1 /* $OpenBSD: ssl_tlsext.c,v 1.63.4.1 2020/08/10 18:59:47 tb Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <openssl/ocsp.h> 21 22 #include "ssl_locl.h" 23 24 #include "bytestring.h" 25 #include "ssl_sigalgs.h" 26 #include "ssl_tlsext.h" 27 28 /* 29 * Supported Application-Layer Protocol Negotiation - RFC 7301 30 */ 31 32 int 33 tlsext_alpn_client_needs(SSL *s) 34 { 35 /* ALPN protos have been specified and this is the initial handshake */ 36 return s->internal->alpn_client_proto_list != NULL && 37 S3I(s)->tmp.finish_md_len == 0; 38 } 39 40 int 41 tlsext_alpn_client_build(SSL *s, CBB *cbb) 42 { 43 CBB protolist; 44 45 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 46 return 0; 47 48 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 49 s->internal->alpn_client_proto_list_len)) 50 return 0; 51 52 if (!CBB_flush(cbb)) 53 return 0; 54 55 return 1; 56 } 57 58 int 59 tlsext_alpn_server_parse(SSL *s, CBS *cbs, int *alert) 60 { 61 CBS proto_name_list, alpn; 62 const unsigned char *selected; 63 unsigned char selected_len; 64 int r; 65 66 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 67 goto err; 68 if (CBS_len(&alpn) < 2) 69 goto err; 70 if (CBS_len(cbs) != 0) 71 goto err; 72 73 CBS_dup(&alpn, &proto_name_list); 74 while (CBS_len(&proto_name_list) > 0) { 75 CBS proto_name; 76 77 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 78 goto err; 79 if (CBS_len(&proto_name) == 0) 80 goto err; 81 } 82 83 if (s->ctx->internal->alpn_select_cb == NULL) 84 return 1; 85 86 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 87 CBS_data(&alpn), CBS_len(&alpn), 88 s->ctx->internal->alpn_select_cb_arg); 89 if (r == SSL_TLSEXT_ERR_OK) { 90 free(S3I(s)->alpn_selected); 91 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 92 *alert = SSL_AD_INTERNAL_ERROR; 93 return 0; 94 } 95 memcpy(S3I(s)->alpn_selected, selected, selected_len); 96 S3I(s)->alpn_selected_len = selected_len; 97 } 98 99 return 1; 100 101 err: 102 *alert = SSL_AD_DECODE_ERROR; 103 return 0; 104 } 105 106 int 107 tlsext_alpn_server_needs(SSL *s) 108 { 109 return S3I(s)->alpn_selected != NULL; 110 } 111 112 int 113 tlsext_alpn_server_build(SSL *s, CBB *cbb) 114 { 115 CBB list, selected; 116 117 if (!CBB_add_u16_length_prefixed(cbb, &list)) 118 return 0; 119 120 if (!CBB_add_u8_length_prefixed(&list, &selected)) 121 return 0; 122 123 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 124 S3I(s)->alpn_selected_len)) 125 return 0; 126 127 if (!CBB_flush(cbb)) 128 return 0; 129 130 return 1; 131 } 132 133 int 134 tlsext_alpn_client_parse(SSL *s, CBS *cbs, int *alert) 135 { 136 CBS list, proto; 137 138 if (s->internal->alpn_client_proto_list == NULL) { 139 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 140 return 0; 141 } 142 143 if (!CBS_get_u16_length_prefixed(cbs, &list)) 144 goto err; 145 if (CBS_len(cbs) != 0) 146 goto err; 147 148 if (!CBS_get_u8_length_prefixed(&list, &proto)) 149 goto err; 150 151 if (CBS_len(&list) != 0) 152 goto err; 153 if (CBS_len(&proto) == 0) 154 goto err; 155 156 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 157 &(S3I(s)->alpn_selected_len))) 158 goto err; 159 160 return 1; 161 162 err: 163 *alert = TLS1_AD_DECODE_ERROR; 164 return 0; 165 } 166 167 /* 168 * Supported Groups - RFC 7919 section 2 169 */ 170 int 171 tlsext_supportedgroups_client_needs(SSL *s) 172 { 173 return ssl_has_ecc_ciphers(s) || 174 (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 175 } 176 177 int 178 tlsext_supportedgroups_client_build(SSL *s, CBB *cbb) 179 { 180 const uint16_t *groups; 181 size_t groups_len; 182 CBB grouplist; 183 int i; 184 185 tls1_get_group_list(s, 0, &groups, &groups_len); 186 if (groups_len == 0) { 187 SSLerror(s, ERR_R_INTERNAL_ERROR); 188 return 0; 189 } 190 191 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 192 return 0; 193 194 for (i = 0; i < groups_len; i++) { 195 if (!CBB_add_u16(&grouplist, groups[i])) 196 return 0; 197 } 198 199 if (!CBB_flush(cbb)) 200 return 0; 201 202 return 1; 203 } 204 205 int 206 tlsext_supportedgroups_server_parse(SSL *s, CBS *cbs, int *alert) 207 { 208 CBS grouplist; 209 size_t groups_len; 210 211 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 212 goto err; 213 if (CBS_len(cbs) != 0) 214 goto err; 215 216 groups_len = CBS_len(&grouplist); 217 if (groups_len == 0 || groups_len % 2 != 0) 218 goto err; 219 groups_len /= 2; 220 221 if (!s->internal->hit) { 222 uint16_t *groups; 223 int i; 224 225 if (SSI(s)->tlsext_supportedgroups != NULL) 226 goto err; 227 228 if ((groups = reallocarray(NULL, groups_len, 229 sizeof(uint16_t))) == NULL) { 230 *alert = TLS1_AD_INTERNAL_ERROR; 231 return 0; 232 } 233 234 for (i = 0; i < groups_len; i++) { 235 if (!CBS_get_u16(&grouplist, &groups[i])) { 236 free(groups); 237 goto err; 238 } 239 } 240 241 if (CBS_len(&grouplist) != 0) { 242 free(groups); 243 goto err; 244 } 245 246 SSI(s)->tlsext_supportedgroups = groups; 247 SSI(s)->tlsext_supportedgroups_length = groups_len; 248 } 249 250 return 1; 251 252 err: 253 *alert = TLS1_AD_DECODE_ERROR; 254 return 0; 255 } 256 257 /* This extension is never used by the server. */ 258 int 259 tlsext_supportedgroups_server_needs(SSL *s) 260 { 261 return 0; 262 } 263 264 int 265 tlsext_supportedgroups_server_build(SSL *s, CBB *cbb) 266 { 267 return 0; 268 } 269 270 int 271 tlsext_supportedgroups_client_parse(SSL *s, CBS *cbs, int *alert) 272 { 273 /* 274 * Servers should not send this extension per the RFC. 275 * 276 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 277 * from at least 2014 but as of 2017, there are still large sites with 278 * this unpatched in production. As a result, we need to currently skip 279 * over the extension and ignore its content: 280 * 281 * https://support.f5.com/csp/article/K37345003 282 */ 283 if (!CBS_skip(cbs, CBS_len(cbs))) { 284 *alert = TLS1_AD_INTERNAL_ERROR; 285 return 0; 286 } 287 288 return 1; 289 } 290 291 /* 292 * Supported Point Formats Extension - RFC 4492 section 5.1.2 293 */ 294 static int 295 tlsext_ecpf_build(SSL *s, CBB *cbb) 296 { 297 CBB ecpf; 298 size_t formats_len; 299 const uint8_t *formats; 300 301 tls1_get_formatlist(s, 0, &formats, &formats_len); 302 303 if (formats_len == 0) { 304 SSLerror(s, ERR_R_INTERNAL_ERROR); 305 return 0; 306 } 307 308 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 309 return 0; 310 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 311 return 0; 312 if (!CBB_flush(cbb)) 313 return 0; 314 315 return 1; 316 } 317 318 static int 319 tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert) 320 { 321 CBS ecpf; 322 323 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 324 goto err; 325 if (CBS_len(&ecpf) == 0) 326 goto err; 327 if (CBS_len(cbs) != 0) 328 goto err; 329 330 /* Must contain uncompressed (0) */ 331 if (!CBS_contains_zero_byte(&ecpf)) { 332 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 333 goto err; 334 } 335 336 if (!s->internal->hit) { 337 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 338 &(SSI(s)->tlsext_ecpointformatlist_length))) { 339 *alert = TLS1_AD_INTERNAL_ERROR; 340 return 0; 341 } 342 } 343 344 return 1; 345 346 err: 347 *alert = SSL_AD_DECODE_ERROR; 348 return 0; 349 } 350 351 int 352 tlsext_ecpf_client_needs(SSL *s) 353 { 354 return ssl_has_ecc_ciphers(s); 355 } 356 357 int 358 tlsext_ecpf_client_build(SSL *s, CBB *cbb) 359 { 360 return tlsext_ecpf_build(s, cbb); 361 } 362 363 int 364 tlsext_ecpf_server_parse(SSL *s, CBS *cbs, int *alert) 365 { 366 return tlsext_ecpf_parse(s, cbs, alert); 367 } 368 369 int 370 tlsext_ecpf_server_needs(SSL *s) 371 { 372 if (s->version == DTLS1_VERSION) 373 return 0; 374 375 return ssl_using_ecc_cipher(s); 376 } 377 378 int 379 tlsext_ecpf_server_build(SSL *s, CBB *cbb) 380 { 381 return tlsext_ecpf_build(s, cbb); 382 } 383 384 int 385 tlsext_ecpf_client_parse(SSL *s, CBS *cbs, int *alert) 386 { 387 return tlsext_ecpf_parse(s, cbs, alert); 388 } 389 390 /* 391 * Renegotiation Indication - RFC 5746. 392 */ 393 int 394 tlsext_ri_client_needs(SSL *s) 395 { 396 return (s->internal->renegotiate); 397 } 398 399 int 400 tlsext_ri_client_build(SSL *s, CBB *cbb) 401 { 402 CBB reneg; 403 404 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 405 return 0; 406 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 407 S3I(s)->previous_client_finished_len)) 408 return 0; 409 if (!CBB_flush(cbb)) 410 return 0; 411 412 return 1; 413 } 414 415 int 416 tlsext_ri_server_parse(SSL *s, CBS *cbs, int *alert) 417 { 418 CBS reneg; 419 420 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 421 goto err; 422 if (CBS_len(cbs) != 0) 423 goto err; 424 425 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 426 S3I(s)->previous_client_finished_len)) { 427 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 428 *alert = SSL_AD_HANDSHAKE_FAILURE; 429 return 0; 430 } 431 432 S3I(s)->renegotiate_seen = 1; 433 S3I(s)->send_connection_binding = 1; 434 435 return 1; 436 437 err: 438 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 439 *alert = SSL_AD_DECODE_ERROR; 440 return 0; 441 } 442 443 int 444 tlsext_ri_server_needs(SSL *s) 445 { 446 return (s->version < TLS1_3_VERSION && S3I(s)->send_connection_binding); 447 } 448 449 int 450 tlsext_ri_server_build(SSL *s, CBB *cbb) 451 { 452 CBB reneg; 453 454 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 455 return 0; 456 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 457 S3I(s)->previous_client_finished_len)) 458 return 0; 459 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 460 S3I(s)->previous_server_finished_len)) 461 return 0; 462 if (!CBB_flush(cbb)) 463 return 0; 464 465 return 1; 466 } 467 468 int 469 tlsext_ri_client_parse(SSL *s, CBS *cbs, int *alert) 470 { 471 CBS reneg, prev_client, prev_server; 472 473 /* 474 * Ensure that the previous client and server values are both not 475 * present, or that they are both present. 476 */ 477 if ((S3I(s)->previous_client_finished_len == 0 && 478 S3I(s)->previous_server_finished_len != 0) || 479 (S3I(s)->previous_client_finished_len != 0 && 480 S3I(s)->previous_server_finished_len == 0)) { 481 *alert = TLS1_AD_INTERNAL_ERROR; 482 return 0; 483 } 484 485 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 486 goto err; 487 if (!CBS_get_bytes(&reneg, &prev_client, 488 S3I(s)->previous_client_finished_len)) 489 goto err; 490 if (!CBS_get_bytes(&reneg, &prev_server, 491 S3I(s)->previous_server_finished_len)) 492 goto err; 493 if (CBS_len(&reneg) != 0) 494 goto err; 495 if (CBS_len(cbs) != 0) 496 goto err; 497 498 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 499 S3I(s)->previous_client_finished_len)) { 500 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 501 *alert = SSL_AD_HANDSHAKE_FAILURE; 502 return 0; 503 } 504 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 505 S3I(s)->previous_server_finished_len)) { 506 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 507 *alert = SSL_AD_HANDSHAKE_FAILURE; 508 return 0; 509 } 510 511 S3I(s)->renegotiate_seen = 1; 512 S3I(s)->send_connection_binding = 1; 513 514 return 1; 515 516 err: 517 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 518 *alert = SSL_AD_DECODE_ERROR; 519 return 0; 520 } 521 522 /* 523 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 524 */ 525 int 526 tlsext_sigalgs_client_needs(SSL *s) 527 { 528 return (TLS1_get_client_version(s) >= TLS1_2_VERSION); 529 } 530 531 int 532 tlsext_sigalgs_client_build(SSL *s, CBB *cbb) 533 { 534 uint16_t *tls_sigalgs = tls12_sigalgs; 535 size_t tls_sigalgs_len = tls12_sigalgs_len; 536 CBB sigalgs; 537 538 if (TLS1_get_client_version(s) >= TLS1_3_VERSION && 539 S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) { 540 tls_sigalgs = tls13_sigalgs; 541 tls_sigalgs_len = tls13_sigalgs_len; 542 } 543 544 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 545 return 0; 546 547 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 548 return 0; 549 550 if (!CBB_flush(cbb)) 551 return 0; 552 553 return 1; 554 } 555 556 int 557 tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert) 558 { 559 CBS sigalgs; 560 561 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 562 return 0; 563 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 564 return 0; 565 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 566 return 0; 567 568 return 1; 569 } 570 571 int 572 tlsext_sigalgs_server_needs(SSL *s) 573 { 574 return (s->version >= TLS1_3_VERSION); 575 } 576 577 int 578 tlsext_sigalgs_server_build(SSL *s, CBB *cbb) 579 { 580 uint16_t *tls_sigalgs = tls12_sigalgs; 581 size_t tls_sigalgs_len = tls12_sigalgs_len; 582 CBB sigalgs; 583 584 if (s->version >= TLS1_3_VERSION) { 585 tls_sigalgs = tls13_sigalgs; 586 tls_sigalgs_len = tls13_sigalgs_len; 587 } 588 589 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 590 return 0; 591 592 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 593 return 0; 594 595 if (!CBB_flush(cbb)) 596 return 0; 597 598 return 1; 599 } 600 601 int 602 tlsext_sigalgs_client_parse(SSL *s, CBS *cbs, int *alert) 603 { 604 CBS sigalgs; 605 606 if (s->version < TLS1_3_VERSION) 607 return 0; 608 609 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 610 return 0; 611 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 612 return 0; 613 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 614 return 0; 615 616 return 1; 617 } 618 619 /* 620 * Server Name Indication - RFC 6066, section 3. 621 */ 622 int 623 tlsext_sni_client_needs(SSL *s) 624 { 625 return (s->tlsext_hostname != NULL); 626 } 627 628 int 629 tlsext_sni_client_build(SSL *s, CBB *cbb) 630 { 631 CBB server_name_list, host_name; 632 633 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 634 return 0; 635 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 636 return 0; 637 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 638 return 0; 639 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 640 strlen(s->tlsext_hostname))) 641 return 0; 642 if (!CBB_flush(cbb)) 643 return 0; 644 645 return 1; 646 } 647 648 int 649 tlsext_sni_server_parse(SSL *s, CBS *cbs, int *alert) 650 { 651 CBS server_name_list, host_name; 652 uint8_t name_type; 653 654 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 655 goto err; 656 657 /* 658 * RFC 6066 section 3 forbids multiple host names with the same type. 659 * Additionally, only one type (host_name) is specified. 660 */ 661 if (!CBS_get_u8(&server_name_list, &name_type)) 662 goto err; 663 if (name_type != TLSEXT_NAMETYPE_host_name) 664 goto err; 665 666 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 667 goto err; 668 if (CBS_len(&host_name) == 0 || 669 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || 670 CBS_contains_zero_byte(&host_name)) { 671 *alert = TLS1_AD_UNRECOGNIZED_NAME; 672 return 0; 673 } 674 675 if (s->internal->hit) { 676 if (s->session->tlsext_hostname == NULL) { 677 *alert = TLS1_AD_UNRECOGNIZED_NAME; 678 return 0; 679 } 680 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 681 strlen(s->session->tlsext_hostname))) { 682 *alert = TLS1_AD_UNRECOGNIZED_NAME; 683 return 0; 684 } 685 } else { 686 if (s->session->tlsext_hostname != NULL) 687 goto err; 688 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 689 *alert = TLS1_AD_INTERNAL_ERROR; 690 return 0; 691 } 692 } 693 694 if (CBS_len(&server_name_list) != 0) 695 goto err; 696 if (CBS_len(cbs) != 0) 697 goto err; 698 699 return 1; 700 701 err: 702 *alert = SSL_AD_DECODE_ERROR; 703 return 0; 704 } 705 706 int 707 tlsext_sni_server_needs(SSL *s) 708 { 709 if (s->internal->hit) 710 return 0; 711 712 return (s->session->tlsext_hostname != NULL); 713 } 714 715 int 716 tlsext_sni_server_build(SSL *s, CBB *cbb) 717 { 718 return 1; 719 } 720 721 int 722 tlsext_sni_client_parse(SSL *s, CBS *cbs, int *alert) 723 { 724 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 725 *alert = TLS1_AD_UNRECOGNIZED_NAME; 726 return 0; 727 } 728 729 if (s->internal->hit) { 730 if (s->session->tlsext_hostname == NULL) { 731 *alert = TLS1_AD_UNRECOGNIZED_NAME; 732 return 0; 733 } 734 if (strcmp(s->tlsext_hostname, 735 s->session->tlsext_hostname) != 0) { 736 *alert = TLS1_AD_UNRECOGNIZED_NAME; 737 return 0; 738 } 739 } else { 740 if (s->session->tlsext_hostname != NULL) { 741 *alert = SSL_AD_DECODE_ERROR; 742 return 0; 743 } 744 if ((s->session->tlsext_hostname = 745 strdup(s->tlsext_hostname)) == NULL) { 746 *alert = TLS1_AD_INTERNAL_ERROR; 747 return 0; 748 } 749 } 750 751 return 1; 752 } 753 754 755 /* 756 *Certificate Status Request - RFC 6066 section 8. 757 */ 758 759 int 760 tlsext_ocsp_client_needs(SSL *s) 761 { 762 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 763 s->version != DTLS1_VERSION); 764 } 765 766 int 767 tlsext_ocsp_client_build(SSL *s, CBB *cbb) 768 { 769 CBB respid_list, respid, exts; 770 unsigned char *ext_data; 771 size_t ext_len; 772 int i; 773 774 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 775 return 0; 776 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 777 return 0; 778 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 779 unsigned char *respid_data; 780 OCSP_RESPID *id; 781 size_t id_len; 782 783 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 784 i)) == NULL) 785 return 0; 786 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 787 return 0; 788 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 789 return 0; 790 if (!CBB_add_space(&respid, &respid_data, id_len)) 791 return 0; 792 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 793 return 0; 794 } 795 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 796 return 0; 797 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 798 NULL)) == -1) 799 return 0; 800 if (!CBB_add_space(&exts, &ext_data, ext_len)) 801 return 0; 802 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 803 ext_len)) 804 return 0; 805 if (!CBB_flush(cbb)) 806 return 0; 807 return 1; 808 } 809 810 int 811 tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert) 812 { 813 int alert_desc = SSL_AD_DECODE_ERROR; 814 CBS respid_list, respid, exts; 815 const unsigned char *p; 816 uint8_t status_type; 817 int ret = 0; 818 819 if (!CBS_get_u8(cbs, &status_type)) 820 goto err; 821 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 822 /* ignore unknown status types */ 823 s->tlsext_status_type = -1; 824 825 if (!CBS_skip(cbs, CBS_len(cbs))) { 826 *alert = TLS1_AD_INTERNAL_ERROR; 827 return 0; 828 } 829 return 1; 830 } 831 s->tlsext_status_type = status_type; 832 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 833 goto err; 834 835 /* XXX */ 836 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 837 s->internal->tlsext_ocsp_ids = NULL; 838 if (CBS_len(&respid_list) > 0) { 839 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 840 if (s->internal->tlsext_ocsp_ids == NULL) { 841 alert_desc = SSL_AD_INTERNAL_ERROR; 842 goto err; 843 } 844 } 845 846 while (CBS_len(&respid_list) > 0) { 847 OCSP_RESPID *id; 848 849 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 850 goto err; 851 p = CBS_data(&respid); 852 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 853 goto err; 854 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 855 alert_desc = SSL_AD_INTERNAL_ERROR; 856 OCSP_RESPID_free(id); 857 goto err; 858 } 859 } 860 861 /* Read in request_extensions */ 862 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 863 goto err; 864 if (CBS_len(&exts) > 0) { 865 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 866 X509_EXTENSION_free); 867 p = CBS_data(&exts); 868 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 869 &p, CBS_len(&exts))) == NULL) 870 goto err; 871 } 872 873 /* should be nothing left */ 874 if (CBS_len(cbs) > 0) 875 goto err; 876 877 ret = 1; 878 err: 879 if (ret == 0) 880 *alert = alert_desc; 881 return ret; 882 } 883 884 int 885 tlsext_ocsp_server_needs(SSL *s) 886 { 887 return s->internal->tlsext_status_expected; 888 } 889 890 int 891 tlsext_ocsp_server_build(SSL *s, CBB *cbb) 892 { 893 return 1; 894 } 895 896 int 897 tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert) 898 { 899 CBS response; 900 size_t resp_len; 901 uint16_t version = TLS1_get_client_version(s); 902 uint8_t status_type; 903 904 if (version >= TLS1_3_VERSION) { 905 /* 906 * RFC 8446, 4.4.2.1 - the server may request an OCSP 907 * response with an empty status_request. 908 */ 909 if (CBS_len(cbs) == 0) 910 return 1; 911 912 if (!CBS_get_u8(cbs, &status_type)) { 913 SSLerror(s, SSL_R_LENGTH_MISMATCH); 914 return 0; 915 } 916 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 917 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 918 return 0; 919 } 920 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 921 SSLerror(s, SSL_R_LENGTH_MISMATCH); 922 return 0; 923 } 924 if (CBS_len(&response) > 65536) { 925 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 926 return 0; 927 } 928 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 929 &resp_len)) { 930 *alert = SSL_AD_INTERNAL_ERROR; 931 return 0; 932 } 933 s->internal->tlsext_ocsp_resplen = (int)resp_len; 934 } else { 935 if (s->tlsext_status_type == -1) { 936 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 937 return 0; 938 } 939 /* Set flag to expect CertificateStatus message */ 940 s->internal->tlsext_status_expected = 1; 941 } 942 return 1; 943 } 944 945 /* 946 * SessionTicket extension - RFC 5077 section 3.2 947 */ 948 int 949 tlsext_sessionticket_client_needs(SSL *s) 950 { 951 /* 952 * Send session ticket extension when enabled and not overridden. 953 * 954 * When renegotiating, send an empty session ticket to indicate support. 955 */ 956 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 957 return 0; 958 959 if (s->internal->new_session) 960 return 1; 961 962 if (s->internal->tlsext_session_ticket != NULL && 963 s->internal->tlsext_session_ticket->data == NULL) 964 return 0; 965 966 return 1; 967 } 968 969 int 970 tlsext_sessionticket_client_build(SSL *s, CBB *cbb) 971 { 972 /* 973 * Signal that we support session tickets by sending an empty 974 * extension when renegotiating or no session found. 975 */ 976 if (s->internal->new_session || s->session == NULL) 977 return 1; 978 979 if (s->session->tlsext_tick != NULL) { 980 /* Attempt to resume with an existing session ticket */ 981 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 982 s->session->tlsext_ticklen)) 983 return 0; 984 985 } else if (s->internal->tlsext_session_ticket != NULL) { 986 /* 987 * Attempt to resume with a custom provided session ticket set 988 * by SSL_set_session_ticket_ext(). 989 */ 990 if (s->internal->tlsext_session_ticket->length > 0) { 991 size_t ticklen = s->internal->tlsext_session_ticket->length; 992 993 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 994 return 0; 995 memcpy(s->session->tlsext_tick, 996 s->internal->tlsext_session_ticket->data, 997 ticklen); 998 s->session->tlsext_ticklen = ticklen; 999 1000 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1001 s->session->tlsext_ticklen)) 1002 return 0; 1003 } 1004 } 1005 1006 if (!CBB_flush(cbb)) 1007 return 0; 1008 1009 return 1; 1010 } 1011 1012 int 1013 tlsext_sessionticket_server_parse(SSL *s, CBS *cbs, int *alert) 1014 { 1015 if (s->internal->tls_session_ticket_ext_cb) { 1016 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1017 (int)CBS_len(cbs), 1018 s->internal->tls_session_ticket_ext_cb_arg)) { 1019 *alert = TLS1_AD_INTERNAL_ERROR; 1020 return 0; 1021 } 1022 } 1023 1024 /* We need to signal that this was processed fully */ 1025 if (!CBS_skip(cbs, CBS_len(cbs))) { 1026 *alert = TLS1_AD_INTERNAL_ERROR; 1027 return 0; 1028 } 1029 1030 return 1; 1031 } 1032 1033 int 1034 tlsext_sessionticket_server_needs(SSL *s) 1035 { 1036 return (s->internal->tlsext_ticket_expected && 1037 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 1038 } 1039 1040 int 1041 tlsext_sessionticket_server_build(SSL *s, CBB *cbb) 1042 { 1043 /* Empty ticket */ 1044 return 1; 1045 } 1046 1047 int 1048 tlsext_sessionticket_client_parse(SSL *s, CBS *cbs, int *alert) 1049 { 1050 if (s->internal->tls_session_ticket_ext_cb) { 1051 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1052 (int)CBS_len(cbs), 1053 s->internal->tls_session_ticket_ext_cb_arg)) { 1054 *alert = TLS1_AD_INTERNAL_ERROR; 1055 return 0; 1056 } 1057 } 1058 1059 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1060 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1061 return 0; 1062 } 1063 1064 s->internal->tlsext_ticket_expected = 1; 1065 1066 return 1; 1067 } 1068 1069 /* 1070 * DTLS extension for SRTP key establishment - RFC 5764 1071 */ 1072 1073 #ifndef OPENSSL_NO_SRTP 1074 1075 int 1076 tlsext_srtp_client_needs(SSL *s) 1077 { 1078 return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL; 1079 } 1080 1081 int 1082 tlsext_srtp_client_build(SSL *s, CBB *cbb) 1083 { 1084 CBB profiles, mki; 1085 int ct, i; 1086 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1087 SRTP_PROTECTION_PROFILE *prof; 1088 1089 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1090 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1091 return 0; 1092 } 1093 1094 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1095 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1096 return 0; 1097 } 1098 1099 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1100 return 0; 1101 1102 for (i = 0; i < ct; i++) { 1103 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1104 return 0; 1105 if (!CBB_add_u16(&profiles, prof->id)) 1106 return 0; 1107 } 1108 1109 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1110 return 0; 1111 1112 if (!CBB_flush(cbb)) 1113 return 0; 1114 1115 return 1; 1116 } 1117 1118 int 1119 tlsext_srtp_server_parse(SSL *s, CBS *cbs, int *alert) 1120 { 1121 SRTP_PROTECTION_PROFILE *cprof, *sprof; 1122 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1123 int i, j; 1124 int ret; 1125 uint16_t id; 1126 CBS profiles, mki; 1127 1128 ret = 0; 1129 1130 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1131 goto err; 1132 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1133 goto err; 1134 1135 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1136 goto err; 1137 1138 while (CBS_len(&profiles) > 0) { 1139 if (!CBS_get_u16(&profiles, &id)) 1140 goto err; 1141 1142 if (!srtp_find_profile_by_num(id, &cprof)) { 1143 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1144 goto err; 1145 } 1146 } 1147 1148 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1149 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1150 *alert = SSL_AD_DECODE_ERROR; 1151 goto done; 1152 } 1153 if (CBS_len(cbs) != 0) 1154 goto err; 1155 1156 /* 1157 * Per RFC 5764 section 4.1.1 1158 * 1159 * Find the server preferred profile using the client's list. 1160 * 1161 * The server MUST send a profile if it sends the use_srtp 1162 * extension. If one is not found, it should fall back to the 1163 * negotiated DTLS cipher suite or return a DTLS alert. 1164 */ 1165 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1166 goto err; 1167 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1168 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1169 == NULL) 1170 goto err; 1171 1172 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1173 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1174 == NULL) 1175 goto err; 1176 1177 if (cprof->id == sprof->id) { 1178 s->internal->srtp_profile = sprof; 1179 ret = 1; 1180 goto done; 1181 } 1182 } 1183 } 1184 1185 /* If we didn't find anything, fall back to the negotiated */ 1186 ret = 1; 1187 goto done; 1188 1189 err: 1190 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1191 *alert = SSL_AD_DECODE_ERROR; 1192 1193 done: 1194 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1195 return ret; 1196 } 1197 1198 int 1199 tlsext_srtp_server_needs(SSL *s) 1200 { 1201 return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL; 1202 } 1203 1204 int 1205 tlsext_srtp_server_build(SSL *s, CBB *cbb) 1206 { 1207 SRTP_PROTECTION_PROFILE *profile; 1208 CBB srtp, mki; 1209 1210 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1211 return 0; 1212 1213 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1214 return 0; 1215 1216 if (!CBB_add_u16(&srtp, profile->id)) 1217 return 0; 1218 1219 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1220 return 0; 1221 1222 if (!CBB_flush(cbb)) 1223 return 0; 1224 1225 return 1; 1226 } 1227 1228 int 1229 tlsext_srtp_client_parse(SSL *s, CBS *cbs, int *alert) 1230 { 1231 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1232 SRTP_PROTECTION_PROFILE *prof; 1233 int i; 1234 uint16_t id; 1235 CBS profile_ids, mki; 1236 1237 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1238 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1239 goto err; 1240 } 1241 1242 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1243 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1244 goto err; 1245 } 1246 1247 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1248 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1249 *alert = SSL_AD_ILLEGAL_PARAMETER; 1250 return 0; 1251 } 1252 1253 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1254 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1255 goto err; 1256 } 1257 1258 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1259 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1260 == NULL) { 1261 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1262 goto err; 1263 } 1264 1265 if (prof->id == id) { 1266 s->internal->srtp_profile = prof; 1267 return 1; 1268 } 1269 } 1270 1271 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1272 err: 1273 *alert = SSL_AD_DECODE_ERROR; 1274 return 0; 1275 } 1276 1277 #endif /* OPENSSL_NO_SRTP */ 1278 1279 /* 1280 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1281 */ 1282 int 1283 tlsext_keyshare_client_needs(SSL *s) 1284 { 1285 /* XXX once this gets initialized when we get tls13_client.c */ 1286 if (S3I(s)->hs_tls13.max_version == 0) 1287 return 0; 1288 return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= 1289 TLS1_3_VERSION); 1290 } 1291 1292 int 1293 tlsext_keyshare_client_build(SSL *s, CBB *cbb) 1294 { 1295 CBB client_shares; 1296 1297 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1298 return 0; 1299 1300 if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, 1301 &client_shares)) 1302 return 0; 1303 1304 if (!CBB_flush(cbb)) 1305 return 0; 1306 1307 return 1; 1308 } 1309 1310 int 1311 tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert) 1312 { 1313 CBS client_shares, key_exchange; 1314 uint16_t group; 1315 1316 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1317 goto err; 1318 1319 while (CBS_len(&client_shares) > 0) { 1320 1321 /* Unpack client share. */ 1322 if (!CBS_get_u16(&client_shares, &group)) 1323 goto err; 1324 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1325 return 0; 1326 1327 /* 1328 * XXX - check key exchange against supported groups from client. 1329 * XXX - check that groups only appear once. 1330 */ 1331 1332 /* 1333 * Ignore this client share if we're using earlier than TLSv1.3 1334 * or we've already selected a key share. 1335 */ 1336 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1337 continue; 1338 if (S3I(s)->hs_tls13.key_share != NULL) 1339 continue; 1340 1341 /* XXX - consider implementing server preference. */ 1342 if (!tls1_check_curve(s, group)) 1343 continue; 1344 1345 /* Decode and store the selected key share. */ 1346 S3I(s)->hs_tls13.key_share = tls13_key_share_new(group); 1347 if (S3I(s)->hs_tls13.key_share == NULL) 1348 goto err; 1349 if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, 1350 group, &key_exchange)) 1351 goto err; 1352 } 1353 1354 return 1; 1355 1356 err: 1357 *alert = SSL_AD_DECODE_ERROR; 1358 return 0; 1359 } 1360 1361 int 1362 tlsext_keyshare_server_needs(SSL *s) 1363 { 1364 if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION) 1365 return 0; 1366 1367 return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); 1368 } 1369 1370 int 1371 tlsext_keyshare_server_build(SSL *s, CBB *cbb) 1372 { 1373 if (S3I(s)->hs_tls13.key_share == NULL) 1374 return 0; 1375 1376 if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb)) 1377 return 0; 1378 1379 return 1; 1380 } 1381 1382 int 1383 tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert) 1384 { 1385 CBS key_exchange; 1386 uint16_t group; 1387 1388 /* Unpack server share. */ 1389 if (!CBS_get_u16(cbs, &group)) 1390 goto err; 1391 1392 if (CBS_len(cbs) == 0) { 1393 /* HRR does not include an actual key share. */ 1394 /* XXX - we should know that we are in a HRR... */ 1395 S3I(s)->hs_tls13.server_group = group; 1396 return 1; 1397 } 1398 1399 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1400 return 0; 1401 1402 if (S3I(s)->hs_tls13.key_share == NULL) 1403 return 0; 1404 1405 if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, 1406 group, &key_exchange)) 1407 goto err; 1408 1409 return 1; 1410 1411 err: 1412 *alert = SSL_AD_DECODE_ERROR; 1413 return 0; 1414 } 1415 1416 /* 1417 * Supported Versions - RFC 8446 section 4.2.1. 1418 */ 1419 int 1420 tlsext_versions_client_needs(SSL *s) 1421 { 1422 if (SSL_IS_DTLS(s)) 1423 return 0; 1424 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 1425 } 1426 1427 int 1428 tlsext_versions_client_build(SSL *s, CBB *cbb) 1429 { 1430 uint16_t max, min; 1431 uint16_t version; 1432 CBB versions; 1433 1434 max = S3I(s)->hs_tls13.max_version; 1435 min = S3I(s)->hs_tls13.min_version; 1436 1437 if (min < TLS1_VERSION) 1438 return 0; 1439 1440 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1441 return 0; 1442 1443 /* XXX - fix, but contiguous for now... */ 1444 for (version = max; version >= min; version--) { 1445 if (!CBB_add_u16(&versions, version)) 1446 return 0; 1447 } 1448 1449 if (!CBB_flush(cbb)) 1450 return 0; 1451 1452 return 1; 1453 } 1454 1455 int 1456 tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert) 1457 { 1458 CBS versions; 1459 uint16_t version; 1460 uint16_t max, min; 1461 uint16_t matched_version = 0; 1462 1463 max = S3I(s)->hs_tls13.max_version; 1464 min = S3I(s)->hs_tls13.min_version; 1465 1466 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1467 goto err; 1468 1469 while (CBS_len(&versions) > 0) { 1470 if (!CBS_get_u16(&versions, &version)) 1471 goto err; 1472 /* 1473 * XXX What is below implements client preference, and 1474 * ignores any server preference entirely. 1475 */ 1476 if (matched_version == 0 && version >= min && version <= max) 1477 matched_version = version; 1478 } 1479 1480 /* 1481 * XXX if we haven't matched a version we should 1482 * fail - but we currently need to succeed to 1483 * ignore this before the server code for 1.3 1484 * is set up and initialized. 1485 */ 1486 if (max == 0) 1487 return 1; /* XXX */ 1488 1489 if (matched_version != 0) { 1490 s->version = matched_version; 1491 return 1; 1492 } 1493 1494 *alert = SSL_AD_PROTOCOL_VERSION; 1495 return 0; 1496 1497 err: 1498 *alert = SSL_AD_DECODE_ERROR; 1499 return 0; 1500 } 1501 1502 int 1503 tlsext_versions_server_needs(SSL *s) 1504 { 1505 return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); 1506 } 1507 1508 int 1509 tlsext_versions_server_build(SSL *s, CBB *cbb) 1510 { 1511 if (!CBB_add_u16(cbb, TLS1_3_VERSION)) 1512 return 0; 1513 /* XXX set 1.2 in legacy version? */ 1514 1515 return 1; 1516 } 1517 1518 int 1519 tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert) 1520 { 1521 uint16_t selected_version; 1522 1523 if (!CBS_get_u16(cbs, &selected_version)) { 1524 *alert = SSL_AD_DECODE_ERROR; 1525 return 0; 1526 } 1527 1528 if (selected_version < TLS1_3_VERSION) { 1529 *alert = SSL_AD_ILLEGAL_PARAMETER; 1530 return 0; 1531 } 1532 1533 /* XXX test between min and max once initialization code goes in */ 1534 S3I(s)->hs_tls13.server_version = selected_version; 1535 1536 return 1; 1537 } 1538 1539 1540 /* 1541 * Cookie - RFC 8446 section 4.2.2. 1542 */ 1543 1544 int 1545 tlsext_cookie_client_needs(SSL *s) 1546 { 1547 if (SSL_IS_DTLS(s)) 1548 return 0; 1549 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1550 return 0; 1551 return (S3I(s)->hs_tls13.cookie_len > 0 && 1552 S3I(s)->hs_tls13.cookie != NULL); 1553 } 1554 1555 int 1556 tlsext_cookie_client_build(SSL *s, CBB *cbb) 1557 { 1558 CBB cookie; 1559 1560 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1561 return 0; 1562 1563 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1564 S3I(s)->hs_tls13.cookie_len)) 1565 return 0; 1566 1567 if (!CBB_flush(cbb)) 1568 return 0; 1569 1570 return 1; 1571 } 1572 1573 int 1574 tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert) 1575 { 1576 CBS cookie; 1577 1578 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1579 goto err; 1580 1581 if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len) 1582 goto err; 1583 1584 /* 1585 * Check provided cookie value against what server previously 1586 * sent - client *MUST* send the same cookie with new CR after 1587 * a cookie is sent by the server with an HRR. 1588 */ 1589 if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie, 1590 S3I(s)->hs_tls13.cookie_len)) { 1591 /* XXX special cookie mismatch alert? */ 1592 *alert = SSL_AD_ILLEGAL_PARAMETER; 1593 return 0; 1594 } 1595 1596 return 1; 1597 1598 err: 1599 *alert = SSL_AD_DECODE_ERROR; 1600 return 0; 1601 } 1602 1603 int 1604 tlsext_cookie_server_needs(SSL *s) 1605 { 1606 1607 if (SSL_IS_DTLS(s)) 1608 return 0; 1609 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1610 return 0; 1611 /* 1612 * Server needs to set cookie value in tls13 handshake 1613 * in order to send one, should only be sent with HRR. 1614 */ 1615 return (S3I(s)->hs_tls13.cookie_len > 0 && 1616 S3I(s)->hs_tls13.cookie != NULL); 1617 } 1618 1619 int 1620 tlsext_cookie_server_build(SSL *s, CBB *cbb) 1621 { 1622 CBB cookie; 1623 1624 /* XXX deduplicate with client code */ 1625 1626 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1627 return 0; 1628 1629 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1630 S3I(s)->hs_tls13.cookie_len)) 1631 return 0; 1632 1633 if (!CBB_flush(cbb)) 1634 return 0; 1635 1636 return 1; 1637 } 1638 1639 int 1640 tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert) 1641 { 1642 CBS cookie; 1643 1644 /* 1645 * XXX This currently assumes we will not get a second 1646 * HRR from a server with a cookie to process after accepting 1647 * one from the server in the same handshake 1648 */ 1649 if (S3I(s)->hs_tls13.cookie != NULL || 1650 S3I(s)->hs_tls13.cookie_len != 0) { 1651 *alert = SSL_AD_ILLEGAL_PARAMETER; 1652 return 0; 1653 } 1654 1655 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1656 goto err; 1657 1658 if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie, 1659 &S3I(s)->hs_tls13.cookie_len)) 1660 goto err; 1661 1662 return 1; 1663 1664 err: 1665 *alert = SSL_AD_DECODE_ERROR; 1666 return 0; 1667 } 1668 1669 struct tls_extension_funcs { 1670 int (*needs)(SSL *s); 1671 int (*build)(SSL *s, CBB *cbb); 1672 int (*parse)(SSL *s, CBS *cbs, int *alert); 1673 }; 1674 1675 struct tls_extension { 1676 uint16_t type; 1677 uint16_t messages; 1678 struct tls_extension_funcs client; 1679 struct tls_extension_funcs server; 1680 }; 1681 1682 static struct tls_extension tls_extensions[] = { 1683 { 1684 .type = TLSEXT_TYPE_supported_versions, 1685 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1686 SSL_TLSEXT_MSG_HRR, 1687 .client = { 1688 .needs = tlsext_versions_client_needs, 1689 .build = tlsext_versions_client_build, 1690 .parse = tlsext_versions_client_parse, 1691 }, 1692 .server = { 1693 .needs = tlsext_versions_server_needs, 1694 .build = tlsext_versions_server_build, 1695 .parse = tlsext_versions_server_parse, 1696 }, 1697 }, 1698 { 1699 .type = TLSEXT_TYPE_key_share, 1700 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1701 SSL_TLSEXT_MSG_HRR, 1702 .client = { 1703 .needs = tlsext_keyshare_client_needs, 1704 .build = tlsext_keyshare_client_build, 1705 .parse = tlsext_keyshare_client_parse, 1706 }, 1707 .server = { 1708 .needs = tlsext_keyshare_server_needs, 1709 .build = tlsext_keyshare_server_build, 1710 .parse = tlsext_keyshare_server_parse, 1711 }, 1712 }, 1713 { 1714 .type = TLSEXT_TYPE_server_name, 1715 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1716 .client = { 1717 .needs = tlsext_sni_client_needs, 1718 .build = tlsext_sni_client_build, 1719 .parse = tlsext_sni_client_parse, 1720 }, 1721 .server = { 1722 .needs = tlsext_sni_server_needs, 1723 .build = tlsext_sni_server_build, 1724 .parse = tlsext_sni_server_parse, 1725 }, 1726 }, 1727 { 1728 .type = TLSEXT_TYPE_renegotiate, 1729 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1730 .client = { 1731 .needs = tlsext_ri_client_needs, 1732 .build = tlsext_ri_client_build, 1733 .parse = tlsext_ri_client_parse, 1734 }, 1735 .server = { 1736 .needs = tlsext_ri_server_needs, 1737 .build = tlsext_ri_server_build, 1738 .parse = tlsext_ri_server_parse, 1739 }, 1740 }, 1741 { 1742 .type = TLSEXT_TYPE_status_request, 1743 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 1744 SSL_TLSEXT_MSG_CT, 1745 .client = { 1746 .needs = tlsext_ocsp_client_needs, 1747 .build = tlsext_ocsp_client_build, 1748 .parse = tlsext_ocsp_client_parse, 1749 }, 1750 .server = { 1751 .needs = tlsext_ocsp_server_needs, 1752 .build = tlsext_ocsp_server_build, 1753 .parse = tlsext_ocsp_server_parse, 1754 }, 1755 }, 1756 { 1757 .type = TLSEXT_TYPE_ec_point_formats, 1758 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1759 .client = { 1760 .needs = tlsext_ecpf_client_needs, 1761 .build = tlsext_ecpf_client_build, 1762 .parse = tlsext_ecpf_client_parse, 1763 }, 1764 .server = { 1765 .needs = tlsext_ecpf_server_needs, 1766 .build = tlsext_ecpf_server_build, 1767 .parse = tlsext_ecpf_server_parse, 1768 }, 1769 }, 1770 { 1771 .type = TLSEXT_TYPE_supported_groups, 1772 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1773 .client = { 1774 .needs = tlsext_supportedgroups_client_needs, 1775 .build = tlsext_supportedgroups_client_build, 1776 .parse = tlsext_supportedgroups_client_parse, 1777 }, 1778 .server = { 1779 .needs = tlsext_supportedgroups_server_needs, 1780 .build = tlsext_supportedgroups_server_build, 1781 .parse = tlsext_supportedgroups_server_parse, 1782 }, 1783 }, 1784 { 1785 .type = TLSEXT_TYPE_session_ticket, 1786 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1787 .client = { 1788 .needs = tlsext_sessionticket_client_needs, 1789 .build = tlsext_sessionticket_client_build, 1790 .parse = tlsext_sessionticket_client_parse, 1791 }, 1792 .server = { 1793 .needs = tlsext_sessionticket_server_needs, 1794 .build = tlsext_sessionticket_server_build, 1795 .parse = tlsext_sessionticket_server_parse, 1796 }, 1797 }, 1798 { 1799 .type = TLSEXT_TYPE_signature_algorithms, 1800 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 1801 .client = { 1802 .needs = tlsext_sigalgs_client_needs, 1803 .build = tlsext_sigalgs_client_build, 1804 .parse = tlsext_sigalgs_client_parse, 1805 }, 1806 .server = { 1807 .needs = tlsext_sigalgs_server_needs, 1808 .build = tlsext_sigalgs_server_build, 1809 .parse = tlsext_sigalgs_server_parse, 1810 }, 1811 }, 1812 { 1813 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1814 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1815 .client = { 1816 .needs = tlsext_alpn_client_needs, 1817 .build = tlsext_alpn_client_build, 1818 .parse = tlsext_alpn_client_parse, 1819 }, 1820 .server = { 1821 .needs = tlsext_alpn_server_needs, 1822 .build = tlsext_alpn_server_build, 1823 .parse = tlsext_alpn_server_parse, 1824 }, 1825 }, 1826 { 1827 .type = TLSEXT_TYPE_cookie, 1828 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 1829 .client = { 1830 .needs = tlsext_cookie_client_needs, 1831 .build = tlsext_cookie_client_build, 1832 .parse = tlsext_cookie_client_parse, 1833 }, 1834 .server = { 1835 .needs = tlsext_cookie_server_needs, 1836 .build = tlsext_cookie_server_build, 1837 .parse = tlsext_cookie_server_parse, 1838 }, 1839 }, 1840 #ifndef OPENSSL_NO_SRTP 1841 { 1842 .type = TLSEXT_TYPE_use_srtp, 1843 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 1844 SSL_TLSEXT_MSG_EE, 1845 .client = { 1846 .needs = tlsext_srtp_client_needs, 1847 .build = tlsext_srtp_client_build, 1848 .parse = tlsext_srtp_client_parse, 1849 }, 1850 .server = { 1851 .needs = tlsext_srtp_server_needs, 1852 .build = tlsext_srtp_server_build, 1853 .parse = tlsext_srtp_server_parse, 1854 }, 1855 } 1856 #endif /* OPENSSL_NO_SRTP */ 1857 }; 1858 1859 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 1860 1861 /* Ensure that extensions fit in a uint32_t bitmask. */ 1862 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1863 1864 struct tls_extension * 1865 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 1866 { 1867 size_t i; 1868 1869 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1870 if (tls_extensions[i].type == type) { 1871 *tls_extensions_idx = i; 1872 return &tls_extensions[i]; 1873 } 1874 } 1875 1876 return NULL; 1877 } 1878 1879 int 1880 tlsext_extension_seen(SSL *s, uint16_t type) 1881 { 1882 size_t idx; 1883 1884 if (tls_extension_find(type, &idx) == NULL) 1885 return 0; 1886 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); 1887 } 1888 1889 static struct tls_extension_funcs * 1890 tlsext_funcs(struct tls_extension *tlsext, int is_server) 1891 { 1892 if (is_server) 1893 return &tlsext->server; 1894 1895 return &tlsext->client; 1896 } 1897 1898 static int 1899 tlsext_build(SSL *s, CBB *cbb, int is_server, uint16_t msg_type) 1900 { 1901 struct tls_extension_funcs *ext; 1902 struct tls_extension *tlsext; 1903 CBB extensions, extension_data; 1904 int extensions_present = 0; 1905 size_t i; 1906 uint16_t version; 1907 1908 if (is_server) 1909 version = s->version; 1910 else 1911 version = TLS1_get_client_version(s); 1912 1913 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 1914 return 0; 1915 1916 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1917 tlsext = &tls_extensions[i]; 1918 ext = tlsext_funcs(tlsext, is_server); 1919 1920 /* RFC 8446 Section 4.2 */ 1921 if (version >= TLS1_3_VERSION && 1922 !(tlsext->messages & msg_type)) 1923 continue; 1924 1925 if (!ext->needs(s)) 1926 continue; 1927 1928 if (!CBB_add_u16(&extensions, tlsext->type)) 1929 return 0; 1930 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 1931 return 0; 1932 1933 if (!ext->build(s, &extension_data)) 1934 return 0; 1935 1936 extensions_present = 1; 1937 } 1938 1939 if (!extensions_present && 1940 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 1941 CBB_discard_child(cbb); 1942 1943 if (!CBB_flush(cbb)) 1944 return 0; 1945 1946 return 1; 1947 } 1948 1949 static int 1950 tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type) 1951 { 1952 struct tls_extension_funcs *ext; 1953 struct tls_extension *tlsext; 1954 CBS extensions, extension_data; 1955 uint16_t type; 1956 size_t idx; 1957 uint16_t version; 1958 int alert_desc; 1959 1960 S3I(s)->hs.extensions_seen = 0; 1961 1962 if (is_server) 1963 version = s->version; 1964 else 1965 version = TLS1_get_client_version(s); 1966 1967 /* An empty extensions block is valid. */ 1968 if (CBS_len(cbs) == 0) 1969 return 1; 1970 1971 alert_desc = SSL_AD_DECODE_ERROR; 1972 1973 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 1974 goto err; 1975 1976 while (CBS_len(&extensions) > 0) { 1977 if (!CBS_get_u16(&extensions, &type)) 1978 goto err; 1979 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 1980 goto err; 1981 1982 if (s->internal->tlsext_debug_cb != NULL) 1983 s->internal->tlsext_debug_cb(s, is_server, type, 1984 (unsigned char *)CBS_data(&extension_data), 1985 CBS_len(&extension_data), 1986 s->internal->tlsext_debug_arg); 1987 1988 /* Unknown extensions are ignored. */ 1989 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 1990 continue; 1991 1992 /* RFC 8446 Section 4.2 */ 1993 if (version >= TLS1_3_VERSION && 1994 !(tlsext->messages & msg_type)) { 1995 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 1996 goto err; 1997 } 1998 1999 /* Check for duplicate known extensions. */ 2000 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 2001 goto err; 2002 S3I(s)->hs.extensions_seen |= (1 << idx); 2003 2004 ext = tlsext_funcs(tlsext, is_server); 2005 if (!ext->parse(s, &extension_data, &alert_desc)) 2006 goto err; 2007 2008 if (CBS_len(&extension_data) != 0) 2009 goto err; 2010 } 2011 2012 return 1; 2013 2014 err: 2015 *alert = alert_desc; 2016 2017 return 0; 2018 } 2019 2020 static void 2021 tlsext_server_reset_state(SSL *s) 2022 { 2023 s->internal->servername_done = 0; 2024 s->tlsext_status_type = -1; 2025 S3I(s)->renegotiate_seen = 0; 2026 free(S3I(s)->alpn_selected); 2027 S3I(s)->alpn_selected = NULL; 2028 s->internal->srtp_profile = NULL; 2029 } 2030 2031 int 2032 tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type) 2033 { 2034 return tlsext_build(s, cbb, 1, msg_type); 2035 } 2036 2037 int 2038 tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type) 2039 { 2040 /* XXX - this possibly should be done by the caller... */ 2041 tlsext_server_reset_state(s); 2042 2043 return tlsext_parse(s, cbs, alert, 1, msg_type); 2044 } 2045 2046 static void 2047 tlsext_client_reset_state(SSL *s) 2048 { 2049 S3I(s)->renegotiate_seen = 0; 2050 free(S3I(s)->alpn_selected); 2051 S3I(s)->alpn_selected = NULL; 2052 } 2053 2054 int 2055 tlsext_client_build(SSL *s, CBB *cbb, uint16_t msg_type) 2056 { 2057 return tlsext_build(s, cbb, 0, msg_type); 2058 } 2059 2060 int 2061 tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type) 2062 { 2063 /* XXX - this possibly should be done by the caller... */ 2064 tlsext_client_reset_state(s); 2065 2066 return tlsext_parse(s, cbs, alert, 0, msg_type); 2067 } 2068