1 /* $OpenBSD: ssl_tlsext.c,v 1.44 2019/03/25 17:21:18 jsing Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 #include <openssl/curve25519.h> 20 #include <openssl/ocsp.h> 21 22 #include "ssl_locl.h" 23 24 #include "bytestring.h" 25 #include "ssl_sigalgs.h" 26 #include "ssl_tlsext.h" 27 28 /* 29 * Supported Application-Layer Protocol Negotiation - RFC 7301 30 */ 31 32 int 33 tlsext_alpn_client_needs(SSL *s) 34 { 35 /* ALPN protos have been specified and this is the initial handshake */ 36 return s->internal->alpn_client_proto_list != NULL && 37 S3I(s)->tmp.finish_md_len == 0; 38 } 39 40 int 41 tlsext_alpn_client_build(SSL *s, CBB *cbb) 42 { 43 CBB protolist; 44 45 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 46 return 0; 47 48 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 49 s->internal->alpn_client_proto_list_len)) 50 return 0; 51 52 if (!CBB_flush(cbb)) 53 return 0; 54 55 return 1; 56 } 57 58 int 59 tlsext_alpn_server_parse(SSL *s, CBS *cbs, int *alert) 60 { 61 CBS proto_name_list, alpn; 62 const unsigned char *selected; 63 unsigned char selected_len; 64 int r; 65 66 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 67 goto err; 68 if (CBS_len(&alpn) < 2) 69 goto err; 70 if (CBS_len(cbs) != 0) 71 goto err; 72 73 CBS_dup(&alpn, &proto_name_list); 74 while (CBS_len(&proto_name_list) > 0) { 75 CBS proto_name; 76 77 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 78 goto err; 79 if (CBS_len(&proto_name) == 0) 80 goto err; 81 } 82 83 if (s->ctx->internal->alpn_select_cb == NULL) 84 return 1; 85 86 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 87 CBS_data(&alpn), CBS_len(&alpn), 88 s->ctx->internal->alpn_select_cb_arg); 89 if (r == SSL_TLSEXT_ERR_OK) { 90 free(S3I(s)->alpn_selected); 91 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 92 *alert = SSL_AD_INTERNAL_ERROR; 93 return 0; 94 } 95 memcpy(S3I(s)->alpn_selected, selected, selected_len); 96 S3I(s)->alpn_selected_len = selected_len; 97 } 98 99 return 1; 100 101 err: 102 *alert = SSL_AD_DECODE_ERROR; 103 return 0; 104 } 105 106 int 107 tlsext_alpn_server_needs(SSL *s) 108 { 109 return S3I(s)->alpn_selected != NULL; 110 } 111 112 int 113 tlsext_alpn_server_build(SSL *s, CBB *cbb) 114 { 115 CBB list, selected; 116 117 if (!CBB_add_u16_length_prefixed(cbb, &list)) 118 return 0; 119 120 if (!CBB_add_u8_length_prefixed(&list, &selected)) 121 return 0; 122 123 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 124 S3I(s)->alpn_selected_len)) 125 return 0; 126 127 if (!CBB_flush(cbb)) 128 return 0; 129 130 return 1; 131 } 132 133 int 134 tlsext_alpn_client_parse(SSL *s, CBS *cbs, int *alert) 135 { 136 CBS list, proto; 137 138 if (s->internal->alpn_client_proto_list == NULL) { 139 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 140 return 0; 141 } 142 143 if (!CBS_get_u16_length_prefixed(cbs, &list)) 144 goto err; 145 if (CBS_len(cbs) != 0) 146 goto err; 147 148 if (!CBS_get_u8_length_prefixed(&list, &proto)) 149 goto err; 150 151 if (CBS_len(&list) != 0) 152 goto err; 153 if (CBS_len(&proto) == 0) 154 goto err; 155 156 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 157 &(S3I(s)->alpn_selected_len))) 158 goto err; 159 160 return 1; 161 162 err: 163 *alert = TLS1_AD_DECODE_ERROR; 164 return 0; 165 } 166 167 /* 168 * Supported Groups - RFC 7919 section 2 169 */ 170 int 171 tlsext_supportedgroups_client_needs(SSL *s) 172 { 173 return ssl_has_ecc_ciphers(s) || 174 (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 175 } 176 177 int 178 tlsext_supportedgroups_client_build(SSL *s, CBB *cbb) 179 { 180 const uint16_t *groups; 181 size_t groups_len; 182 CBB grouplist; 183 int i; 184 185 tls1_get_group_list(s, 0, &groups, &groups_len); 186 if (groups_len == 0) { 187 SSLerror(s, ERR_R_INTERNAL_ERROR); 188 return 0; 189 } 190 191 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 192 return 0; 193 194 for (i = 0; i < groups_len; i++) { 195 if (!CBB_add_u16(&grouplist, groups[i])) 196 return 0; 197 } 198 199 if (!CBB_flush(cbb)) 200 return 0; 201 202 return 1; 203 } 204 205 int 206 tlsext_supportedgroups_server_parse(SSL *s, CBS *cbs, int *alert) 207 { 208 CBS grouplist; 209 size_t groups_len; 210 211 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 212 goto err; 213 if (CBS_len(cbs) != 0) 214 goto err; 215 216 groups_len = CBS_len(&grouplist); 217 if (groups_len == 0 || groups_len % 2 != 0) 218 goto err; 219 groups_len /= 2; 220 221 if (!s->internal->hit) { 222 uint16_t *groups; 223 int i; 224 225 if (SSI(s)->tlsext_supportedgroups != NULL) 226 goto err; 227 228 if ((groups = reallocarray(NULL, groups_len, 229 sizeof(uint16_t))) == NULL) { 230 *alert = TLS1_AD_INTERNAL_ERROR; 231 return 0; 232 } 233 234 for (i = 0; i < groups_len; i++) { 235 if (!CBS_get_u16(&grouplist, &groups[i])) { 236 free(groups); 237 goto err; 238 } 239 } 240 241 if (CBS_len(&grouplist) != 0) { 242 free(groups); 243 goto err; 244 } 245 246 SSI(s)->tlsext_supportedgroups = groups; 247 SSI(s)->tlsext_supportedgroups_length = groups_len; 248 } 249 250 return 1; 251 252 err: 253 *alert = TLS1_AD_DECODE_ERROR; 254 return 0; 255 } 256 257 /* This extension is never used by the server. */ 258 int 259 tlsext_supportedgroups_server_needs(SSL *s) 260 { 261 return 0; 262 } 263 264 int 265 tlsext_supportedgroups_server_build(SSL *s, CBB *cbb) 266 { 267 return 0; 268 } 269 270 int 271 tlsext_supportedgroups_client_parse(SSL *s, CBS *cbs, int *alert) 272 { 273 /* 274 * Servers should not send this extension per the RFC. 275 * 276 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 277 * from at least 2014 but as of 2017, there are still large sites with 278 * this unpatched in production. As a result, we need to currently skip 279 * over the extension and ignore its content: 280 * 281 * https://support.f5.com/csp/article/K37345003 282 */ 283 if (!CBS_skip(cbs, CBS_len(cbs))) { 284 *alert = TLS1_AD_INTERNAL_ERROR; 285 return 0; 286 } 287 288 return 1; 289 } 290 291 /* 292 * Supported Point Formats Extension - RFC 4492 section 5.1.2 293 */ 294 static int 295 tlsext_ecpf_build(SSL *s, CBB *cbb) 296 { 297 CBB ecpf; 298 size_t formats_len; 299 const uint8_t *formats; 300 301 tls1_get_formatlist(s, 0, &formats, &formats_len); 302 303 if (formats_len == 0) { 304 SSLerror(s, ERR_R_INTERNAL_ERROR); 305 return 0; 306 } 307 308 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 309 return 0; 310 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 311 return 0; 312 if (!CBB_flush(cbb)) 313 return 0; 314 315 return 1; 316 } 317 318 static int 319 tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert) 320 { 321 CBS ecpf; 322 323 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 324 goto err; 325 if (CBS_len(&ecpf) == 0) 326 goto err; 327 if (CBS_len(cbs) != 0) 328 goto err; 329 330 /* Must contain uncompressed (0) */ 331 if (!CBS_contains_zero_byte(&ecpf)) { 332 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 333 goto err; 334 } 335 336 if (!s->internal->hit) { 337 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 338 &(SSI(s)->tlsext_ecpointformatlist_length))) { 339 *alert = TLS1_AD_INTERNAL_ERROR; 340 return 0; 341 } 342 } 343 344 return 1; 345 346 err: 347 *alert = SSL_AD_DECODE_ERROR; 348 return 0; 349 } 350 351 int 352 tlsext_ecpf_client_needs(SSL *s) 353 { 354 return ssl_has_ecc_ciphers(s); 355 } 356 357 int 358 tlsext_ecpf_client_build(SSL *s, CBB *cbb) 359 { 360 return tlsext_ecpf_build(s, cbb); 361 } 362 363 int 364 tlsext_ecpf_server_parse(SSL *s, CBS *cbs, int *alert) 365 { 366 return tlsext_ecpf_parse(s, cbs, alert); 367 } 368 369 int 370 tlsext_ecpf_server_needs(SSL *s) 371 { 372 if (s->version == DTLS1_VERSION) 373 return 0; 374 375 return ssl_using_ecc_cipher(s); 376 } 377 378 int 379 tlsext_ecpf_server_build(SSL *s, CBB *cbb) 380 { 381 return tlsext_ecpf_build(s, cbb); 382 } 383 384 int 385 tlsext_ecpf_client_parse(SSL *s, CBS *cbs, int *alert) 386 { 387 return tlsext_ecpf_parse(s, cbs, alert); 388 } 389 390 /* 391 * Renegotiation Indication - RFC 5746. 392 */ 393 int 394 tlsext_ri_client_needs(SSL *s) 395 { 396 return (s->internal->renegotiate); 397 } 398 399 int 400 tlsext_ri_client_build(SSL *s, CBB *cbb) 401 { 402 CBB reneg; 403 404 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 405 return 0; 406 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 407 S3I(s)->previous_client_finished_len)) 408 return 0; 409 if (!CBB_flush(cbb)) 410 return 0; 411 412 return 1; 413 } 414 415 int 416 tlsext_ri_server_parse(SSL *s, CBS *cbs, int *alert) 417 { 418 CBS reneg; 419 420 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 421 goto err; 422 if (CBS_len(cbs) != 0) 423 goto err; 424 425 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 426 S3I(s)->previous_client_finished_len)) { 427 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 428 *alert = SSL_AD_HANDSHAKE_FAILURE; 429 return 0; 430 } 431 432 S3I(s)->renegotiate_seen = 1; 433 S3I(s)->send_connection_binding = 1; 434 435 return 1; 436 437 err: 438 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 439 *alert = SSL_AD_DECODE_ERROR; 440 return 0; 441 } 442 443 int 444 tlsext_ri_server_needs(SSL *s) 445 { 446 return (S3I(s)->send_connection_binding); 447 } 448 449 int 450 tlsext_ri_server_build(SSL *s, CBB *cbb) 451 { 452 CBB reneg; 453 454 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 455 return 0; 456 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 457 S3I(s)->previous_client_finished_len)) 458 return 0; 459 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 460 S3I(s)->previous_server_finished_len)) 461 return 0; 462 if (!CBB_flush(cbb)) 463 return 0; 464 465 return 1; 466 } 467 468 int 469 tlsext_ri_client_parse(SSL *s, CBS *cbs, int *alert) 470 { 471 CBS reneg, prev_client, prev_server; 472 473 /* 474 * Ensure that the previous client and server values are both not 475 * present, or that they are both present. 476 */ 477 if ((S3I(s)->previous_client_finished_len == 0 && 478 S3I(s)->previous_server_finished_len != 0) || 479 (S3I(s)->previous_client_finished_len != 0 && 480 S3I(s)->previous_server_finished_len == 0)) { 481 *alert = TLS1_AD_INTERNAL_ERROR; 482 return 0; 483 } 484 485 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 486 goto err; 487 if (!CBS_get_bytes(&reneg, &prev_client, 488 S3I(s)->previous_client_finished_len)) 489 goto err; 490 if (!CBS_get_bytes(&reneg, &prev_server, 491 S3I(s)->previous_server_finished_len)) 492 goto err; 493 if (CBS_len(&reneg) != 0) 494 goto err; 495 if (CBS_len(cbs) != 0) 496 goto err; 497 498 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 499 S3I(s)->previous_client_finished_len)) { 500 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 501 *alert = SSL_AD_HANDSHAKE_FAILURE; 502 return 0; 503 } 504 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 505 S3I(s)->previous_server_finished_len)) { 506 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 507 *alert = SSL_AD_HANDSHAKE_FAILURE; 508 return 0; 509 } 510 511 S3I(s)->renegotiate_seen = 1; 512 S3I(s)->send_connection_binding = 1; 513 514 return 1; 515 516 err: 517 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 518 *alert = SSL_AD_DECODE_ERROR; 519 return 0; 520 } 521 522 /* 523 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 524 */ 525 int 526 tlsext_sigalgs_client_needs(SSL *s) 527 { 528 return (TLS1_get_client_version(s) >= TLS1_2_VERSION); 529 } 530 531 int 532 tlsext_sigalgs_client_build(SSL *s, CBB *cbb) 533 { 534 uint16_t *tls_sigalgs = tls12_sigalgs; 535 size_t tls_sigalgs_len = tls12_sigalgs_len; 536 CBB sigalgs; 537 538 if (TLS1_get_client_version(s) >= TLS1_3_VERSION && 539 S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) { 540 tls_sigalgs = tls13_sigalgs; 541 tls_sigalgs_len = tls13_sigalgs_len; 542 } 543 544 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 545 return 0; 546 547 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 548 return 0; 549 550 if (!CBB_flush(cbb)) 551 return 0; 552 553 return 1; 554 } 555 556 int 557 tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert) 558 { 559 CBS sigalgs; 560 561 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 562 return 0; 563 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 564 return 0; 565 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 566 return 0; 567 568 return 1; 569 } 570 571 int 572 tlsext_sigalgs_server_needs(SSL *s) 573 { 574 return 0; 575 } 576 577 int 578 tlsext_sigalgs_server_build(SSL *s, CBB *cbb) 579 { 580 return 0; 581 } 582 583 int 584 tlsext_sigalgs_client_parse(SSL *s, CBS *cbs, int *alert) 585 { 586 /* As per the RFC, servers must not send this extension. */ 587 return 0; 588 } 589 590 /* 591 * Server Name Indication - RFC 6066, section 3. 592 */ 593 int 594 tlsext_sni_client_needs(SSL *s) 595 { 596 return (s->tlsext_hostname != NULL); 597 } 598 599 int 600 tlsext_sni_client_build(SSL *s, CBB *cbb) 601 { 602 CBB server_name_list, host_name; 603 604 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 605 return 0; 606 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 607 return 0; 608 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 609 return 0; 610 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 611 strlen(s->tlsext_hostname))) 612 return 0; 613 if (!CBB_flush(cbb)) 614 return 0; 615 616 return 1; 617 } 618 619 int 620 tlsext_sni_server_parse(SSL *s, CBS *cbs, int *alert) 621 { 622 CBS server_name_list, host_name; 623 uint8_t name_type; 624 625 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 626 goto err; 627 628 /* 629 * RFC 6066 section 3 forbids multiple host names with the same type. 630 * Additionally, only one type (host_name) is specified. 631 */ 632 if (!CBS_get_u8(&server_name_list, &name_type)) 633 goto err; 634 if (name_type != TLSEXT_NAMETYPE_host_name) 635 goto err; 636 637 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 638 goto err; 639 if (CBS_len(&host_name) == 0 || 640 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || 641 CBS_contains_zero_byte(&host_name)) { 642 *alert = TLS1_AD_UNRECOGNIZED_NAME; 643 return 0; 644 } 645 646 if (s->internal->hit) { 647 if (s->session->tlsext_hostname == NULL) { 648 *alert = TLS1_AD_UNRECOGNIZED_NAME; 649 return 0; 650 } 651 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 652 strlen(s->session->tlsext_hostname))) { 653 *alert = TLS1_AD_UNRECOGNIZED_NAME; 654 return 0; 655 } 656 } else { 657 if (s->session->tlsext_hostname != NULL) 658 goto err; 659 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 660 *alert = TLS1_AD_INTERNAL_ERROR; 661 return 0; 662 } 663 } 664 665 if (CBS_len(&server_name_list) != 0) 666 goto err; 667 if (CBS_len(cbs) != 0) 668 goto err; 669 670 return 1; 671 672 err: 673 *alert = SSL_AD_DECODE_ERROR; 674 return 0; 675 } 676 677 int 678 tlsext_sni_server_needs(SSL *s) 679 { 680 return (s->session->tlsext_hostname != NULL); 681 } 682 683 int 684 tlsext_sni_server_build(SSL *s, CBB *cbb) 685 { 686 return 1; 687 } 688 689 int 690 tlsext_sni_client_parse(SSL *s, CBS *cbs, int *alert) 691 { 692 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 693 *alert = TLS1_AD_UNRECOGNIZED_NAME; 694 return 0; 695 } 696 697 if (s->internal->hit) { 698 if (s->session->tlsext_hostname == NULL) { 699 *alert = TLS1_AD_UNRECOGNIZED_NAME; 700 return 0; 701 } 702 if (strcmp(s->tlsext_hostname, 703 s->session->tlsext_hostname) != 0) { 704 *alert = TLS1_AD_UNRECOGNIZED_NAME; 705 return 0; 706 } 707 } else { 708 if (s->session->tlsext_hostname != NULL) { 709 *alert = SSL_AD_DECODE_ERROR; 710 return 0; 711 } 712 if ((s->session->tlsext_hostname = 713 strdup(s->tlsext_hostname)) == NULL) { 714 *alert = TLS1_AD_INTERNAL_ERROR; 715 return 0; 716 } 717 } 718 719 return 1; 720 } 721 722 723 /* 724 *Certificate Status Request - RFC 6066 section 8. 725 */ 726 727 int 728 tlsext_ocsp_client_needs(SSL *s) 729 { 730 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 731 s->version != DTLS1_VERSION); 732 } 733 734 int 735 tlsext_ocsp_client_build(SSL *s, CBB *cbb) 736 { 737 CBB respid_list, respid, exts; 738 unsigned char *ext_data; 739 size_t ext_len; 740 int i; 741 742 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 743 return 0; 744 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 745 return 0; 746 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 747 unsigned char *respid_data; 748 OCSP_RESPID *id; 749 size_t id_len; 750 751 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 752 i)) == NULL) 753 return 0; 754 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 755 return 0; 756 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 757 return 0; 758 if (!CBB_add_space(&respid, &respid_data, id_len)) 759 return 0; 760 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 761 return 0; 762 } 763 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 764 return 0; 765 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 766 NULL)) == -1) 767 return 0; 768 if (!CBB_add_space(&exts, &ext_data, ext_len)) 769 return 0; 770 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 771 ext_len)) 772 return 0; 773 if (!CBB_flush(cbb)) 774 return 0; 775 return 1; 776 } 777 778 int 779 tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert) 780 { 781 int failure = SSL_AD_DECODE_ERROR; 782 CBS respid_list, respid, exts; 783 const unsigned char *p; 784 uint8_t status_type; 785 int ret = 0; 786 787 if (!CBS_get_u8(cbs, &status_type)) 788 goto err; 789 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 790 /* ignore unknown status types */ 791 s->tlsext_status_type = -1; 792 793 if (!CBS_skip(cbs, CBS_len(cbs))) { 794 *alert = TLS1_AD_INTERNAL_ERROR; 795 return 0; 796 } 797 return 1; 798 } 799 s->tlsext_status_type = status_type; 800 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 801 goto err; 802 803 /* XXX */ 804 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 805 s->internal->tlsext_ocsp_ids = NULL; 806 if (CBS_len(&respid_list) > 0) { 807 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 808 if (s->internal->tlsext_ocsp_ids == NULL) { 809 failure = SSL_AD_INTERNAL_ERROR; 810 goto err; 811 } 812 } 813 814 while (CBS_len(&respid_list) > 0) { 815 OCSP_RESPID *id; 816 817 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 818 goto err; 819 p = CBS_data(&respid); 820 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 821 goto err; 822 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 823 failure = SSL_AD_INTERNAL_ERROR; 824 OCSP_RESPID_free(id); 825 goto err; 826 } 827 } 828 829 /* Read in request_extensions */ 830 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 831 goto err; 832 if (CBS_len(&exts) > 0) { 833 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 834 X509_EXTENSION_free); 835 p = CBS_data(&exts); 836 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 837 &p, CBS_len(&exts))) == NULL) 838 goto err; 839 } 840 841 /* should be nothing left */ 842 if (CBS_len(cbs) > 0) 843 goto err; 844 845 ret = 1; 846 err: 847 if (ret == 0) 848 *alert = failure; 849 return ret; 850 } 851 852 int 853 tlsext_ocsp_server_needs(SSL *s) 854 { 855 return s->internal->tlsext_status_expected; 856 } 857 858 int 859 tlsext_ocsp_server_build(SSL *s, CBB *cbb) 860 { 861 return 1; 862 } 863 864 int 865 tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert) 866 { 867 if (s->tlsext_status_type == -1) { 868 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 869 return 0; 870 } 871 /* Set flag to expect CertificateStatus message */ 872 s->internal->tlsext_status_expected = 1; 873 return 1; 874 } 875 876 /* 877 * SessionTicket extension - RFC 5077 section 3.2 878 */ 879 int 880 tlsext_sessionticket_client_needs(SSL *s) 881 { 882 /* 883 * Send session ticket extension when enabled and not overridden. 884 * 885 * When renegotiating, send an empty session ticket to indicate support. 886 */ 887 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 888 return 0; 889 890 if (s->internal->new_session) 891 return 1; 892 893 if (s->internal->tlsext_session_ticket != NULL && 894 s->internal->tlsext_session_ticket->data == NULL) 895 return 0; 896 897 return 1; 898 } 899 900 int 901 tlsext_sessionticket_client_build(SSL *s, CBB *cbb) 902 { 903 /* 904 * Signal that we support session tickets by sending an empty 905 * extension when renegotiating or no session found. 906 */ 907 if (s->internal->new_session || s->session == NULL) 908 return 1; 909 910 if (s->session->tlsext_tick != NULL) { 911 /* Attempt to resume with an existing session ticket */ 912 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 913 s->session->tlsext_ticklen)) 914 return 0; 915 916 } else if (s->internal->tlsext_session_ticket != NULL) { 917 /* 918 * Attempt to resume with a custom provided session ticket set 919 * by SSL_set_session_ticket_ext(). 920 */ 921 if (s->internal->tlsext_session_ticket->length > 0) { 922 size_t ticklen = s->internal->tlsext_session_ticket->length; 923 924 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 925 return 0; 926 memcpy(s->session->tlsext_tick, 927 s->internal->tlsext_session_ticket->data, 928 ticklen); 929 s->session->tlsext_ticklen = ticklen; 930 931 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 932 s->session->tlsext_ticklen)) 933 return 0; 934 } 935 } 936 937 if (!CBB_flush(cbb)) 938 return 0; 939 940 return 1; 941 } 942 943 int 944 tlsext_sessionticket_server_parse(SSL *s, CBS *cbs, int *alert) 945 { 946 if (s->internal->tls_session_ticket_ext_cb) { 947 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 948 (int)CBS_len(cbs), 949 s->internal->tls_session_ticket_ext_cb_arg)) { 950 *alert = TLS1_AD_INTERNAL_ERROR; 951 return 0; 952 } 953 } 954 955 /* We need to signal that this was processed fully */ 956 if (!CBS_skip(cbs, CBS_len(cbs))) { 957 *alert = TLS1_AD_INTERNAL_ERROR; 958 return 0; 959 } 960 961 return 1; 962 } 963 964 int 965 tlsext_sessionticket_server_needs(SSL *s) 966 { 967 return (s->internal->tlsext_ticket_expected && 968 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 969 } 970 971 int 972 tlsext_sessionticket_server_build(SSL *s, CBB *cbb) 973 { 974 /* Empty ticket */ 975 return 1; 976 } 977 978 int 979 tlsext_sessionticket_client_parse(SSL *s, CBS *cbs, int *alert) 980 { 981 if (s->internal->tls_session_ticket_ext_cb) { 982 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 983 (int)CBS_len(cbs), 984 s->internal->tls_session_ticket_ext_cb_arg)) { 985 *alert = TLS1_AD_INTERNAL_ERROR; 986 return 0; 987 } 988 } 989 990 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 991 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 992 return 0; 993 } 994 995 s->internal->tlsext_ticket_expected = 1; 996 997 return 1; 998 } 999 1000 /* 1001 * DTLS extension for SRTP key establishment - RFC 5764 1002 */ 1003 1004 #ifndef OPENSSL_NO_SRTP 1005 1006 int 1007 tlsext_srtp_client_needs(SSL *s) 1008 { 1009 return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL; 1010 } 1011 1012 int 1013 tlsext_srtp_client_build(SSL *s, CBB *cbb) 1014 { 1015 CBB profiles, mki; 1016 int ct, i; 1017 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1018 SRTP_PROTECTION_PROFILE *prof; 1019 1020 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1021 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1022 return 0; 1023 } 1024 1025 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1026 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1027 return 0; 1028 } 1029 1030 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1031 return 0; 1032 1033 for (i = 0; i < ct; i++) { 1034 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1035 return 0; 1036 if (!CBB_add_u16(&profiles, prof->id)) 1037 return 0; 1038 } 1039 1040 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1041 return 0; 1042 1043 if (!CBB_flush(cbb)) 1044 return 0; 1045 1046 return 1; 1047 } 1048 1049 int 1050 tlsext_srtp_server_parse(SSL *s, CBS *cbs, int *alert) 1051 { 1052 SRTP_PROTECTION_PROFILE *cprof, *sprof; 1053 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1054 int i, j; 1055 int ret; 1056 uint16_t id; 1057 CBS profiles, mki; 1058 1059 ret = 0; 1060 1061 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1062 goto err; 1063 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1064 goto err; 1065 1066 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1067 goto err; 1068 1069 while (CBS_len(&profiles) > 0) { 1070 if (!CBS_get_u16(&profiles, &id)) 1071 goto err; 1072 1073 if (!srtp_find_profile_by_num(id, &cprof)) { 1074 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1075 goto err; 1076 } 1077 } 1078 1079 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1080 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1081 *alert = SSL_AD_DECODE_ERROR; 1082 goto done; 1083 } 1084 if (CBS_len(cbs) != 0) 1085 goto err; 1086 1087 /* 1088 * Per RFC 5764 section 4.1.1 1089 * 1090 * Find the server preferred profile using the client's list. 1091 * 1092 * The server MUST send a profile if it sends the use_srtp 1093 * extension. If one is not found, it should fall back to the 1094 * negotiated DTLS cipher suite or return a DTLS alert. 1095 */ 1096 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1097 goto err; 1098 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1099 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1100 == NULL) 1101 goto err; 1102 1103 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1104 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1105 == NULL) 1106 goto err; 1107 1108 if (cprof->id == sprof->id) { 1109 s->internal->srtp_profile = sprof; 1110 ret = 1; 1111 goto done; 1112 } 1113 } 1114 } 1115 1116 /* If we didn't find anything, fall back to the negotiated */ 1117 ret = 1; 1118 goto done; 1119 1120 err: 1121 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1122 *alert = SSL_AD_DECODE_ERROR; 1123 1124 done: 1125 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1126 return ret; 1127 } 1128 1129 int 1130 tlsext_srtp_server_needs(SSL *s) 1131 { 1132 return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL; 1133 } 1134 1135 int 1136 tlsext_srtp_server_build(SSL *s, CBB *cbb) 1137 { 1138 SRTP_PROTECTION_PROFILE *profile; 1139 CBB srtp, mki; 1140 1141 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1142 return 0; 1143 1144 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1145 return 0; 1146 1147 if (!CBB_add_u16(&srtp, profile->id)) 1148 return 0; 1149 1150 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1151 return 0; 1152 1153 if (!CBB_flush(cbb)) 1154 return 0; 1155 1156 return 1; 1157 } 1158 1159 int 1160 tlsext_srtp_client_parse(SSL *s, CBS *cbs, int *alert) 1161 { 1162 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1163 SRTP_PROTECTION_PROFILE *prof; 1164 int i; 1165 uint16_t id; 1166 CBS profile_ids, mki; 1167 1168 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1169 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1170 goto err; 1171 } 1172 1173 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1174 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1175 goto err; 1176 } 1177 1178 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1179 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1180 *alert = SSL_AD_ILLEGAL_PARAMETER; 1181 return 0; 1182 } 1183 1184 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1185 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1186 goto err; 1187 } 1188 1189 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1190 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1191 == NULL) { 1192 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1193 goto err; 1194 } 1195 1196 if (prof->id == id) { 1197 s->internal->srtp_profile = prof; 1198 return 1; 1199 } 1200 } 1201 1202 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1203 err: 1204 *alert = SSL_AD_DECODE_ERROR; 1205 return 0; 1206 } 1207 1208 #endif /* OPENSSL_NO_SRTP */ 1209 1210 /* 1211 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1212 */ 1213 int 1214 tlsext_keyshare_client_needs(SSL *s) 1215 { 1216 /* XXX once this gets initialized when we get tls13_client.c */ 1217 if (S3I(s)->hs_tls13.max_version == 0) 1218 return 0; 1219 return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= 1220 TLS1_3_VERSION); 1221 } 1222 1223 int 1224 tlsext_keyshare_client_build(SSL *s, CBB *cbb) 1225 { 1226 uint8_t *public_key = NULL, *private_key = NULL; 1227 CBB client_shares, key_exchange; 1228 1229 /* Generate and provide key shares. */ 1230 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1231 return 0; 1232 1233 /* XXX - other groups. */ 1234 1235 /* Generate X25519 key pair. */ 1236 if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL) 1237 goto err; 1238 if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL) 1239 goto err; 1240 X25519_keypair(public_key, private_key); 1241 1242 /* Add the group and serialize the public key. */ 1243 if (!CBB_add_u16(&client_shares, tls1_ec_nid2curve_id(NID_X25519))) 1244 goto err; 1245 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1246 goto err; 1247 if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH)) 1248 goto err; 1249 1250 if (!CBB_flush(cbb)) 1251 goto err; 1252 1253 S3I(s)->hs_tls13.x25519_public = public_key; 1254 S3I(s)->hs_tls13.x25519_private = private_key; 1255 1256 return 1; 1257 1258 err: 1259 freezero(public_key, X25519_KEY_LENGTH); 1260 freezero(private_key, X25519_KEY_LENGTH); 1261 1262 return 0; 1263 } 1264 1265 int 1266 tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert) 1267 { 1268 CBS client_shares; 1269 CBS key_exchange; 1270 uint16_t group; 1271 size_t out_len; 1272 int ret = 0; 1273 1274 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1275 goto err; 1276 1277 if (CBS_len(cbs) != 0) 1278 goto err; 1279 1280 while (CBS_len(&client_shares) > 0) { 1281 1282 /* Unpack client share. */ 1283 if (!CBS_get_u16(&client_shares, &group)) 1284 goto err; 1285 1286 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1287 goto err; 1288 1289 /* 1290 * Skip this client share if not X25519 1291 * XXX support other groups later. 1292 * XXX enforce group can only appear once. 1293 */ 1294 if (S3I(s)->hs_tls13.x25519_peer_public != NULL || 1295 group != tls1_ec_nid2curve_id(NID_X25519)) 1296 continue; 1297 1298 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH) 1299 goto err; 1300 1301 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public, 1302 &out_len)) 1303 goto err; 1304 1305 ret = 1; 1306 } 1307 1308 return ret; 1309 1310 err: 1311 *alert = SSL_AD_DECODE_ERROR; 1312 return 0; 1313 } 1314 1315 int 1316 tlsext_keyshare_server_needs(SSL *s) 1317 { 1318 if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION) 1319 return 0; 1320 1321 return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); 1322 } 1323 1324 int 1325 tlsext_keyshare_server_build(SSL *s, CBB *cbb) 1326 { 1327 uint8_t *public_key = NULL, *private_key = NULL; 1328 CBB key_exchange; 1329 1330 /* XXX deduplicate with client code */ 1331 1332 /* X25519 */ 1333 if (S3I(s)->hs_tls13.x25519_peer_public == NULL) 1334 return 0; 1335 1336 /* Generate X25519 key pair. */ 1337 if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL) 1338 goto err; 1339 if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL) 1340 goto err; 1341 X25519_keypair(public_key, private_key); 1342 1343 /* Add the group and serialize the public key. */ 1344 if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519))) 1345 goto err; 1346 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1347 goto err; 1348 if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH)) 1349 goto err; 1350 1351 if (!CBB_flush(cbb)) 1352 goto err; 1353 1354 S3I(s)->hs_tls13.x25519_public = public_key; 1355 S3I(s)->hs_tls13.x25519_private = private_key; 1356 1357 return 1; 1358 1359 err: 1360 freezero(public_key, X25519_KEY_LENGTH); 1361 freezero(private_key, X25519_KEY_LENGTH); 1362 1363 return 0; 1364 } 1365 1366 int 1367 tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert) 1368 { 1369 CBS key_exchange; 1370 uint16_t group; 1371 size_t out_len; 1372 1373 /* Unpack server share. */ 1374 if (!CBS_get_u16(cbs, &group)) 1375 goto err; 1376 1377 /* Handle other groups and verify that they're valid. */ 1378 if (group != tls1_ec_nid2curve_id(NID_X25519)) 1379 goto err; 1380 1381 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1382 goto err; 1383 1384 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH) 1385 goto err; 1386 1387 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public, 1388 &out_len)) 1389 goto err; 1390 1391 return 1; 1392 1393 err: 1394 *alert = SSL_AD_DECODE_ERROR; 1395 return 0; 1396 } 1397 1398 /* 1399 * Supported Versions - RFC 8446 section 4.2.1. 1400 */ 1401 int 1402 tlsext_versions_client_needs(SSL *s) 1403 { 1404 if (SSL_IS_DTLS(s)) 1405 return 0; 1406 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 1407 } 1408 1409 int 1410 tlsext_versions_client_build(SSL *s, CBB *cbb) 1411 { 1412 uint16_t max, min; 1413 uint16_t version; 1414 CBB versions; 1415 1416 max = S3I(s)->hs_tls13.max_version; 1417 min = S3I(s)->hs_tls13.min_version; 1418 1419 if (min < TLS1_VERSION) 1420 return 0; 1421 1422 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1423 return 0; 1424 1425 /* XXX - fix, but contiguous for now... */ 1426 for (version = max; version >= min; version--) { 1427 if (!CBB_add_u16(&versions, version)) 1428 return 0; 1429 } 1430 1431 if (!CBB_flush(cbb)) 1432 return 0; 1433 1434 return 1; 1435 } 1436 1437 int 1438 tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert) 1439 { 1440 CBS versions; 1441 uint16_t version; 1442 uint16_t max, min; 1443 uint16_t matched_version = 0; 1444 1445 max = S3I(s)->hs_tls13.max_version; 1446 min = S3I(s)->hs_tls13.min_version; 1447 1448 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1449 goto err; 1450 1451 while (CBS_len(&versions) > 0) { 1452 if (!CBS_get_u16(&versions, &version)) 1453 goto err; 1454 /* 1455 * XXX What is below implements client preference, and 1456 * ignores any server preference entirely. 1457 */ 1458 if (matched_version == 0 && version >= min && version <= max) 1459 matched_version = version; 1460 } 1461 1462 /* 1463 * XXX if we haven't mached a version we should 1464 * fail - but we currently need to succeed to 1465 * ignore this before the server code for 1.3 1466 * is set up and initialized. 1467 */ 1468 if (max == 0) 1469 return 1; /* XXX */ 1470 1471 if (matched_version != 0) { 1472 s->version = matched_version; 1473 return 1; 1474 } 1475 1476 *alert = SSL_AD_PROTOCOL_VERSION; 1477 return 0; 1478 1479 err: 1480 *alert = SSL_AD_DECODE_ERROR; 1481 return 0; 1482 } 1483 1484 int 1485 tlsext_versions_server_needs(SSL *s) 1486 { 1487 return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); 1488 } 1489 1490 int 1491 tlsext_versions_server_build(SSL *s, CBB *cbb) 1492 { 1493 if (!CBB_add_u16(cbb, TLS1_3_VERSION)) 1494 return 0; 1495 /* XXX set 1.2 in legacy version? */ 1496 1497 return 1; 1498 } 1499 1500 int 1501 tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert) 1502 { 1503 uint16_t selected_version; 1504 1505 if (!CBS_get_u16(cbs, &selected_version)) { 1506 *alert = SSL_AD_DECODE_ERROR; 1507 return 0; 1508 } 1509 1510 if (selected_version < TLS1_3_VERSION) { 1511 *alert = SSL_AD_ILLEGAL_PARAMETER; 1512 return 0; 1513 } 1514 1515 /* XXX test between min and max once initialization code goes in */ 1516 S3I(s)->hs_tls13.server_version = selected_version; 1517 1518 return 1; 1519 } 1520 1521 1522 /* 1523 * Cookie - RFC 8446 section 4.2.2. 1524 */ 1525 1526 int 1527 tlsext_cookie_client_needs(SSL *s) 1528 { 1529 if (SSL_IS_DTLS(s)) 1530 return 0; 1531 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1532 return 0; 1533 return (S3I(s)->hs_tls13.cookie_len > 0 && 1534 S3I(s)->hs_tls13.cookie != NULL); 1535 } 1536 1537 int 1538 tlsext_cookie_client_build(SSL *s, CBB *cbb) 1539 { 1540 CBB cookie; 1541 1542 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1543 return 0; 1544 1545 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1546 S3I(s)->hs_tls13.cookie_len)) 1547 return 0; 1548 1549 if (!CBB_flush(cbb)) 1550 return 0; 1551 1552 return 1; 1553 } 1554 1555 int 1556 tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert) 1557 { 1558 CBS cookie; 1559 1560 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1561 goto err; 1562 1563 if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len) 1564 goto err; 1565 1566 /* 1567 * Check provided cookie value against what server previously 1568 * sent - client *MUST* send the same cookie with new CR after 1569 * a cookie is sent by the server with an HRR. 1570 */ 1571 if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie, 1572 S3I(s)->hs_tls13.cookie_len)) { 1573 /* XXX special cookie mismatch alert? */ 1574 *alert = SSL_AD_ILLEGAL_PARAMETER; 1575 return 0; 1576 } 1577 1578 return 1; 1579 1580 err: 1581 *alert = SSL_AD_DECODE_ERROR; 1582 return 0; 1583 } 1584 1585 int 1586 tlsext_cookie_server_needs(SSL *s) 1587 { 1588 1589 if (SSL_IS_DTLS(s)) 1590 return 0; 1591 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1592 return 0; 1593 /* 1594 * Server needs to set cookie value in tls13 handshake 1595 * in order to send one, should only be sent with HRR. 1596 */ 1597 return (S3I(s)->hs_tls13.cookie_len > 0 && 1598 S3I(s)->hs_tls13.cookie != NULL); 1599 } 1600 1601 int 1602 tlsext_cookie_server_build(SSL *s, CBB *cbb) 1603 { 1604 CBB cookie; 1605 1606 /* XXX deduplicate with client code */ 1607 1608 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1609 return 0; 1610 1611 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1612 S3I(s)->hs_tls13.cookie_len)) 1613 return 0; 1614 1615 if (!CBB_flush(cbb)) 1616 return 0; 1617 1618 return 1; 1619 } 1620 1621 int 1622 tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert) 1623 { 1624 CBS cookie; 1625 1626 /* 1627 * XXX This currently assumes we will not get a second 1628 * HRR from a server with a cookie to process after accepting 1629 * one from the server in the same handshake 1630 */ 1631 if (S3I(s)->hs_tls13.cookie != NULL || 1632 S3I(s)->hs_tls13.cookie_len != 0) { 1633 *alert = SSL_AD_ILLEGAL_PARAMETER; 1634 return 0; 1635 } 1636 1637 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1638 goto err; 1639 1640 if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie, 1641 &S3I(s)->hs_tls13.cookie_len)) 1642 goto err; 1643 1644 return 1; 1645 1646 err: 1647 *alert = SSL_AD_DECODE_ERROR; 1648 return 0; 1649 } 1650 1651 struct tls_extension_funcs { 1652 int (*needs)(SSL *s); 1653 int (*build)(SSL *s, CBB *cbb); 1654 int (*parse)(SSL *s, CBS *cbs, int *alert); 1655 }; 1656 1657 struct tls_extension { 1658 uint16_t type; 1659 uint16_t messages; 1660 struct tls_extension_funcs client; 1661 struct tls_extension_funcs server; 1662 }; 1663 1664 static struct tls_extension tls_extensions[] = { 1665 { 1666 .type = TLSEXT_TYPE_supported_versions, 1667 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1668 SSL_TLSEXT_MSG_HRR, 1669 .client = { 1670 .needs = tlsext_versions_client_needs, 1671 .build = tlsext_versions_client_build, 1672 .parse = tlsext_versions_server_parse, 1673 }, 1674 .server = { 1675 .needs = tlsext_versions_server_needs, 1676 .build = tlsext_versions_server_build, 1677 .parse = tlsext_versions_client_parse, 1678 }, 1679 }, 1680 { 1681 .type = TLSEXT_TYPE_key_share, 1682 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1683 SSL_TLSEXT_MSG_HRR, 1684 .client = { 1685 .needs = tlsext_keyshare_client_needs, 1686 .build = tlsext_keyshare_client_build, 1687 .parse = tlsext_keyshare_server_parse, 1688 }, 1689 .server = { 1690 .needs = tlsext_keyshare_server_needs, 1691 .build = tlsext_keyshare_server_build, 1692 .parse = tlsext_keyshare_client_parse, 1693 }, 1694 }, 1695 { 1696 .type = TLSEXT_TYPE_server_name, 1697 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1698 .client = { 1699 .needs = tlsext_sni_client_needs, 1700 .build = tlsext_sni_client_build, 1701 .parse = tlsext_sni_server_parse, 1702 }, 1703 .server = { 1704 .needs = tlsext_sni_server_needs, 1705 .build = tlsext_sni_server_build, 1706 .parse = tlsext_sni_client_parse, 1707 }, 1708 }, 1709 { 1710 .type = TLSEXT_TYPE_renegotiate, 1711 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1712 .client = { 1713 .needs = tlsext_ri_client_needs, 1714 .build = tlsext_ri_client_build, 1715 .parse = tlsext_ri_server_parse, 1716 }, 1717 .server = { 1718 .needs = tlsext_ri_server_needs, 1719 .build = tlsext_ri_server_build, 1720 .parse = tlsext_ri_client_parse, 1721 }, 1722 }, 1723 { 1724 .type = TLSEXT_TYPE_status_request, 1725 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 1726 SSL_TLSEXT_MSG_CT, 1727 .client = { 1728 .needs = tlsext_ocsp_client_needs, 1729 .build = tlsext_ocsp_client_build, 1730 .parse = tlsext_ocsp_server_parse, 1731 }, 1732 .server = { 1733 .needs = tlsext_ocsp_server_needs, 1734 .build = tlsext_ocsp_server_build, 1735 .parse = tlsext_ocsp_client_parse, 1736 }, 1737 }, 1738 { 1739 .type = TLSEXT_TYPE_ec_point_formats, 1740 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1741 .client = { 1742 .needs = tlsext_ecpf_client_needs, 1743 .build = tlsext_ecpf_client_build, 1744 .parse = tlsext_ecpf_server_parse, 1745 }, 1746 .server = { 1747 .needs = tlsext_ecpf_server_needs, 1748 .build = tlsext_ecpf_server_build, 1749 .parse = tlsext_ecpf_client_parse, 1750 }, 1751 }, 1752 { 1753 .type = TLSEXT_TYPE_supported_groups, 1754 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1755 .client = { 1756 .needs = tlsext_supportedgroups_client_needs, 1757 .build = tlsext_supportedgroups_client_build, 1758 .parse = tlsext_supportedgroups_server_parse, 1759 }, 1760 .server = { 1761 .needs = tlsext_supportedgroups_server_needs, 1762 .build = tlsext_supportedgroups_server_build, 1763 .parse = tlsext_supportedgroups_client_parse, 1764 }, 1765 }, 1766 { 1767 .type = TLSEXT_TYPE_session_ticket, 1768 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1769 .client = { 1770 .needs = tlsext_sessionticket_client_needs, 1771 .build = tlsext_sessionticket_client_build, 1772 .parse = tlsext_sessionticket_server_parse, 1773 }, 1774 .server = { 1775 .needs = tlsext_sessionticket_server_needs, 1776 .build = tlsext_sessionticket_server_build, 1777 .parse = tlsext_sessionticket_client_parse, 1778 }, 1779 }, 1780 { 1781 .type = TLSEXT_TYPE_signature_algorithms, 1782 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 1783 .client = { 1784 .needs = tlsext_sigalgs_client_needs, 1785 .build = tlsext_sigalgs_client_build, 1786 .parse = tlsext_sigalgs_server_parse, 1787 }, 1788 .server = { 1789 .needs = tlsext_sigalgs_server_needs, 1790 .build = tlsext_sigalgs_server_build, 1791 .parse = tlsext_sigalgs_client_parse, 1792 }, 1793 }, 1794 { 1795 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1796 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1797 .client = { 1798 .needs = tlsext_alpn_client_needs, 1799 .build = tlsext_alpn_client_build, 1800 .parse = tlsext_alpn_server_parse, 1801 }, 1802 .server = { 1803 .needs = tlsext_alpn_server_needs, 1804 .build = tlsext_alpn_server_build, 1805 .parse = tlsext_alpn_client_parse, 1806 }, 1807 }, 1808 { 1809 .type = TLSEXT_TYPE_cookie, 1810 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 1811 .client = { 1812 .needs = tlsext_cookie_client_needs, 1813 .build = tlsext_cookie_client_build, 1814 .parse = tlsext_cookie_server_parse, 1815 }, 1816 .server = { 1817 .needs = tlsext_cookie_server_needs, 1818 .build = tlsext_cookie_server_build, 1819 .parse = tlsext_cookie_client_parse, 1820 }, 1821 }, 1822 #ifndef OPENSSL_NO_SRTP 1823 { 1824 .type = TLSEXT_TYPE_use_srtp, 1825 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1826 .client = { 1827 .needs = tlsext_srtp_client_needs, 1828 .build = tlsext_srtp_client_build, 1829 .parse = tlsext_srtp_server_parse, 1830 }, 1831 .server = { 1832 .needs = tlsext_srtp_server_needs, 1833 .build = tlsext_srtp_server_build, 1834 .parse = tlsext_srtp_client_parse, 1835 }, 1836 } 1837 #endif /* OPENSSL_NO_SRTP */ 1838 }; 1839 1840 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 1841 1842 /* Ensure that extensions fit in a uint32_t bitmask. */ 1843 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1844 1845 struct tls_extension * 1846 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 1847 { 1848 size_t i; 1849 1850 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1851 if (tls_extensions[i].type == type) { 1852 *tls_extensions_idx = i; 1853 return &tls_extensions[i]; 1854 } 1855 } 1856 1857 return NULL; 1858 } 1859 1860 int 1861 tlsext_extension_seen(SSL *s, uint16_t type) 1862 { 1863 size_t idx; 1864 1865 if (tls_extension_find(type, &idx) == NULL) 1866 return 0; 1867 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); 1868 } 1869 1870 static struct tls_extension_funcs * 1871 tlsext_funcs(struct tls_extension *tlsext, int is_server) 1872 { 1873 if (is_server) 1874 return &tlsext->server; 1875 1876 return &tlsext->client; 1877 } 1878 1879 static int 1880 tlsext_build(SSL *s, CBB *cbb, int is_server, uint16_t msg_type) 1881 { 1882 struct tls_extension_funcs *ext; 1883 struct tls_extension *tlsext; 1884 CBB extensions, extension_data; 1885 int extensions_present = 0; 1886 size_t i; 1887 uint16_t version; 1888 1889 if (is_server) 1890 version = s->version; 1891 else 1892 version = TLS1_get_client_version(s); 1893 1894 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 1895 return 0; 1896 1897 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1898 tlsext = &tls_extensions[i]; 1899 ext = tlsext_funcs(tlsext, is_server); 1900 1901 /* RFC 8446 Section 4.2 */ 1902 if (version >= TLS1_3_VERSION && 1903 !(tlsext->messages & msg_type)) 1904 continue; 1905 1906 if (!ext->needs(s)) 1907 continue; 1908 1909 if (!CBB_add_u16(&extensions, tlsext->type)) 1910 return 0; 1911 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 1912 return 0; 1913 1914 if (!ext->build(s, &extension_data)) 1915 return 0; 1916 1917 extensions_present = 1; 1918 } 1919 1920 if (!extensions_present) 1921 CBB_discard_child(cbb); 1922 1923 if (!CBB_flush(cbb)) 1924 return 0; 1925 1926 return 1; 1927 } 1928 1929 static int 1930 tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type) 1931 { 1932 struct tls_extension_funcs *ext; 1933 struct tls_extension *tlsext; 1934 CBS extensions, extension_data; 1935 uint16_t type; 1936 size_t idx; 1937 uint16_t version; 1938 1939 S3I(s)->hs.extensions_seen = 0; 1940 1941 if (is_server) 1942 version = s->version; 1943 else 1944 version = TLS1_get_client_version(s); 1945 1946 /* An empty extensions block is valid. */ 1947 if (CBS_len(cbs) == 0) 1948 return 1; 1949 1950 *alert = SSL_AD_DECODE_ERROR; 1951 1952 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 1953 return 0; 1954 1955 while (CBS_len(&extensions) > 0) { 1956 if (!CBS_get_u16(&extensions, &type)) 1957 return 0; 1958 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 1959 return 0; 1960 1961 if (s->internal->tlsext_debug_cb != NULL) 1962 s->internal->tlsext_debug_cb(s, is_server, type, 1963 (unsigned char *)CBS_data(&extension_data), 1964 CBS_len(&extension_data), 1965 s->internal->tlsext_debug_arg); 1966 1967 /* Unknown extensions are ignored. */ 1968 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 1969 continue; 1970 1971 /* RFC 8446 Section 4.2 */ 1972 if (version >= TLS1_3_VERSION && 1973 !(tlsext->messages & msg_type)) { 1974 *alert = SSL_AD_ILLEGAL_PARAMETER; 1975 return 0; 1976 } 1977 1978 /* Check for duplicate known extensions. */ 1979 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 1980 return 0; 1981 S3I(s)->hs.extensions_seen |= (1 << idx); 1982 1983 ext = tlsext_funcs(tlsext, is_server); 1984 if (!ext->parse(s, &extension_data, alert)) 1985 return 0; 1986 1987 if (CBS_len(&extension_data) != 0) 1988 return 0; 1989 } 1990 1991 return 1; 1992 } 1993 1994 static void 1995 tlsext_client_reset_state(SSL *s) 1996 { 1997 s->internal->servername_done = 0; 1998 s->tlsext_status_type = -1; 1999 S3I(s)->renegotiate_seen = 0; 2000 free(S3I(s)->alpn_selected); 2001 S3I(s)->alpn_selected = NULL; 2002 s->internal->srtp_profile = NULL; 2003 } 2004 2005 int 2006 tlsext_client_build(SSL *s, CBB *cbb, uint16_t msg_type) 2007 { 2008 return tlsext_build(s, cbb, 0, msg_type); 2009 } 2010 2011 int 2012 tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type) 2013 { 2014 /* XXX - this possibly should be done by the caller... */ 2015 tlsext_client_reset_state(s); 2016 2017 return tlsext_parse(s, cbs, alert, 0, msg_type); 2018 } 2019 2020 static void 2021 tlsext_server_reset_state(SSL *s) 2022 { 2023 S3I(s)->renegotiate_seen = 0; 2024 free(S3I(s)->alpn_selected); 2025 S3I(s)->alpn_selected = NULL; 2026 } 2027 2028 int 2029 tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type) 2030 { 2031 return tlsext_build(s, cbb, 1, msg_type); 2032 } 2033 2034 int 2035 tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type) 2036 { 2037 /* XXX - this possibly should be done by the caller... */ 2038 tlsext_server_reset_state(s); 2039 2040 return tlsext_parse(s, cbs, alert, 1, msg_type); 2041 } 2042