DECODE_ERROR;
2091
2092 if (!CBS_get_u16_length_prefixed(cbs, &extensions))
2093 goto err;
2094
2095 while (CBS_len(&extensions) > 0) {
2096 if (!CBS_get_u16(&extensions, &type))
2097 goto err;
2098 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
2099 goto err;
2100
2101 if (s->internal->tlsext_debug_cb != NULL)
2102 s->internal->tlsext_debug_cb(s, !is_server, type,
2103 (unsigned char *)CBS_data(&extension_data),
2104 CBS_len(&extension_data),
2105 s->internal->tlsext_debug_arg);
2106
2107 /* Unknown extensions are ignored. */
2108 if ((tlsext = tls_extension_find(type, &idx)) == NULL)
2109 continue;
2110
2111 if (tls_version >= TLS1_3_VERSION && is_server &&
2112 msg_type == SSL_TLSEXT_MSG_CH) {
2113 if (!tlsext_clienthello_hash_extension(s, type,
2114 &extension_data))
2115 goto err;
2116 }
2117
2118 /* RFC 8446 Section 4.2 */
2119 if (tls_version >= TLS1_3_VERSION &&
2120 !(tlsext->messages & msg_type)) {
2121 alert_desc = SSL_AD_ILLEGAL_PARAMETER;
2122 goto err;
2123 }
2124
2125 /* Check for duplicate known extensions. */
2126 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0)
2127 goto err;
2128 S3I(s)->hs.extensions_seen |= (1 << idx);
2129
2130 ext = tlsext_funcs(tlsext, is_server);
2131 if (!ext->parse(s, msg_type, &extension_data, &alert_desc))
2132 goto err;
2133
2134 if (CBS_len(&extension_data) != 0)
2135 goto err;
2136 }
2137
2138 return 1;
2139
2140 err:
2141 *alert = alert_desc;
2142
2143 return 0;
2144 }
2145
2146 static void
tlsext_server_reset_state(SSL * s)2147 tlsext_server_reset_state(SSL *s)
2148 {
2149 s->tlsext_status_type = -1;
2150 S3I(s)->renegotiate_seen = 0;
2151 free(S3I(s)->alpn_selected);
2152 S3I(s)->alpn_selected = NULL;
2153 S3I(s)->alpn_selected_len = 0;
2154 s->internal->srtp_profile = NULL;
2155 }
2156
2157 int
tlsext_server_build(SSL * s,uint16_t msg_type,CBB * cbb)2158 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
2159 {
2160 return tlsext_build(s, 1, msg_type, cbb);
2161 }
2162
2163 int
tlsext_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)2164 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2165 {
2166 /* XXX - this should be done by the caller... */
2167 if (msg_type == SSL_TLSEXT_MSG_CH)
2168 tlsext_server_reset_state(s);
2169
2170 return tlsext_parse(s, 1, msg_type, cbs, alert);
2171 }
2172
2173 static void
tlsext_client_reset_state(SSL * s)2174 tlsext_client_reset_state(SSL *s)
2175 {
2176 S3I(s)->renegotiate_seen = 0;
2177 free(S3I(s)->alpn_selected);
2178 S3I(s)->alpn_selected = NULL;
2179 S3I(s)->alpn_selected_len = 0;
2180 }
2181
2182 int
tlsext_client_build(SSL * s,uint16_t msg_type,CBB * cbb)2183 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
2184 {
2185 return tlsext_build(s, 0, msg_type, cbb);
2186 }
2187
2188 int
tlsext_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)2189 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2190 {
2191 /* XXX - this should be done by the caller... */
2192 if (msg_type == SSL_TLSEXT_MSG_SH)
2193 tlsext_client_reset_state(s);
2194
2195 return tlsext_parse(s, 0, msg_type, cbs, alert);
2196 }
2197