1 /* $OpenBSD: ssl_tlsext.c,v 1.129 2022/08/15 10:46:53 tb Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/socket.h> 21 22 #include <arpa/inet.h> 23 #include <netinet/in.h> 24 25 #include <ctype.h> 26 27 #include <openssl/ocsp.h> 28 #include <openssl/opensslconf.h> 29 30 #include "bytestring.h" 31 #include "ssl_locl.h" 32 #include "ssl_sigalgs.h" 33 #include "ssl_tlsext.h" 34 35 /* 36 * Supported Application-Layer Protocol Negotiation - RFC 7301 37 */ 38 39 static int 40 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 41 { 42 /* ALPN protos have been specified and this is the initial handshake */ 43 return s->internal->alpn_client_proto_list != NULL && 44 s->s3->hs.finished_len == 0; 45 } 46 47 static int 48 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 49 { 50 CBB protolist; 51 52 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 53 return 0; 54 55 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 56 s->internal->alpn_client_proto_list_len)) 57 return 0; 58 59 if (!CBB_flush(cbb)) 60 return 0; 61 62 return 1; 63 } 64 65 int 66 tlsext_alpn_check_format(CBS *cbs) 67 { 68 CBS proto_name_list; 69 70 if (CBS_len(cbs) == 0) 71 return 0; 72 73 CBS_dup(cbs, &proto_name_list); 74 while (CBS_len(&proto_name_list) > 0) { 75 CBS proto_name; 76 77 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 78 return 0; 79 if (CBS_len(&proto_name) == 0) 80 return 0; 81 } 82 83 return 1; 84 } 85 86 static int 87 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 88 { 89 CBS alpn, selected_cbs; 90 const unsigned char *selected; 91 unsigned char selected_len; 92 int r; 93 94 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 95 return 0; 96 97 if (!tlsext_alpn_check_format(&alpn)) 98 return 0; 99 100 if (s->ctx->internal->alpn_select_cb == NULL) 101 return 1; 102 103 /* 104 * XXX - A few things should be considered here: 105 * 1. Ensure that the same protocol is selected on session resumption. 106 * 2. Should the callback be called even if no ALPN extension was sent? 107 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 108 */ 109 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 110 CBS_data(&alpn), CBS_len(&alpn), 111 s->ctx->internal->alpn_select_cb_arg); 112 113 if (r == SSL_TLSEXT_ERR_OK) { 114 CBS_init(&selected_cbs, selected, selected_len); 115 116 if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected, 117 &s->s3->alpn_selected_len)) { 118 *alert = SSL_AD_INTERNAL_ERROR; 119 return 0; 120 } 121 122 return 1; 123 } 124 125 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 126 if (r == SSL_TLSEXT_ERR_NOACK) 127 return 1; 128 129 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 130 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 131 132 return 0; 133 } 134 135 static int 136 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 137 { 138 return s->s3->alpn_selected != NULL; 139 } 140 141 static int 142 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 143 { 144 CBB list, selected; 145 146 if (!CBB_add_u16_length_prefixed(cbb, &list)) 147 return 0; 148 149 if (!CBB_add_u8_length_prefixed(&list, &selected)) 150 return 0; 151 152 if (!CBB_add_bytes(&selected, s->s3->alpn_selected, 153 s->s3->alpn_selected_len)) 154 return 0; 155 156 if (!CBB_flush(cbb)) 157 return 0; 158 159 return 1; 160 } 161 162 static int 163 tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 164 { 165 CBS list, proto; 166 167 if (s->internal->alpn_client_proto_list == NULL) { 168 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 169 return 0; 170 } 171 172 if (!CBS_get_u16_length_prefixed(cbs, &list)) 173 return 0; 174 175 if (!CBS_get_u8_length_prefixed(&list, &proto)) 176 return 0; 177 178 if (CBS_len(&list) != 0) 179 return 0; 180 if (CBS_len(&proto) == 0) 181 return 0; 182 183 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len)) 184 return 0; 185 186 return 1; 187 } 188 189 /* 190 * Supported Groups - RFC 7919 section 2 191 */ 192 static int 193 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 194 { 195 return ssl_has_ecc_ciphers(s) || 196 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 197 } 198 199 static int 200 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 201 { 202 const uint16_t *groups; 203 size_t groups_len; 204 CBB grouplist; 205 int i; 206 207 tls1_get_group_list(s, 0, &groups, &groups_len); 208 if (groups_len == 0) { 209 SSLerror(s, ERR_R_INTERNAL_ERROR); 210 return 0; 211 } 212 213 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 214 return 0; 215 216 for (i = 0; i < groups_len; i++) { 217 if (!ssl_security_supported_group(s, groups[i])) 218 continue; 219 if (!CBB_add_u16(&grouplist, groups[i])) 220 return 0; 221 } 222 223 if (!CBB_flush(cbb)) 224 return 0; 225 226 return 1; 227 } 228 229 static int 230 tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 231 int *alert) 232 { 233 CBS grouplist; 234 uint16_t *groups; 235 size_t groups_len; 236 int i; 237 238 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 239 return 0; 240 241 groups_len = CBS_len(&grouplist); 242 if (groups_len == 0 || groups_len % 2 != 0) 243 return 0; 244 groups_len /= 2; 245 246 if (s->internal->hit) 247 return 1; 248 249 if (s->s3->hs.tls13.hrr) { 250 if (s->session->tlsext_supportedgroups == NULL) { 251 *alert = SSL_AD_HANDSHAKE_FAILURE; 252 return 0; 253 } 254 255 /* 256 * The ClientHello extension hashing ensures that the client 257 * did not change its list of supported groups. 258 */ 259 260 return 1; 261 } 262 263 if (s->session->tlsext_supportedgroups != NULL) 264 return 0; /* XXX internal error? */ 265 266 if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) { 267 *alert = SSL_AD_INTERNAL_ERROR; 268 return 0; 269 } 270 271 for (i = 0; i < groups_len; i++) { 272 if (!CBS_get_u16(&grouplist, &groups[i])) { 273 free(groups); 274 return 0; 275 } 276 } 277 278 if (CBS_len(&grouplist) != 0) { 279 free(groups); 280 return 0; 281 } 282 283 s->session->tlsext_supportedgroups = groups; 284 s->session->tlsext_supportedgroups_length = groups_len; 285 286 return 1; 287 } 288 289 /* This extension is never used by the server. */ 290 static int 291 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 292 { 293 return 0; 294 } 295 296 static int 297 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 298 { 299 return 0; 300 } 301 302 static int 303 tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 304 int *alert) 305 { 306 /* 307 * Servers should not send this extension per the RFC. 308 * 309 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 310 * from at least 2014 but as of 2017, there are still large sites with 311 * this unpatched in production. As a result, we need to currently skip 312 * over the extension and ignore its content: 313 * 314 * https://support.f5.com/csp/article/K37345003 315 */ 316 if (!CBS_skip(cbs, CBS_len(cbs))) { 317 *alert = SSL_AD_INTERNAL_ERROR; 318 return 0; 319 } 320 321 return 1; 322 } 323 324 /* 325 * Supported Point Formats Extension - RFC 4492 section 5.1.2 326 */ 327 static int 328 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 329 { 330 CBB ecpf; 331 size_t formats_len; 332 const uint8_t *formats; 333 334 tls1_get_formatlist(s, 0, &formats, &formats_len); 335 336 if (formats_len == 0) { 337 SSLerror(s, ERR_R_INTERNAL_ERROR); 338 return 0; 339 } 340 341 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 342 return 0; 343 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 344 return 0; 345 if (!CBB_flush(cbb)) 346 return 0; 347 348 return 1; 349 } 350 351 static int 352 tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 353 { 354 CBS ecpf; 355 356 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 357 return 0; 358 if (CBS_len(&ecpf) == 0) 359 return 0; 360 361 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 362 if (!CBS_contains_zero_byte(&ecpf)) { 363 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 364 *alert = SSL_AD_ILLEGAL_PARAMETER; 365 return 0; 366 } 367 368 if (!s->internal->hit) { 369 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), 370 &(s->session->tlsext_ecpointformatlist_length))) { 371 *alert = SSL_AD_INTERNAL_ERROR; 372 return 0; 373 } 374 } 375 376 return 1; 377 } 378 379 static int 380 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 381 { 382 return ssl_has_ecc_ciphers(s); 383 } 384 385 static int 386 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 387 { 388 return tlsext_ecpf_build(s, msg_type, cbb); 389 } 390 391 static int 392 tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 393 { 394 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 395 } 396 397 static int 398 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 399 { 400 return ssl_using_ecc_cipher(s); 401 } 402 403 static int 404 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 405 { 406 return tlsext_ecpf_build(s, msg_type, cbb); 407 } 408 409 static int 410 tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 411 { 412 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 413 } 414 415 /* 416 * Renegotiation Indication - RFC 5746. 417 */ 418 static int 419 tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 420 { 421 return (s->internal->renegotiate); 422 } 423 424 static int 425 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 426 { 427 CBB reneg; 428 429 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 430 return 0; 431 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 432 s->s3->previous_client_finished_len)) 433 return 0; 434 if (!CBB_flush(cbb)) 435 return 0; 436 437 return 1; 438 } 439 440 static int 441 tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 442 { 443 CBS reneg; 444 445 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 446 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 447 return 0; 448 } 449 450 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, 451 s->s3->previous_client_finished_len)) { 452 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 453 *alert = SSL_AD_HANDSHAKE_FAILURE; 454 return 0; 455 } 456 457 s->s3->renegotiate_seen = 1; 458 s->s3->send_connection_binding = 1; 459 460 return 1; 461 } 462 463 static int 464 tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 465 { 466 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && 467 s->s3->send_connection_binding); 468 } 469 470 static int 471 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 472 { 473 CBB reneg; 474 475 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 476 return 0; 477 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 478 s->s3->previous_client_finished_len)) 479 return 0; 480 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished, 481 s->s3->previous_server_finished_len)) 482 return 0; 483 if (!CBB_flush(cbb)) 484 return 0; 485 486 return 1; 487 } 488 489 static int 490 tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 491 { 492 CBS reneg, prev_client, prev_server; 493 494 /* 495 * Ensure that the previous client and server values are both not 496 * present, or that they are both present. 497 */ 498 if ((s->s3->previous_client_finished_len == 0 && 499 s->s3->previous_server_finished_len != 0) || 500 (s->s3->previous_client_finished_len != 0 && 501 s->s3->previous_server_finished_len == 0)) { 502 *alert = SSL_AD_INTERNAL_ERROR; 503 return 0; 504 } 505 506 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 507 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 508 return 0; 509 } 510 if (!CBS_get_bytes(&reneg, &prev_client, 511 s->s3->previous_client_finished_len)) { 512 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 513 return 0; 514 } 515 if (!CBS_get_bytes(&reneg, &prev_server, 516 s->s3->previous_server_finished_len)) { 517 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 518 return 0; 519 } 520 if (CBS_len(&reneg) != 0) { 521 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 522 return 0; 523 } 524 525 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, 526 s->s3->previous_client_finished_len)) { 527 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 528 *alert = SSL_AD_HANDSHAKE_FAILURE; 529 return 0; 530 } 531 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished, 532 s->s3->previous_server_finished_len)) { 533 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 534 *alert = SSL_AD_HANDSHAKE_FAILURE; 535 return 0; 536 } 537 538 s->s3->renegotiate_seen = 1; 539 s->s3->send_connection_binding = 1; 540 541 return 1; 542 } 543 544 /* 545 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 546 */ 547 static int 548 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 549 { 550 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION); 551 } 552 553 static int 554 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 555 { 556 uint16_t tls_version = s->s3->hs.negotiated_tls_version; 557 CBB sigalgs; 558 559 if (msg_type == SSL_TLSEXT_MSG_CH) 560 tls_version = s->s3->hs.our_min_tls_version; 561 562 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 563 return 0; 564 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) 565 return 0; 566 if (!CBB_flush(cbb)) 567 return 0; 568 569 return 1; 570 } 571 572 static int 573 tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 574 { 575 CBS sigalgs; 576 577 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 578 return 0; 579 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 580 return 0; 581 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 582 return 0; 583 584 return 1; 585 } 586 587 static int 588 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 589 { 590 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 591 } 592 593 static int 594 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 595 { 596 CBB sigalgs; 597 598 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 599 return 0; 600 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, 601 SSL_get_security_level(s))) 602 return 0; 603 if (!CBB_flush(cbb)) 604 return 0; 605 606 return 1; 607 } 608 609 static int 610 tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 611 { 612 CBS sigalgs; 613 614 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 615 return 0; 616 617 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 618 return 0; 619 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 620 return 0; 621 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 622 return 0; 623 624 return 1; 625 } 626 627 /* 628 * Server Name Indication - RFC 6066, section 3. 629 */ 630 static int 631 tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 632 { 633 return (s->tlsext_hostname != NULL); 634 } 635 636 static int 637 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 638 { 639 CBB server_name_list, host_name; 640 641 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 642 return 0; 643 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 644 return 0; 645 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 646 return 0; 647 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 648 strlen(s->tlsext_hostname))) 649 return 0; 650 if (!CBB_flush(cbb)) 651 return 0; 652 653 return 1; 654 } 655 656 static int 657 tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip) 658 { 659 union { 660 struct in_addr ip4; 661 struct in6_addr ip6; 662 } addrbuf; 663 char *hostname = NULL; 664 665 *is_ip = 0; 666 667 if (!CBS_strdup(cbs, &hostname)) 668 return 0; 669 670 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 || 671 inet_pton(AF_INET6, hostname, &addrbuf) == 1) 672 *is_ip = 1; 673 674 free(hostname); 675 676 return 1; 677 } 678 679 /* 680 * Validate that the CBS contains only a hostname consisting of RFC 5890 681 * compliant A-labels (see RFC 6066 section 3). Not a complete check 682 * since we don't parse punycode to verify its validity but limits to 683 * correct structure and character set. 684 */ 685 int 686 tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) 687 { 688 uint8_t prev, c = 0; 689 int component = 0; 690 CBS hostname; 691 692 *is_ip = 0; 693 694 CBS_dup(cbs, &hostname); 695 696 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 697 return 0; 698 699 /* An IP literal is invalid as a host name (RFC 6066 section 3). */ 700 if (!tlsext_sni_is_ip_literal(&hostname, is_ip)) 701 return 0; 702 if (*is_ip) 703 return 0; 704 705 while (CBS_len(&hostname) > 0) { 706 prev = c; 707 if (!CBS_get_u8(&hostname, &c)) 708 return 0; 709 /* Everything has to be ASCII, with no NUL byte. */ 710 if (!isascii(c) || c == '\0') 711 return 0; 712 /* It must be alphanumeric, a '-', or a '.' */ 713 if (!isalnum(c) && c != '-' && c != '.') 714 return 0; 715 /* '-' and '.' must not start a component or be at the end. */ 716 if (component == 0 || CBS_len(&hostname) == 0) { 717 if (c == '-' || c == '.') 718 return 0; 719 } 720 if (c == '.') { 721 /* Components can not end with a dash. */ 722 if (prev == '-') 723 return 0; 724 /* Start new component */ 725 component = 0; 726 continue; 727 } 728 /* Components must be 63 chars or less. */ 729 if (++component > 63) 730 return 0; 731 } 732 733 return 1; 734 } 735 736 static int 737 tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 738 { 739 CBS server_name_list, host_name; 740 uint8_t name_type; 741 int is_ip; 742 743 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 744 goto err; 745 746 if (!CBS_get_u8(&server_name_list, &name_type)) 747 goto err; 748 749 /* 750 * RFC 6066 section 3, only one type (host_name) is specified. 751 * We do not tolerate unknown types, neither does BoringSSL. 752 * other implementations appear more tolerant. 753 */ 754 if (name_type != TLSEXT_NAMETYPE_host_name) { 755 *alert = SSL_AD_ILLEGAL_PARAMETER; 756 goto err; 757 } 758 759 /* 760 * RFC 6066 section 3 specifies a host name must be at least 1 byte 761 * so 0 length is a decode error. 762 */ 763 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 764 goto err; 765 if (CBS_len(&host_name) < 1) 766 goto err; 767 768 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) { 769 /* 770 * Various pieces of software have been known to set the SNI 771 * host name to an IP address, even though that violates the 772 * RFC. If this is the case, pretend the SNI extension does 773 * not exist. 774 */ 775 if (is_ip) 776 goto done; 777 778 *alert = SSL_AD_ILLEGAL_PARAMETER; 779 goto err; 780 } 781 782 if (s->internal->hit || s->s3->hs.tls13.hrr) { 783 if (s->session->tlsext_hostname == NULL) { 784 *alert = SSL_AD_UNRECOGNIZED_NAME; 785 goto err; 786 } 787 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 788 strlen(s->session->tlsext_hostname))) { 789 *alert = SSL_AD_UNRECOGNIZED_NAME; 790 goto err; 791 } 792 } else { 793 if (s->session->tlsext_hostname != NULL) 794 goto err; 795 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 796 *alert = SSL_AD_INTERNAL_ERROR; 797 goto err; 798 } 799 } 800 801 done: 802 /* 803 * RFC 6066 section 3 forbids multiple host names with the same type, 804 * therefore we allow only one entry. 805 */ 806 if (CBS_len(&server_name_list) != 0) { 807 *alert = SSL_AD_ILLEGAL_PARAMETER; 808 goto err; 809 } 810 811 return 1; 812 813 err: 814 return 0; 815 } 816 817 static int 818 tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 819 { 820 if (s->internal->hit) 821 return 0; 822 823 return (s->session->tlsext_hostname != NULL); 824 } 825 826 static int 827 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 828 { 829 return 1; 830 } 831 832 static int 833 tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 834 { 835 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 836 *alert = SSL_AD_UNRECOGNIZED_NAME; 837 return 0; 838 } 839 840 if (s->internal->hit) { 841 if (s->session->tlsext_hostname == NULL) { 842 *alert = SSL_AD_UNRECOGNIZED_NAME; 843 return 0; 844 } 845 if (strcmp(s->tlsext_hostname, 846 s->session->tlsext_hostname) != 0) { 847 *alert = SSL_AD_UNRECOGNIZED_NAME; 848 return 0; 849 } 850 } else { 851 if (s->session->tlsext_hostname != NULL) 852 return 0; 853 if ((s->session->tlsext_hostname = 854 strdup(s->tlsext_hostname)) == NULL) { 855 *alert = SSL_AD_INTERNAL_ERROR; 856 return 0; 857 } 858 } 859 860 return 1; 861 } 862 863 /* 864 * Certificate Status Request - RFC 6066 section 8. 865 */ 866 867 static int 868 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 869 { 870 if (msg_type != SSL_TLSEXT_MSG_CH) 871 return 0; 872 873 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 874 } 875 876 static int 877 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 878 { 879 CBB respid_list, respid, exts; 880 unsigned char *ext_data; 881 size_t ext_len; 882 int i; 883 884 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 885 return 0; 886 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 887 return 0; 888 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 889 unsigned char *respid_data; 890 OCSP_RESPID *id; 891 size_t id_len; 892 893 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 894 i)) == NULL) 895 return 0; 896 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 897 return 0; 898 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 899 return 0; 900 if (!CBB_add_space(&respid, &respid_data, id_len)) 901 return 0; 902 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 903 return 0; 904 } 905 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 906 return 0; 907 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 908 NULL)) == -1) 909 return 0; 910 if (!CBB_add_space(&exts, &ext_data, ext_len)) 911 return 0; 912 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 913 ext_len)) 914 return 0; 915 if (!CBB_flush(cbb)) 916 return 0; 917 return 1; 918 } 919 920 static int 921 tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 922 { 923 int alert_desc = SSL_AD_DECODE_ERROR; 924 CBS respid_list, respid, exts; 925 const unsigned char *p; 926 uint8_t status_type; 927 int ret = 0; 928 929 if (msg_type != SSL_TLSEXT_MSG_CH) 930 goto err; 931 932 if (!CBS_get_u8(cbs, &status_type)) 933 goto err; 934 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 935 /* ignore unknown status types */ 936 s->tlsext_status_type = -1; 937 938 if (!CBS_skip(cbs, CBS_len(cbs))) { 939 *alert = SSL_AD_INTERNAL_ERROR; 940 return 0; 941 } 942 return 1; 943 } 944 s->tlsext_status_type = status_type; 945 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 946 goto err; 947 948 /* XXX */ 949 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 950 s->internal->tlsext_ocsp_ids = NULL; 951 if (CBS_len(&respid_list) > 0) { 952 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 953 if (s->internal->tlsext_ocsp_ids == NULL) { 954 alert_desc = SSL_AD_INTERNAL_ERROR; 955 goto err; 956 } 957 } 958 959 while (CBS_len(&respid_list) > 0) { 960 OCSP_RESPID *id; 961 962 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 963 goto err; 964 p = CBS_data(&respid); 965 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 966 goto err; 967 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 968 alert_desc = SSL_AD_INTERNAL_ERROR; 969 OCSP_RESPID_free(id); 970 goto err; 971 } 972 } 973 974 /* Read in request_extensions */ 975 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 976 goto err; 977 if (CBS_len(&exts) > 0) { 978 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 979 X509_EXTENSION_free); 980 p = CBS_data(&exts); 981 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 982 &p, CBS_len(&exts))) == NULL) 983 goto err; 984 } 985 986 ret = 1; 987 err: 988 if (ret == 0) 989 *alert = alert_desc; 990 return ret; 991 } 992 993 static int 994 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 995 { 996 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 997 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 998 s->ctx->internal->tlsext_status_cb != NULL) { 999 s->internal->tlsext_status_expected = 0; 1000 if (s->ctx->internal->tlsext_status_cb(s, 1001 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 1002 s->internal->tlsext_ocsp_resp_len > 0) 1003 s->internal->tlsext_status_expected = 1; 1004 } 1005 return s->internal->tlsext_status_expected; 1006 } 1007 1008 static int 1009 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1010 { 1011 CBB ocsp_response; 1012 1013 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1014 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1015 return 0; 1016 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1017 return 0; 1018 if (!CBB_add_bytes(&ocsp_response, 1019 s->internal->tlsext_ocsp_resp, 1020 s->internal->tlsext_ocsp_resp_len)) 1021 return 0; 1022 if (!CBB_flush(cbb)) 1023 return 0; 1024 } 1025 return 1; 1026 } 1027 1028 static int 1029 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1030 { 1031 uint8_t status_type; 1032 CBS response; 1033 1034 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1035 if (msg_type == SSL_TLSEXT_MSG_CR) { 1036 /* 1037 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1038 * response with an empty status_request. 1039 */ 1040 if (CBS_len(cbs) == 0) 1041 return 1; 1042 1043 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1044 return 0; 1045 } 1046 if (!CBS_get_u8(cbs, &status_type)) { 1047 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1048 return 0; 1049 } 1050 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1051 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1052 return 0; 1053 } 1054 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1055 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1056 return 0; 1057 } 1058 if (CBS_len(&response) > 65536) { 1059 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1060 return 0; 1061 } 1062 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 1063 &s->internal->tlsext_ocsp_resp_len)) { 1064 *alert = SSL_AD_INTERNAL_ERROR; 1065 return 0; 1066 } 1067 } else { 1068 if (s->tlsext_status_type == -1) { 1069 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1070 return 0; 1071 } 1072 /* Set flag to expect CertificateStatus message */ 1073 s->internal->tlsext_status_expected = 1; 1074 } 1075 return 1; 1076 } 1077 1078 /* 1079 * SessionTicket extension - RFC 5077 section 3.2 1080 */ 1081 static int 1082 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1083 { 1084 /* 1085 * Send session ticket extension when enabled and not overridden. 1086 * 1087 * When renegotiating, send an empty session ticket to indicate support. 1088 */ 1089 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1090 return 0; 1091 1092 if (!ssl_security_tickets(s)) 1093 return 0; 1094 1095 if (s->internal->new_session) 1096 return 1; 1097 1098 if (s->internal->tlsext_session_ticket != NULL && 1099 s->internal->tlsext_session_ticket->data == NULL) 1100 return 0; 1101 1102 return 1; 1103 } 1104 1105 static int 1106 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1107 { 1108 /* 1109 * Signal that we support session tickets by sending an empty 1110 * extension when renegotiating or no session found. 1111 */ 1112 if (s->internal->new_session || s->session == NULL) 1113 return 1; 1114 1115 if (s->session->tlsext_tick != NULL) { 1116 /* Attempt to resume with an existing session ticket */ 1117 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1118 s->session->tlsext_ticklen)) 1119 return 0; 1120 1121 } else if (s->internal->tlsext_session_ticket != NULL) { 1122 /* 1123 * Attempt to resume with a custom provided session ticket set 1124 * by SSL_set_session_ticket_ext(). 1125 */ 1126 if (s->internal->tlsext_session_ticket->length > 0) { 1127 size_t ticklen = s->internal->tlsext_session_ticket->length; 1128 1129 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1130 return 0; 1131 memcpy(s->session->tlsext_tick, 1132 s->internal->tlsext_session_ticket->data, 1133 ticklen); 1134 s->session->tlsext_ticklen = ticklen; 1135 1136 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1137 s->session->tlsext_ticklen)) 1138 return 0; 1139 } 1140 } 1141 1142 if (!CBB_flush(cbb)) 1143 return 0; 1144 1145 return 1; 1146 } 1147 1148 static int 1149 tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1150 int *alert) 1151 { 1152 if (s->internal->tls_session_ticket_ext_cb) { 1153 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1154 (int)CBS_len(cbs), 1155 s->internal->tls_session_ticket_ext_cb_arg)) { 1156 *alert = SSL_AD_INTERNAL_ERROR; 1157 return 0; 1158 } 1159 } 1160 1161 /* We need to signal that this was processed fully */ 1162 if (!CBS_skip(cbs, CBS_len(cbs))) { 1163 *alert = SSL_AD_INTERNAL_ERROR; 1164 return 0; 1165 } 1166 1167 return 1; 1168 } 1169 1170 static int 1171 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1172 { 1173 return (s->internal->tlsext_ticket_expected && 1174 !(SSL_get_options(s) & SSL_OP_NO_TICKET) && 1175 ssl_security_tickets(s)); 1176 } 1177 1178 static int 1179 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1180 { 1181 /* Empty ticket */ 1182 return 1; 1183 } 1184 1185 static int 1186 tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1187 int *alert) 1188 { 1189 if (s->internal->tls_session_ticket_ext_cb) { 1190 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1191 (int)CBS_len(cbs), 1192 s->internal->tls_session_ticket_ext_cb_arg)) { 1193 *alert = SSL_AD_INTERNAL_ERROR; 1194 return 0; 1195 } 1196 } 1197 1198 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1199 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1200 return 0; 1201 } 1202 1203 s->internal->tlsext_ticket_expected = 1; 1204 1205 return 1; 1206 } 1207 1208 /* 1209 * DTLS extension for SRTP key establishment - RFC 5764 1210 */ 1211 1212 #ifndef OPENSSL_NO_SRTP 1213 1214 static int 1215 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1216 { 1217 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1218 } 1219 1220 static int 1221 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1222 { 1223 CBB profiles, mki; 1224 int ct, i; 1225 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1226 const SRTP_PROTECTION_PROFILE *prof; 1227 1228 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1229 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1230 return 0; 1231 } 1232 1233 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1234 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1235 return 0; 1236 } 1237 1238 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1239 return 0; 1240 1241 for (i = 0; i < ct; i++) { 1242 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1243 return 0; 1244 if (!CBB_add_u16(&profiles, prof->id)) 1245 return 0; 1246 } 1247 1248 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1249 return 0; 1250 1251 if (!CBB_flush(cbb)) 1252 return 0; 1253 1254 return 1; 1255 } 1256 1257 static int 1258 tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1259 { 1260 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1261 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1262 int i, j; 1263 int ret; 1264 uint16_t id; 1265 CBS profiles, mki; 1266 1267 ret = 0; 1268 1269 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1270 goto err; 1271 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1272 goto err; 1273 1274 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1275 goto err; 1276 1277 while (CBS_len(&profiles) > 0) { 1278 if (!CBS_get_u16(&profiles, &id)) 1279 goto err; 1280 1281 if (!srtp_find_profile_by_num(id, &cprof)) { 1282 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1283 goto err; 1284 } 1285 } 1286 1287 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1288 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1289 goto done; 1290 } 1291 1292 /* 1293 * Per RFC 5764 section 4.1.1 1294 * 1295 * Find the server preferred profile using the client's list. 1296 * 1297 * The server MUST send a profile if it sends the use_srtp 1298 * extension. If one is not found, it should fall back to the 1299 * negotiated DTLS cipher suite or return a DTLS alert. 1300 */ 1301 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1302 goto err; 1303 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1304 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL) 1305 goto err; 1306 1307 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1308 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1309 == NULL) 1310 goto err; 1311 1312 if (cprof->id == sprof->id) { 1313 s->internal->srtp_profile = sprof; 1314 ret = 1; 1315 goto done; 1316 } 1317 } 1318 } 1319 1320 /* If we didn't find anything, fall back to the negotiated */ 1321 ret = 1; 1322 goto done; 1323 1324 err: 1325 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1326 1327 done: 1328 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1329 return ret; 1330 } 1331 1332 static int 1333 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1334 { 1335 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1336 } 1337 1338 static int 1339 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1340 { 1341 SRTP_PROTECTION_PROFILE *profile; 1342 CBB srtp, mki; 1343 1344 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1345 return 0; 1346 1347 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1348 return 0; 1349 1350 if (!CBB_add_u16(&srtp, profile->id)) 1351 return 0; 1352 1353 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1354 return 0; 1355 1356 if (!CBB_flush(cbb)) 1357 return 0; 1358 1359 return 1; 1360 } 1361 1362 static int 1363 tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1364 { 1365 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1366 const SRTP_PROTECTION_PROFILE *prof; 1367 int i; 1368 uint16_t id; 1369 CBS profile_ids, mki; 1370 1371 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1372 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1373 return 0; 1374 } 1375 1376 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1377 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1378 return 0; 1379 } 1380 1381 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1382 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1383 *alert = SSL_AD_ILLEGAL_PARAMETER; 1384 return 0; 1385 } 1386 1387 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1388 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1389 return 0; 1390 } 1391 1392 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1393 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1394 == NULL) { 1395 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1396 return 0; 1397 } 1398 1399 if (prof->id == id) { 1400 s->internal->srtp_profile = prof; 1401 return 1; 1402 } 1403 } 1404 1405 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1406 1407 return 0; 1408 } 1409 1410 #endif /* OPENSSL_NO_SRTP */ 1411 1412 /* 1413 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1414 */ 1415 static int 1416 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1417 { 1418 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1419 } 1420 1421 static int 1422 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1423 { 1424 CBB client_shares, key_exchange; 1425 1426 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1427 return 0; 1428 1429 if (!CBB_add_u16(&client_shares, 1430 tls_key_share_group(s->s3->hs.key_share))) 1431 return 0; 1432 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1433 return 0; 1434 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1435 return 0; 1436 1437 if (!CBB_flush(cbb)) 1438 return 0; 1439 1440 return 1; 1441 } 1442 1443 static int 1444 tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1445 { 1446 CBS client_shares, key_exchange; 1447 int decode_error; 1448 uint16_t group; 1449 1450 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1451 return 0; 1452 1453 while (CBS_len(&client_shares) > 0) { 1454 1455 /* Unpack client share. */ 1456 if (!CBS_get_u16(&client_shares, &group)) 1457 return 0; 1458 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1459 return 0; 1460 1461 /* 1462 * XXX - check key exchange against supported groups from client. 1463 * XXX - check that groups only appear once. 1464 */ 1465 1466 /* 1467 * Ignore this client share if we're using earlier than TLSv1.3 1468 * or we've already selected a key share. 1469 */ 1470 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) 1471 continue; 1472 if (s->s3->hs.key_share != NULL) 1473 continue; 1474 1475 /* XXX - consider implementing server preference. */ 1476 if (!tls1_check_group(s, group)) 1477 continue; 1478 1479 /* Decode and store the selected key share. */ 1480 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1481 *alert = SSL_AD_INTERNAL_ERROR; 1482 return 0; 1483 } 1484 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1485 &key_exchange, &decode_error, NULL)) { 1486 if (!decode_error) 1487 *alert = SSL_AD_INTERNAL_ERROR; 1488 return 0; 1489 } 1490 } 1491 1492 return 1; 1493 } 1494 1495 static int 1496 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1497 { 1498 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1499 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1500 } 1501 1502 static int 1503 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1504 { 1505 CBB key_exchange; 1506 1507 /* In the case of a HRR, we only send the server selected group. */ 1508 if (s->s3->hs.tls13.hrr) { 1509 if (s->s3->hs.tls13.server_group == 0) 1510 return 0; 1511 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group); 1512 } 1513 1514 if (s->s3->hs.key_share == NULL) 1515 return 0; 1516 1517 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share))) 1518 return 0; 1519 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1520 return 0; 1521 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1522 return 0; 1523 1524 if (!CBB_flush(cbb)) 1525 return 0; 1526 1527 return 1; 1528 } 1529 1530 static int 1531 tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1532 { 1533 CBS key_exchange; 1534 int decode_error; 1535 uint16_t group; 1536 1537 /* Unpack server share. */ 1538 if (!CBS_get_u16(cbs, &group)) 1539 return 0; 1540 1541 if (CBS_len(cbs) == 0) { 1542 /* HRR does not include an actual key share, only the group. */ 1543 if (msg_type != SSL_TLSEXT_MSG_HRR) 1544 return 0; 1545 1546 s->s3->hs.tls13.server_group = group; 1547 return 1; 1548 } 1549 1550 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1551 return 0; 1552 1553 if (s->s3->hs.key_share == NULL) { 1554 *alert = SSL_AD_INTERNAL_ERROR; 1555 return 0; 1556 } 1557 if (tls_key_share_group(s->s3->hs.key_share) != group) { 1558 *alert = SSL_AD_INTERNAL_ERROR; 1559 return 0; 1560 } 1561 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1562 &key_exchange, &decode_error, NULL)) { 1563 if (!decode_error) 1564 *alert = SSL_AD_INTERNAL_ERROR; 1565 return 0; 1566 } 1567 1568 return 1; 1569 } 1570 1571 /* 1572 * Supported Versions - RFC 8446 section 4.2.1. 1573 */ 1574 static int 1575 tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1576 { 1577 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1578 } 1579 1580 static int 1581 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1582 { 1583 uint16_t max, min; 1584 uint16_t version; 1585 CBB versions; 1586 1587 max = s->s3->hs.our_max_tls_version; 1588 min = s->s3->hs.our_min_tls_version; 1589 1590 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1591 return 0; 1592 1593 /* XXX - fix, but contiguous for now... */ 1594 for (version = max; version >= min; version--) { 1595 if (!CBB_add_u16(&versions, version)) 1596 return 0; 1597 } 1598 1599 if (!CBB_flush(cbb)) 1600 return 0; 1601 1602 return 1; 1603 } 1604 1605 static int 1606 tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1607 { 1608 CBS versions; 1609 uint16_t version; 1610 uint16_t max, min; 1611 uint16_t matched_version = 0; 1612 1613 max = s->s3->hs.our_max_tls_version; 1614 min = s->s3->hs.our_min_tls_version; 1615 1616 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1617 return 0; 1618 1619 while (CBS_len(&versions) > 0) { 1620 if (!CBS_get_u16(&versions, &version)) 1621 return 0; 1622 /* 1623 * XXX What is below implements client preference, and 1624 * ignores any server preference entirely. 1625 */ 1626 if (matched_version == 0 && version >= min && version <= max) 1627 matched_version = version; 1628 } 1629 1630 if (matched_version > 0) { 1631 /* XXX - this should be stored for later processing. */ 1632 s->version = matched_version; 1633 return 1; 1634 } 1635 1636 *alert = SSL_AD_PROTOCOL_VERSION; 1637 return 0; 1638 } 1639 1640 static int 1641 tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1642 { 1643 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 1644 } 1645 1646 static int 1647 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1648 { 1649 return CBB_add_u16(cbb, TLS1_3_VERSION); 1650 } 1651 1652 static int 1653 tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1654 { 1655 uint16_t selected_version; 1656 1657 if (!CBS_get_u16(cbs, &selected_version)) 1658 return 0; 1659 1660 /* XXX - need to fix for DTLS 1.3 */ 1661 if (selected_version < TLS1_3_VERSION) { 1662 *alert = SSL_AD_ILLEGAL_PARAMETER; 1663 return 0; 1664 } 1665 1666 /* XXX test between min and max once initialization code goes in */ 1667 s->s3->hs.tls13.server_version = selected_version; 1668 1669 return 1; 1670 } 1671 1672 1673 /* 1674 * Cookie - RFC 8446 section 4.2.2. 1675 */ 1676 1677 static int 1678 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1679 { 1680 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1681 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1682 } 1683 1684 static int 1685 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1686 { 1687 CBB cookie; 1688 1689 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1690 return 0; 1691 1692 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1693 s->s3->hs.tls13.cookie_len)) 1694 return 0; 1695 1696 if (!CBB_flush(cbb)) 1697 return 0; 1698 1699 return 1; 1700 } 1701 1702 static int 1703 tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1704 { 1705 CBS cookie; 1706 1707 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1708 return 0; 1709 1710 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len) 1711 return 0; 1712 1713 /* 1714 * Check provided cookie value against what server previously 1715 * sent - client *MUST* send the same cookie with new CR after 1716 * a cookie is sent by the server with an HRR. 1717 */ 1718 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie, 1719 s->s3->hs.tls13.cookie_len)) { 1720 /* XXX special cookie mismatch alert? */ 1721 *alert = SSL_AD_ILLEGAL_PARAMETER; 1722 return 0; 1723 } 1724 1725 return 1; 1726 } 1727 1728 static int 1729 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1730 { 1731 /* 1732 * Server needs to set cookie value in tls13 handshake 1733 * in order to send one, should only be sent with HRR. 1734 */ 1735 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1736 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1737 } 1738 1739 static int 1740 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1741 { 1742 CBB cookie; 1743 1744 /* XXX deduplicate with client code */ 1745 1746 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1747 return 0; 1748 1749 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1750 s->s3->hs.tls13.cookie_len)) 1751 return 0; 1752 1753 if (!CBB_flush(cbb)) 1754 return 0; 1755 1756 return 1; 1757 } 1758 1759 static int 1760 tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1761 { 1762 CBS cookie; 1763 1764 /* 1765 * XXX This currently assumes we will not get a second 1766 * HRR from a server with a cookie to process after accepting 1767 * one from the server in the same handshake 1768 */ 1769 if (s->s3->hs.tls13.cookie != NULL || 1770 s->s3->hs.tls13.cookie_len != 0) { 1771 *alert = SSL_AD_ILLEGAL_PARAMETER; 1772 return 0; 1773 } 1774 1775 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1776 return 0; 1777 1778 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie, 1779 &s->s3->hs.tls13.cookie_len)) 1780 return 0; 1781 1782 return 1; 1783 } 1784 1785 /* 1786 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9. 1787 */ 1788 1789 static int 1790 tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type) 1791 { 1792 return (s->s3->hs.tls13.use_psk_dhe_ke && 1793 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1794 } 1795 1796 static int 1797 tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1798 { 1799 CBB ke_modes; 1800 1801 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes)) 1802 return 0; 1803 1804 /* Only indicate support for PSK with DHE key establishment. */ 1805 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE)) 1806 return 0; 1807 1808 if (!CBB_flush(cbb)) 1809 return 0; 1810 1811 return 1; 1812 } 1813 1814 static int 1815 tlsext_psk_kex_modes_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1816 int *alert) 1817 { 1818 CBS ke_modes; 1819 uint8_t ke_mode; 1820 1821 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes)) 1822 return 0; 1823 1824 while (CBS_len(&ke_modes) > 0) { 1825 if (!CBS_get_u8(&ke_modes, &ke_mode)) 1826 return 0; 1827 1828 if (ke_mode == TLS13_PSK_DHE_KE) 1829 s->s3->hs.tls13.use_psk_dhe_ke = 1; 1830 } 1831 1832 return 1; 1833 } 1834 1835 static int 1836 tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type) 1837 { 1838 /* Servers MUST NOT send this extension. */ 1839 return 0; 1840 } 1841 1842 static int 1843 tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1844 { 1845 return 0; 1846 } 1847 1848 static int 1849 tlsext_psk_kex_modes_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1850 int *alert) 1851 { 1852 return 0; 1853 } 1854 1855 /* 1856 * Pre-Shared Key Extension - RFC 8446, 4.2.11 1857 */ 1858 1859 static int 1860 tlsext_psk_client_needs(SSL *s, uint16_t msg_type) 1861 { 1862 return 0; 1863 } 1864 1865 static int 1866 tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1867 { 1868 return 0; 1869 } 1870 1871 static int 1872 tlsext_psk_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1873 { 1874 return CBS_skip(cbs, CBS_len(cbs)); 1875 } 1876 1877 static int 1878 tlsext_psk_server_needs(SSL *s, uint16_t msg_type) 1879 { 1880 return 0; 1881 } 1882 1883 static int 1884 tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1885 { 1886 return 0; 1887 } 1888 1889 static int 1890 tlsext_psk_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1891 { 1892 return CBS_skip(cbs, CBS_len(cbs)); 1893 } 1894 1895 /* 1896 * QUIC transport parameters extension - RFC 9001 section 8.2. 1897 */ 1898 1899 static int 1900 tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type) 1901 { 1902 return SSL_is_quic(s) && s->internal->quic_transport_params_len > 0; 1903 } 1904 1905 static int 1906 tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type, 1907 CBB *cbb) 1908 { 1909 if (!CBB_add_bytes(cbb, s->internal->quic_transport_params, 1910 s->internal->quic_transport_params_len)) 1911 return 0; 1912 1913 return 1; 1914 } 1915 1916 static int 1917 tlsext_quic_transport_parameters_client_parse(SSL *s, uint16_t msg_type, 1918 CBS *cbs, int *alert) 1919 { 1920 if (!SSL_is_quic(s)) { 1921 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1922 return 0; 1923 } 1924 1925 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 1926 &s->s3->peer_quic_transport_params_len)) 1927 return 0; 1928 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 1929 return 0; 1930 1931 return 1; 1932 } 1933 1934 static int 1935 tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type) 1936 { 1937 return SSL_is_quic(s) && s->internal->quic_transport_params_len > 0; 1938 } 1939 1940 static int 1941 tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type, 1942 CBB *cbb) 1943 { 1944 if (!CBB_add_bytes(cbb, s->internal->quic_transport_params, 1945 s->internal->quic_transport_params_len)) 1946 return 0; 1947 1948 return 1; 1949 } 1950 1951 static int 1952 tlsext_quic_transport_parameters_server_parse(SSL *s, uint16_t msg_type, 1953 CBS *cbs, int *alert) 1954 { 1955 if (!SSL_is_quic(s)) { 1956 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1957 return 0; 1958 } 1959 1960 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 1961 &s->s3->peer_quic_transport_params_len)) 1962 return 0; 1963 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 1964 return 0; 1965 1966 return 1; 1967 } 1968 1969 struct tls_extension_funcs { 1970 int (*needs)(SSL *s, uint16_t msg_type); 1971 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 1972 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 1973 }; 1974 1975 struct tls_extension { 1976 uint16_t type; 1977 uint16_t messages; 1978 struct tls_extension_funcs client; 1979 struct tls_extension_funcs server; 1980 }; 1981 1982 static const struct tls_extension tls_extensions[] = { 1983 { 1984 .type = TLSEXT_TYPE_supported_versions, 1985 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1986 SSL_TLSEXT_MSG_HRR, 1987 .client = { 1988 .needs = tlsext_versions_client_needs, 1989 .build = tlsext_versions_client_build, 1990 .parse = tlsext_versions_client_parse, 1991 }, 1992 .server = { 1993 .needs = tlsext_versions_server_needs, 1994 .build = tlsext_versions_server_build, 1995 .parse = tlsext_versions_server_parse, 1996 }, 1997 }, 1998 { 1999 .type = TLSEXT_TYPE_key_share, 2000 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2001 SSL_TLSEXT_MSG_HRR, 2002 .client = { 2003 .needs = tlsext_keyshare_client_needs, 2004 .build = tlsext_keyshare_client_build, 2005 .parse = tlsext_keyshare_client_parse, 2006 }, 2007 .server = { 2008 .needs = tlsext_keyshare_server_needs, 2009 .build = tlsext_keyshare_server_build, 2010 .parse = tlsext_keyshare_server_parse, 2011 }, 2012 }, 2013 { 2014 .type = TLSEXT_TYPE_server_name, 2015 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2016 .client = { 2017 .needs = tlsext_sni_client_needs, 2018 .build = tlsext_sni_client_build, 2019 .parse = tlsext_sni_client_parse, 2020 }, 2021 .server = { 2022 .needs = tlsext_sni_server_needs, 2023 .build = tlsext_sni_server_build, 2024 .parse = tlsext_sni_server_parse, 2025 }, 2026 }, 2027 { 2028 .type = TLSEXT_TYPE_renegotiate, 2029 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2030 .client = { 2031 .needs = tlsext_ri_client_needs, 2032 .build = tlsext_ri_client_build, 2033 .parse = tlsext_ri_client_parse, 2034 }, 2035 .server = { 2036 .needs = tlsext_ri_server_needs, 2037 .build = tlsext_ri_server_build, 2038 .parse = tlsext_ri_server_parse, 2039 }, 2040 }, 2041 { 2042 .type = TLSEXT_TYPE_status_request, 2043 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 2044 SSL_TLSEXT_MSG_CT, 2045 .client = { 2046 .needs = tlsext_ocsp_client_needs, 2047 .build = tlsext_ocsp_client_build, 2048 .parse = tlsext_ocsp_client_parse, 2049 }, 2050 .server = { 2051 .needs = tlsext_ocsp_server_needs, 2052 .build = tlsext_ocsp_server_build, 2053 .parse = tlsext_ocsp_server_parse, 2054 }, 2055 }, 2056 { 2057 .type = TLSEXT_TYPE_ec_point_formats, 2058 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2059 .client = { 2060 .needs = tlsext_ecpf_client_needs, 2061 .build = tlsext_ecpf_client_build, 2062 .parse = tlsext_ecpf_client_parse, 2063 }, 2064 .server = { 2065 .needs = tlsext_ecpf_server_needs, 2066 .build = tlsext_ecpf_server_build, 2067 .parse = tlsext_ecpf_server_parse, 2068 }, 2069 }, 2070 { 2071 .type = TLSEXT_TYPE_supported_groups, 2072 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2073 .client = { 2074 .needs = tlsext_supportedgroups_client_needs, 2075 .build = tlsext_supportedgroups_client_build, 2076 .parse = tlsext_supportedgroups_client_parse, 2077 }, 2078 .server = { 2079 .needs = tlsext_supportedgroups_server_needs, 2080 .build = tlsext_supportedgroups_server_build, 2081 .parse = tlsext_supportedgroups_server_parse, 2082 }, 2083 }, 2084 { 2085 .type = TLSEXT_TYPE_session_ticket, 2086 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2087 .client = { 2088 .needs = tlsext_sessionticket_client_needs, 2089 .build = tlsext_sessionticket_client_build, 2090 .parse = tlsext_sessionticket_client_parse, 2091 }, 2092 .server = { 2093 .needs = tlsext_sessionticket_server_needs, 2094 .build = tlsext_sessionticket_server_build, 2095 .parse = tlsext_sessionticket_server_parse, 2096 }, 2097 }, 2098 { 2099 .type = TLSEXT_TYPE_signature_algorithms, 2100 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 2101 .client = { 2102 .needs = tlsext_sigalgs_client_needs, 2103 .build = tlsext_sigalgs_client_build, 2104 .parse = tlsext_sigalgs_client_parse, 2105 }, 2106 .server = { 2107 .needs = tlsext_sigalgs_server_needs, 2108 .build = tlsext_sigalgs_server_build, 2109 .parse = tlsext_sigalgs_server_parse, 2110 }, 2111 }, 2112 { 2113 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 2114 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2115 .client = { 2116 .needs = tlsext_alpn_client_needs, 2117 .build = tlsext_alpn_client_build, 2118 .parse = tlsext_alpn_client_parse, 2119 }, 2120 .server = { 2121 .needs = tlsext_alpn_server_needs, 2122 .build = tlsext_alpn_server_build, 2123 .parse = tlsext_alpn_server_parse, 2124 }, 2125 }, 2126 { 2127 .type = TLSEXT_TYPE_cookie, 2128 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 2129 .client = { 2130 .needs = tlsext_cookie_client_needs, 2131 .build = tlsext_cookie_client_build, 2132 .parse = tlsext_cookie_client_parse, 2133 }, 2134 .server = { 2135 .needs = tlsext_cookie_server_needs, 2136 .build = tlsext_cookie_server_build, 2137 .parse = tlsext_cookie_server_parse, 2138 }, 2139 }, 2140 #ifndef OPENSSL_NO_SRTP 2141 { 2142 .type = TLSEXT_TYPE_use_srtp, 2143 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 2144 SSL_TLSEXT_MSG_EE, 2145 .client = { 2146 .needs = tlsext_srtp_client_needs, 2147 .build = tlsext_srtp_client_build, 2148 .parse = tlsext_srtp_client_parse, 2149 }, 2150 .server = { 2151 .needs = tlsext_srtp_server_needs, 2152 .build = tlsext_srtp_server_build, 2153 .parse = tlsext_srtp_server_parse, 2154 }, 2155 }, 2156 #endif /* OPENSSL_NO_SRTP */ 2157 { 2158 .type = TLSEXT_TYPE_quic_transport_parameters, 2159 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2160 .client = { 2161 .needs = tlsext_quic_transport_parameters_client_needs, 2162 .build = tlsext_quic_transport_parameters_client_build, 2163 .parse = tlsext_quic_transport_parameters_client_parse, 2164 }, 2165 .server = { 2166 .needs = tlsext_quic_transport_parameters_server_needs, 2167 .build = tlsext_quic_transport_parameters_server_build, 2168 .parse = tlsext_quic_transport_parameters_server_parse, 2169 }, 2170 }, 2171 { 2172 .type = TLSEXT_TYPE_psk_key_exchange_modes, 2173 .messages = SSL_TLSEXT_MSG_CH, 2174 .client = { 2175 .needs = tlsext_psk_kex_modes_client_needs, 2176 .build = tlsext_psk_kex_modes_client_build, 2177 .parse = tlsext_psk_kex_modes_client_parse, 2178 }, 2179 .server = { 2180 .needs = tlsext_psk_kex_modes_server_needs, 2181 .build = tlsext_psk_kex_modes_server_build, 2182 .parse = tlsext_psk_kex_modes_server_parse, 2183 }, 2184 }, 2185 { 2186 /* MUST be last extension in CH per RFC 8446 section 4.2. */ 2187 2188 .type = TLSEXT_TYPE_pre_shared_key, 2189 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2190 .client = { 2191 .needs = tlsext_psk_client_needs, 2192 .build = tlsext_psk_client_build, 2193 .parse = tlsext_psk_client_parse, 2194 }, 2195 .server = { 2196 .needs = tlsext_psk_server_needs, 2197 .build = tlsext_psk_server_build, 2198 .parse = tlsext_psk_server_parse, 2199 }, 2200 }, 2201 }; 2202 2203 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 2204 2205 /* Ensure that extensions fit in a uint32_t bitmask. */ 2206 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2207 2208 const struct tls_extension * 2209 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2210 { 2211 size_t i; 2212 2213 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2214 if (tls_extensions[i].type == type) { 2215 *tls_extensions_idx = i; 2216 return &tls_extensions[i]; 2217 } 2218 } 2219 2220 return NULL; 2221 } 2222 2223 int 2224 tlsext_extension_seen(SSL *s, uint16_t type) 2225 { 2226 size_t idx; 2227 2228 if (tls_extension_find(type, &idx) == NULL) 2229 return 0; 2230 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0); 2231 } 2232 2233 const struct tls_extension_funcs * 2234 tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2235 { 2236 if (is_server) 2237 return &tlsext->server; 2238 2239 return &tlsext->client; 2240 } 2241 2242 static int 2243 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2244 { 2245 const struct tls_extension_funcs *ext; 2246 const struct tls_extension *tlsext; 2247 CBB extensions, extension_data; 2248 int extensions_present = 0; 2249 uint16_t tls_version; 2250 size_t i; 2251 2252 tls_version = ssl_effective_tls_version(s); 2253 2254 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2255 return 0; 2256 2257 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2258 tlsext = &tls_extensions[i]; 2259 ext = tlsext_funcs(tlsext, is_server); 2260 2261 /* RFC 8446 Section 4.2 */ 2262 if (tls_version >= TLS1_3_VERSION && 2263 !(tlsext->messages & msg_type)) 2264 continue; 2265 2266 if (!ext->needs(s, msg_type)) 2267 continue; 2268 2269 if (!CBB_add_u16(&extensions, tlsext->type)) 2270 return 0; 2271 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2272 return 0; 2273 2274 if (!ext->build(s, msg_type, &extension_data)) 2275 return 0; 2276 2277 extensions_present = 1; 2278 } 2279 2280 if (!extensions_present && 2281 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2282 CBB_discard_child(cbb); 2283 2284 if (!CBB_flush(cbb)) 2285 return 0; 2286 2287 return 1; 2288 } 2289 2290 int 2291 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2292 { 2293 /* 2294 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2295 * cookie may be added, padding may be removed. 2296 */ 2297 struct tls13_ctx *ctx = s->internal->tls13; 2298 2299 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2300 type == TLSEXT_TYPE_padding) 2301 return 1; 2302 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2303 sizeof(type))) 2304 return 0; 2305 /* 2306 * key_share data may be changed, and pre_shared_key data may 2307 * be changed 2308 */ 2309 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2310 return 1; 2311 if (!tls13_clienthello_hash_update(ctx, cbs)) 2312 return 0; 2313 2314 return 1; 2315 } 2316 2317 static int 2318 tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2319 { 2320 const struct tls_extension_funcs *ext; 2321 const struct tls_extension *tlsext; 2322 CBS extensions, extension_data; 2323 uint16_t type; 2324 size_t idx; 2325 uint16_t tls_version; 2326 int alert_desc; 2327 2328 tls_version = ssl_effective_tls_version(s); 2329 2330 s->s3->hs.extensions_seen = 0; 2331 2332 /* An empty extensions block is valid. */ 2333 if (CBS_len(cbs) == 0) 2334 return 1; 2335 2336 alert_desc = SSL_AD_DECODE_ERROR; 2337 2338 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2339 goto err; 2340 2341 while (CBS_len(&extensions) > 0) { 2342 if (!CBS_get_u16(&extensions, &type)) 2343 goto err; 2344 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2345 goto err; 2346 2347 if (s->internal->tlsext_debug_cb != NULL) 2348 s->internal->tlsext_debug_cb(s, !is_server, type, 2349 (unsigned char *)CBS_data(&extension_data), 2350 CBS_len(&extension_data), 2351 s->internal->tlsext_debug_arg); 2352 2353 /* Unknown extensions are ignored. */ 2354 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2355 continue; 2356 2357 if (tls_version >= TLS1_3_VERSION && is_server && 2358 msg_type == SSL_TLSEXT_MSG_CH) { 2359 if (!tlsext_clienthello_hash_extension(s, type, 2360 &extension_data)) 2361 goto err; 2362 } 2363 2364 /* RFC 8446 Section 4.2 */ 2365 if (tls_version >= TLS1_3_VERSION && 2366 !(tlsext->messages & msg_type)) { 2367 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2368 goto err; 2369 } 2370 2371 /* Check for duplicate known extensions. */ 2372 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0) 2373 goto err; 2374 s->s3->hs.extensions_seen |= (1 << idx); 2375 2376 ext = tlsext_funcs(tlsext, is_server); 2377 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2378 goto err; 2379 2380 if (CBS_len(&extension_data) != 0) 2381 goto err; 2382 } 2383 2384 return 1; 2385 2386 err: 2387 *alert = alert_desc; 2388 2389 return 0; 2390 } 2391 2392 static void 2393 tlsext_server_reset_state(SSL *s) 2394 { 2395 s->tlsext_status_type = -1; 2396 s->s3->renegotiate_seen = 0; 2397 free(s->s3->alpn_selected); 2398 s->s3->alpn_selected = NULL; 2399 s->s3->alpn_selected_len = 0; 2400 s->internal->srtp_profile = NULL; 2401 } 2402 2403 int 2404 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2405 { 2406 return tlsext_build(s, 1, msg_type, cbb); 2407 } 2408 2409 int 2410 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2411 { 2412 /* XXX - this should be done by the caller... */ 2413 if (msg_type == SSL_TLSEXT_MSG_CH) 2414 tlsext_server_reset_state(s); 2415 2416 return tlsext_parse(s, 1, msg_type, cbs, alert); 2417 } 2418 2419 static void 2420 tlsext_client_reset_state(SSL *s) 2421 { 2422 s->s3->renegotiate_seen = 0; 2423 free(s->s3->alpn_selected); 2424 s->s3->alpn_selected = NULL; 2425 s->s3->alpn_selected_len = 0; 2426 } 2427 2428 int 2429 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2430 { 2431 return tlsext_build(s, 0, msg_type, cbb); 2432 } 2433 2434 int 2435 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2436 { 2437 /* XXX - this should be done by the caller... */ 2438 if (msg_type == SSL_TLSEXT_MSG_SH) 2439 tlsext_client_reset_state(s); 2440 2441 return tlsext_parse(s, 0, msg_type, cbs, alert); 2442 } 2443