1 /* $OpenBSD: ssl_tlsext.c,v 1.148 2024/04/04 08:02:21 tb Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019, 2024 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/socket.h> 21 22 #include <arpa/inet.h> 23 #include <netinet/in.h> 24 25 #include <ctype.h> 26 27 #include <openssl/ocsp.h> 28 #include <openssl/opensslconf.h> 29 30 #include "bytestring.h" 31 #include "ssl_local.h" 32 #include "ssl_sigalgs.h" 33 #include "ssl_tlsext.h" 34 35 #define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation 36 #define TLSEXT_MAX_SUPPORTED_GROUPS 64 37 38 /* 39 * Supported Application-Layer Protocol Negotiation - RFC 7301 40 */ 41 42 static int 43 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 44 { 45 /* ALPN protos have been specified and this is the initial handshake */ 46 return s->alpn_client_proto_list != NULL && 47 s->s3->hs.finished_len == 0; 48 } 49 50 static int 51 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 52 { 53 CBB protolist; 54 55 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 56 return 0; 57 58 if (!CBB_add_bytes(&protolist, s->alpn_client_proto_list, 59 s->alpn_client_proto_list_len)) 60 return 0; 61 62 if (!CBB_flush(cbb)) 63 return 0; 64 65 return 1; 66 } 67 68 int 69 tlsext_alpn_check_format(CBS *cbs) 70 { 71 CBS proto_name_list; 72 73 if (CBS_len(cbs) == 0) 74 return 0; 75 76 CBS_dup(cbs, &proto_name_list); 77 while (CBS_len(&proto_name_list) > 0) { 78 CBS proto_name; 79 80 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 81 return 0; 82 if (CBS_len(&proto_name) == 0) 83 return 0; 84 } 85 86 return 1; 87 } 88 89 static int 90 tlsext_alpn_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 91 { 92 CBS alpn, selected_cbs; 93 const unsigned char *selected; 94 unsigned char selected_len; 95 int r; 96 97 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 98 return 0; 99 if (!tlsext_alpn_check_format(&alpn)) 100 return 0; 101 102 if (s->ctx->alpn_select_cb == NULL) 103 return 1; 104 105 /* 106 * XXX - A few things should be considered here: 107 * 1. Ensure that the same protocol is selected on session resumption. 108 * 2. Should the callback be called even if no ALPN extension was sent? 109 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 110 */ 111 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 112 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); 113 114 if (r == SSL_TLSEXT_ERR_OK) { 115 CBS_init(&selected_cbs, selected, selected_len); 116 117 if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected, 118 &s->s3->alpn_selected_len)) { 119 *alert = SSL_AD_INTERNAL_ERROR; 120 return 0; 121 } 122 123 return 1; 124 } 125 126 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 127 if (r == SSL_TLSEXT_ERR_NOACK) 128 return 1; 129 130 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 131 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 132 133 return 0; 134 } 135 136 static int 137 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 138 { 139 return s->s3->alpn_selected != NULL; 140 } 141 142 static int 143 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 144 { 145 CBB list, selected; 146 147 if (!CBB_add_u16_length_prefixed(cbb, &list)) 148 return 0; 149 150 if (!CBB_add_u8_length_prefixed(&list, &selected)) 151 return 0; 152 153 if (!CBB_add_bytes(&selected, s->s3->alpn_selected, 154 s->s3->alpn_selected_len)) 155 return 0; 156 157 if (!CBB_flush(cbb)) 158 return 0; 159 160 return 1; 161 } 162 163 static int 164 tlsext_alpn_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 165 { 166 CBS list, proto; 167 168 if (s->alpn_client_proto_list == NULL) { 169 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 170 return 0; 171 } 172 173 if (!CBS_get_u16_length_prefixed(cbs, &list)) 174 return 0; 175 176 if (!CBS_get_u8_length_prefixed(&list, &proto)) 177 return 0; 178 179 if (CBS_len(&list) != 0) 180 return 0; 181 if (CBS_len(&proto) == 0) 182 return 0; 183 184 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len)) 185 return 0; 186 187 return 1; 188 } 189 190 /* 191 * Supported Groups - RFC 7919 section 2 192 */ 193 static int 194 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 195 { 196 return ssl_has_ecc_ciphers(s) || 197 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 198 } 199 200 static int 201 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 202 { 203 const uint16_t *groups; 204 size_t groups_len; 205 CBB grouplist; 206 int i; 207 208 tls1_get_group_list(s, 0, &groups, &groups_len); 209 if (groups_len == 0) { 210 SSLerror(s, ERR_R_INTERNAL_ERROR); 211 return 0; 212 } 213 214 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 215 return 0; 216 217 for (i = 0; i < groups_len; i++) { 218 if (!ssl_security_supported_group(s, groups[i])) 219 continue; 220 if (!CBB_add_u16(&grouplist, groups[i])) 221 return 0; 222 } 223 224 if (!CBB_flush(cbb)) 225 return 0; 226 227 return 1; 228 } 229 230 static int 231 tlsext_supportedgroups_server_process(SSL *s, uint16_t msg_type, CBS *cbs, 232 int *alert) 233 { 234 uint16_t *groups = NULL; 235 size_t groups_len; 236 CBS grouplist; 237 int i, j; 238 int ret = 0; 239 240 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 241 goto err; 242 243 groups_len = CBS_len(&grouplist); 244 if (groups_len == 0 || groups_len % 2 != 0) 245 goto err; 246 groups_len /= 2; 247 248 if (groups_len > TLSEXT_MAX_SUPPORTED_GROUPS) 249 goto err; 250 251 if (s->hit) 252 goto done; 253 254 if (s->s3->hs.tls13.hrr) { 255 if (s->session->tlsext_supportedgroups == NULL) { 256 *alert = SSL_AD_HANDSHAKE_FAILURE; 257 return 0; 258 } 259 260 /* 261 * The ClientHello extension hashing ensures that the client 262 * did not change its list of supported groups. 263 */ 264 265 goto done; 266 } 267 268 if (s->session->tlsext_supportedgroups != NULL) 269 goto err; /* XXX internal error? */ 270 271 if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) { 272 *alert = SSL_AD_INTERNAL_ERROR; 273 goto err; 274 } 275 276 for (i = 0; i < groups_len; i++) { 277 if (!CBS_get_u16(&grouplist, &groups[i])) 278 goto err; 279 /* 280 * Do not allow duplicate groups to be sent. This is not 281 * currently specified in RFC 8446 or earlier, but there is no 282 * legitimate justification for this to occur in TLS 1.2 or TLS 283 * 1.3. 284 */ 285 for (j = 0; j < i; j++) { 286 if (groups[i] == groups[j]) { 287 *alert = SSL_AD_ILLEGAL_PARAMETER; 288 goto err; 289 } 290 } 291 } 292 293 if (CBS_len(&grouplist) != 0) 294 goto err; 295 296 s->session->tlsext_supportedgroups = groups; 297 s->session->tlsext_supportedgroups_length = groups_len; 298 groups = NULL; 299 300 301 done: 302 ret = 1; 303 304 err: 305 free(groups); 306 307 return ret; 308 } 309 310 /* This extension is never used by the server. */ 311 static int 312 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 313 { 314 return 0; 315 } 316 317 static int 318 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 319 { 320 return 0; 321 } 322 323 static int 324 tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs, 325 int *alert) 326 { 327 /* 328 * This extension is only allowed in TLSv1.3 encrypted extensions. 329 * It is not permitted in a ServerHello in any version of TLS. 330 */ 331 if (msg_type != SSL_TLSEXT_MSG_EE) 332 return 0; 333 334 /* 335 * RFC 8446, section 4.2.7: TLSv1.3 servers can send this extension but 336 * clients must not act on it during the handshake. This allows servers 337 * to advertise their preferences for subsequent handshakes. We ignore 338 * this complication. 339 */ 340 if (!CBS_skip(cbs, CBS_len(cbs))) { 341 *alert = SSL_AD_INTERNAL_ERROR; 342 return 0; 343 } 344 345 return 1; 346 } 347 348 /* 349 * Supported Point Formats Extension - RFC 4492 section 5.1.2 350 */ 351 static int 352 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 353 { 354 CBB ecpf; 355 size_t formats_len; 356 const uint8_t *formats; 357 358 tls1_get_formatlist(s, 0, &formats, &formats_len); 359 360 if (formats_len == 0) { 361 SSLerror(s, ERR_R_INTERNAL_ERROR); 362 return 0; 363 } 364 365 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 366 return 0; 367 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 368 return 0; 369 if (!CBB_flush(cbb)) 370 return 0; 371 372 return 1; 373 } 374 375 static int 376 tlsext_ecpf_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 377 { 378 CBS ecpf; 379 380 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 381 return 0; 382 if (CBS_len(&ecpf) == 0) 383 return 0; 384 385 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 386 if (!CBS_contains_zero_byte(&ecpf)) { 387 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 388 *alert = SSL_AD_ILLEGAL_PARAMETER; 389 return 0; 390 } 391 392 if (!s->hit) { 393 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), 394 &(s->session->tlsext_ecpointformatlist_length))) { 395 *alert = SSL_AD_INTERNAL_ERROR; 396 return 0; 397 } 398 } 399 400 return 1; 401 } 402 403 static int 404 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 405 { 406 return ssl_has_ecc_ciphers(s); 407 } 408 409 static int 410 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 411 { 412 return tlsext_ecpf_build(s, msg_type, cbb); 413 } 414 415 static int 416 tlsext_ecpf_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 417 { 418 return tlsext_ecpf_process(s, msg_type, cbs, alert); 419 } 420 421 static int 422 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 423 { 424 return ssl_using_ecc_cipher(s); 425 } 426 427 static int 428 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 429 { 430 return tlsext_ecpf_build(s, msg_type, cbb); 431 } 432 433 static int 434 tlsext_ecpf_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 435 { 436 return tlsext_ecpf_process(s, msg_type, cbs, alert); 437 } 438 439 /* 440 * Renegotiation Indication - RFC 5746. 441 */ 442 static int 443 tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 444 { 445 return (s->renegotiate); 446 } 447 448 static int 449 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 450 { 451 CBB reneg; 452 453 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 454 return 0; 455 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 456 s->s3->previous_client_finished_len)) 457 return 0; 458 if (!CBB_flush(cbb)) 459 return 0; 460 461 return 1; 462 } 463 464 static int 465 tlsext_ri_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 466 { 467 CBS reneg; 468 469 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 470 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 471 return 0; 472 } 473 474 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, 475 s->s3->previous_client_finished_len)) { 476 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 477 *alert = SSL_AD_HANDSHAKE_FAILURE; 478 return 0; 479 } 480 481 s->s3->renegotiate_seen = 1; 482 s->s3->send_connection_binding = 1; 483 484 return 1; 485 } 486 487 static int 488 tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 489 { 490 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && 491 s->s3->send_connection_binding); 492 } 493 494 static int 495 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 496 { 497 CBB reneg; 498 499 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 500 return 0; 501 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 502 s->s3->previous_client_finished_len)) 503 return 0; 504 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished, 505 s->s3->previous_server_finished_len)) 506 return 0; 507 if (!CBB_flush(cbb)) 508 return 0; 509 510 return 1; 511 } 512 513 static int 514 tlsext_ri_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 515 { 516 CBS reneg, prev_client, prev_server; 517 518 /* 519 * Ensure that the previous client and server values are both not 520 * present, or that they are both present. 521 */ 522 if ((s->s3->previous_client_finished_len == 0 && 523 s->s3->previous_server_finished_len != 0) || 524 (s->s3->previous_client_finished_len != 0 && 525 s->s3->previous_server_finished_len == 0)) { 526 *alert = SSL_AD_INTERNAL_ERROR; 527 return 0; 528 } 529 530 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 531 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 532 return 0; 533 } 534 if (!CBS_get_bytes(&reneg, &prev_client, 535 s->s3->previous_client_finished_len)) { 536 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 537 return 0; 538 } 539 if (!CBS_get_bytes(&reneg, &prev_server, 540 s->s3->previous_server_finished_len)) { 541 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 542 return 0; 543 } 544 if (CBS_len(&reneg) != 0) { 545 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 546 return 0; 547 } 548 549 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, 550 s->s3->previous_client_finished_len)) { 551 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 552 *alert = SSL_AD_HANDSHAKE_FAILURE; 553 return 0; 554 } 555 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished, 556 s->s3->previous_server_finished_len)) { 557 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 558 *alert = SSL_AD_HANDSHAKE_FAILURE; 559 return 0; 560 } 561 562 s->s3->renegotiate_seen = 1; 563 s->s3->send_connection_binding = 1; 564 565 return 1; 566 } 567 568 /* 569 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 570 */ 571 static int 572 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 573 { 574 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION); 575 } 576 577 static int 578 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 579 { 580 uint16_t tls_version = s->s3->hs.negotiated_tls_version; 581 CBB sigalgs; 582 583 if (msg_type == SSL_TLSEXT_MSG_CH) 584 tls_version = s->s3->hs.our_min_tls_version; 585 586 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 587 return 0; 588 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) 589 return 0; 590 if (!CBB_flush(cbb)) 591 return 0; 592 593 return 1; 594 } 595 596 static int 597 tlsext_sigalgs_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 598 { 599 CBS sigalgs; 600 601 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 602 return 0; 603 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 604 return 0; 605 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 606 return 0; 607 608 return 1; 609 } 610 611 static int 612 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 613 { 614 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 615 } 616 617 static int 618 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 619 { 620 CBB sigalgs; 621 622 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 623 return 0; 624 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, 625 SSL_get_security_level(s))) 626 return 0; 627 if (!CBB_flush(cbb)) 628 return 0; 629 630 return 1; 631 } 632 633 static int 634 tlsext_sigalgs_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 635 { 636 CBS sigalgs; 637 638 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 639 return 0; 640 641 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 642 return 0; 643 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 644 return 0; 645 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 646 return 0; 647 648 return 1; 649 } 650 651 /* 652 * Server Name Indication - RFC 6066, section 3. 653 */ 654 static int 655 tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 656 { 657 return (s->tlsext_hostname != NULL); 658 } 659 660 static int 661 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 662 { 663 CBB server_name_list, host_name; 664 665 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 666 return 0; 667 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 668 return 0; 669 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 670 return 0; 671 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 672 strlen(s->tlsext_hostname))) 673 return 0; 674 if (!CBB_flush(cbb)) 675 return 0; 676 677 return 1; 678 } 679 680 static int 681 tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip) 682 { 683 union { 684 struct in_addr ip4; 685 struct in6_addr ip6; 686 } addrbuf; 687 char *hostname = NULL; 688 689 *is_ip = 0; 690 691 if (!CBS_strdup(cbs, &hostname)) 692 return 0; 693 694 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 || 695 inet_pton(AF_INET6, hostname, &addrbuf) == 1) 696 *is_ip = 1; 697 698 free(hostname); 699 700 return 1; 701 } 702 703 /* 704 * Validate that the CBS contains only a hostname consisting of RFC 5890 705 * compliant A-labels (see RFC 6066 section 3). Not a complete check 706 * since we don't parse punycode to verify its validity but limits to 707 * correct structure and character set. 708 */ 709 int 710 tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) 711 { 712 uint8_t prev, c = 0; 713 int component = 0; 714 CBS hostname; 715 716 *is_ip = 0; 717 718 CBS_dup(cbs, &hostname); 719 720 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 721 return 0; 722 723 /* An IP literal is invalid as a host name (RFC 6066 section 3). */ 724 if (!tlsext_sni_is_ip_literal(&hostname, is_ip)) 725 return 0; 726 if (*is_ip) 727 return 0; 728 729 while (CBS_len(&hostname) > 0) { 730 prev = c; 731 if (!CBS_get_u8(&hostname, &c)) 732 return 0; 733 /* Everything has to be ASCII, with no NUL byte. */ 734 if (!isascii(c) || c == '\0') 735 return 0; 736 /* It must be alphanumeric, a '-', or a '.' */ 737 if (!isalnum(c) && c != '-' && c != '.') 738 return 0; 739 /* '-' and '.' must not start a component or be at the end. */ 740 if (component == 0 || CBS_len(&hostname) == 0) { 741 if (c == '-' || c == '.') 742 return 0; 743 } 744 if (c == '.') { 745 /* Components can not end with a dash. */ 746 if (prev == '-') 747 return 0; 748 /* Start new component */ 749 component = 0; 750 continue; 751 } 752 /* Components must be 63 chars or less. */ 753 if (++component > 63) 754 return 0; 755 } 756 757 return 1; 758 } 759 760 static int 761 tlsext_sni_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 762 { 763 CBS server_name_list, host_name; 764 uint8_t name_type; 765 int is_ip; 766 767 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 768 goto err; 769 770 if (!CBS_get_u8(&server_name_list, &name_type)) 771 goto err; 772 773 /* 774 * RFC 6066 section 3, only one type (host_name) is specified. 775 * We do not tolerate unknown types, neither does BoringSSL. 776 * other implementations appear more tolerant. 777 */ 778 if (name_type != TLSEXT_NAMETYPE_host_name) { 779 *alert = SSL_AD_ILLEGAL_PARAMETER; 780 goto err; 781 } 782 783 /* 784 * RFC 6066 section 3 specifies a host name must be at least 1 byte 785 * so 0 length is a decode error. 786 */ 787 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 788 goto err; 789 if (CBS_len(&host_name) < 1) 790 goto err; 791 792 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) { 793 /* 794 * Various pieces of software have been known to set the SNI 795 * host name to an IP address, even though that violates the 796 * RFC. If this is the case, pretend the SNI extension does 797 * not exist. 798 */ 799 if (is_ip) 800 goto done; 801 802 *alert = SSL_AD_ILLEGAL_PARAMETER; 803 goto err; 804 } 805 806 if (s->hit || s->s3->hs.tls13.hrr) { 807 if (s->session->tlsext_hostname == NULL) { 808 *alert = SSL_AD_UNRECOGNIZED_NAME; 809 goto err; 810 } 811 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 812 strlen(s->session->tlsext_hostname))) { 813 *alert = SSL_AD_UNRECOGNIZED_NAME; 814 goto err; 815 } 816 } else { 817 if (s->session->tlsext_hostname != NULL) 818 goto err; 819 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 820 *alert = SSL_AD_INTERNAL_ERROR; 821 goto err; 822 } 823 } 824 825 done: 826 /* 827 * RFC 6066 section 3 forbids multiple host names with the same type, 828 * therefore we allow only one entry. 829 */ 830 if (CBS_len(&server_name_list) != 0) { 831 *alert = SSL_AD_ILLEGAL_PARAMETER; 832 goto err; 833 } 834 835 return 1; 836 837 err: 838 return 0; 839 } 840 841 static int 842 tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 843 { 844 if (s->hit) 845 return 0; 846 847 return (s->session->tlsext_hostname != NULL); 848 } 849 850 static int 851 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 852 { 853 return 1; 854 } 855 856 static int 857 tlsext_sni_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 858 { 859 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 860 *alert = SSL_AD_UNRECOGNIZED_NAME; 861 return 0; 862 } 863 864 if (s->hit) { 865 if (s->session->tlsext_hostname == NULL) { 866 *alert = SSL_AD_UNRECOGNIZED_NAME; 867 return 0; 868 } 869 if (strcmp(s->tlsext_hostname, 870 s->session->tlsext_hostname) != 0) { 871 *alert = SSL_AD_UNRECOGNIZED_NAME; 872 return 0; 873 } 874 } else { 875 if (s->session->tlsext_hostname != NULL) 876 return 0; 877 if ((s->session->tlsext_hostname = 878 strdup(s->tlsext_hostname)) == NULL) { 879 *alert = SSL_AD_INTERNAL_ERROR; 880 return 0; 881 } 882 } 883 884 return 1; 885 } 886 887 /* 888 * Certificate Status Request - RFC 6066 section 8. 889 */ 890 891 static int 892 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 893 { 894 if (msg_type != SSL_TLSEXT_MSG_CH) 895 return 0; 896 897 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 898 } 899 900 static int 901 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 902 { 903 CBB respid_list, respid, exts; 904 unsigned char *ext_data; 905 size_t ext_len; 906 int i; 907 908 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 909 return 0; 910 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 911 return 0; 912 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 913 unsigned char *respid_data; 914 OCSP_RESPID *id; 915 size_t id_len; 916 917 if ((id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, 918 i)) == NULL) 919 return 0; 920 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 921 return 0; 922 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 923 return 0; 924 if (!CBB_add_space(&respid, &respid_data, id_len)) 925 return 0; 926 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 927 return 0; 928 } 929 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 930 return 0; 931 if ((ext_len = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, 932 NULL)) == -1) 933 return 0; 934 if (!CBB_add_space(&exts, &ext_data, ext_len)) 935 return 0; 936 if ((i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ext_data) != 937 ext_len)) 938 return 0; 939 if (!CBB_flush(cbb)) 940 return 0; 941 return 1; 942 } 943 944 static int 945 tlsext_ocsp_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 946 { 947 int alert_desc = SSL_AD_DECODE_ERROR; 948 CBS respid_list, respid, exts; 949 const unsigned char *p; 950 uint8_t status_type; 951 int ret = 0; 952 953 if (msg_type != SSL_TLSEXT_MSG_CH) 954 goto err; 955 956 if (!CBS_get_u8(cbs, &status_type)) 957 goto err; 958 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 959 /* ignore unknown status types */ 960 s->tlsext_status_type = -1; 961 962 if (!CBS_skip(cbs, CBS_len(cbs))) { 963 *alert = SSL_AD_INTERNAL_ERROR; 964 return 0; 965 } 966 return 1; 967 } 968 s->tlsext_status_type = status_type; 969 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 970 goto err; 971 972 /* XXX */ 973 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); 974 s->tlsext_ocsp_ids = NULL; 975 if (CBS_len(&respid_list) > 0) { 976 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 977 if (s->tlsext_ocsp_ids == NULL) { 978 alert_desc = SSL_AD_INTERNAL_ERROR; 979 goto err; 980 } 981 } 982 983 while (CBS_len(&respid_list) > 0) { 984 OCSP_RESPID *id; 985 986 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 987 goto err; 988 p = CBS_data(&respid); 989 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 990 goto err; 991 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { 992 alert_desc = SSL_AD_INTERNAL_ERROR; 993 OCSP_RESPID_free(id); 994 goto err; 995 } 996 } 997 998 /* Read in request_extensions */ 999 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 1000 goto err; 1001 if (CBS_len(&exts) > 0) { 1002 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1003 X509_EXTENSION_free); 1004 p = CBS_data(&exts); 1005 if ((s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 1006 &p, CBS_len(&exts))) == NULL) 1007 goto err; 1008 } 1009 1010 ret = 1; 1011 err: 1012 if (ret == 0) 1013 *alert = alert_desc; 1014 return ret; 1015 } 1016 1017 static int 1018 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 1019 { 1020 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1021 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 1022 s->ctx->tlsext_status_cb != NULL) { 1023 s->tlsext_status_expected = 0; 1024 if (s->ctx->tlsext_status_cb(s, 1025 s->ctx->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 1026 s->tlsext_ocsp_resp_len > 0) 1027 s->tlsext_status_expected = 1; 1028 } 1029 return s->tlsext_status_expected; 1030 } 1031 1032 static int 1033 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1034 { 1035 CBB ocsp_response; 1036 1037 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1038 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1039 return 0; 1040 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1041 return 0; 1042 if (!CBB_add_bytes(&ocsp_response, 1043 s->tlsext_ocsp_resp, 1044 s->tlsext_ocsp_resp_len)) 1045 return 0; 1046 if (!CBB_flush(cbb)) 1047 return 0; 1048 } 1049 return 1; 1050 } 1051 1052 static int 1053 tlsext_ocsp_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1054 { 1055 uint8_t status_type; 1056 CBS response; 1057 1058 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1059 if (msg_type == SSL_TLSEXT_MSG_CR) { 1060 /* 1061 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1062 * response with an empty status_request. 1063 */ 1064 if (CBS_len(cbs) == 0) 1065 return 1; 1066 1067 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1068 return 0; 1069 } 1070 if (!CBS_get_u8(cbs, &status_type)) { 1071 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1072 return 0; 1073 } 1074 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1075 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1076 return 0; 1077 } 1078 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1079 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1080 return 0; 1081 } 1082 if (CBS_len(&response) > 65536) { 1083 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1084 return 0; 1085 } 1086 if (!CBS_stow(&response, &s->tlsext_ocsp_resp, 1087 &s->tlsext_ocsp_resp_len)) { 1088 *alert = SSL_AD_INTERNAL_ERROR; 1089 return 0; 1090 } 1091 } else { 1092 if (s->tlsext_status_type == -1) { 1093 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1094 return 0; 1095 } 1096 /* Set flag to expect CertificateStatus message */ 1097 s->tlsext_status_expected = 1; 1098 } 1099 return 1; 1100 } 1101 1102 /* 1103 * SessionTicket extension - RFC 5077 section 3.2 1104 */ 1105 static int 1106 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1107 { 1108 /* 1109 * Send session ticket extension when enabled and not overridden. 1110 * 1111 * When renegotiating, send an empty session ticket to indicate support. 1112 */ 1113 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1114 return 0; 1115 1116 if (!ssl_security_tickets(s)) 1117 return 0; 1118 1119 if (s->new_session) 1120 return 1; 1121 1122 if (s->tlsext_session_ticket != NULL && 1123 s->tlsext_session_ticket->data == NULL) 1124 return 0; 1125 1126 return 1; 1127 } 1128 1129 static int 1130 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1131 { 1132 /* 1133 * Signal that we support session tickets by sending an empty 1134 * extension when renegotiating or no session found. 1135 */ 1136 if (s->new_session || s->session == NULL) 1137 return 1; 1138 1139 if (s->session->tlsext_tick != NULL) { 1140 /* Attempt to resume with an existing session ticket */ 1141 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1142 s->session->tlsext_ticklen)) 1143 return 0; 1144 1145 } else if (s->tlsext_session_ticket != NULL) { 1146 /* 1147 * Attempt to resume with a custom provided session ticket set 1148 * by SSL_set_session_ticket_ext(). 1149 */ 1150 if (s->tlsext_session_ticket->length > 0) { 1151 size_t ticklen = s->tlsext_session_ticket->length; 1152 1153 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1154 return 0; 1155 memcpy(s->session->tlsext_tick, 1156 s->tlsext_session_ticket->data, 1157 ticklen); 1158 s->session->tlsext_ticklen = ticklen; 1159 1160 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1161 s->session->tlsext_ticklen)) 1162 return 0; 1163 } 1164 } 1165 1166 if (!CBB_flush(cbb)) 1167 return 0; 1168 1169 return 1; 1170 } 1171 1172 static int 1173 tlsext_sessionticket_server_process(SSL *s, uint16_t msg_type, CBS *cbs, 1174 int *alert) 1175 { 1176 if (s->tls_session_ticket_ext_cb) { 1177 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1178 (int)CBS_len(cbs), 1179 s->tls_session_ticket_ext_cb_arg)) { 1180 *alert = SSL_AD_INTERNAL_ERROR; 1181 return 0; 1182 } 1183 } 1184 1185 /* We need to signal that this was processed fully */ 1186 if (!CBS_skip(cbs, CBS_len(cbs))) { 1187 *alert = SSL_AD_INTERNAL_ERROR; 1188 return 0; 1189 } 1190 1191 return 1; 1192 } 1193 1194 static int 1195 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1196 { 1197 return (s->tlsext_ticket_expected && 1198 !(SSL_get_options(s) & SSL_OP_NO_TICKET) && 1199 ssl_security_tickets(s)); 1200 } 1201 1202 static int 1203 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1204 { 1205 /* Empty ticket */ 1206 return 1; 1207 } 1208 1209 static int 1210 tlsext_sessionticket_client_process(SSL *s, uint16_t msg_type, CBS *cbs, 1211 int *alert) 1212 { 1213 if (s->tls_session_ticket_ext_cb) { 1214 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1215 (int)CBS_len(cbs), 1216 s->tls_session_ticket_ext_cb_arg)) { 1217 *alert = SSL_AD_INTERNAL_ERROR; 1218 return 0; 1219 } 1220 } 1221 1222 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1223 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1224 return 0; 1225 } 1226 1227 s->tlsext_ticket_expected = 1; 1228 1229 return 1; 1230 } 1231 1232 /* 1233 * DTLS extension for SRTP key establishment - RFC 5764 1234 */ 1235 1236 #ifndef OPENSSL_NO_SRTP 1237 1238 static int 1239 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1240 { 1241 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1242 } 1243 1244 static int 1245 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1246 { 1247 CBB profiles, mki; 1248 int ct, i; 1249 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1250 const SRTP_PROTECTION_PROFILE *prof; 1251 1252 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1253 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1254 return 0; 1255 } 1256 1257 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1258 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1259 return 0; 1260 } 1261 1262 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1263 return 0; 1264 1265 for (i = 0; i < ct; i++) { 1266 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1267 return 0; 1268 if (!CBB_add_u16(&profiles, prof->id)) 1269 return 0; 1270 } 1271 1272 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1273 return 0; 1274 1275 if (!CBB_flush(cbb)) 1276 return 0; 1277 1278 return 1; 1279 } 1280 1281 static int 1282 tlsext_srtp_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1283 { 1284 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1285 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1286 int i, j; 1287 int ret; 1288 uint16_t id; 1289 CBS profiles, mki; 1290 1291 ret = 0; 1292 1293 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1294 goto err; 1295 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1296 goto err; 1297 1298 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1299 goto err; 1300 1301 while (CBS_len(&profiles) > 0) { 1302 if (!CBS_get_u16(&profiles, &id)) 1303 goto err; 1304 1305 if (!srtp_find_profile_by_num(id, &cprof)) { 1306 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1307 goto err; 1308 } 1309 } 1310 1311 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1312 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1313 goto done; 1314 } 1315 1316 /* 1317 * Per RFC 5764 section 4.1.1 1318 * 1319 * Find the server preferred profile using the client's list. 1320 * 1321 * The server MUST send a profile if it sends the use_srtp 1322 * extension. If one is not found, it should fall back to the 1323 * negotiated DTLS cipher suite or return a DTLS alert. 1324 */ 1325 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1326 goto err; 1327 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1328 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL) 1329 goto err; 1330 1331 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1332 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1333 == NULL) 1334 goto err; 1335 1336 if (cprof->id == sprof->id) { 1337 s->srtp_profile = sprof; 1338 ret = 1; 1339 goto done; 1340 } 1341 } 1342 } 1343 1344 /* If we didn't find anything, fall back to the negotiated */ 1345 ret = 1; 1346 goto done; 1347 1348 err: 1349 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1350 1351 done: 1352 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1353 return ret; 1354 } 1355 1356 static int 1357 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1358 { 1359 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1360 } 1361 1362 static int 1363 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1364 { 1365 SRTP_PROTECTION_PROFILE *profile; 1366 CBB srtp, mki; 1367 1368 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1369 return 0; 1370 1371 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1372 return 0; 1373 1374 if (!CBB_add_u16(&srtp, profile->id)) 1375 return 0; 1376 1377 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1378 return 0; 1379 1380 if (!CBB_flush(cbb)) 1381 return 0; 1382 1383 return 1; 1384 } 1385 1386 static int 1387 tlsext_srtp_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1388 { 1389 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1390 const SRTP_PROTECTION_PROFILE *prof; 1391 int i; 1392 uint16_t id; 1393 CBS profile_ids, mki; 1394 1395 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1396 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1397 return 0; 1398 } 1399 1400 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1401 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1402 return 0; 1403 } 1404 1405 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1406 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1407 *alert = SSL_AD_ILLEGAL_PARAMETER; 1408 return 0; 1409 } 1410 1411 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1412 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1413 return 0; 1414 } 1415 1416 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1417 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1418 == NULL) { 1419 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1420 return 0; 1421 } 1422 1423 if (prof->id == id) { 1424 s->srtp_profile = prof; 1425 return 1; 1426 } 1427 } 1428 1429 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1430 1431 return 0; 1432 } 1433 1434 #endif /* OPENSSL_NO_SRTP */ 1435 1436 /* 1437 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1438 */ 1439 static int 1440 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1441 { 1442 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1443 } 1444 1445 static int 1446 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1447 { 1448 CBB client_shares, key_exchange; 1449 1450 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1451 return 0; 1452 1453 if (!CBB_add_u16(&client_shares, 1454 tls_key_share_group(s->s3->hs.key_share))) 1455 return 0; 1456 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1457 return 0; 1458 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1459 return 0; 1460 1461 if (!CBB_flush(cbb)) 1462 return 0; 1463 1464 return 1; 1465 } 1466 1467 static int 1468 tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1469 { 1470 const uint16_t *client_groups = NULL, *server_groups = NULL; 1471 size_t client_groups_len = 0, server_groups_len = 0; 1472 size_t i, j, client_groups_index; 1473 int preferred_group_found = 0; 1474 int decode_error; 1475 uint16_t group, client_preferred_group; 1476 CBS client_shares, key_exchange; 1477 1478 /* 1479 * RFC 8446 section 4.2.8: 1480 * 1481 * Each KeyShareEntry value MUST correspond to a group offered in the 1482 * "supported_groups" extension and MUST appear in the same order. 1483 * However, the values MAY be a non-contiguous subset of the 1484 * "supported_groups". 1485 */ 1486 1487 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) { 1488 *alert = SSL_AD_ILLEGAL_PARAMETER; 1489 return 0; 1490 } 1491 if (!tlsext_extension_processed(s, TLSEXT_TYPE_supported_groups)) { 1492 *alert = SSL_AD_INTERNAL_ERROR; 1493 return 0; 1494 } 1495 1496 /* 1497 * XXX similar to tls1_get_supported_group, but client pref 1498 * only - consider deduping later. 1499 */ 1500 /* 1501 * We are now assured of at least one client group. 1502 * Get the client and server group preference orders. 1503 */ 1504 tls1_get_group_list(s, 0, &server_groups, &server_groups_len); 1505 tls1_get_group_list(s, 1, &client_groups, &client_groups_len); 1506 1507 /* 1508 * Find the group that is most preferred by the client that 1509 * we also support. 1510 */ 1511 for (i = 0; i < client_groups_len && !preferred_group_found; i++) { 1512 if (!ssl_security_supported_group(s, client_groups[i])) 1513 continue; 1514 for (j = 0; j < server_groups_len; j++) { 1515 if (server_groups[j] == client_groups[i]) { 1516 client_preferred_group = client_groups[i]; 1517 preferred_group_found = 1; 1518 break; 1519 } 1520 } 1521 } 1522 1523 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1524 return 0; 1525 1526 client_groups_index = 0; 1527 while (CBS_len(&client_shares) > 0) { 1528 int client_sent_group; 1529 1530 /* Unpack client share. */ 1531 if (!CBS_get_u16(&client_shares, &group)) 1532 return 0; 1533 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1534 return 0; 1535 1536 /* 1537 * Ensure the client share group was sent in supported groups, 1538 * and was sent in the same order as supported groups. The 1539 * supported groups has already been checked for duplicates. 1540 */ 1541 client_sent_group = 0; 1542 while (client_groups_index < client_groups_len) { 1543 if (group == client_groups[client_groups_index++]) { 1544 client_sent_group = 1; 1545 break; 1546 } 1547 } 1548 if (!client_sent_group) { 1549 *alert = SSL_AD_ILLEGAL_PARAMETER; 1550 return 0; 1551 } 1552 1553 /* 1554 * Ignore this client share if we're using earlier than TLSv1.3 1555 * or we've already selected a key share. 1556 */ 1557 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) 1558 continue; 1559 if (s->s3->hs.key_share != NULL) 1560 continue; 1561 1562 /* 1563 * Ignore this client share if it is not for the most client 1564 * preferred supported group. This avoids a potential downgrade 1565 * situation where the client sends a client share for something 1566 * less preferred, and we choose to to use it instead of 1567 * requesting the more preferred group. 1568 */ 1569 if (!preferred_group_found || group != client_preferred_group) 1570 continue; 1571 1572 /* Decode and store the selected key share. */ 1573 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1574 *alert = SSL_AD_INTERNAL_ERROR; 1575 return 0; 1576 } 1577 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1578 &key_exchange, &decode_error, NULL)) { 1579 if (!decode_error) 1580 *alert = SSL_AD_INTERNAL_ERROR; 1581 return 0; 1582 } 1583 } 1584 1585 return 1; 1586 } 1587 1588 static int 1589 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1590 { 1591 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1592 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1593 } 1594 1595 static int 1596 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1597 { 1598 CBB key_exchange; 1599 1600 /* In the case of a HRR, we only send the server selected group. */ 1601 if (s->s3->hs.tls13.hrr) { 1602 if (s->s3->hs.tls13.server_group == 0) 1603 return 0; 1604 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group); 1605 } 1606 1607 if (s->s3->hs.key_share == NULL) 1608 return 0; 1609 1610 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share))) 1611 return 0; 1612 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1613 return 0; 1614 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1615 return 0; 1616 1617 if (!CBB_flush(cbb)) 1618 return 0; 1619 1620 return 1; 1621 } 1622 1623 static int 1624 tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1625 { 1626 CBS key_exchange; 1627 int decode_error; 1628 uint16_t group; 1629 1630 /* Unpack server share. */ 1631 if (!CBS_get_u16(cbs, &group)) 1632 return 0; 1633 1634 if (CBS_len(cbs) == 0) { 1635 /* HRR does not include an actual key share, only the group. */ 1636 if (msg_type != SSL_TLSEXT_MSG_HRR) 1637 return 0; 1638 1639 s->s3->hs.tls13.server_group = group; 1640 return 1; 1641 } 1642 1643 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1644 return 0; 1645 1646 if (s->s3->hs.key_share == NULL) { 1647 *alert = SSL_AD_INTERNAL_ERROR; 1648 return 0; 1649 } 1650 if (tls_key_share_group(s->s3->hs.key_share) != group) { 1651 *alert = SSL_AD_INTERNAL_ERROR; 1652 return 0; 1653 } 1654 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1655 &key_exchange, &decode_error, NULL)) { 1656 if (!decode_error) 1657 *alert = SSL_AD_INTERNAL_ERROR; 1658 return 0; 1659 } 1660 1661 return 1; 1662 } 1663 1664 /* 1665 * Supported Versions - RFC 8446 section 4.2.1. 1666 */ 1667 static int 1668 tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1669 { 1670 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1671 } 1672 1673 static int 1674 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1675 { 1676 uint16_t max, min; 1677 uint16_t version; 1678 CBB versions; 1679 1680 max = s->s3->hs.our_max_tls_version; 1681 min = s->s3->hs.our_min_tls_version; 1682 1683 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1684 return 0; 1685 1686 /* XXX - fix, but contiguous for now... */ 1687 for (version = max; version >= min; version--) { 1688 if (!CBB_add_u16(&versions, version)) 1689 return 0; 1690 } 1691 1692 if (!CBB_flush(cbb)) 1693 return 0; 1694 1695 return 1; 1696 } 1697 1698 static int 1699 tlsext_versions_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1700 { 1701 CBS versions; 1702 uint16_t version; 1703 uint16_t max, min; 1704 uint16_t matched_version = 0; 1705 1706 max = s->s3->hs.our_max_tls_version; 1707 min = s->s3->hs.our_min_tls_version; 1708 1709 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1710 return 0; 1711 1712 while (CBS_len(&versions) > 0) { 1713 if (!CBS_get_u16(&versions, &version)) 1714 return 0; 1715 /* 1716 * XXX What is below implements client preference, and 1717 * ignores any server preference entirely. 1718 */ 1719 if (matched_version == 0 && version >= min && version <= max) 1720 matched_version = version; 1721 } 1722 1723 if (matched_version > 0) { 1724 /* XXX - this should be stored for later processing. */ 1725 s->version = matched_version; 1726 return 1; 1727 } 1728 1729 *alert = SSL_AD_PROTOCOL_VERSION; 1730 return 0; 1731 } 1732 1733 static int 1734 tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1735 { 1736 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 1737 } 1738 1739 static int 1740 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1741 { 1742 return CBB_add_u16(cbb, TLS1_3_VERSION); 1743 } 1744 1745 static int 1746 tlsext_versions_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1747 { 1748 uint16_t selected_version; 1749 1750 if (!CBS_get_u16(cbs, &selected_version)) 1751 return 0; 1752 1753 /* XXX - need to fix for DTLS 1.3 */ 1754 if (selected_version < TLS1_3_VERSION) { 1755 *alert = SSL_AD_ILLEGAL_PARAMETER; 1756 return 0; 1757 } 1758 1759 /* XXX test between min and max once initialization code goes in */ 1760 s->s3->hs.tls13.server_version = selected_version; 1761 1762 return 1; 1763 } 1764 1765 1766 /* 1767 * Cookie - RFC 8446 section 4.2.2. 1768 */ 1769 1770 static int 1771 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1772 { 1773 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1774 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1775 } 1776 1777 static int 1778 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1779 { 1780 CBB cookie; 1781 1782 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1783 return 0; 1784 1785 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1786 s->s3->hs.tls13.cookie_len)) 1787 return 0; 1788 1789 if (!CBB_flush(cbb)) 1790 return 0; 1791 1792 return 1; 1793 } 1794 1795 static int 1796 tlsext_cookie_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1797 { 1798 CBS cookie; 1799 1800 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1801 return 0; 1802 1803 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len) 1804 return 0; 1805 1806 /* 1807 * Check provided cookie value against what server previously 1808 * sent - client *MUST* send the same cookie with new CR after 1809 * a cookie is sent by the server with an HRR. 1810 */ 1811 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie, 1812 s->s3->hs.tls13.cookie_len)) { 1813 /* XXX special cookie mismatch alert? */ 1814 *alert = SSL_AD_ILLEGAL_PARAMETER; 1815 return 0; 1816 } 1817 1818 return 1; 1819 } 1820 1821 static int 1822 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1823 { 1824 /* 1825 * Server needs to set cookie value in tls13 handshake 1826 * in order to send one, should only be sent with HRR. 1827 */ 1828 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1829 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1830 } 1831 1832 static int 1833 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1834 { 1835 CBB cookie; 1836 1837 /* XXX deduplicate with client code */ 1838 1839 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1840 return 0; 1841 1842 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1843 s->s3->hs.tls13.cookie_len)) 1844 return 0; 1845 1846 if (!CBB_flush(cbb)) 1847 return 0; 1848 1849 return 1; 1850 } 1851 1852 static int 1853 tlsext_cookie_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1854 { 1855 CBS cookie; 1856 1857 /* 1858 * XXX This currently assumes we will not get a second 1859 * HRR from a server with a cookie to process after accepting 1860 * one from the server in the same handshake 1861 */ 1862 if (s->s3->hs.tls13.cookie != NULL || 1863 s->s3->hs.tls13.cookie_len != 0) { 1864 *alert = SSL_AD_ILLEGAL_PARAMETER; 1865 return 0; 1866 } 1867 1868 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1869 return 0; 1870 1871 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie, 1872 &s->s3->hs.tls13.cookie_len)) 1873 return 0; 1874 1875 return 1; 1876 } 1877 1878 /* 1879 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9. 1880 */ 1881 1882 static int 1883 tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type) 1884 { 1885 return (s->s3->hs.tls13.use_psk_dhe_ke && 1886 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1887 } 1888 1889 static int 1890 tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1891 { 1892 CBB ke_modes; 1893 1894 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes)) 1895 return 0; 1896 1897 /* Only indicate support for PSK with DHE key establishment. */ 1898 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE)) 1899 return 0; 1900 1901 if (!CBB_flush(cbb)) 1902 return 0; 1903 1904 return 1; 1905 } 1906 1907 static int 1908 tlsext_psk_kex_modes_server_process(SSL *s, uint16_t msg_type, CBS *cbs, 1909 int *alert) 1910 { 1911 CBS ke_modes; 1912 uint8_t ke_mode; 1913 1914 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes)) 1915 return 0; 1916 1917 while (CBS_len(&ke_modes) > 0) { 1918 if (!CBS_get_u8(&ke_modes, &ke_mode)) 1919 return 0; 1920 1921 if (ke_mode == TLS13_PSK_DHE_KE) 1922 s->s3->hs.tls13.use_psk_dhe_ke = 1; 1923 } 1924 1925 return 1; 1926 } 1927 1928 static int 1929 tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type) 1930 { 1931 /* Servers MUST NOT send this extension. */ 1932 return 0; 1933 } 1934 1935 static int 1936 tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1937 { 1938 return 0; 1939 } 1940 1941 static int 1942 tlsext_psk_kex_modes_client_process(SSL *s, uint16_t msg_type, CBS *cbs, 1943 int *alert) 1944 { 1945 return 0; 1946 } 1947 1948 /* 1949 * Pre-Shared Key Extension - RFC 8446, 4.2.11 1950 */ 1951 1952 static int 1953 tlsext_psk_client_needs(SSL *s, uint16_t msg_type) 1954 { 1955 return 0; 1956 } 1957 1958 static int 1959 tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1960 { 1961 return 0; 1962 } 1963 1964 static int 1965 tlsext_psk_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1966 { 1967 return CBS_skip(cbs, CBS_len(cbs)); 1968 } 1969 1970 static int 1971 tlsext_psk_server_needs(SSL *s, uint16_t msg_type) 1972 { 1973 return 0; 1974 } 1975 1976 static int 1977 tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1978 { 1979 return 0; 1980 } 1981 1982 static int 1983 tlsext_psk_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1984 { 1985 return CBS_skip(cbs, CBS_len(cbs)); 1986 } 1987 1988 /* 1989 * QUIC transport parameters extension - RFC 9001 section 8.2. 1990 */ 1991 1992 static int 1993 tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type) 1994 { 1995 return SSL_is_quic(s) && s->quic_transport_params_len > 0; 1996 } 1997 1998 static int 1999 tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type, 2000 CBB *cbb) 2001 { 2002 if (!CBB_add_bytes(cbb, s->quic_transport_params, 2003 s->quic_transport_params_len)) 2004 return 0; 2005 2006 return 1; 2007 } 2008 2009 static int 2010 tlsext_quic_transport_parameters_client_process(SSL *s, uint16_t msg_type, 2011 CBS *cbs, int *alert) 2012 { 2013 if (!SSL_is_quic(s)) { 2014 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 2015 return 0; 2016 } 2017 2018 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 2019 &s->s3->peer_quic_transport_params_len)) 2020 return 0; 2021 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 2022 return 0; 2023 2024 return 1; 2025 } 2026 2027 static int 2028 tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type) 2029 { 2030 return SSL_is_quic(s) && s->quic_transport_params_len > 0; 2031 } 2032 2033 static int 2034 tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type, 2035 CBB *cbb) 2036 { 2037 if (!CBB_add_bytes(cbb, s->quic_transport_params, 2038 s->quic_transport_params_len)) 2039 return 0; 2040 2041 return 1; 2042 } 2043 2044 static int 2045 tlsext_quic_transport_parameters_server_process(SSL *s, uint16_t msg_type, 2046 CBS *cbs, int *alert) 2047 { 2048 if (!SSL_is_quic(s)) { 2049 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 2050 return 0; 2051 } 2052 2053 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 2054 &s->s3->peer_quic_transport_params_len)) 2055 return 0; 2056 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 2057 return 0; 2058 2059 return 1; 2060 } 2061 2062 struct tls_extension_funcs { 2063 int (*needs)(SSL *s, uint16_t msg_type); 2064 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 2065 int (*process)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 2066 }; 2067 2068 struct tls_extension { 2069 uint16_t type; 2070 uint16_t messages; 2071 struct tls_extension_funcs client; 2072 struct tls_extension_funcs server; 2073 }; 2074 2075 /* 2076 * TLS extensions (in processing order). 2077 */ 2078 static const struct tls_extension tls_extensions[] = { 2079 { 2080 .type = TLSEXT_TYPE_supported_versions, 2081 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2082 SSL_TLSEXT_MSG_HRR, 2083 .client = { 2084 .needs = tlsext_versions_client_needs, 2085 .build = tlsext_versions_client_build, 2086 .process = tlsext_versions_client_process, 2087 }, 2088 .server = { 2089 .needs = tlsext_versions_server_needs, 2090 .build = tlsext_versions_server_build, 2091 .process = tlsext_versions_server_process, 2092 }, 2093 }, 2094 { 2095 .type = TLSEXT_TYPE_supported_groups, 2096 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2097 .client = { 2098 .needs = tlsext_supportedgroups_client_needs, 2099 .build = tlsext_supportedgroups_client_build, 2100 .process = tlsext_supportedgroups_client_process, 2101 }, 2102 .server = { 2103 .needs = tlsext_supportedgroups_server_needs, 2104 .build = tlsext_supportedgroups_server_build, 2105 .process = tlsext_supportedgroups_server_process, 2106 }, 2107 }, 2108 { 2109 .type = TLSEXT_TYPE_key_share, 2110 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2111 SSL_TLSEXT_MSG_HRR, 2112 .client = { 2113 .needs = tlsext_keyshare_client_needs, 2114 .build = tlsext_keyshare_client_build, 2115 .process = tlsext_keyshare_client_process, 2116 }, 2117 .server = { 2118 .needs = tlsext_keyshare_server_needs, 2119 .build = tlsext_keyshare_server_build, 2120 .process = tlsext_keyshare_server_process, 2121 }, 2122 }, 2123 { 2124 .type = TLSEXT_TYPE_server_name, 2125 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2126 .client = { 2127 .needs = tlsext_sni_client_needs, 2128 .build = tlsext_sni_client_build, 2129 .process = tlsext_sni_client_process, 2130 }, 2131 .server = { 2132 .needs = tlsext_sni_server_needs, 2133 .build = tlsext_sni_server_build, 2134 .process = tlsext_sni_server_process, 2135 }, 2136 }, 2137 { 2138 .type = TLSEXT_TYPE_renegotiate, 2139 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2140 .client = { 2141 .needs = tlsext_ri_client_needs, 2142 .build = tlsext_ri_client_build, 2143 .process = tlsext_ri_client_process, 2144 }, 2145 .server = { 2146 .needs = tlsext_ri_server_needs, 2147 .build = tlsext_ri_server_build, 2148 .process = tlsext_ri_server_process, 2149 }, 2150 }, 2151 { 2152 .type = TLSEXT_TYPE_status_request, 2153 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 2154 SSL_TLSEXT_MSG_CT, 2155 .client = { 2156 .needs = tlsext_ocsp_client_needs, 2157 .build = tlsext_ocsp_client_build, 2158 .process = tlsext_ocsp_client_process, 2159 }, 2160 .server = { 2161 .needs = tlsext_ocsp_server_needs, 2162 .build = tlsext_ocsp_server_build, 2163 .process = tlsext_ocsp_server_process, 2164 }, 2165 }, 2166 { 2167 .type = TLSEXT_TYPE_ec_point_formats, 2168 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2169 .client = { 2170 .needs = tlsext_ecpf_client_needs, 2171 .build = tlsext_ecpf_client_build, 2172 .process = tlsext_ecpf_client_process, 2173 }, 2174 .server = { 2175 .needs = tlsext_ecpf_server_needs, 2176 .build = tlsext_ecpf_server_build, 2177 .process = tlsext_ecpf_server_process, 2178 }, 2179 }, 2180 { 2181 .type = TLSEXT_TYPE_session_ticket, 2182 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2183 .client = { 2184 .needs = tlsext_sessionticket_client_needs, 2185 .build = tlsext_sessionticket_client_build, 2186 .process = tlsext_sessionticket_client_process, 2187 }, 2188 .server = { 2189 .needs = tlsext_sessionticket_server_needs, 2190 .build = tlsext_sessionticket_server_build, 2191 .process = tlsext_sessionticket_server_process, 2192 }, 2193 }, 2194 { 2195 .type = TLSEXT_TYPE_signature_algorithms, 2196 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 2197 .client = { 2198 .needs = tlsext_sigalgs_client_needs, 2199 .build = tlsext_sigalgs_client_build, 2200 .process = tlsext_sigalgs_client_process, 2201 }, 2202 .server = { 2203 .needs = tlsext_sigalgs_server_needs, 2204 .build = tlsext_sigalgs_server_build, 2205 .process = tlsext_sigalgs_server_process, 2206 }, 2207 }, 2208 { 2209 .type = TLSEXT_TYPE_alpn, 2210 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2211 .client = { 2212 .needs = tlsext_alpn_client_needs, 2213 .build = tlsext_alpn_client_build, 2214 .process = tlsext_alpn_client_process, 2215 }, 2216 .server = { 2217 .needs = tlsext_alpn_server_needs, 2218 .build = tlsext_alpn_server_build, 2219 .process = tlsext_alpn_server_process, 2220 }, 2221 }, 2222 { 2223 .type = TLSEXT_TYPE_cookie, 2224 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 2225 .client = { 2226 .needs = tlsext_cookie_client_needs, 2227 .build = tlsext_cookie_client_build, 2228 .process = tlsext_cookie_client_process, 2229 }, 2230 .server = { 2231 .needs = tlsext_cookie_server_needs, 2232 .build = tlsext_cookie_server_build, 2233 .process = tlsext_cookie_server_process, 2234 }, 2235 }, 2236 #ifndef OPENSSL_NO_SRTP 2237 { 2238 .type = TLSEXT_TYPE_use_srtp, 2239 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 2240 SSL_TLSEXT_MSG_EE, 2241 .client = { 2242 .needs = tlsext_srtp_client_needs, 2243 .build = tlsext_srtp_client_build, 2244 .process = tlsext_srtp_client_process, 2245 }, 2246 .server = { 2247 .needs = tlsext_srtp_server_needs, 2248 .build = tlsext_srtp_server_build, 2249 .process = tlsext_srtp_server_process, 2250 }, 2251 }, 2252 #endif /* OPENSSL_NO_SRTP */ 2253 { 2254 .type = TLSEXT_TYPE_quic_transport_parameters, 2255 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2256 .client = { 2257 .needs = tlsext_quic_transport_parameters_client_needs, 2258 .build = tlsext_quic_transport_parameters_client_build, 2259 .process = tlsext_quic_transport_parameters_client_process, 2260 }, 2261 .server = { 2262 .needs = tlsext_quic_transport_parameters_server_needs, 2263 .build = tlsext_quic_transport_parameters_server_build, 2264 .process = tlsext_quic_transport_parameters_server_process, 2265 }, 2266 }, 2267 { 2268 .type = TLSEXT_TYPE_psk_key_exchange_modes, 2269 .messages = SSL_TLSEXT_MSG_CH, 2270 .client = { 2271 .needs = tlsext_psk_kex_modes_client_needs, 2272 .build = tlsext_psk_kex_modes_client_build, 2273 .process = tlsext_psk_kex_modes_client_process, 2274 }, 2275 .server = { 2276 .needs = tlsext_psk_kex_modes_server_needs, 2277 .build = tlsext_psk_kex_modes_server_build, 2278 .process = tlsext_psk_kex_modes_server_process, 2279 }, 2280 }, 2281 { 2282 .type = TLSEXT_TYPE_pre_shared_key, 2283 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2284 .client = { 2285 .needs = tlsext_psk_client_needs, 2286 .build = tlsext_psk_client_build, 2287 .process = tlsext_psk_client_process, 2288 }, 2289 .server = { 2290 .needs = tlsext_psk_server_needs, 2291 .build = tlsext_psk_server_build, 2292 .process = tlsext_psk_server_process, 2293 }, 2294 }, 2295 }; 2296 2297 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 2298 2299 /* Ensure that extensions fit in a uint32_t bitmask. */ 2300 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2301 2302 struct tlsext_data { 2303 CBS extensions[N_TLS_EXTENSIONS]; 2304 }; 2305 2306 static struct tlsext_data * 2307 tlsext_data_new(void) 2308 { 2309 return calloc(1, sizeof(struct tlsext_data)); 2310 } 2311 2312 static void 2313 tlsext_data_free(struct tlsext_data *td) 2314 { 2315 freezero(td, sizeof(*td)); 2316 } 2317 2318 uint16_t 2319 tls_extension_type(const struct tls_extension *extension) 2320 { 2321 return extension->type; 2322 } 2323 2324 const struct tls_extension * 2325 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2326 { 2327 size_t i; 2328 2329 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2330 if (tls_extensions[i].type == type) { 2331 *tls_extensions_idx = i; 2332 return &tls_extensions[i]; 2333 } 2334 } 2335 2336 return NULL; 2337 } 2338 2339 int 2340 tlsext_extension_seen(SSL *s, uint16_t type) 2341 { 2342 size_t idx; 2343 2344 if (tls_extension_find(type, &idx) == NULL) 2345 return 0; 2346 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0); 2347 } 2348 2349 int 2350 tlsext_extension_processed(SSL *s, uint16_t type) 2351 { 2352 size_t idx; 2353 2354 if (tls_extension_find(type, &idx) == NULL) 2355 return 0; 2356 return ((s->s3->hs.extensions_processed & (1 << idx)) != 0); 2357 } 2358 2359 const struct tls_extension_funcs * 2360 tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2361 { 2362 if (is_server) 2363 return &tlsext->server; 2364 2365 return &tlsext->client; 2366 } 2367 2368 int 2369 tlsext_randomize_build_order(SSL *s) 2370 { 2371 const struct tls_extension *psk_ext; 2372 size_t idx, new_idx, psk_idx; 2373 size_t alpn_idx = 0, sni_idx = 0; 2374 2375 free(s->tlsext_build_order); 2376 s->tlsext_build_order_len = 0; 2377 2378 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), 2379 N_TLS_EXTENSIONS)) == NULL) 2380 return 0; 2381 s->tlsext_build_order_len = N_TLS_EXTENSIONS; 2382 2383 /* RFC 8446, section 4.2 - PSK MUST be the last extension in the CH. */ 2384 if ((psk_ext = tls_extension_find(TLSEXT_TYPE_pre_shared_key, 2385 &psk_idx)) == NULL) 2386 return 0; 2387 s->tlsext_build_order[N_TLS_EXTENSIONS - 1] = psk_ext; 2388 2389 /* Fisher-Yates shuffle with PSK fixed. */ 2390 for (idx = 0; idx < psk_idx; idx++) { 2391 new_idx = arc4random_uniform(idx + 1); 2392 s->tlsext_build_order[idx] = s->tlsext_build_order[new_idx]; 2393 s->tlsext_build_order[new_idx] = &tls_extensions[idx]; 2394 } 2395 2396 /* 2397 * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN 2398 * for clients so that virtual host setups work correctly. 2399 */ 2400 2401 if (s->server) 2402 return 1; 2403 2404 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { 2405 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn) 2406 alpn_idx = idx; 2407 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name) 2408 sni_idx = idx; 2409 } 2410 if (alpn_idx < sni_idx) { 2411 const struct tls_extension *tmp; 2412 2413 tmp = s->tlsext_build_order[alpn_idx]; 2414 s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx]; 2415 s->tlsext_build_order[sni_idx] = tmp; 2416 } 2417 2418 return 1; 2419 } 2420 2421 int 2422 tlsext_linearize_build_order(SSL *s) 2423 { 2424 size_t idx; 2425 2426 free(s->tlsext_build_order); 2427 s->tlsext_build_order_len = 0; 2428 2429 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), 2430 N_TLS_EXTENSIONS)) == NULL) 2431 return 0; 2432 s->tlsext_build_order_len = N_TLS_EXTENSIONS; 2433 2434 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) 2435 s->tlsext_build_order[idx] = &tls_extensions[idx]; 2436 2437 return 1; 2438 } 2439 2440 static int 2441 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2442 { 2443 const struct tls_extension_funcs *ext; 2444 const struct tls_extension *tlsext; 2445 CBB extensions, extension_data; 2446 int extensions_present = 0; 2447 uint16_t tls_version; 2448 size_t i; 2449 2450 tls_version = ssl_effective_tls_version(s); 2451 2452 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2453 return 0; 2454 2455 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2456 tlsext = s->tlsext_build_order[i]; 2457 ext = tlsext_funcs(tlsext, is_server); 2458 2459 /* RFC 8446 Section 4.2 */ 2460 if (tls_version >= TLS1_3_VERSION && 2461 !(tlsext->messages & msg_type)) 2462 continue; 2463 2464 if (!ext->needs(s, msg_type)) 2465 continue; 2466 2467 if (!CBB_add_u16(&extensions, tlsext->type)) 2468 return 0; 2469 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2470 return 0; 2471 2472 if (!ext->build(s, msg_type, &extension_data)) 2473 return 0; 2474 2475 extensions_present = 1; 2476 } 2477 2478 if (!extensions_present && 2479 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2480 CBB_discard_child(cbb); 2481 2482 if (!CBB_flush(cbb)) 2483 return 0; 2484 2485 return 1; 2486 } 2487 2488 int 2489 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2490 { 2491 /* 2492 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2493 * cookie may be added, padding may be removed. 2494 */ 2495 struct tls13_ctx *ctx = s->tls13; 2496 2497 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2498 type == TLSEXT_TYPE_padding) 2499 return 1; 2500 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2501 sizeof(type))) 2502 return 0; 2503 /* 2504 * key_share data may be changed, and pre_shared_key data may 2505 * be changed. 2506 */ 2507 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2508 return 1; 2509 if (!tls13_clienthello_hash_update(ctx, cbs)) 2510 return 0; 2511 2512 return 1; 2513 } 2514 2515 static int 2516 tlsext_parse(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type, 2517 CBS *cbs, int *alert) 2518 { 2519 const struct tls_extension *tlsext; 2520 CBS extensions, extension_data; 2521 uint16_t type; 2522 size_t idx; 2523 uint16_t tls_version; 2524 int alert_desc; 2525 2526 tls_version = ssl_effective_tls_version(s); 2527 2528 s->s3->hs.extensions_seen = 0; 2529 2530 /* An empty extensions block is valid. */ 2531 if (CBS_len(cbs) == 0) 2532 return 1; 2533 2534 alert_desc = SSL_AD_DECODE_ERROR; 2535 2536 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2537 goto err; 2538 2539 while (CBS_len(&extensions) > 0) { 2540 if (!CBS_get_u16(&extensions, &type)) 2541 goto err; 2542 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2543 goto err; 2544 2545 if (s->tlsext_debug_cb != NULL) 2546 s->tlsext_debug_cb(s, !is_server, type, 2547 (unsigned char *)CBS_data(&extension_data), 2548 CBS_len(&extension_data), 2549 s->tlsext_debug_arg); 2550 2551 /* Unknown extensions are ignored. */ 2552 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2553 continue; 2554 2555 if (tls_version >= TLS1_3_VERSION && is_server && 2556 msg_type == SSL_TLSEXT_MSG_CH) { 2557 if (!tlsext_clienthello_hash_extension(s, type, 2558 &extension_data)) 2559 goto err; 2560 } 2561 2562 /* RFC 8446 Section 4.2 */ 2563 if (tls_version >= TLS1_3_VERSION && 2564 !(tlsext->messages & msg_type)) { 2565 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2566 goto err; 2567 } 2568 2569 /* Check for duplicate known extensions. */ 2570 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0) 2571 goto err; 2572 s->s3->hs.extensions_seen |= (1 << idx); 2573 2574 CBS_dup(&extension_data, &td->extensions[idx]); 2575 } 2576 2577 return 1; 2578 2579 err: 2580 *alert = alert_desc; 2581 2582 return 0; 2583 } 2584 2585 static int 2586 tlsext_process(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type, 2587 int *alert) 2588 { 2589 const struct tls_extension_funcs *ext; 2590 const struct tls_extension *tlsext; 2591 int alert_desc; 2592 size_t idx; 2593 2594 alert_desc = SSL_AD_DECODE_ERROR; 2595 2596 s->s3->hs.extensions_processed = 0; 2597 2598 /* Run processing for present TLS extensions, in a defined order. */ 2599 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { 2600 tlsext = &tls_extensions[idx]; 2601 if ((s->s3->hs.extensions_seen & (1 << idx)) == 0) 2602 continue; 2603 ext = tlsext_funcs(tlsext, is_server); 2604 if (ext->process == NULL) 2605 continue; 2606 if (!ext->process(s, msg_type, &td->extensions[idx], &alert_desc)) 2607 goto err; 2608 2609 if (CBS_len(&td->extensions[idx]) != 0) 2610 goto err; 2611 2612 s->s3->hs.extensions_processed |= (1 << idx); 2613 } 2614 2615 return 1; 2616 2617 err: 2618 *alert = alert_desc; 2619 2620 return 0; 2621 } 2622 2623 static void 2624 tlsext_server_reset_state(SSL *s) 2625 { 2626 s->tlsext_status_type = -1; 2627 s->s3->renegotiate_seen = 0; 2628 free(s->s3->alpn_selected); 2629 s->s3->alpn_selected = NULL; 2630 s->s3->alpn_selected_len = 0; 2631 s->srtp_profile = NULL; 2632 } 2633 2634 int 2635 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2636 { 2637 return tlsext_build(s, 1, msg_type, cbb); 2638 } 2639 2640 int 2641 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2642 { 2643 struct tlsext_data *td; 2644 int ret = 0; 2645 2646 if ((td = tlsext_data_new()) == NULL) 2647 goto err; 2648 2649 /* XXX - this should be done by the caller... */ 2650 if (msg_type == SSL_TLSEXT_MSG_CH) 2651 tlsext_server_reset_state(s); 2652 2653 if (!tlsext_parse(s, td, 1, msg_type, cbs, alert)) 2654 goto err; 2655 if (!tlsext_process(s, td, 1, msg_type, alert)) 2656 goto err; 2657 2658 ret = 1; 2659 2660 err: 2661 tlsext_data_free(td); 2662 2663 return ret; 2664 } 2665 2666 static void 2667 tlsext_client_reset_state(SSL *s) 2668 { 2669 s->s3->renegotiate_seen = 0; 2670 free(s->s3->alpn_selected); 2671 s->s3->alpn_selected = NULL; 2672 s->s3->alpn_selected_len = 0; 2673 } 2674 2675 int 2676 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2677 { 2678 return tlsext_build(s, 0, msg_type, cbb); 2679 } 2680 2681 int 2682 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2683 { 2684 struct tlsext_data *td; 2685 int ret = 0; 2686 2687 if ((td = tlsext_data_new()) == NULL) 2688 goto err; 2689 2690 /* XXX - this should be done by the caller... */ 2691 if (msg_type == SSL_TLSEXT_MSG_SH) 2692 tlsext_client_reset_state(s); 2693 2694 if (!tlsext_parse(s, td, 0, msg_type, cbs, alert)) 2695 goto err; 2696 if (!tlsext_process(s, td, 0, msg_type, alert)) 2697 goto err; 2698 2699 ret = 1; 2700 2701 err: 2702 tlsext_data_free(td); 2703 2704 return ret; 2705 } 2706