1 /* $OpenBSD: ssl_tlsext.c,v 1.82 2020/09/09 12:31:23 inoguchi Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <ctype.h> 21 22 #include <openssl/ocsp.h> 23 24 #include "ssl_locl.h" 25 26 #include "bytestring.h" 27 #include "ssl_sigalgs.h" 28 #include "ssl_tlsext.h" 29 30 /* 31 * Supported Application-Layer Protocol Negotiation - RFC 7301 32 */ 33 34 int 35 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 36 { 37 /* ALPN protos have been specified and this is the initial handshake */ 38 return s->internal->alpn_client_proto_list != NULL && 39 S3I(s)->tmp.finish_md_len == 0; 40 } 41 42 int 43 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 44 { 45 CBB protolist; 46 47 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 48 return 0; 49 50 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 51 s->internal->alpn_client_proto_list_len)) 52 return 0; 53 54 if (!CBB_flush(cbb)) 55 return 0; 56 57 return 1; 58 } 59 60 int 61 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 62 { 63 CBS proto_name_list, alpn; 64 const unsigned char *selected; 65 unsigned char selected_len; 66 int r; 67 68 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 69 goto err; 70 if (CBS_len(&alpn) < 2) 71 goto err; 72 if (CBS_len(cbs) != 0) 73 goto err; 74 75 CBS_dup(&alpn, &proto_name_list); 76 while (CBS_len(&proto_name_list) > 0) { 77 CBS proto_name; 78 79 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 80 goto err; 81 if (CBS_len(&proto_name) == 0) 82 goto err; 83 } 84 85 if (s->ctx->internal->alpn_select_cb == NULL) 86 return 1; 87 88 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 89 CBS_data(&alpn), CBS_len(&alpn), 90 s->ctx->internal->alpn_select_cb_arg); 91 if (r == SSL_TLSEXT_ERR_OK) { 92 free(S3I(s)->alpn_selected); 93 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 94 S3I(s)->alpn_selected_len = 0; 95 *alert = SSL_AD_INTERNAL_ERROR; 96 return 0; 97 } 98 memcpy(S3I(s)->alpn_selected, selected, selected_len); 99 S3I(s)->alpn_selected_len = selected_len; 100 } 101 102 return 1; 103 104 err: 105 *alert = SSL_AD_DECODE_ERROR; 106 return 0; 107 } 108 109 int 110 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 111 { 112 return S3I(s)->alpn_selected != NULL; 113 } 114 115 int 116 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 117 { 118 CBB list, selected; 119 120 if (!CBB_add_u16_length_prefixed(cbb, &list)) 121 return 0; 122 123 if (!CBB_add_u8_length_prefixed(&list, &selected)) 124 return 0; 125 126 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 127 S3I(s)->alpn_selected_len)) 128 return 0; 129 130 if (!CBB_flush(cbb)) 131 return 0; 132 133 return 1; 134 } 135 136 int 137 tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 138 { 139 CBS list, proto; 140 141 if (s->internal->alpn_client_proto_list == NULL) { 142 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 143 return 0; 144 } 145 146 if (!CBS_get_u16_length_prefixed(cbs, &list)) 147 goto err; 148 if (CBS_len(cbs) != 0) 149 goto err; 150 151 if (!CBS_get_u8_length_prefixed(&list, &proto)) 152 goto err; 153 154 if (CBS_len(&list) != 0) 155 goto err; 156 if (CBS_len(&proto) == 0) 157 goto err; 158 159 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 160 &(S3I(s)->alpn_selected_len))) 161 goto err; 162 163 return 1; 164 165 err: 166 *alert = TLS1_AD_DECODE_ERROR; 167 return 0; 168 } 169 170 /* 171 * Supported Groups - RFC 7919 section 2 172 */ 173 int 174 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 175 { 176 return ssl_has_ecc_ciphers(s) || 177 (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 178 } 179 180 int 181 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 182 { 183 const uint16_t *groups; 184 size_t groups_len; 185 CBB grouplist; 186 int i; 187 188 tls1_get_group_list(s, 0, &groups, &groups_len); 189 if (groups_len == 0) { 190 SSLerror(s, ERR_R_INTERNAL_ERROR); 191 return 0; 192 } 193 194 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 195 return 0; 196 197 for (i = 0; i < groups_len; i++) { 198 if (!CBB_add_u16(&grouplist, groups[i])) 199 return 0; 200 } 201 202 if (!CBB_flush(cbb)) 203 return 0; 204 205 return 1; 206 } 207 208 int 209 tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 210 int *alert) 211 { 212 CBS grouplist; 213 size_t groups_len; 214 215 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 216 goto err; 217 if (CBS_len(cbs) != 0) 218 goto err; 219 220 groups_len = CBS_len(&grouplist); 221 if (groups_len == 0 || groups_len % 2 != 0) 222 goto err; 223 groups_len /= 2; 224 225 if (!s->internal->hit) { 226 uint16_t *groups; 227 int i; 228 229 if (S3I(s)->hs_tls13.hrr) { 230 if (SSI(s)->tlsext_supportedgroups == NULL) { 231 *alert = SSL_AD_HANDSHAKE_FAILURE; 232 return 0; 233 } 234 /* 235 * In the case of TLSv1.3 the client cannot change 236 * the supported groups. 237 */ 238 if (groups_len != SSI(s)->tlsext_supportedgroups_length) { 239 *alert = SSL_AD_ILLEGAL_PARAMETER; 240 return 0; 241 } 242 for (i = 0; i < groups_len; i++) { 243 uint16_t group; 244 245 if (!CBS_get_u16(&grouplist, &group)) 246 goto err; 247 if (SSI(s)->tlsext_supportedgroups[i] != group) { 248 *alert = SSL_AD_ILLEGAL_PARAMETER; 249 return 0; 250 } 251 } 252 253 return 1; 254 } 255 256 if (SSI(s)->tlsext_supportedgroups != NULL) 257 goto err; 258 259 if ((groups = reallocarray(NULL, groups_len, 260 sizeof(uint16_t))) == NULL) { 261 *alert = TLS1_AD_INTERNAL_ERROR; 262 return 0; 263 } 264 265 for (i = 0; i < groups_len; i++) { 266 if (!CBS_get_u16(&grouplist, &groups[i])) { 267 free(groups); 268 goto err; 269 } 270 } 271 272 if (CBS_len(&grouplist) != 0) { 273 free(groups); 274 goto err; 275 } 276 277 SSI(s)->tlsext_supportedgroups = groups; 278 SSI(s)->tlsext_supportedgroups_length = groups_len; 279 } 280 281 return 1; 282 283 err: 284 *alert = TLS1_AD_DECODE_ERROR; 285 return 0; 286 } 287 288 /* This extension is never used by the server. */ 289 int 290 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 291 { 292 return 0; 293 } 294 295 int 296 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 297 { 298 return 0; 299 } 300 301 int 302 tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 303 int *alert) 304 { 305 /* 306 * Servers should not send this extension per the RFC. 307 * 308 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 309 * from at least 2014 but as of 2017, there are still large sites with 310 * this unpatched in production. As a result, we need to currently skip 311 * over the extension and ignore its content: 312 * 313 * https://support.f5.com/csp/article/K37345003 314 */ 315 if (!CBS_skip(cbs, CBS_len(cbs))) { 316 *alert = TLS1_AD_INTERNAL_ERROR; 317 return 0; 318 } 319 320 return 1; 321 } 322 323 /* 324 * Supported Point Formats Extension - RFC 4492 section 5.1.2 325 */ 326 static int 327 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 328 { 329 CBB ecpf; 330 size_t formats_len; 331 const uint8_t *formats; 332 333 tls1_get_formatlist(s, 0, &formats, &formats_len); 334 335 if (formats_len == 0) { 336 SSLerror(s, ERR_R_INTERNAL_ERROR); 337 return 0; 338 } 339 340 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 341 return 0; 342 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 343 return 0; 344 if (!CBB_flush(cbb)) 345 return 0; 346 347 return 1; 348 } 349 350 static int 351 tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 352 { 353 CBS ecpf; 354 355 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 356 goto err; 357 if (CBS_len(&ecpf) == 0) 358 goto err; 359 if (CBS_len(cbs) != 0) 360 goto err; 361 362 /* Must contain uncompressed (0) */ 363 if (!CBS_contains_zero_byte(&ecpf)) { 364 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 365 goto err; 366 } 367 368 if (!s->internal->hit) { 369 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 370 &(SSI(s)->tlsext_ecpointformatlist_length))) { 371 *alert = TLS1_AD_INTERNAL_ERROR; 372 return 0; 373 } 374 } 375 376 return 1; 377 378 err: 379 *alert = SSL_AD_DECODE_ERROR; 380 return 0; 381 } 382 383 int 384 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 385 { 386 return ssl_has_ecc_ciphers(s); 387 } 388 389 int 390 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 391 { 392 return tlsext_ecpf_build(s, msg_type, cbb); 393 } 394 395 int 396 tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 397 { 398 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 399 } 400 401 int 402 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 403 { 404 if (s->version == DTLS1_VERSION) 405 return 0; 406 407 return ssl_using_ecc_cipher(s); 408 } 409 410 int 411 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 412 { 413 return tlsext_ecpf_build(s, msg_type, cbb); 414 } 415 416 int 417 tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 418 { 419 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 420 } 421 422 /* 423 * Renegotiation Indication - RFC 5746. 424 */ 425 int 426 tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 427 { 428 return (s->internal->renegotiate); 429 } 430 431 int 432 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 433 { 434 CBB reneg; 435 436 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 437 return 0; 438 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 439 S3I(s)->previous_client_finished_len)) 440 return 0; 441 if (!CBB_flush(cbb)) 442 return 0; 443 444 return 1; 445 } 446 447 int 448 tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 449 { 450 CBS reneg; 451 452 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 453 goto err; 454 if (CBS_len(cbs) != 0) 455 goto err; 456 457 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 458 S3I(s)->previous_client_finished_len)) { 459 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 460 *alert = SSL_AD_HANDSHAKE_FAILURE; 461 return 0; 462 } 463 464 S3I(s)->renegotiate_seen = 1; 465 S3I(s)->send_connection_binding = 1; 466 467 return 1; 468 469 err: 470 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 471 *alert = SSL_AD_DECODE_ERROR; 472 return 0; 473 } 474 475 int 476 tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 477 { 478 return (s->version < TLS1_3_VERSION && S3I(s)->send_connection_binding); 479 } 480 481 int 482 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 483 { 484 CBB reneg; 485 486 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 487 return 0; 488 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 489 S3I(s)->previous_client_finished_len)) 490 return 0; 491 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 492 S3I(s)->previous_server_finished_len)) 493 return 0; 494 if (!CBB_flush(cbb)) 495 return 0; 496 497 return 1; 498 } 499 500 int 501 tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 502 { 503 CBS reneg, prev_client, prev_server; 504 505 /* 506 * Ensure that the previous client and server values are both not 507 * present, or that they are both present. 508 */ 509 if ((S3I(s)->previous_client_finished_len == 0 && 510 S3I(s)->previous_server_finished_len != 0) || 511 (S3I(s)->previous_client_finished_len != 0 && 512 S3I(s)->previous_server_finished_len == 0)) { 513 *alert = TLS1_AD_INTERNAL_ERROR; 514 return 0; 515 } 516 517 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 518 goto err; 519 if (!CBS_get_bytes(&reneg, &prev_client, 520 S3I(s)->previous_client_finished_len)) 521 goto err; 522 if (!CBS_get_bytes(&reneg, &prev_server, 523 S3I(s)->previous_server_finished_len)) 524 goto err; 525 if (CBS_len(&reneg) != 0) 526 goto err; 527 if (CBS_len(cbs) != 0) 528 goto err; 529 530 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 531 S3I(s)->previous_client_finished_len)) { 532 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 533 *alert = SSL_AD_HANDSHAKE_FAILURE; 534 return 0; 535 } 536 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 537 S3I(s)->previous_server_finished_len)) { 538 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 539 *alert = SSL_AD_HANDSHAKE_FAILURE; 540 return 0; 541 } 542 543 S3I(s)->renegotiate_seen = 1; 544 S3I(s)->send_connection_binding = 1; 545 546 return 1; 547 548 err: 549 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 550 *alert = SSL_AD_DECODE_ERROR; 551 return 0; 552 } 553 554 /* 555 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 556 */ 557 int 558 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 559 { 560 return (TLS1_get_client_version(s) >= TLS1_2_VERSION); 561 } 562 563 int 564 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 565 { 566 uint16_t *tls_sigalgs = tls12_sigalgs; 567 size_t tls_sigalgs_len = tls12_sigalgs_len; 568 CBB sigalgs; 569 570 if (TLS1_get_client_version(s) >= TLS1_3_VERSION && 571 S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) { 572 tls_sigalgs = tls13_sigalgs; 573 tls_sigalgs_len = tls13_sigalgs_len; 574 } 575 576 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 577 return 0; 578 579 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 580 return 0; 581 582 if (!CBB_flush(cbb)) 583 return 0; 584 585 return 1; 586 } 587 588 int 589 tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 590 { 591 CBS sigalgs; 592 593 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 594 return 0; 595 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 596 return 0; 597 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 598 return 0; 599 600 return 1; 601 } 602 603 int 604 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 605 { 606 return (s->version >= TLS1_3_VERSION); 607 } 608 609 int 610 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 611 { 612 uint16_t *tls_sigalgs = tls12_sigalgs; 613 size_t tls_sigalgs_len = tls12_sigalgs_len; 614 CBB sigalgs; 615 616 if (s->version >= TLS1_3_VERSION) { 617 tls_sigalgs = tls13_sigalgs; 618 tls_sigalgs_len = tls13_sigalgs_len; 619 } 620 621 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 622 return 0; 623 624 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 625 return 0; 626 627 if (!CBB_flush(cbb)) 628 return 0; 629 630 return 1; 631 } 632 633 int 634 tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 635 { 636 CBS sigalgs; 637 638 if (s->version < TLS1_3_VERSION) 639 return 0; 640 641 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 642 return 0; 643 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 644 return 0; 645 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 646 return 0; 647 648 return 1; 649 } 650 651 /* 652 * Server Name Indication - RFC 6066, section 3. 653 */ 654 int 655 tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 656 { 657 return (s->tlsext_hostname != NULL); 658 } 659 660 int 661 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 662 { 663 CBB server_name_list, host_name; 664 665 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 666 return 0; 667 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 668 return 0; 669 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 670 return 0; 671 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 672 strlen(s->tlsext_hostname))) 673 return 0; 674 if (!CBB_flush(cbb)) 675 return 0; 676 677 return 1; 678 } 679 680 /* 681 * Validate that the CBS contains only a hostname consisting of RFC 5890 682 * compliant A-labels (see RFC 6066 section 3). Not a complete check 683 * since we don't parse punycode to verify its validity but limits to 684 * correct structure and character set. 685 */ 686 int 687 tlsext_sni_is_valid_hostname(CBS *cbs) 688 { 689 uint8_t prev, c = 0; 690 int component = 0; 691 CBS hostname; 692 693 CBS_dup(cbs, &hostname); 694 695 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 696 return 0; 697 698 while(CBS_len(&hostname) > 0) { 699 prev = c; 700 if (!CBS_get_u8(&hostname, &c)) 701 return 0; 702 /* Everything has to be ASCII, with no NUL byte. */ 703 if (!isascii(c) || c == '\0') 704 return 0; 705 /* It must be alphanumeric, a '-', or a '.' */ 706 if (!isalnum(c) && c != '-' && c != '.') 707 return 0; 708 /* '-' and '.' must not start a component or be at the end. */ 709 if (component == 0 || CBS_len(&hostname) == 0) { 710 if (c == '-' || c == '.') 711 return 0; 712 } 713 if (c == '.') { 714 /* Components can not end with a dash. */ 715 if (prev == '-') 716 return 0; 717 /* Start new component */ 718 component = 0; 719 continue; 720 } 721 /* Components must be 63 chars or less. */ 722 if (++component > 63) 723 return 0; 724 } 725 726 return 1; 727 } 728 729 int 730 tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 731 { 732 CBS server_name_list, host_name; 733 uint8_t name_type; 734 735 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 736 goto err; 737 738 if (!CBS_get_u8(&server_name_list, &name_type)) 739 goto err; 740 /* 741 * RFC 6066 section 3, only one type (host_name) is specified. 742 * We do not tolerate unknown types, neither does BoringSSL. 743 * other implementations appear more tolerant. 744 */ 745 if (name_type != TLSEXT_NAMETYPE_host_name) { 746 *alert = SSL3_AD_ILLEGAL_PARAMETER; 747 goto err; 748 } 749 750 751 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 752 goto err; 753 /* 754 * RFC 6066 section 3 specifies a host name must be at least 1 byte 755 * so 0 length is a decode error. 756 */ 757 if (CBS_len(&host_name) < 1) 758 goto err; 759 760 if (!tlsext_sni_is_valid_hostname(&host_name)) { 761 *alert = SSL3_AD_ILLEGAL_PARAMETER; 762 goto err; 763 } 764 765 if (s->internal->hit || S3I(s)->hs_tls13.hrr) { 766 if (s->session->tlsext_hostname == NULL) { 767 *alert = TLS1_AD_UNRECOGNIZED_NAME; 768 goto err; 769 } 770 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 771 strlen(s->session->tlsext_hostname))) { 772 *alert = TLS1_AD_UNRECOGNIZED_NAME; 773 goto err; 774 } 775 } else { 776 if (s->session->tlsext_hostname != NULL) 777 goto err; 778 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 779 *alert = TLS1_AD_INTERNAL_ERROR; 780 goto err; 781 } 782 } 783 784 /* 785 * RFC 6066 section 3 forbids multiple host names with the same type, 786 * therefore we allow only one entry. 787 */ 788 if (CBS_len(&server_name_list) != 0) { 789 *alert = SSL3_AD_ILLEGAL_PARAMETER; 790 goto err; 791 } 792 if (CBS_len(cbs) != 0) 793 goto err; 794 795 return 1; 796 797 err: 798 return 0; 799 } 800 801 int 802 tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 803 { 804 if (s->internal->hit) 805 return 0; 806 807 return (s->session->tlsext_hostname != NULL); 808 } 809 810 int 811 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 812 { 813 return 1; 814 } 815 816 int 817 tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 818 { 819 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 820 *alert = TLS1_AD_UNRECOGNIZED_NAME; 821 return 0; 822 } 823 824 if (s->internal->hit) { 825 if (s->session->tlsext_hostname == NULL) { 826 *alert = TLS1_AD_UNRECOGNIZED_NAME; 827 return 0; 828 } 829 if (strcmp(s->tlsext_hostname, 830 s->session->tlsext_hostname) != 0) { 831 *alert = TLS1_AD_UNRECOGNIZED_NAME; 832 return 0; 833 } 834 } else { 835 if (s->session->tlsext_hostname != NULL) { 836 *alert = SSL_AD_DECODE_ERROR; 837 return 0; 838 } 839 if ((s->session->tlsext_hostname = 840 strdup(s->tlsext_hostname)) == NULL) { 841 *alert = TLS1_AD_INTERNAL_ERROR; 842 return 0; 843 } 844 } 845 846 return 1; 847 } 848 849 850 /* 851 *Certificate Status Request - RFC 6066 section 8. 852 */ 853 854 int 855 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 856 { 857 if (SSL_IS_DTLS(s)) 858 return 0; 859 if (msg_type != SSL_TLSEXT_MSG_CH) 860 return 0; 861 862 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 863 } 864 865 int 866 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 867 { 868 CBB respid_list, respid, exts; 869 unsigned char *ext_data; 870 size_t ext_len; 871 int i; 872 873 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 874 return 0; 875 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 876 return 0; 877 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 878 unsigned char *respid_data; 879 OCSP_RESPID *id; 880 size_t id_len; 881 882 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 883 i)) == NULL) 884 return 0; 885 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 886 return 0; 887 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 888 return 0; 889 if (!CBB_add_space(&respid, &respid_data, id_len)) 890 return 0; 891 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 892 return 0; 893 } 894 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 895 return 0; 896 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 897 NULL)) == -1) 898 return 0; 899 if (!CBB_add_space(&exts, &ext_data, ext_len)) 900 return 0; 901 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 902 ext_len)) 903 return 0; 904 if (!CBB_flush(cbb)) 905 return 0; 906 return 1; 907 } 908 909 int 910 tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 911 { 912 int alert_desc = SSL_AD_DECODE_ERROR; 913 CBS respid_list, respid, exts; 914 const unsigned char *p; 915 uint8_t status_type; 916 int ret = 0; 917 918 if (msg_type != SSL_TLSEXT_MSG_CH) 919 goto err; 920 921 if (!CBS_get_u8(cbs, &status_type)) 922 goto err; 923 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 924 /* ignore unknown status types */ 925 s->tlsext_status_type = -1; 926 927 if (!CBS_skip(cbs, CBS_len(cbs))) { 928 *alert = TLS1_AD_INTERNAL_ERROR; 929 return 0; 930 } 931 return 1; 932 } 933 s->tlsext_status_type = status_type; 934 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 935 goto err; 936 937 /* XXX */ 938 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 939 s->internal->tlsext_ocsp_ids = NULL; 940 if (CBS_len(&respid_list) > 0) { 941 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 942 if (s->internal->tlsext_ocsp_ids == NULL) { 943 alert_desc = SSL_AD_INTERNAL_ERROR; 944 goto err; 945 } 946 } 947 948 while (CBS_len(&respid_list) > 0) { 949 OCSP_RESPID *id; 950 951 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 952 goto err; 953 p = CBS_data(&respid); 954 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 955 goto err; 956 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 957 alert_desc = SSL_AD_INTERNAL_ERROR; 958 OCSP_RESPID_free(id); 959 goto err; 960 } 961 } 962 963 /* Read in request_extensions */ 964 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 965 goto err; 966 if (CBS_len(&exts) > 0) { 967 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 968 X509_EXTENSION_free); 969 p = CBS_data(&exts); 970 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 971 &p, CBS_len(&exts))) == NULL) 972 goto err; 973 } 974 975 /* should be nothing left */ 976 if (CBS_len(cbs) > 0) 977 goto err; 978 979 ret = 1; 980 err: 981 if (ret == 0) 982 *alert = alert_desc; 983 return ret; 984 } 985 986 int 987 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 988 { 989 if (s->version >= TLS1_3_VERSION && 990 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 991 s->ctx->internal->tlsext_status_cb != NULL) { 992 s->internal->tlsext_status_expected = 0; 993 if (s->ctx->internal->tlsext_status_cb(s, 994 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 995 s->internal->tlsext_ocsp_resp_len > 0) 996 s->internal->tlsext_status_expected = 1; 997 } 998 return s->internal->tlsext_status_expected; 999 } 1000 1001 int 1002 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1003 { 1004 CBB ocsp_response; 1005 1006 if (s->version >= TLS1_3_VERSION) { 1007 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1008 return 0; 1009 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1010 return 0; 1011 if (!CBB_add_bytes(&ocsp_response, 1012 s->internal->tlsext_ocsp_resp, 1013 s->internal->tlsext_ocsp_resp_len)) 1014 return 0; 1015 if (!CBB_flush(cbb)) 1016 return 0; 1017 } 1018 return 1; 1019 } 1020 1021 int 1022 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1023 { 1024 CBS response; 1025 uint16_t version = TLS1_get_client_version(s); 1026 uint8_t status_type; 1027 1028 if (version >= TLS1_3_VERSION) { 1029 if (msg_type == SSL_TLSEXT_MSG_CR) { 1030 /* 1031 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1032 * response with an empty status_request. 1033 */ 1034 if (CBS_len(cbs) == 0) 1035 return 1; 1036 1037 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1038 return 0; 1039 } 1040 if (!CBS_get_u8(cbs, &status_type)) { 1041 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1042 return 0; 1043 } 1044 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1045 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1046 return 0; 1047 } 1048 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1049 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1050 return 0; 1051 } 1052 if (CBS_len(&response) > 65536) { 1053 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1054 return 0; 1055 } 1056 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 1057 &s->internal->tlsext_ocsp_resp_len)) { 1058 *alert = SSL_AD_INTERNAL_ERROR; 1059 return 0; 1060 } 1061 } else { 1062 if (s->tlsext_status_type == -1) { 1063 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1064 return 0; 1065 } 1066 /* Set flag to expect CertificateStatus message */ 1067 s->internal->tlsext_status_expected = 1; 1068 } 1069 return 1; 1070 } 1071 1072 /* 1073 * SessionTicket extension - RFC 5077 section 3.2 1074 */ 1075 int 1076 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1077 { 1078 /* 1079 * Send session ticket extension when enabled and not overridden. 1080 * 1081 * When renegotiating, send an empty session ticket to indicate support. 1082 */ 1083 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1084 return 0; 1085 1086 if (s->internal->new_session) 1087 return 1; 1088 1089 if (s->internal->tlsext_session_ticket != NULL && 1090 s->internal->tlsext_session_ticket->data == NULL) 1091 return 0; 1092 1093 return 1; 1094 } 1095 1096 int 1097 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1098 { 1099 /* 1100 * Signal that we support session tickets by sending an empty 1101 * extension when renegotiating or no session found. 1102 */ 1103 if (s->internal->new_session || s->session == NULL) 1104 return 1; 1105 1106 if (s->session->tlsext_tick != NULL) { 1107 /* Attempt to resume with an existing session ticket */ 1108 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1109 s->session->tlsext_ticklen)) 1110 return 0; 1111 1112 } else if (s->internal->tlsext_session_ticket != NULL) { 1113 /* 1114 * Attempt to resume with a custom provided session ticket set 1115 * by SSL_set_session_ticket_ext(). 1116 */ 1117 if (s->internal->tlsext_session_ticket->length > 0) { 1118 size_t ticklen = s->internal->tlsext_session_ticket->length; 1119 1120 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1121 return 0; 1122 memcpy(s->session->tlsext_tick, 1123 s->internal->tlsext_session_ticket->data, 1124 ticklen); 1125 s->session->tlsext_ticklen = ticklen; 1126 1127 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1128 s->session->tlsext_ticklen)) 1129 return 0; 1130 } 1131 } 1132 1133 if (!CBB_flush(cbb)) 1134 return 0; 1135 1136 return 1; 1137 } 1138 1139 int 1140 tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1141 int *alert) 1142 { 1143 if (s->internal->tls_session_ticket_ext_cb) { 1144 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1145 (int)CBS_len(cbs), 1146 s->internal->tls_session_ticket_ext_cb_arg)) { 1147 *alert = TLS1_AD_INTERNAL_ERROR; 1148 return 0; 1149 } 1150 } 1151 1152 /* We need to signal that this was processed fully */ 1153 if (!CBS_skip(cbs, CBS_len(cbs))) { 1154 *alert = TLS1_AD_INTERNAL_ERROR; 1155 return 0; 1156 } 1157 1158 return 1; 1159 } 1160 1161 int 1162 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1163 { 1164 return (s->internal->tlsext_ticket_expected && 1165 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 1166 } 1167 1168 int 1169 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1170 { 1171 /* Empty ticket */ 1172 return 1; 1173 } 1174 1175 int 1176 tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1177 int *alert) 1178 { 1179 if (s->internal->tls_session_ticket_ext_cb) { 1180 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1181 (int)CBS_len(cbs), 1182 s->internal->tls_session_ticket_ext_cb_arg)) { 1183 *alert = TLS1_AD_INTERNAL_ERROR; 1184 return 0; 1185 } 1186 } 1187 1188 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1189 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1190 return 0; 1191 } 1192 1193 s->internal->tlsext_ticket_expected = 1; 1194 1195 return 1; 1196 } 1197 1198 /* 1199 * DTLS extension for SRTP key establishment - RFC 5764 1200 */ 1201 1202 #ifndef OPENSSL_NO_SRTP 1203 1204 int 1205 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1206 { 1207 return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL; 1208 } 1209 1210 int 1211 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1212 { 1213 CBB profiles, mki; 1214 int ct, i; 1215 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1216 SRTP_PROTECTION_PROFILE *prof; 1217 1218 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1219 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1220 return 0; 1221 } 1222 1223 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1224 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1225 return 0; 1226 } 1227 1228 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1229 return 0; 1230 1231 for (i = 0; i < ct; i++) { 1232 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1233 return 0; 1234 if (!CBB_add_u16(&profiles, prof->id)) 1235 return 0; 1236 } 1237 1238 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1239 return 0; 1240 1241 if (!CBB_flush(cbb)) 1242 return 0; 1243 1244 return 1; 1245 } 1246 1247 int 1248 tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1249 { 1250 SRTP_PROTECTION_PROFILE *cprof, *sprof; 1251 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1252 int i, j; 1253 int ret; 1254 uint16_t id; 1255 CBS profiles, mki; 1256 1257 ret = 0; 1258 1259 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1260 goto err; 1261 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1262 goto err; 1263 1264 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1265 goto err; 1266 1267 while (CBS_len(&profiles) > 0) { 1268 if (!CBS_get_u16(&profiles, &id)) 1269 goto err; 1270 1271 if (!srtp_find_profile_by_num(id, &cprof)) { 1272 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1273 goto err; 1274 } 1275 } 1276 1277 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1278 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1279 *alert = SSL_AD_DECODE_ERROR; 1280 goto done; 1281 } 1282 if (CBS_len(cbs) != 0) 1283 goto err; 1284 1285 /* 1286 * Per RFC 5764 section 4.1.1 1287 * 1288 * Find the server preferred profile using the client's list. 1289 * 1290 * The server MUST send a profile if it sends the use_srtp 1291 * extension. If one is not found, it should fall back to the 1292 * negotiated DTLS cipher suite or return a DTLS alert. 1293 */ 1294 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1295 goto err; 1296 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1297 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1298 == NULL) 1299 goto err; 1300 1301 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1302 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1303 == NULL) 1304 goto err; 1305 1306 if (cprof->id == sprof->id) { 1307 s->internal->srtp_profile = sprof; 1308 ret = 1; 1309 goto done; 1310 } 1311 } 1312 } 1313 1314 /* If we didn't find anything, fall back to the negotiated */ 1315 ret = 1; 1316 goto done; 1317 1318 err: 1319 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1320 *alert = SSL_AD_DECODE_ERROR; 1321 1322 done: 1323 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1324 return ret; 1325 } 1326 1327 int 1328 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1329 { 1330 return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL; 1331 } 1332 1333 int 1334 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1335 { 1336 SRTP_PROTECTION_PROFILE *profile; 1337 CBB srtp, mki; 1338 1339 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1340 return 0; 1341 1342 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1343 return 0; 1344 1345 if (!CBB_add_u16(&srtp, profile->id)) 1346 return 0; 1347 1348 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1349 return 0; 1350 1351 if (!CBB_flush(cbb)) 1352 return 0; 1353 1354 return 1; 1355 } 1356 1357 int 1358 tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1359 { 1360 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1361 SRTP_PROTECTION_PROFILE *prof; 1362 int i; 1363 uint16_t id; 1364 CBS profile_ids, mki; 1365 1366 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1367 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1368 goto err; 1369 } 1370 1371 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1372 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1373 goto err; 1374 } 1375 1376 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1377 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1378 *alert = SSL_AD_ILLEGAL_PARAMETER; 1379 return 0; 1380 } 1381 1382 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1383 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1384 goto err; 1385 } 1386 1387 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1388 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1389 == NULL) { 1390 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1391 goto err; 1392 } 1393 1394 if (prof->id == id) { 1395 s->internal->srtp_profile = prof; 1396 return 1; 1397 } 1398 } 1399 1400 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1401 err: 1402 *alert = SSL_AD_DECODE_ERROR; 1403 return 0; 1404 } 1405 1406 #endif /* OPENSSL_NO_SRTP */ 1407 1408 /* 1409 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1410 */ 1411 int 1412 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1413 { 1414 /* XXX once this gets initialized when we get tls13_client.c */ 1415 if (S3I(s)->hs_tls13.max_version == 0) 1416 return 0; 1417 return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= 1418 TLS1_3_VERSION); 1419 } 1420 1421 int 1422 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1423 { 1424 CBB client_shares; 1425 1426 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1427 return 0; 1428 1429 if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, 1430 &client_shares)) 1431 return 0; 1432 1433 if (!CBB_flush(cbb)) 1434 return 0; 1435 1436 return 1; 1437 } 1438 1439 int 1440 tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1441 { 1442 CBS client_shares, key_exchange; 1443 uint16_t group; 1444 1445 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1446 goto err; 1447 1448 while (CBS_len(&client_shares) > 0) { 1449 1450 /* Unpack client share. */ 1451 if (!CBS_get_u16(&client_shares, &group)) 1452 goto err; 1453 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1454 return 0; 1455 1456 /* 1457 * XXX - check key exchange against supported groups from client. 1458 * XXX - check that groups only appear once. 1459 */ 1460 1461 /* 1462 * Ignore this client share if we're using earlier than TLSv1.3 1463 * or we've already selected a key share. 1464 */ 1465 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1466 continue; 1467 if (S3I(s)->hs_tls13.key_share != NULL) 1468 continue; 1469 1470 /* XXX - consider implementing server preference. */ 1471 if (!tls1_check_curve(s, group)) 1472 continue; 1473 1474 /* Decode and store the selected key share. */ 1475 S3I(s)->hs_tls13.key_share = tls13_key_share_new(group); 1476 if (S3I(s)->hs_tls13.key_share == NULL) 1477 goto err; 1478 if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, 1479 group, &key_exchange)) 1480 goto err; 1481 } 1482 1483 return 1; 1484 1485 err: 1486 *alert = SSL_AD_DECODE_ERROR; 1487 return 0; 1488 } 1489 1490 int 1491 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1492 { 1493 if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION) 1494 return 0; 1495 1496 return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); 1497 } 1498 1499 int 1500 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1501 { 1502 /* In the case of a HRR, we only send the server selected group. */ 1503 if (S3I(s)->hs_tls13.hrr) { 1504 if (S3I(s)->hs_tls13.server_group == 0) 1505 return 0; 1506 return CBB_add_u16(cbb, S3I(s)->hs_tls13.server_group); 1507 } 1508 1509 if (S3I(s)->hs_tls13.key_share == NULL) 1510 return 0; 1511 1512 if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb)) 1513 return 0; 1514 1515 return 1; 1516 } 1517 1518 int 1519 tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1520 { 1521 CBS key_exchange; 1522 uint16_t group; 1523 1524 /* Unpack server share. */ 1525 if (!CBS_get_u16(cbs, &group)) 1526 goto err; 1527 1528 if (CBS_len(cbs) == 0) { 1529 /* HRR does not include an actual key share. */ 1530 /* XXX - we should know that we are in a HRR... */ 1531 S3I(s)->hs_tls13.server_group = group; 1532 return 1; 1533 } 1534 1535 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1536 return 0; 1537 1538 if (S3I(s)->hs_tls13.key_share == NULL) 1539 return 0; 1540 1541 if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, 1542 group, &key_exchange)) 1543 goto err; 1544 1545 return 1; 1546 1547 err: 1548 *alert = SSL_AD_DECODE_ERROR; 1549 return 0; 1550 } 1551 1552 /* 1553 * Supported Versions - RFC 8446 section 4.2.1. 1554 */ 1555 int 1556 tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1557 { 1558 if (SSL_IS_DTLS(s)) 1559 return 0; 1560 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 1561 } 1562 1563 int 1564 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1565 { 1566 uint16_t max, min; 1567 uint16_t version; 1568 CBB versions; 1569 1570 max = S3I(s)->hs_tls13.max_version; 1571 min = S3I(s)->hs_tls13.min_version; 1572 1573 if (min < TLS1_VERSION) 1574 return 0; 1575 1576 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1577 return 0; 1578 1579 /* XXX - fix, but contiguous for now... */ 1580 for (version = max; version >= min; version--) { 1581 if (!CBB_add_u16(&versions, version)) 1582 return 0; 1583 } 1584 1585 if (!CBB_flush(cbb)) 1586 return 0; 1587 1588 return 1; 1589 } 1590 1591 int 1592 tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1593 { 1594 CBS versions; 1595 uint16_t version; 1596 uint16_t max, min; 1597 uint16_t matched_version = 0; 1598 1599 max = S3I(s)->hs_tls13.max_version; 1600 min = S3I(s)->hs_tls13.min_version; 1601 1602 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1603 goto err; 1604 1605 while (CBS_len(&versions) > 0) { 1606 if (!CBS_get_u16(&versions, &version)) 1607 goto err; 1608 /* 1609 * XXX What is below implements client preference, and 1610 * ignores any server preference entirely. 1611 */ 1612 if (matched_version == 0 && version >= min && version <= max) 1613 matched_version = version; 1614 } 1615 1616 /* 1617 * XXX if we haven't matched a version we should 1618 * fail - but we currently need to succeed to 1619 * ignore this before the server code for 1.3 1620 * is set up and initialized. 1621 */ 1622 if (max == 0) 1623 return 1; /* XXX */ 1624 1625 if (matched_version != 0) { 1626 s->version = matched_version; 1627 return 1; 1628 } 1629 1630 *alert = SSL_AD_PROTOCOL_VERSION; 1631 return 0; 1632 1633 err: 1634 *alert = SSL_AD_DECODE_ERROR; 1635 return 0; 1636 } 1637 1638 int 1639 tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1640 { 1641 return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); 1642 } 1643 1644 int 1645 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1646 { 1647 if (!CBB_add_u16(cbb, TLS1_3_VERSION)) 1648 return 0; 1649 /* XXX set 1.2 in legacy version? */ 1650 1651 return 1; 1652 } 1653 1654 int 1655 tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1656 { 1657 uint16_t selected_version; 1658 1659 if (!CBS_get_u16(cbs, &selected_version)) { 1660 *alert = SSL_AD_DECODE_ERROR; 1661 return 0; 1662 } 1663 1664 if (selected_version < TLS1_3_VERSION) { 1665 *alert = SSL_AD_ILLEGAL_PARAMETER; 1666 return 0; 1667 } 1668 1669 /* XXX test between min and max once initialization code goes in */ 1670 S3I(s)->hs_tls13.server_version = selected_version; 1671 1672 return 1; 1673 } 1674 1675 1676 /* 1677 * Cookie - RFC 8446 section 4.2.2. 1678 */ 1679 1680 int 1681 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1682 { 1683 if (SSL_IS_DTLS(s)) 1684 return 0; 1685 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1686 return 0; 1687 return (S3I(s)->hs_tls13.cookie_len > 0 && 1688 S3I(s)->hs_tls13.cookie != NULL); 1689 } 1690 1691 int 1692 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1693 { 1694 CBB cookie; 1695 1696 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1697 return 0; 1698 1699 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1700 S3I(s)->hs_tls13.cookie_len)) 1701 return 0; 1702 1703 if (!CBB_flush(cbb)) 1704 return 0; 1705 1706 return 1; 1707 } 1708 1709 int 1710 tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1711 { 1712 CBS cookie; 1713 1714 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1715 goto err; 1716 1717 if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len) 1718 goto err; 1719 1720 /* 1721 * Check provided cookie value against what server previously 1722 * sent - client *MUST* send the same cookie with new CR after 1723 * a cookie is sent by the server with an HRR. 1724 */ 1725 if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie, 1726 S3I(s)->hs_tls13.cookie_len)) { 1727 /* XXX special cookie mismatch alert? */ 1728 *alert = SSL_AD_ILLEGAL_PARAMETER; 1729 return 0; 1730 } 1731 1732 return 1; 1733 1734 err: 1735 *alert = SSL_AD_DECODE_ERROR; 1736 return 0; 1737 } 1738 1739 int 1740 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1741 { 1742 1743 if (SSL_IS_DTLS(s)) 1744 return 0; 1745 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1746 return 0; 1747 /* 1748 * Server needs to set cookie value in tls13 handshake 1749 * in order to send one, should only be sent with HRR. 1750 */ 1751 return (S3I(s)->hs_tls13.cookie_len > 0 && 1752 S3I(s)->hs_tls13.cookie != NULL); 1753 } 1754 1755 int 1756 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1757 { 1758 CBB cookie; 1759 1760 /* XXX deduplicate with client code */ 1761 1762 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1763 return 0; 1764 1765 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1766 S3I(s)->hs_tls13.cookie_len)) 1767 return 0; 1768 1769 if (!CBB_flush(cbb)) 1770 return 0; 1771 1772 return 1; 1773 } 1774 1775 int 1776 tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1777 { 1778 CBS cookie; 1779 1780 /* 1781 * XXX This currently assumes we will not get a second 1782 * HRR from a server with a cookie to process after accepting 1783 * one from the server in the same handshake 1784 */ 1785 if (S3I(s)->hs_tls13.cookie != NULL || 1786 S3I(s)->hs_tls13.cookie_len != 0) { 1787 *alert = SSL_AD_ILLEGAL_PARAMETER; 1788 return 0; 1789 } 1790 1791 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1792 goto err; 1793 1794 if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie, 1795 &S3I(s)->hs_tls13.cookie_len)) 1796 goto err; 1797 1798 return 1; 1799 1800 err: 1801 *alert = SSL_AD_DECODE_ERROR; 1802 return 0; 1803 } 1804 1805 struct tls_extension_funcs { 1806 int (*needs)(SSL *s, uint16_t msg_type); 1807 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 1808 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 1809 }; 1810 1811 struct tls_extension { 1812 uint16_t type; 1813 uint16_t messages; 1814 struct tls_extension_funcs client; 1815 struct tls_extension_funcs server; 1816 }; 1817 1818 static struct tls_extension tls_extensions[] = { 1819 { 1820 .type = TLSEXT_TYPE_supported_versions, 1821 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1822 SSL_TLSEXT_MSG_HRR, 1823 .client = { 1824 .needs = tlsext_versions_client_needs, 1825 .build = tlsext_versions_client_build, 1826 .parse = tlsext_versions_client_parse, 1827 }, 1828 .server = { 1829 .needs = tlsext_versions_server_needs, 1830 .build = tlsext_versions_server_build, 1831 .parse = tlsext_versions_server_parse, 1832 }, 1833 }, 1834 { 1835 .type = TLSEXT_TYPE_key_share, 1836 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1837 SSL_TLSEXT_MSG_HRR, 1838 .client = { 1839 .needs = tlsext_keyshare_client_needs, 1840 .build = tlsext_keyshare_client_build, 1841 .parse = tlsext_keyshare_client_parse, 1842 }, 1843 .server = { 1844 .needs = tlsext_keyshare_server_needs, 1845 .build = tlsext_keyshare_server_build, 1846 .parse = tlsext_keyshare_server_parse, 1847 }, 1848 }, 1849 { 1850 .type = TLSEXT_TYPE_server_name, 1851 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1852 .client = { 1853 .needs = tlsext_sni_client_needs, 1854 .build = tlsext_sni_client_build, 1855 .parse = tlsext_sni_client_parse, 1856 }, 1857 .server = { 1858 .needs = tlsext_sni_server_needs, 1859 .build = tlsext_sni_server_build, 1860 .parse = tlsext_sni_server_parse, 1861 }, 1862 }, 1863 { 1864 .type = TLSEXT_TYPE_renegotiate, 1865 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1866 .client = { 1867 .needs = tlsext_ri_client_needs, 1868 .build = tlsext_ri_client_build, 1869 .parse = tlsext_ri_client_parse, 1870 }, 1871 .server = { 1872 .needs = tlsext_ri_server_needs, 1873 .build = tlsext_ri_server_build, 1874 .parse = tlsext_ri_server_parse, 1875 }, 1876 }, 1877 { 1878 .type = TLSEXT_TYPE_status_request, 1879 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 1880 SSL_TLSEXT_MSG_CT, 1881 .client = { 1882 .needs = tlsext_ocsp_client_needs, 1883 .build = tlsext_ocsp_client_build, 1884 .parse = tlsext_ocsp_client_parse, 1885 }, 1886 .server = { 1887 .needs = tlsext_ocsp_server_needs, 1888 .build = tlsext_ocsp_server_build, 1889 .parse = tlsext_ocsp_server_parse, 1890 }, 1891 }, 1892 { 1893 .type = TLSEXT_TYPE_ec_point_formats, 1894 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1895 .client = { 1896 .needs = tlsext_ecpf_client_needs, 1897 .build = tlsext_ecpf_client_build, 1898 .parse = tlsext_ecpf_client_parse, 1899 }, 1900 .server = { 1901 .needs = tlsext_ecpf_server_needs, 1902 .build = tlsext_ecpf_server_build, 1903 .parse = tlsext_ecpf_server_parse, 1904 }, 1905 }, 1906 { 1907 .type = TLSEXT_TYPE_supported_groups, 1908 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1909 .client = { 1910 .needs = tlsext_supportedgroups_client_needs, 1911 .build = tlsext_supportedgroups_client_build, 1912 .parse = tlsext_supportedgroups_client_parse, 1913 }, 1914 .server = { 1915 .needs = tlsext_supportedgroups_server_needs, 1916 .build = tlsext_supportedgroups_server_build, 1917 .parse = tlsext_supportedgroups_server_parse, 1918 }, 1919 }, 1920 { 1921 .type = TLSEXT_TYPE_session_ticket, 1922 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1923 .client = { 1924 .needs = tlsext_sessionticket_client_needs, 1925 .build = tlsext_sessionticket_client_build, 1926 .parse = tlsext_sessionticket_client_parse, 1927 }, 1928 .server = { 1929 .needs = tlsext_sessionticket_server_needs, 1930 .build = tlsext_sessionticket_server_build, 1931 .parse = tlsext_sessionticket_server_parse, 1932 }, 1933 }, 1934 { 1935 .type = TLSEXT_TYPE_signature_algorithms, 1936 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 1937 .client = { 1938 .needs = tlsext_sigalgs_client_needs, 1939 .build = tlsext_sigalgs_client_build, 1940 .parse = tlsext_sigalgs_client_parse, 1941 }, 1942 .server = { 1943 .needs = tlsext_sigalgs_server_needs, 1944 .build = tlsext_sigalgs_server_build, 1945 .parse = tlsext_sigalgs_server_parse, 1946 }, 1947 }, 1948 { 1949 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1950 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1951 .client = { 1952 .needs = tlsext_alpn_client_needs, 1953 .build = tlsext_alpn_client_build, 1954 .parse = tlsext_alpn_client_parse, 1955 }, 1956 .server = { 1957 .needs = tlsext_alpn_server_needs, 1958 .build = tlsext_alpn_server_build, 1959 .parse = tlsext_alpn_server_parse, 1960 }, 1961 }, 1962 { 1963 .type = TLSEXT_TYPE_cookie, 1964 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 1965 .client = { 1966 .needs = tlsext_cookie_client_needs, 1967 .build = tlsext_cookie_client_build, 1968 .parse = tlsext_cookie_client_parse, 1969 }, 1970 .server = { 1971 .needs = tlsext_cookie_server_needs, 1972 .build = tlsext_cookie_server_build, 1973 .parse = tlsext_cookie_server_parse, 1974 }, 1975 }, 1976 #ifndef OPENSSL_NO_SRTP 1977 { 1978 .type = TLSEXT_TYPE_use_srtp, 1979 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 1980 SSL_TLSEXT_MSG_EE, 1981 .client = { 1982 .needs = tlsext_srtp_client_needs, 1983 .build = tlsext_srtp_client_build, 1984 .parse = tlsext_srtp_client_parse, 1985 }, 1986 .server = { 1987 .needs = tlsext_srtp_server_needs, 1988 .build = tlsext_srtp_server_build, 1989 .parse = tlsext_srtp_server_parse, 1990 }, 1991 } 1992 #endif /* OPENSSL_NO_SRTP */ 1993 }; 1994 1995 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 1996 1997 /* Ensure that extensions fit in a uint32_t bitmask. */ 1998 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1999 2000 struct tls_extension * 2001 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2002 { 2003 size_t i; 2004 2005 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2006 if (tls_extensions[i].type == type) { 2007 *tls_extensions_idx = i; 2008 return &tls_extensions[i]; 2009 } 2010 } 2011 2012 return NULL; 2013 } 2014 2015 int 2016 tlsext_extension_seen(SSL *s, uint16_t type) 2017 { 2018 size_t idx; 2019 2020 if (tls_extension_find(type, &idx) == NULL) 2021 return 0; 2022 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); 2023 } 2024 2025 static struct tls_extension_funcs * 2026 tlsext_funcs(struct tls_extension *tlsext, int is_server) 2027 { 2028 if (is_server) 2029 return &tlsext->server; 2030 2031 return &tlsext->client; 2032 } 2033 2034 static int 2035 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2036 { 2037 struct tls_extension_funcs *ext; 2038 struct tls_extension *tlsext; 2039 CBB extensions, extension_data; 2040 int extensions_present = 0; 2041 size_t i; 2042 uint16_t version; 2043 2044 if (is_server) 2045 version = s->version; 2046 else 2047 version = TLS1_get_client_version(s); 2048 2049 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2050 return 0; 2051 2052 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2053 tlsext = &tls_extensions[i]; 2054 ext = tlsext_funcs(tlsext, is_server); 2055 2056 /* RFC 8446 Section 4.2 */ 2057 if (version >= TLS1_3_VERSION && 2058 !(tlsext->messages & msg_type)) 2059 continue; 2060 2061 if (!ext->needs(s, msg_type)) 2062 continue; 2063 2064 if (!CBB_add_u16(&extensions, tlsext->type)) 2065 return 0; 2066 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2067 return 0; 2068 2069 if (!ext->build(s, msg_type, &extension_data)) 2070 return 0; 2071 2072 extensions_present = 1; 2073 } 2074 2075 if (!extensions_present && 2076 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2077 CBB_discard_child(cbb); 2078 2079 if (!CBB_flush(cbb)) 2080 return 0; 2081 2082 return 1; 2083 } 2084 2085 int 2086 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2087 { 2088 /* 2089 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2090 * cookie may be added, padding may be removed. 2091 */ 2092 struct tls13_ctx *ctx = s->internal->tls13; 2093 2094 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2095 type == TLSEXT_TYPE_padding) 2096 return 1; 2097 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2098 sizeof(type))) 2099 return 0; 2100 /* 2101 * key_share data may be changed, and pre_shared_key data may 2102 * be changed 2103 */ 2104 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2105 return 1; 2106 if (!tls13_clienthello_hash_update(ctx, cbs)) 2107 return 0; 2108 2109 return 1; 2110 } 2111 2112 static int 2113 tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2114 { 2115 struct tls_extension_funcs *ext; 2116 struct tls_extension *tlsext; 2117 CBS extensions, extension_data; 2118 uint16_t type; 2119 size_t idx; 2120 uint16_t version; 2121 int alert_desc; 2122 2123 S3I(s)->hs.extensions_seen = 0; 2124 2125 if (is_server) 2126 version = s->version; 2127 else 2128 version = TLS1_get_client_version(s); 2129 2130 /* An empty extensions block is valid. */ 2131 if (CBS_len(cbs) == 0) 2132 return 1; 2133 2134 alert_desc = SSL_AD_DECODE_ERROR; 2135 2136 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2137 goto err; 2138 2139 while (CBS_len(&extensions) > 0) { 2140 if (!CBS_get_u16(&extensions, &type)) 2141 goto err; 2142 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2143 goto err; 2144 2145 if (s->internal->tlsext_debug_cb != NULL) 2146 s->internal->tlsext_debug_cb(s, is_server, type, 2147 (unsigned char *)CBS_data(&extension_data), 2148 CBS_len(&extension_data), 2149 s->internal->tlsext_debug_arg); 2150 2151 if (!SSL_IS_DTLS(s) && version >= TLS1_3_VERSION && is_server && 2152 msg_type == SSL_TLSEXT_MSG_CH) { 2153 if (!tlsext_clienthello_hash_extension(s, type, 2154 &extension_data)) 2155 goto err; 2156 } 2157 2158 /* Unknown extensions are ignored. */ 2159 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2160 continue; 2161 2162 /* RFC 8446 Section 4.2 */ 2163 if (version >= TLS1_3_VERSION && 2164 !(tlsext->messages & msg_type)) { 2165 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2166 goto err; 2167 } 2168 2169 /* Check for duplicate known extensions. */ 2170 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 2171 goto err; 2172 S3I(s)->hs.extensions_seen |= (1 << idx); 2173 2174 ext = tlsext_funcs(tlsext, is_server); 2175 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2176 goto err; 2177 2178 if (CBS_len(&extension_data) != 0) 2179 goto err; 2180 } 2181 2182 return 1; 2183 2184 err: 2185 *alert = alert_desc; 2186 2187 return 0; 2188 } 2189 2190 static void 2191 tlsext_server_reset_state(SSL *s) 2192 { 2193 s->tlsext_status_type = -1; 2194 S3I(s)->renegotiate_seen = 0; 2195 free(S3I(s)->alpn_selected); 2196 S3I(s)->alpn_selected = NULL; 2197 S3I(s)->alpn_selected_len = 0; 2198 s->internal->srtp_profile = NULL; 2199 } 2200 2201 int 2202 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2203 { 2204 return tlsext_build(s, 1, msg_type, cbb); 2205 } 2206 2207 int 2208 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2209 { 2210 /* XXX - this should be done by the caller... */ 2211 if (msg_type == SSL_TLSEXT_MSG_CH) 2212 tlsext_server_reset_state(s); 2213 2214 return tlsext_parse(s, 1, msg_type, cbs, alert); 2215 } 2216 2217 static void 2218 tlsext_client_reset_state(SSL *s) 2219 { 2220 S3I(s)->renegotiate_seen = 0; 2221 free(S3I(s)->alpn_selected); 2222 S3I(s)->alpn_selected = NULL; 2223 S3I(s)->alpn_selected_len = 0; 2224 } 2225 2226 int 2227 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2228 { 2229 return tlsext_build(s, 0, msg_type, cbb); 2230 } 2231 2232 int 2233 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2234 { 2235 /* XXX - this should be done by the caller... */ 2236 if (msg_type == SSL_TLSEXT_MSG_SH) 2237 tlsext_client_reset_state(s); 2238 2239 return tlsext_parse(s, 0, msg_type, cbs, alert); 2240 } 2241