1 /* $OpenBSD: ssl_tlsext.c,v 1.63 2020/04/21 17:06:16 jsing Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <openssl/ocsp.h> 21 22 #include "ssl_locl.h" 23 24 #include "bytestring.h" 25 #include "ssl_sigalgs.h" 26 #include "ssl_tlsext.h" 27 28 /* 29 * Supported Application-Layer Protocol Negotiation - RFC 7301 30 */ 31 32 int 33 tlsext_alpn_client_needs(SSL *s) 34 { 35 /* ALPN protos have been specified and this is the initial handshake */ 36 return s->internal->alpn_client_proto_list != NULL && 37 S3I(s)->tmp.finish_md_len == 0; 38 } 39 40 int 41 tlsext_alpn_client_build(SSL *s, CBB *cbb) 42 { 43 CBB protolist; 44 45 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 46 return 0; 47 48 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 49 s->internal->alpn_client_proto_list_len)) 50 return 0; 51 52 if (!CBB_flush(cbb)) 53 return 0; 54 55 return 1; 56 } 57 58 int 59 tlsext_alpn_server_parse(SSL *s, CBS *cbs, int *alert) 60 { 61 CBS proto_name_list, alpn; 62 const unsigned char *selected; 63 unsigned char selected_len; 64 int r; 65 66 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 67 goto err; 68 if (CBS_len(&alpn) < 2) 69 goto err; 70 if (CBS_len(cbs) != 0) 71 goto err; 72 73 CBS_dup(&alpn, &proto_name_list); 74 while (CBS_len(&proto_name_list) > 0) { 75 CBS proto_name; 76 77 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 78 goto err; 79 if (CBS_len(&proto_name) == 0) 80 goto err; 81 } 82 83 if (s->ctx->internal->alpn_select_cb == NULL) 84 return 1; 85 86 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 87 CBS_data(&alpn), CBS_len(&alpn), 88 s->ctx->internal->alpn_select_cb_arg); 89 if (r == SSL_TLSEXT_ERR_OK) { 90 free(S3I(s)->alpn_selected); 91 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 92 *alert = SSL_AD_INTERNAL_ERROR; 93 return 0; 94 } 95 memcpy(S3I(s)->alpn_selected, selected, selected_len); 96 S3I(s)->alpn_selected_len = selected_len; 97 } 98 99 return 1; 100 101 err: 102 *alert = SSL_AD_DECODE_ERROR; 103 return 0; 104 } 105 106 int 107 tlsext_alpn_server_needs(SSL *s) 108 { 109 return S3I(s)->alpn_selected != NULL; 110 } 111 112 int 113 tlsext_alpn_server_build(SSL *s, CBB *cbb) 114 { 115 CBB list, selected; 116 117 if (!CBB_add_u16_length_prefixed(cbb, &list)) 118 return 0; 119 120 if (!CBB_add_u8_length_prefixed(&list, &selected)) 121 return 0; 122 123 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 124 S3I(s)->alpn_selected_len)) 125 return 0; 126 127 if (!CBB_flush(cbb)) 128 return 0; 129 130 return 1; 131 } 132 133 int 134 tlsext_alpn_client_parse(SSL *s, CBS *cbs, int *alert) 135 { 136 CBS list, proto; 137 138 if (s->internal->alpn_client_proto_list == NULL) { 139 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 140 return 0; 141 } 142 143 if (!CBS_get_u16_length_prefixed(cbs, &list)) 144 goto err; 145 if (CBS_len(cbs) != 0) 146 goto err; 147 148 if (!CBS_get_u8_length_prefixed(&list, &proto)) 149 goto err; 150 151 if (CBS_len(&list) != 0) 152 goto err; 153 if (CBS_len(&proto) == 0) 154 goto err; 155 156 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 157 &(S3I(s)->alpn_selected_len))) 158 goto err; 159 160 return 1; 161 162 err: 163 *alert = TLS1_AD_DECODE_ERROR; 164 return 0; 165 } 166 167 /* 168 * Supported Groups - RFC 7919 section 2 169 */ 170 int 171 tlsext_supportedgroups_client_needs(SSL *s) 172 { 173 return ssl_has_ecc_ciphers(s) || 174 (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 175 } 176 177 int 178 tlsext_supportedgroups_client_build(SSL *s, CBB *cbb) 179 { 180 const uint16_t *groups; 181 size_t groups_len; 182 CBB grouplist; 183 int i; 184 185 tls1_get_group_list(s, 0, &groups, &groups_len); 186 if (groups_len == 0) { 187 SSLerror(s, ERR_R_INTERNAL_ERROR); 188 return 0; 189 } 190 191 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 192 return 0; 193 194 for (i = 0; i < groups_len; i++) { 195 if (!CBB_add_u16(&grouplist, groups[i])) 196 return 0; 197 } 198 199 if (!CBB_flush(cbb)) 200 return 0; 201 202 return 1; 203 } 204 205 int 206 tlsext_supportedgroups_server_parse(SSL *s, CBS *cbs, int *alert) 207 { 208 CBS grouplist; 209 size_t groups_len; 210 211 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 212 goto err; 213 if (CBS_len(cbs) != 0) 214 goto err; 215 216 groups_len = CBS_len(&grouplist); 217 if (groups_len == 0 || groups_len % 2 != 0) 218 goto err; 219 groups_len /= 2; 220 221 if (!s->internal->hit) { 222 uint16_t *groups; 223 int i; 224 225 if (SSI(s)->tlsext_supportedgroups != NULL) 226 goto err; 227 228 if ((groups = reallocarray(NULL, groups_len, 229 sizeof(uint16_t))) == NULL) { 230 *alert = TLS1_AD_INTERNAL_ERROR; 231 return 0; 232 } 233 234 for (i = 0; i < groups_len; i++) { 235 if (!CBS_get_u16(&grouplist, &groups[i])) { 236 free(groups); 237 goto err; 238 } 239 } 240 241 if (CBS_len(&grouplist) != 0) { 242 free(groups); 243 goto err; 244 } 245 246 SSI(s)->tlsext_supportedgroups = groups; 247 SSI(s)->tlsext_supportedgroups_length = groups_len; 248 } 249 250 return 1; 251 252 err: 253 *alert = TLS1_AD_DECODE_ERROR; 254 return 0; 255 } 256 257 /* This extension is never used by the server. */ 258 int 259 tlsext_supportedgroups_server_needs(SSL *s) 260 { 261 return 0; 262 } 263 264 int 265 tlsext_supportedgroups_server_build(SSL *s, CBB *cbb) 266 { 267 return 0; 268 } 269 270 int 271 tlsext_supportedgroups_client_parse(SSL *s, CBS *cbs, int *alert) 272 { 273 /* 274 * Servers should not send this extension per the RFC. 275 * 276 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 277 * from at least 2014 but as of 2017, there are still large sites with 278 * this unpatched in production. As a result, we need to currently skip 279 * over the extension and ignore its content: 280 * 281 * https://support.f5.com/csp/article/K37345003 282 */ 283 if (!CBS_skip(cbs, CBS_len(cbs))) { 284 *alert = TLS1_AD_INTERNAL_ERROR; 285 return 0; 286 } 287 288 return 1; 289 } 290 291 /* 292 * Supported Point Formats Extension - RFC 4492 section 5.1.2 293 */ 294 static int 295 tlsext_ecpf_build(SSL *s, CBB *cbb) 296 { 297 CBB ecpf; 298 size_t formats_len; 299 const uint8_t *formats; 300 301 tls1_get_formatlist(s, 0, &formats, &formats_len); 302 303 if (formats_len == 0) { 304 SSLerror(s, ERR_R_INTERNAL_ERROR); 305 return 0; 306 } 307 308 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 309 return 0; 310 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 311 return 0; 312 if (!CBB_flush(cbb)) 313 return 0; 314 315 return 1; 316 } 317 318 static int 319 tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert) 320 { 321 CBS ecpf; 322 323 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 324 goto err; 325 if (CBS_len(&ecpf) == 0) 326 goto err; 327 if (CBS_len(cbs) != 0) 328 goto err; 329 330 /* Must contain uncompressed (0) */ 331 if (!CBS_contains_zero_byte(&ecpf)) { 332 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 333 goto err; 334 } 335 336 if (!s->internal->hit) { 337 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 338 &(SSI(s)->tlsext_ecpointformatlist_length))) { 339 *alert = TLS1_AD_INTERNAL_ERROR; 340 return 0; 341 } 342 } 343 344 return 1; 345 346 err: 347 *alert = SSL_AD_DECODE_ERROR; 348 return 0; 349 } 350 351 int 352 tlsext_ecpf_client_needs(SSL *s) 353 { 354 return ssl_has_ecc_ciphers(s); 355 } 356 357 int 358 tlsext_ecpf_client_build(SSL *s, CBB *cbb) 359 { 360 return tlsext_ecpf_build(s, cbb); 361 } 362 363 int 364 tlsext_ecpf_server_parse(SSL *s, CBS *cbs, int *alert) 365 { 366 return tlsext_ecpf_parse(s, cbs, alert); 367 } 368 369 int 370 tlsext_ecpf_server_needs(SSL *s) 371 { 372 if (s->version == DTLS1_VERSION) 373 return 0; 374 375 return ssl_using_ecc_cipher(s); 376 } 377 378 int 379 tlsext_ecpf_server_build(SSL *s, CBB *cbb) 380 { 381 return tlsext_ecpf_build(s, cbb); 382 } 383 384 int 385 tlsext_ecpf_client_parse(SSL *s, CBS *cbs, int *alert) 386 { 387 return tlsext_ecpf_parse(s, cbs, alert); 388 } 389 390 /* 391 * Renegotiation Indication - RFC 5746. 392 */ 393 int 394 tlsext_ri_client_needs(SSL *s) 395 { 396 return (s->internal->renegotiate); 397 } 398 399 int 400 tlsext_ri_client_build(SSL *s, CBB *cbb) 401 { 402 CBB reneg; 403 404 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 405 return 0; 406 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 407 S3I(s)->previous_client_finished_len)) 408 return 0; 409 if (!CBB_flush(cbb)) 410 return 0; 411 412 return 1; 413 } 414 415 int 416 tlsext_ri_server_parse(SSL *s, CBS *cbs, int *alert) 417 { 418 CBS reneg; 419 420 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 421 goto err; 422 if (CBS_len(cbs) != 0) 423 goto err; 424 425 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 426 S3I(s)->previous_client_finished_len)) { 427 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 428 *alert = SSL_AD_HANDSHAKE_FAILURE; 429 return 0; 430 } 431 432 S3I(s)->renegotiate_seen = 1; 433 S3I(s)->send_connection_binding = 1; 434 435 return 1; 436 437 err: 438 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 439 *alert = SSL_AD_DECODE_ERROR; 440 return 0; 441 } 442 443 int 444 tlsext_ri_server_needs(SSL *s) 445 { 446 return (s->version < TLS1_3_VERSION && S3I(s)->send_connection_binding); 447 } 448 449 int 450 tlsext_ri_server_build(SSL *s, CBB *cbb) 451 { 452 CBB reneg; 453 454 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 455 return 0; 456 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 457 S3I(s)->previous_client_finished_len)) 458 return 0; 459 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 460 S3I(s)->previous_server_finished_len)) 461 return 0; 462 if (!CBB_flush(cbb)) 463 return 0; 464 465 return 1; 466 } 467 468 int 469 tlsext_ri_client_parse(SSL *s, CBS *cbs, int *alert) 470 { 471 CBS reneg, prev_client, prev_server; 472 473 /* 474 * Ensure that the previous client and server values are both not 475 * present, or that they are both present. 476 */ 477 if ((S3I(s)->previous_client_finished_len == 0 && 478 S3I(s)->previous_server_finished_len != 0) || 479 (S3I(s)->previous_client_finished_len != 0 && 480 S3I(s)->previous_server_finished_len == 0)) { 481 *alert = TLS1_AD_INTERNAL_ERROR; 482 return 0; 483 } 484 485 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 486 goto err; 487 if (!CBS_get_bytes(&reneg, &prev_client, 488 S3I(s)->previous_client_finished_len)) 489 goto err; 490 if (!CBS_get_bytes(&reneg, &prev_server, 491 S3I(s)->previous_server_finished_len)) 492 goto err; 493 if (CBS_len(&reneg) != 0) 494 goto err; 495 if (CBS_len(cbs) != 0) 496 goto err; 497 498 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 499 S3I(s)->previous_client_finished_len)) { 500 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 501 *alert = SSL_AD_HANDSHAKE_FAILURE; 502 return 0; 503 } 504 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 505 S3I(s)->previous_server_finished_len)) { 506 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 507 *alert = SSL_AD_HANDSHAKE_FAILURE; 508 return 0; 509 } 510 511 S3I(s)->renegotiate_seen = 1; 512 S3I(s)->send_connection_binding = 1; 513 514 return 1; 515 516 err: 517 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 518 *alert = SSL_AD_DECODE_ERROR; 519 return 0; 520 } 521 522 /* 523 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 524 */ 525 int 526 tlsext_sigalgs_client_needs(SSL *s) 527 { 528 return (TLS1_get_client_version(s) >= TLS1_2_VERSION); 529 } 530 531 int 532 tlsext_sigalgs_client_build(SSL *s, CBB *cbb) 533 { 534 uint16_t *tls_sigalgs = tls12_sigalgs; 535 size_t tls_sigalgs_len = tls12_sigalgs_len; 536 CBB sigalgs; 537 538 if (TLS1_get_client_version(s) >= TLS1_3_VERSION && 539 S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) { 540 tls_sigalgs = tls13_sigalgs; 541 tls_sigalgs_len = tls13_sigalgs_len; 542 } 543 544 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 545 return 0; 546 547 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 548 return 0; 549 550 if (!CBB_flush(cbb)) 551 return 0; 552 553 return 1; 554 } 555 556 int 557 tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert) 558 { 559 CBS sigalgs; 560 561 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 562 return 0; 563 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 564 return 0; 565 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 566 return 0; 567 568 return 1; 569 } 570 571 int 572 tlsext_sigalgs_server_needs(SSL *s) 573 { 574 return (s->version >= TLS1_3_VERSION); 575 } 576 577 int 578 tlsext_sigalgs_server_build(SSL *s, CBB *cbb) 579 { 580 uint16_t *tls_sigalgs = tls12_sigalgs; 581 size_t tls_sigalgs_len = tls12_sigalgs_len; 582 CBB sigalgs; 583 584 if (s->version >= TLS1_3_VERSION) { 585 tls_sigalgs = tls13_sigalgs; 586 tls_sigalgs_len = tls13_sigalgs_len; 587 } 588 589 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 590 return 0; 591 592 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 593 return 0; 594 595 if (!CBB_flush(cbb)) 596 return 0; 597 598 return 1; 599 } 600 601 int 602 tlsext_sigalgs_client_parse(SSL *s, CBS *cbs, int *alert) 603 { 604 CBS sigalgs; 605 606 if (s->version < TLS1_3_VERSION) 607 return 0; 608 609 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 610 return 0; 611 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 612 return 0; 613 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 614 return 0; 615 616 return 1; 617 } 618 619 /* 620 * Server Name Indication - RFC 6066, section 3. 621 */ 622 int 623 tlsext_sni_client_needs(SSL *s) 624 { 625 return (s->tlsext_hostname != NULL); 626 } 627 628 int 629 tlsext_sni_client_build(SSL *s, CBB *cbb) 630 { 631 CBB server_name_list, host_name; 632 633 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 634 return 0; 635 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 636 return 0; 637 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 638 return 0; 639 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 640 strlen(s->tlsext_hostname))) 641 return 0; 642 if (!CBB_flush(cbb)) 643 return 0; 644 645 return 1; 646 } 647 648 int 649 tlsext_sni_server_parse(SSL *s, CBS *cbs, int *alert) 650 { 651 CBS server_name_list, host_name; 652 uint8_t name_type; 653 654 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 655 goto err; 656 657 /* 658 * RFC 6066 section 3 forbids multiple host names with the same type. 659 * Additionally, only one type (host_name) is specified. 660 */ 661 if (!CBS_get_u8(&server_name_list, &name_type)) 662 goto err; 663 if (name_type != TLSEXT_NAMETYPE_host_name) 664 goto err; 665 666 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 667 goto err; 668 if (CBS_len(&host_name) == 0 || 669 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || 670 CBS_contains_zero_byte(&host_name)) { 671 *alert = TLS1_AD_UNRECOGNIZED_NAME; 672 return 0; 673 } 674 675 if (s->internal->hit) { 676 if (s->session->tlsext_hostname == NULL) { 677 *alert = TLS1_AD_UNRECOGNIZED_NAME; 678 return 0; 679 } 680 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 681 strlen(s->session->tlsext_hostname))) { 682 *alert = TLS1_AD_UNRECOGNIZED_NAME; 683 return 0; 684 } 685 } else { 686 if (s->session->tlsext_hostname != NULL) 687 goto err; 688 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 689 *alert = TLS1_AD_INTERNAL_ERROR; 690 return 0; 691 } 692 } 693 694 if (CBS_len(&server_name_list) != 0) 695 goto err; 696 if (CBS_len(cbs) != 0) 697 goto err; 698 699 return 1; 700 701 err: 702 *alert = SSL_AD_DECODE_ERROR; 703 return 0; 704 } 705 706 int 707 tlsext_sni_server_needs(SSL *s) 708 { 709 if (s->internal->hit) 710 return 0; 711 712 return (s->session->tlsext_hostname != NULL); 713 } 714 715 int 716 tlsext_sni_server_build(SSL *s, CBB *cbb) 717 { 718 return 1; 719 } 720 721 int 722 tlsext_sni_client_parse(SSL *s, CBS *cbs, int *alert) 723 { 724 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 725 *alert = TLS1_AD_UNRECOGNIZED_NAME; 726 return 0; 727 } 728 729 if (s->internal->hit) { 730 if (s->session->tlsext_hostname == NULL) { 731 *alert = TLS1_AD_UNRECOGNIZED_NAME; 732 return 0; 733 } 734 if (strcmp(s->tlsext_hostname, 735 s->session->tlsext_hostname) != 0) { 736 *alert = TLS1_AD_UNRECOGNIZED_NAME; 737 return 0; 738 } 739 } else { 740 if (s->session->tlsext_hostname != NULL) { 741 *alert = SSL_AD_DECODE_ERROR; 742 return 0; 743 } 744 if ((s->session->tlsext_hostname = 745 strdup(s->tlsext_hostname)) == NULL) { 746 *alert = TLS1_AD_INTERNAL_ERROR; 747 return 0; 748 } 749 } 750 751 return 1; 752 } 753 754 755 /* 756 *Certificate Status Request - RFC 6066 section 8. 757 */ 758 759 int 760 tlsext_ocsp_client_needs(SSL *s) 761 { 762 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 763 s->version != DTLS1_VERSION); 764 } 765 766 int 767 tlsext_ocsp_client_build(SSL *s, CBB *cbb) 768 { 769 CBB respid_list, respid, exts; 770 unsigned char *ext_data; 771 size_t ext_len; 772 int i; 773 774 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 775 return 0; 776 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 777 return 0; 778 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 779 unsigned char *respid_data; 780 OCSP_RESPID *id; 781 size_t id_len; 782 783 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 784 i)) == NULL) 785 return 0; 786 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 787 return 0; 788 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 789 return 0; 790 if (!CBB_add_space(&respid, &respid_data, id_len)) 791 return 0; 792 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 793 return 0; 794 } 795 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 796 return 0; 797 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 798 NULL)) == -1) 799 return 0; 800 if (!CBB_add_space(&exts, &ext_data, ext_len)) 801 return 0; 802 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 803 ext_len)) 804 return 0; 805 if (!CBB_flush(cbb)) 806 return 0; 807 return 1; 808 } 809 810 int 811 tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert) 812 { 813 int alert_desc = SSL_AD_DECODE_ERROR; 814 CBS respid_list, respid, exts; 815 const unsigned char *p; 816 uint8_t status_type; 817 int ret = 0; 818 819 if (!CBS_get_u8(cbs, &status_type)) 820 goto err; 821 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 822 /* ignore unknown status types */ 823 s->tlsext_status_type = -1; 824 825 if (!CBS_skip(cbs, CBS_len(cbs))) { 826 *alert = TLS1_AD_INTERNAL_ERROR; 827 return 0; 828 } 829 return 1; 830 } 831 s->tlsext_status_type = status_type; 832 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 833 goto err; 834 835 /* XXX */ 836 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 837 s->internal->tlsext_ocsp_ids = NULL; 838 if (CBS_len(&respid_list) > 0) { 839 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 840 if (s->internal->tlsext_ocsp_ids == NULL) { 841 alert_desc = SSL_AD_INTERNAL_ERROR; 842 goto err; 843 } 844 } 845 846 while (CBS_len(&respid_list) > 0) { 847 OCSP_RESPID *id; 848 849 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 850 goto err; 851 p = CBS_data(&respid); 852 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 853 goto err; 854 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 855 alert_desc = SSL_AD_INTERNAL_ERROR; 856 OCSP_RESPID_free(id); 857 goto err; 858 } 859 } 860 861 /* Read in request_extensions */ 862 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 863 goto err; 864 if (CBS_len(&exts) > 0) { 865 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 866 X509_EXTENSION_free); 867 p = CBS_data(&exts); 868 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 869 &p, CBS_len(&exts))) == NULL) 870 goto err; 871 } 872 873 /* should be nothing left */ 874 if (CBS_len(cbs) > 0) 875 goto err; 876 877 ret = 1; 878 err: 879 if (ret == 0) 880 *alert = alert_desc; 881 return ret; 882 } 883 884 int 885 tlsext_ocsp_server_needs(SSL *s) 886 { 887 return s->internal->tlsext_status_expected; 888 } 889 890 int 891 tlsext_ocsp_server_build(SSL *s, CBB *cbb) 892 { 893 return 1; 894 } 895 896 int 897 tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert) 898 { 899 if (s->tlsext_status_type == -1) { 900 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 901 return 0; 902 } 903 /* Set flag to expect CertificateStatus message */ 904 s->internal->tlsext_status_expected = 1; 905 return 1; 906 } 907 908 /* 909 * SessionTicket extension - RFC 5077 section 3.2 910 */ 911 int 912 tlsext_sessionticket_client_needs(SSL *s) 913 { 914 /* 915 * Send session ticket extension when enabled and not overridden. 916 * 917 * When renegotiating, send an empty session ticket to indicate support. 918 */ 919 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 920 return 0; 921 922 if (s->internal->new_session) 923 return 1; 924 925 if (s->internal->tlsext_session_ticket != NULL && 926 s->internal->tlsext_session_ticket->data == NULL) 927 return 0; 928 929 return 1; 930 } 931 932 int 933 tlsext_sessionticket_client_build(SSL *s, CBB *cbb) 934 { 935 /* 936 * Signal that we support session tickets by sending an empty 937 * extension when renegotiating or no session found. 938 */ 939 if (s->internal->new_session || s->session == NULL) 940 return 1; 941 942 if (s->session->tlsext_tick != NULL) { 943 /* Attempt to resume with an existing session ticket */ 944 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 945 s->session->tlsext_ticklen)) 946 return 0; 947 948 } else if (s->internal->tlsext_session_ticket != NULL) { 949 /* 950 * Attempt to resume with a custom provided session ticket set 951 * by SSL_set_session_ticket_ext(). 952 */ 953 if (s->internal->tlsext_session_ticket->length > 0) { 954 size_t ticklen = s->internal->tlsext_session_ticket->length; 955 956 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 957 return 0; 958 memcpy(s->session->tlsext_tick, 959 s->internal->tlsext_session_ticket->data, 960 ticklen); 961 s->session->tlsext_ticklen = ticklen; 962 963 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 964 s->session->tlsext_ticklen)) 965 return 0; 966 } 967 } 968 969 if (!CBB_flush(cbb)) 970 return 0; 971 972 return 1; 973 } 974 975 int 976 tlsext_sessionticket_server_parse(SSL *s, CBS *cbs, int *alert) 977 { 978 if (s->internal->tls_session_ticket_ext_cb) { 979 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 980 (int)CBS_len(cbs), 981 s->internal->tls_session_ticket_ext_cb_arg)) { 982 *alert = TLS1_AD_INTERNAL_ERROR; 983 return 0; 984 } 985 } 986 987 /* We need to signal that this was processed fully */ 988 if (!CBS_skip(cbs, CBS_len(cbs))) { 989 *alert = TLS1_AD_INTERNAL_ERROR; 990 return 0; 991 } 992 993 return 1; 994 } 995 996 int 997 tlsext_sessionticket_server_needs(SSL *s) 998 { 999 return (s->internal->tlsext_ticket_expected && 1000 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 1001 } 1002 1003 int 1004 tlsext_sessionticket_server_build(SSL *s, CBB *cbb) 1005 { 1006 /* Empty ticket */ 1007 return 1; 1008 } 1009 1010 int 1011 tlsext_sessionticket_client_parse(SSL *s, CBS *cbs, int *alert) 1012 { 1013 if (s->internal->tls_session_ticket_ext_cb) { 1014 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1015 (int)CBS_len(cbs), 1016 s->internal->tls_session_ticket_ext_cb_arg)) { 1017 *alert = TLS1_AD_INTERNAL_ERROR; 1018 return 0; 1019 } 1020 } 1021 1022 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1023 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1024 return 0; 1025 } 1026 1027 s->internal->tlsext_ticket_expected = 1; 1028 1029 return 1; 1030 } 1031 1032 /* 1033 * DTLS extension for SRTP key establishment - RFC 5764 1034 */ 1035 1036 #ifndef OPENSSL_NO_SRTP 1037 1038 int 1039 tlsext_srtp_client_needs(SSL *s) 1040 { 1041 return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL; 1042 } 1043 1044 int 1045 tlsext_srtp_client_build(SSL *s, CBB *cbb) 1046 { 1047 CBB profiles, mki; 1048 int ct, i; 1049 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1050 SRTP_PROTECTION_PROFILE *prof; 1051 1052 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1053 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1054 return 0; 1055 } 1056 1057 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1058 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1059 return 0; 1060 } 1061 1062 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1063 return 0; 1064 1065 for (i = 0; i < ct; i++) { 1066 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1067 return 0; 1068 if (!CBB_add_u16(&profiles, prof->id)) 1069 return 0; 1070 } 1071 1072 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1073 return 0; 1074 1075 if (!CBB_flush(cbb)) 1076 return 0; 1077 1078 return 1; 1079 } 1080 1081 int 1082 tlsext_srtp_server_parse(SSL *s, CBS *cbs, int *alert) 1083 { 1084 SRTP_PROTECTION_PROFILE *cprof, *sprof; 1085 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1086 int i, j; 1087 int ret; 1088 uint16_t id; 1089 CBS profiles, mki; 1090 1091 ret = 0; 1092 1093 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1094 goto err; 1095 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1096 goto err; 1097 1098 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1099 goto err; 1100 1101 while (CBS_len(&profiles) > 0) { 1102 if (!CBS_get_u16(&profiles, &id)) 1103 goto err; 1104 1105 if (!srtp_find_profile_by_num(id, &cprof)) { 1106 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1107 goto err; 1108 } 1109 } 1110 1111 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1112 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1113 *alert = SSL_AD_DECODE_ERROR; 1114 goto done; 1115 } 1116 if (CBS_len(cbs) != 0) 1117 goto err; 1118 1119 /* 1120 * Per RFC 5764 section 4.1.1 1121 * 1122 * Find the server preferred profile using the client's list. 1123 * 1124 * The server MUST send a profile if it sends the use_srtp 1125 * extension. If one is not found, it should fall back to the 1126 * negotiated DTLS cipher suite or return a DTLS alert. 1127 */ 1128 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1129 goto err; 1130 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1131 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1132 == NULL) 1133 goto err; 1134 1135 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1136 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1137 == NULL) 1138 goto err; 1139 1140 if (cprof->id == sprof->id) { 1141 s->internal->srtp_profile = sprof; 1142 ret = 1; 1143 goto done; 1144 } 1145 } 1146 } 1147 1148 /* If we didn't find anything, fall back to the negotiated */ 1149 ret = 1; 1150 goto done; 1151 1152 err: 1153 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1154 *alert = SSL_AD_DECODE_ERROR; 1155 1156 done: 1157 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1158 return ret; 1159 } 1160 1161 int 1162 tlsext_srtp_server_needs(SSL *s) 1163 { 1164 return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL; 1165 } 1166 1167 int 1168 tlsext_srtp_server_build(SSL *s, CBB *cbb) 1169 { 1170 SRTP_PROTECTION_PROFILE *profile; 1171 CBB srtp, mki; 1172 1173 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1174 return 0; 1175 1176 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1177 return 0; 1178 1179 if (!CBB_add_u16(&srtp, profile->id)) 1180 return 0; 1181 1182 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1183 return 0; 1184 1185 if (!CBB_flush(cbb)) 1186 return 0; 1187 1188 return 1; 1189 } 1190 1191 int 1192 tlsext_srtp_client_parse(SSL *s, CBS *cbs, int *alert) 1193 { 1194 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1195 SRTP_PROTECTION_PROFILE *prof; 1196 int i; 1197 uint16_t id; 1198 CBS profile_ids, mki; 1199 1200 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1201 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1202 goto err; 1203 } 1204 1205 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1206 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1207 goto err; 1208 } 1209 1210 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1211 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1212 *alert = SSL_AD_ILLEGAL_PARAMETER; 1213 return 0; 1214 } 1215 1216 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1217 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1218 goto err; 1219 } 1220 1221 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1222 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1223 == NULL) { 1224 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1225 goto err; 1226 } 1227 1228 if (prof->id == id) { 1229 s->internal->srtp_profile = prof; 1230 return 1; 1231 } 1232 } 1233 1234 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1235 err: 1236 *alert = SSL_AD_DECODE_ERROR; 1237 return 0; 1238 } 1239 1240 #endif /* OPENSSL_NO_SRTP */ 1241 1242 /* 1243 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1244 */ 1245 int 1246 tlsext_keyshare_client_needs(SSL *s) 1247 { 1248 /* XXX once this gets initialized when we get tls13_client.c */ 1249 if (S3I(s)->hs_tls13.max_version == 0) 1250 return 0; 1251 return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= 1252 TLS1_3_VERSION); 1253 } 1254 1255 int 1256 tlsext_keyshare_client_build(SSL *s, CBB *cbb) 1257 { 1258 CBB client_shares; 1259 1260 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1261 return 0; 1262 1263 if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, 1264 &client_shares)) 1265 return 0; 1266 1267 if (!CBB_flush(cbb)) 1268 return 0; 1269 1270 return 1; 1271 } 1272 1273 int 1274 tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert) 1275 { 1276 CBS client_shares, key_exchange; 1277 uint16_t group; 1278 1279 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1280 goto err; 1281 1282 while (CBS_len(&client_shares) > 0) { 1283 1284 /* Unpack client share. */ 1285 if (!CBS_get_u16(&client_shares, &group)) 1286 goto err; 1287 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1288 return 0; 1289 1290 /* 1291 * XXX - check key exchange against supported groups from client. 1292 * XXX - check that groups only appear once. 1293 */ 1294 1295 /* 1296 * Ignore this client share if we're using earlier than TLSv1.3 1297 * or we've already selected a key share. 1298 */ 1299 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1300 continue; 1301 if (S3I(s)->hs_tls13.key_share != NULL) 1302 continue; 1303 1304 /* XXX - consider implementing server preference. */ 1305 if (!tls1_check_curve(s, group)) 1306 continue; 1307 1308 /* Decode and store the selected key share. */ 1309 S3I(s)->hs_tls13.key_share = tls13_key_share_new(group); 1310 if (S3I(s)->hs_tls13.key_share == NULL) 1311 goto err; 1312 if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, 1313 group, &key_exchange)) 1314 goto err; 1315 } 1316 1317 return 1; 1318 1319 err: 1320 *alert = SSL_AD_DECODE_ERROR; 1321 return 0; 1322 } 1323 1324 int 1325 tlsext_keyshare_server_needs(SSL *s) 1326 { 1327 if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION) 1328 return 0; 1329 1330 return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); 1331 } 1332 1333 int 1334 tlsext_keyshare_server_build(SSL *s, CBB *cbb) 1335 { 1336 if (S3I(s)->hs_tls13.key_share == NULL) 1337 return 0; 1338 1339 if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb)) 1340 return 0; 1341 1342 return 1; 1343 } 1344 1345 int 1346 tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert) 1347 { 1348 CBS key_exchange; 1349 uint16_t group; 1350 1351 /* Unpack server share. */ 1352 if (!CBS_get_u16(cbs, &group)) 1353 goto err; 1354 1355 if (CBS_len(cbs) == 0) { 1356 /* HRR does not include an actual key share. */ 1357 /* XXX - we should know that we are in a HRR... */ 1358 S3I(s)->hs_tls13.server_group = group; 1359 return 1; 1360 } 1361 1362 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1363 return 0; 1364 1365 if (S3I(s)->hs_tls13.key_share == NULL) 1366 return 0; 1367 1368 if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, 1369 group, &key_exchange)) 1370 goto err; 1371 1372 return 1; 1373 1374 err: 1375 *alert = SSL_AD_DECODE_ERROR; 1376 return 0; 1377 } 1378 1379 /* 1380 * Supported Versions - RFC 8446 section 4.2.1. 1381 */ 1382 int 1383 tlsext_versions_client_needs(SSL *s) 1384 { 1385 if (SSL_IS_DTLS(s)) 1386 return 0; 1387 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 1388 } 1389 1390 int 1391 tlsext_versions_client_build(SSL *s, CBB *cbb) 1392 { 1393 uint16_t max, min; 1394 uint16_t version; 1395 CBB versions; 1396 1397 max = S3I(s)->hs_tls13.max_version; 1398 min = S3I(s)->hs_tls13.min_version; 1399 1400 if (min < TLS1_VERSION) 1401 return 0; 1402 1403 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1404 return 0; 1405 1406 /* XXX - fix, but contiguous for now... */ 1407 for (version = max; version >= min; version--) { 1408 if (!CBB_add_u16(&versions, version)) 1409 return 0; 1410 } 1411 1412 if (!CBB_flush(cbb)) 1413 return 0; 1414 1415 return 1; 1416 } 1417 1418 int 1419 tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert) 1420 { 1421 CBS versions; 1422 uint16_t version; 1423 uint16_t max, min; 1424 uint16_t matched_version = 0; 1425 1426 max = S3I(s)->hs_tls13.max_version; 1427 min = S3I(s)->hs_tls13.min_version; 1428 1429 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1430 goto err; 1431 1432 while (CBS_len(&versions) > 0) { 1433 if (!CBS_get_u16(&versions, &version)) 1434 goto err; 1435 /* 1436 * XXX What is below implements client preference, and 1437 * ignores any server preference entirely. 1438 */ 1439 if (matched_version == 0 && version >= min && version <= max) 1440 matched_version = version; 1441 } 1442 1443 /* 1444 * XXX if we haven't matched a version we should 1445 * fail - but we currently need to succeed to 1446 * ignore this before the server code for 1.3 1447 * is set up and initialized. 1448 */ 1449 if (max == 0) 1450 return 1; /* XXX */ 1451 1452 if (matched_version != 0) { 1453 s->version = matched_version; 1454 return 1; 1455 } 1456 1457 *alert = SSL_AD_PROTOCOL_VERSION; 1458 return 0; 1459 1460 err: 1461 *alert = SSL_AD_DECODE_ERROR; 1462 return 0; 1463 } 1464 1465 int 1466 tlsext_versions_server_needs(SSL *s) 1467 { 1468 return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); 1469 } 1470 1471 int 1472 tlsext_versions_server_build(SSL *s, CBB *cbb) 1473 { 1474 if (!CBB_add_u16(cbb, TLS1_3_VERSION)) 1475 return 0; 1476 /* XXX set 1.2 in legacy version? */ 1477 1478 return 1; 1479 } 1480 1481 int 1482 tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert) 1483 { 1484 uint16_t selected_version; 1485 1486 if (!CBS_get_u16(cbs, &selected_version)) { 1487 *alert = SSL_AD_DECODE_ERROR; 1488 return 0; 1489 } 1490 1491 if (selected_version < TLS1_3_VERSION) { 1492 *alert = SSL_AD_ILLEGAL_PARAMETER; 1493 return 0; 1494 } 1495 1496 /* XXX test between min and max once initialization code goes in */ 1497 S3I(s)->hs_tls13.server_version = selected_version; 1498 1499 return 1; 1500 } 1501 1502 1503 /* 1504 * Cookie - RFC 8446 section 4.2.2. 1505 */ 1506 1507 int 1508 tlsext_cookie_client_needs(SSL *s) 1509 { 1510 if (SSL_IS_DTLS(s)) 1511 return 0; 1512 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1513 return 0; 1514 return (S3I(s)->hs_tls13.cookie_len > 0 && 1515 S3I(s)->hs_tls13.cookie != NULL); 1516 } 1517 1518 int 1519 tlsext_cookie_client_build(SSL *s, CBB *cbb) 1520 { 1521 CBB cookie; 1522 1523 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1524 return 0; 1525 1526 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1527 S3I(s)->hs_tls13.cookie_len)) 1528 return 0; 1529 1530 if (!CBB_flush(cbb)) 1531 return 0; 1532 1533 return 1; 1534 } 1535 1536 int 1537 tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert) 1538 { 1539 CBS cookie; 1540 1541 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1542 goto err; 1543 1544 if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len) 1545 goto err; 1546 1547 /* 1548 * Check provided cookie value against what server previously 1549 * sent - client *MUST* send the same cookie with new CR after 1550 * a cookie is sent by the server with an HRR. 1551 */ 1552 if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie, 1553 S3I(s)->hs_tls13.cookie_len)) { 1554 /* XXX special cookie mismatch alert? */ 1555 *alert = SSL_AD_ILLEGAL_PARAMETER; 1556 return 0; 1557 } 1558 1559 return 1; 1560 1561 err: 1562 *alert = SSL_AD_DECODE_ERROR; 1563 return 0; 1564 } 1565 1566 int 1567 tlsext_cookie_server_needs(SSL *s) 1568 { 1569 1570 if (SSL_IS_DTLS(s)) 1571 return 0; 1572 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1573 return 0; 1574 /* 1575 * Server needs to set cookie value in tls13 handshake 1576 * in order to send one, should only be sent with HRR. 1577 */ 1578 return (S3I(s)->hs_tls13.cookie_len > 0 && 1579 S3I(s)->hs_tls13.cookie != NULL); 1580 } 1581 1582 int 1583 tlsext_cookie_server_build(SSL *s, CBB *cbb) 1584 { 1585 CBB cookie; 1586 1587 /* XXX deduplicate with client code */ 1588 1589 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1590 return 0; 1591 1592 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1593 S3I(s)->hs_tls13.cookie_len)) 1594 return 0; 1595 1596 if (!CBB_flush(cbb)) 1597 return 0; 1598 1599 return 1; 1600 } 1601 1602 int 1603 tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert) 1604 { 1605 CBS cookie; 1606 1607 /* 1608 * XXX This currently assumes we will not get a second 1609 * HRR from a server with a cookie to process after accepting 1610 * one from the server in the same handshake 1611 */ 1612 if (S3I(s)->hs_tls13.cookie != NULL || 1613 S3I(s)->hs_tls13.cookie_len != 0) { 1614 *alert = SSL_AD_ILLEGAL_PARAMETER; 1615 return 0; 1616 } 1617 1618 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1619 goto err; 1620 1621 if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie, 1622 &S3I(s)->hs_tls13.cookie_len)) 1623 goto err; 1624 1625 return 1; 1626 1627 err: 1628 *alert = SSL_AD_DECODE_ERROR; 1629 return 0; 1630 } 1631 1632 struct tls_extension_funcs { 1633 int (*needs)(SSL *s); 1634 int (*build)(SSL *s, CBB *cbb); 1635 int (*parse)(SSL *s, CBS *cbs, int *alert); 1636 }; 1637 1638 struct tls_extension { 1639 uint16_t type; 1640 uint16_t messages; 1641 struct tls_extension_funcs client; 1642 struct tls_extension_funcs server; 1643 }; 1644 1645 static struct tls_extension tls_extensions[] = { 1646 { 1647 .type = TLSEXT_TYPE_supported_versions, 1648 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1649 SSL_TLSEXT_MSG_HRR, 1650 .client = { 1651 .needs = tlsext_versions_client_needs, 1652 .build = tlsext_versions_client_build, 1653 .parse = tlsext_versions_client_parse, 1654 }, 1655 .server = { 1656 .needs = tlsext_versions_server_needs, 1657 .build = tlsext_versions_server_build, 1658 .parse = tlsext_versions_server_parse, 1659 }, 1660 }, 1661 { 1662 .type = TLSEXT_TYPE_key_share, 1663 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1664 SSL_TLSEXT_MSG_HRR, 1665 .client = { 1666 .needs = tlsext_keyshare_client_needs, 1667 .build = tlsext_keyshare_client_build, 1668 .parse = tlsext_keyshare_client_parse, 1669 }, 1670 .server = { 1671 .needs = tlsext_keyshare_server_needs, 1672 .build = tlsext_keyshare_server_build, 1673 .parse = tlsext_keyshare_server_parse, 1674 }, 1675 }, 1676 { 1677 .type = TLSEXT_TYPE_server_name, 1678 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1679 .client = { 1680 .needs = tlsext_sni_client_needs, 1681 .build = tlsext_sni_client_build, 1682 .parse = tlsext_sni_client_parse, 1683 }, 1684 .server = { 1685 .needs = tlsext_sni_server_needs, 1686 .build = tlsext_sni_server_build, 1687 .parse = tlsext_sni_server_parse, 1688 }, 1689 }, 1690 { 1691 .type = TLSEXT_TYPE_renegotiate, 1692 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1693 .client = { 1694 .needs = tlsext_ri_client_needs, 1695 .build = tlsext_ri_client_build, 1696 .parse = tlsext_ri_client_parse, 1697 }, 1698 .server = { 1699 .needs = tlsext_ri_server_needs, 1700 .build = tlsext_ri_server_build, 1701 .parse = tlsext_ri_server_parse, 1702 }, 1703 }, 1704 { 1705 .type = TLSEXT_TYPE_status_request, 1706 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 1707 SSL_TLSEXT_MSG_CT, 1708 .client = { 1709 .needs = tlsext_ocsp_client_needs, 1710 .build = tlsext_ocsp_client_build, 1711 .parse = tlsext_ocsp_client_parse, 1712 }, 1713 .server = { 1714 .needs = tlsext_ocsp_server_needs, 1715 .build = tlsext_ocsp_server_build, 1716 .parse = tlsext_ocsp_server_parse, 1717 }, 1718 }, 1719 { 1720 .type = TLSEXT_TYPE_ec_point_formats, 1721 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1722 .client = { 1723 .needs = tlsext_ecpf_client_needs, 1724 .build = tlsext_ecpf_client_build, 1725 .parse = tlsext_ecpf_client_parse, 1726 }, 1727 .server = { 1728 .needs = tlsext_ecpf_server_needs, 1729 .build = tlsext_ecpf_server_build, 1730 .parse = tlsext_ecpf_server_parse, 1731 }, 1732 }, 1733 { 1734 .type = TLSEXT_TYPE_supported_groups, 1735 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1736 .client = { 1737 .needs = tlsext_supportedgroups_client_needs, 1738 .build = tlsext_supportedgroups_client_build, 1739 .parse = tlsext_supportedgroups_client_parse, 1740 }, 1741 .server = { 1742 .needs = tlsext_supportedgroups_server_needs, 1743 .build = tlsext_supportedgroups_server_build, 1744 .parse = tlsext_supportedgroups_server_parse, 1745 }, 1746 }, 1747 { 1748 .type = TLSEXT_TYPE_session_ticket, 1749 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1750 .client = { 1751 .needs = tlsext_sessionticket_client_needs, 1752 .build = tlsext_sessionticket_client_build, 1753 .parse = tlsext_sessionticket_client_parse, 1754 }, 1755 .server = { 1756 .needs = tlsext_sessionticket_server_needs, 1757 .build = tlsext_sessionticket_server_build, 1758 .parse = tlsext_sessionticket_server_parse, 1759 }, 1760 }, 1761 { 1762 .type = TLSEXT_TYPE_signature_algorithms, 1763 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 1764 .client = { 1765 .needs = tlsext_sigalgs_client_needs, 1766 .build = tlsext_sigalgs_client_build, 1767 .parse = tlsext_sigalgs_client_parse, 1768 }, 1769 .server = { 1770 .needs = tlsext_sigalgs_server_needs, 1771 .build = tlsext_sigalgs_server_build, 1772 .parse = tlsext_sigalgs_server_parse, 1773 }, 1774 }, 1775 { 1776 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1777 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1778 .client = { 1779 .needs = tlsext_alpn_client_needs, 1780 .build = tlsext_alpn_client_build, 1781 .parse = tlsext_alpn_client_parse, 1782 }, 1783 .server = { 1784 .needs = tlsext_alpn_server_needs, 1785 .build = tlsext_alpn_server_build, 1786 .parse = tlsext_alpn_server_parse, 1787 }, 1788 }, 1789 { 1790 .type = TLSEXT_TYPE_cookie, 1791 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 1792 .client = { 1793 .needs = tlsext_cookie_client_needs, 1794 .build = tlsext_cookie_client_build, 1795 .parse = tlsext_cookie_client_parse, 1796 }, 1797 .server = { 1798 .needs = tlsext_cookie_server_needs, 1799 .build = tlsext_cookie_server_build, 1800 .parse = tlsext_cookie_server_parse, 1801 }, 1802 }, 1803 #ifndef OPENSSL_NO_SRTP 1804 { 1805 .type = TLSEXT_TYPE_use_srtp, 1806 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 1807 SSL_TLSEXT_MSG_EE, 1808 .client = { 1809 .needs = tlsext_srtp_client_needs, 1810 .build = tlsext_srtp_client_build, 1811 .parse = tlsext_srtp_client_parse, 1812 }, 1813 .server = { 1814 .needs = tlsext_srtp_server_needs, 1815 .build = tlsext_srtp_server_build, 1816 .parse = tlsext_srtp_server_parse, 1817 }, 1818 } 1819 #endif /* OPENSSL_NO_SRTP */ 1820 }; 1821 1822 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 1823 1824 /* Ensure that extensions fit in a uint32_t bitmask. */ 1825 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1826 1827 struct tls_extension * 1828 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 1829 { 1830 size_t i; 1831 1832 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1833 if (tls_extensions[i].type == type) { 1834 *tls_extensions_idx = i; 1835 return &tls_extensions[i]; 1836 } 1837 } 1838 1839 return NULL; 1840 } 1841 1842 int 1843 tlsext_extension_seen(SSL *s, uint16_t type) 1844 { 1845 size_t idx; 1846 1847 if (tls_extension_find(type, &idx) == NULL) 1848 return 0; 1849 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); 1850 } 1851 1852 static struct tls_extension_funcs * 1853 tlsext_funcs(struct tls_extension *tlsext, int is_server) 1854 { 1855 if (is_server) 1856 return &tlsext->server; 1857 1858 return &tlsext->client; 1859 } 1860 1861 static int 1862 tlsext_build(SSL *s, CBB *cbb, int is_server, uint16_t msg_type) 1863 { 1864 struct tls_extension_funcs *ext; 1865 struct tls_extension *tlsext; 1866 CBB extensions, extension_data; 1867 int extensions_present = 0; 1868 size_t i; 1869 uint16_t version; 1870 1871 if (is_server) 1872 version = s->version; 1873 else 1874 version = TLS1_get_client_version(s); 1875 1876 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 1877 return 0; 1878 1879 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1880 tlsext = &tls_extensions[i]; 1881 ext = tlsext_funcs(tlsext, is_server); 1882 1883 /* RFC 8446 Section 4.2 */ 1884 if (version >= TLS1_3_VERSION && 1885 !(tlsext->messages & msg_type)) 1886 continue; 1887 1888 if (!ext->needs(s)) 1889 continue; 1890 1891 if (!CBB_add_u16(&extensions, tlsext->type)) 1892 return 0; 1893 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 1894 return 0; 1895 1896 if (!ext->build(s, &extension_data)) 1897 return 0; 1898 1899 extensions_present = 1; 1900 } 1901 1902 if (!extensions_present && 1903 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 1904 CBB_discard_child(cbb); 1905 1906 if (!CBB_flush(cbb)) 1907 return 0; 1908 1909 return 1; 1910 } 1911 1912 static int 1913 tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type) 1914 { 1915 struct tls_extension_funcs *ext; 1916 struct tls_extension *tlsext; 1917 CBS extensions, extension_data; 1918 uint16_t type; 1919 size_t idx; 1920 uint16_t version; 1921 int alert_desc; 1922 1923 S3I(s)->hs.extensions_seen = 0; 1924 1925 if (is_server) 1926 version = s->version; 1927 else 1928 version = TLS1_get_client_version(s); 1929 1930 /* An empty extensions block is valid. */ 1931 if (CBS_len(cbs) == 0) 1932 return 1; 1933 1934 alert_desc = SSL_AD_DECODE_ERROR; 1935 1936 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 1937 goto err; 1938 1939 while (CBS_len(&extensions) > 0) { 1940 if (!CBS_get_u16(&extensions, &type)) 1941 goto err; 1942 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 1943 goto err; 1944 1945 if (s->internal->tlsext_debug_cb != NULL) 1946 s->internal->tlsext_debug_cb(s, is_server, type, 1947 (unsigned char *)CBS_data(&extension_data), 1948 CBS_len(&extension_data), 1949 s->internal->tlsext_debug_arg); 1950 1951 /* Unknown extensions are ignored. */ 1952 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 1953 continue; 1954 1955 /* RFC 8446 Section 4.2 */ 1956 if (version >= TLS1_3_VERSION && 1957 !(tlsext->messages & msg_type)) { 1958 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 1959 goto err; 1960 } 1961 1962 /* Check for duplicate known extensions. */ 1963 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 1964 goto err; 1965 S3I(s)->hs.extensions_seen |= (1 << idx); 1966 1967 ext = tlsext_funcs(tlsext, is_server); 1968 if (!ext->parse(s, &extension_data, &alert_desc)) 1969 goto err; 1970 1971 if (CBS_len(&extension_data) != 0) 1972 goto err; 1973 } 1974 1975 return 1; 1976 1977 err: 1978 *alert = alert_desc; 1979 1980 return 0; 1981 } 1982 1983 static void 1984 tlsext_server_reset_state(SSL *s) 1985 { 1986 s->internal->servername_done = 0; 1987 s->tlsext_status_type = -1; 1988 S3I(s)->renegotiate_seen = 0; 1989 free(S3I(s)->alpn_selected); 1990 S3I(s)->alpn_selected = NULL; 1991 s->internal->srtp_profile = NULL; 1992 } 1993 1994 int 1995 tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type) 1996 { 1997 return tlsext_build(s, cbb, 1, msg_type); 1998 } 1999 2000 int 2001 tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type) 2002 { 2003 /* XXX - this possibly should be done by the caller... */ 2004 tlsext_server_reset_state(s); 2005 2006 return tlsext_parse(s, cbs, alert, 1, msg_type); 2007 } 2008 2009 static void 2010 tlsext_client_reset_state(SSL *s) 2011 { 2012 S3I(s)->renegotiate_seen = 0; 2013 free(S3I(s)->alpn_selected); 2014 S3I(s)->alpn_selected = NULL; 2015 } 2016 2017 int 2018 tlsext_client_build(SSL *s, CBB *cbb, uint16_t msg_type) 2019 { 2020 return tlsext_build(s, cbb, 0, msg_type); 2021 } 2022 2023 int 2024 tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type) 2025 { 2026 /* XXX - this possibly should be done by the caller... */ 2027 tlsext_client_reset_state(s); 2028 2029 return tlsext_parse(s, cbs, alert, 0, msg_type); 2030 } 2031