1 /* $OpenBSD: ssl_tlsext.c,v 1.126 2022/07/22 13:10:31 tb Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/socket.h> 21 22 #include <arpa/inet.h> 23 #include <netinet/in.h> 24 25 #include <ctype.h> 26 27 #include <openssl/ocsp.h> 28 #include <openssl/opensslconf.h> 29 30 #include "bytestring.h" 31 #include "ssl_locl.h" 32 #include "ssl_sigalgs.h" 33 #include "ssl_tlsext.h" 34 35 /* 36 * Supported Application-Layer Protocol Negotiation - RFC 7301 37 */ 38 39 int 40 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 41 { 42 /* ALPN protos have been specified and this is the initial handshake */ 43 return s->internal->alpn_client_proto_list != NULL && 44 s->s3->hs.finished_len == 0; 45 } 46 47 int 48 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 49 { 50 CBB protolist; 51 52 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 53 return 0; 54 55 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 56 s->internal->alpn_client_proto_list_len)) 57 return 0; 58 59 if (!CBB_flush(cbb)) 60 return 0; 61 62 return 1; 63 } 64 65 int 66 tlsext_alpn_check_format(CBS *cbs) 67 { 68 CBS proto_name_list; 69 70 if (CBS_len(cbs) == 0) 71 return 0; 72 73 CBS_dup(cbs, &proto_name_list); 74 while (CBS_len(&proto_name_list) > 0) { 75 CBS proto_name; 76 77 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 78 return 0; 79 if (CBS_len(&proto_name) == 0) 80 return 0; 81 } 82 83 return 1; 84 } 85 86 int 87 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 88 { 89 CBS alpn; 90 const unsigned char *selected; 91 unsigned char selected_len; 92 int r; 93 94 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 95 goto err; 96 97 if (!tlsext_alpn_check_format(&alpn)) 98 goto err; 99 100 if (s->ctx->internal->alpn_select_cb == NULL) 101 return 1; 102 103 /* 104 * XXX - A few things should be considered here: 105 * 1. Ensure that the same protocol is selected on session resumption. 106 * 2. Should the callback be called even if no ALPN extension was sent? 107 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 108 */ 109 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 110 CBS_data(&alpn), CBS_len(&alpn), 111 s->ctx->internal->alpn_select_cb_arg); 112 113 if (r == SSL_TLSEXT_ERR_OK) { 114 CBS cbs; 115 116 CBS_init(&cbs, selected, selected_len); 117 118 if (!CBS_stow(&cbs, &s->s3->alpn_selected, 119 &s->s3->alpn_selected_len)) { 120 *alert = SSL_AD_INTERNAL_ERROR; 121 return 0; 122 } 123 124 return 1; 125 } 126 127 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 128 if (r == SSL_TLSEXT_ERR_NOACK) 129 return 1; 130 131 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 132 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 133 134 return 0; 135 136 err: 137 *alert = SSL_AD_DECODE_ERROR; 138 return 0; 139 } 140 141 int 142 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 143 { 144 return s->s3->alpn_selected != NULL; 145 } 146 147 int 148 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 149 { 150 CBB list, selected; 151 152 if (!CBB_add_u16_length_prefixed(cbb, &list)) 153 return 0; 154 155 if (!CBB_add_u8_length_prefixed(&list, &selected)) 156 return 0; 157 158 if (!CBB_add_bytes(&selected, s->s3->alpn_selected, 159 s->s3->alpn_selected_len)) 160 return 0; 161 162 if (!CBB_flush(cbb)) 163 return 0; 164 165 return 1; 166 } 167 168 int 169 tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 170 { 171 CBS list, proto; 172 173 if (s->internal->alpn_client_proto_list == NULL) { 174 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 175 return 0; 176 } 177 178 if (!CBS_get_u16_length_prefixed(cbs, &list)) 179 goto err; 180 181 if (!CBS_get_u8_length_prefixed(&list, &proto)) 182 goto err; 183 184 if (CBS_len(&list) != 0) 185 goto err; 186 if (CBS_len(&proto) == 0) 187 goto err; 188 189 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len)) 190 goto err; 191 192 return 1; 193 194 err: 195 *alert = SSL_AD_DECODE_ERROR; 196 return 0; 197 } 198 199 /* 200 * Supported Groups - RFC 7919 section 2 201 */ 202 int 203 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 204 { 205 return ssl_has_ecc_ciphers(s) || 206 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 207 } 208 209 int 210 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 211 { 212 const uint16_t *groups; 213 size_t groups_len; 214 CBB grouplist; 215 int i; 216 217 tls1_get_group_list(s, 0, &groups, &groups_len); 218 if (groups_len == 0) { 219 SSLerror(s, ERR_R_INTERNAL_ERROR); 220 return 0; 221 } 222 223 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 224 return 0; 225 226 for (i = 0; i < groups_len; i++) { 227 if (!ssl_security_supported_group(s, groups[i])) 228 continue; 229 if (!CBB_add_u16(&grouplist, groups[i])) 230 return 0; 231 } 232 233 if (!CBB_flush(cbb)) 234 return 0; 235 236 return 1; 237 } 238 239 int 240 tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 241 int *alert) 242 { 243 CBS grouplist; 244 uint16_t *groups; 245 size_t groups_len; 246 int i; 247 248 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 249 goto err; 250 251 groups_len = CBS_len(&grouplist); 252 if (groups_len == 0 || groups_len % 2 != 0) 253 goto err; 254 groups_len /= 2; 255 256 if (s->internal->hit) 257 return 1; 258 259 if (s->s3->hs.tls13.hrr) { 260 if (s->session->tlsext_supportedgroups == NULL) { 261 *alert = SSL_AD_HANDSHAKE_FAILURE; 262 return 0; 263 } 264 265 /* 266 * The ClientHello extension hashing ensures that the client 267 * did not change its list of supported groups. 268 */ 269 270 return 1; 271 } 272 273 if (s->session->tlsext_supportedgroups != NULL) 274 goto err; 275 276 if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) { 277 *alert = SSL_AD_INTERNAL_ERROR; 278 return 0; 279 } 280 281 for (i = 0; i < groups_len; i++) { 282 if (!CBS_get_u16(&grouplist, &groups[i])) { 283 free(groups); 284 goto err; 285 } 286 } 287 288 if (CBS_len(&grouplist) != 0) { 289 free(groups); 290 goto err; 291 } 292 293 s->session->tlsext_supportedgroups = groups; 294 s->session->tlsext_supportedgroups_length = groups_len; 295 296 return 1; 297 298 err: 299 *alert = SSL_AD_DECODE_ERROR; 300 return 0; 301 } 302 303 /* This extension is never used by the server. */ 304 int 305 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 306 { 307 return 0; 308 } 309 310 int 311 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 312 { 313 return 0; 314 } 315 316 int 317 tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 318 int *alert) 319 { 320 /* 321 * Servers should not send this extension per the RFC. 322 * 323 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 324 * from at least 2014 but as of 2017, there are still large sites with 325 * this unpatched in production. As a result, we need to currently skip 326 * over the extension and ignore its content: 327 * 328 * https://support.f5.com/csp/article/K37345003 329 */ 330 if (!CBS_skip(cbs, CBS_len(cbs))) { 331 *alert = SSL_AD_INTERNAL_ERROR; 332 return 0; 333 } 334 335 return 1; 336 } 337 338 /* 339 * Supported Point Formats Extension - RFC 4492 section 5.1.2 340 */ 341 static int 342 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 343 { 344 CBB ecpf; 345 size_t formats_len; 346 const uint8_t *formats; 347 348 tls1_get_formatlist(s, 0, &formats, &formats_len); 349 350 if (formats_len == 0) { 351 SSLerror(s, ERR_R_INTERNAL_ERROR); 352 return 0; 353 } 354 355 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 356 return 0; 357 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 358 return 0; 359 if (!CBB_flush(cbb)) 360 return 0; 361 362 return 1; 363 } 364 365 static int 366 tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 367 { 368 CBS ecpf; 369 370 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 371 return 0; 372 if (CBS_len(&ecpf) == 0) 373 return 0; 374 375 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 376 if (!CBS_contains_zero_byte(&ecpf)) { 377 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 378 *alert = SSL_AD_ILLEGAL_PARAMETER; 379 return 0; 380 } 381 382 if (!s->internal->hit) { 383 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), 384 &(s->session->tlsext_ecpointformatlist_length))) { 385 *alert = SSL_AD_INTERNAL_ERROR; 386 return 0; 387 } 388 } 389 390 return 1; 391 } 392 393 int 394 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 395 { 396 return ssl_has_ecc_ciphers(s); 397 } 398 399 int 400 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 401 { 402 return tlsext_ecpf_build(s, msg_type, cbb); 403 } 404 405 int 406 tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 407 { 408 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 409 } 410 411 int 412 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 413 { 414 return ssl_using_ecc_cipher(s); 415 } 416 417 int 418 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 419 { 420 return tlsext_ecpf_build(s, msg_type, cbb); 421 } 422 423 int 424 tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 425 { 426 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 427 } 428 429 /* 430 * Renegotiation Indication - RFC 5746. 431 */ 432 int 433 tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 434 { 435 return (s->internal->renegotiate); 436 } 437 438 int 439 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 440 { 441 CBB reneg; 442 443 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 444 return 0; 445 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 446 s->s3->previous_client_finished_len)) 447 return 0; 448 if (!CBB_flush(cbb)) 449 return 0; 450 451 return 1; 452 } 453 454 int 455 tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 456 { 457 CBS reneg; 458 459 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 460 goto err; 461 462 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, 463 s->s3->previous_client_finished_len)) { 464 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 465 *alert = SSL_AD_HANDSHAKE_FAILURE; 466 return 0; 467 } 468 469 s->s3->renegotiate_seen = 1; 470 s->s3->send_connection_binding = 1; 471 472 return 1; 473 474 err: 475 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 476 *alert = SSL_AD_DECODE_ERROR; 477 return 0; 478 } 479 480 int 481 tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 482 { 483 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && 484 s->s3->send_connection_binding); 485 } 486 487 int 488 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 489 { 490 CBB reneg; 491 492 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 493 return 0; 494 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 495 s->s3->previous_client_finished_len)) 496 return 0; 497 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished, 498 s->s3->previous_server_finished_len)) 499 return 0; 500 if (!CBB_flush(cbb)) 501 return 0; 502 503 return 1; 504 } 505 506 int 507 tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 508 { 509 CBS reneg, prev_client, prev_server; 510 511 /* 512 * Ensure that the previous client and server values are both not 513 * present, or that they are both present. 514 */ 515 if ((s->s3->previous_client_finished_len == 0 && 516 s->s3->previous_server_finished_len != 0) || 517 (s->s3->previous_client_finished_len != 0 && 518 s->s3->previous_server_finished_len == 0)) { 519 *alert = SSL_AD_INTERNAL_ERROR; 520 return 0; 521 } 522 523 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 524 goto err; 525 if (!CBS_get_bytes(&reneg, &prev_client, 526 s->s3->previous_client_finished_len)) 527 goto err; 528 if (!CBS_get_bytes(&reneg, &prev_server, 529 s->s3->previous_server_finished_len)) 530 goto err; 531 if (CBS_len(&reneg) != 0) 532 goto err; 533 534 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, 535 s->s3->previous_client_finished_len)) { 536 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 537 *alert = SSL_AD_HANDSHAKE_FAILURE; 538 return 0; 539 } 540 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished, 541 s->s3->previous_server_finished_len)) { 542 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 543 *alert = SSL_AD_HANDSHAKE_FAILURE; 544 return 0; 545 } 546 547 s->s3->renegotiate_seen = 1; 548 s->s3->send_connection_binding = 1; 549 550 return 1; 551 552 err: 553 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 554 *alert = SSL_AD_DECODE_ERROR; 555 return 0; 556 } 557 558 /* 559 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 560 */ 561 int 562 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 563 { 564 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION); 565 } 566 567 int 568 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 569 { 570 uint16_t tls_version = s->s3->hs.negotiated_tls_version; 571 CBB sigalgs; 572 573 if (msg_type == SSL_TLSEXT_MSG_CH) 574 tls_version = s->s3->hs.our_min_tls_version; 575 576 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 577 return 0; 578 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) 579 return 0; 580 if (!CBB_flush(cbb)) 581 return 0; 582 583 return 1; 584 } 585 586 int 587 tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 588 { 589 CBS sigalgs; 590 591 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 592 return 0; 593 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 594 return 0; 595 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 596 return 0; 597 598 return 1; 599 } 600 601 int 602 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 603 { 604 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 605 } 606 607 int 608 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 609 { 610 CBB sigalgs; 611 612 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 613 return 0; 614 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, 615 SSL_get_security_level(s))) 616 return 0; 617 if (!CBB_flush(cbb)) 618 return 0; 619 620 return 1; 621 } 622 623 int 624 tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 625 { 626 CBS sigalgs; 627 628 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 629 return 0; 630 631 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 632 return 0; 633 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 634 return 0; 635 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 636 return 0; 637 638 return 1; 639 } 640 641 /* 642 * Server Name Indication - RFC 6066, section 3. 643 */ 644 int 645 tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 646 { 647 return (s->tlsext_hostname != NULL); 648 } 649 650 int 651 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 652 { 653 CBB server_name_list, host_name; 654 655 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 656 return 0; 657 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 658 return 0; 659 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 660 return 0; 661 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 662 strlen(s->tlsext_hostname))) 663 return 0; 664 if (!CBB_flush(cbb)) 665 return 0; 666 667 return 1; 668 } 669 670 static int 671 tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip) 672 { 673 union { 674 struct in_addr ip4; 675 struct in6_addr ip6; 676 } addrbuf; 677 char *hostname = NULL; 678 679 *is_ip = 0; 680 681 if (!CBS_strdup(cbs, &hostname)) 682 return 0; 683 684 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 || 685 inet_pton(AF_INET6, hostname, &addrbuf) == 1) 686 *is_ip = 1; 687 688 free(hostname); 689 690 return 1; 691 } 692 693 /* 694 * Validate that the CBS contains only a hostname consisting of RFC 5890 695 * compliant A-labels (see RFC 6066 section 3). Not a complete check 696 * since we don't parse punycode to verify its validity but limits to 697 * correct structure and character set. 698 */ 699 int 700 tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) 701 { 702 uint8_t prev, c = 0; 703 int component = 0; 704 CBS hostname; 705 706 *is_ip = 0; 707 708 CBS_dup(cbs, &hostname); 709 710 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 711 return 0; 712 713 /* An IP literal is invalid as a host name (RFC 6066 section 3). */ 714 if (!tlsext_sni_is_ip_literal(&hostname, is_ip)) 715 return 0; 716 if (*is_ip) 717 return 0; 718 719 while (CBS_len(&hostname) > 0) { 720 prev = c; 721 if (!CBS_get_u8(&hostname, &c)) 722 return 0; 723 /* Everything has to be ASCII, with no NUL byte. */ 724 if (!isascii(c) || c == '\0') 725 return 0; 726 /* It must be alphanumeric, a '-', or a '.' */ 727 if (!isalnum(c) && c != '-' && c != '.') 728 return 0; 729 /* '-' and '.' must not start a component or be at the end. */ 730 if (component == 0 || CBS_len(&hostname) == 0) { 731 if (c == '-' || c == '.') 732 return 0; 733 } 734 if (c == '.') { 735 /* Components can not end with a dash. */ 736 if (prev == '-') 737 return 0; 738 /* Start new component */ 739 component = 0; 740 continue; 741 } 742 /* Components must be 63 chars or less. */ 743 if (++component > 63) 744 return 0; 745 } 746 747 return 1; 748 } 749 750 int 751 tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 752 { 753 CBS server_name_list, host_name; 754 uint8_t name_type; 755 int is_ip; 756 757 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 758 goto err; 759 760 if (!CBS_get_u8(&server_name_list, &name_type)) 761 goto err; 762 763 /* 764 * RFC 6066 section 3, only one type (host_name) is specified. 765 * We do not tolerate unknown types, neither does BoringSSL. 766 * other implementations appear more tolerant. 767 */ 768 if (name_type != TLSEXT_NAMETYPE_host_name) { 769 *alert = SSL_AD_ILLEGAL_PARAMETER; 770 goto err; 771 } 772 773 /* 774 * RFC 6066 section 3 specifies a host name must be at least 1 byte 775 * so 0 length is a decode error. 776 */ 777 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 778 goto err; 779 if (CBS_len(&host_name) < 1) 780 goto err; 781 782 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) { 783 /* 784 * Various pieces of software have been known to set the SNI 785 * host name to an IP address, even though that violates the 786 * RFC. If this is the case, pretend the SNI extension does 787 * not exist. 788 */ 789 if (is_ip) 790 goto done; 791 792 *alert = SSL_AD_ILLEGAL_PARAMETER; 793 goto err; 794 } 795 796 if (s->internal->hit || s->s3->hs.tls13.hrr) { 797 if (s->session->tlsext_hostname == NULL) { 798 *alert = SSL_AD_UNRECOGNIZED_NAME; 799 goto err; 800 } 801 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 802 strlen(s->session->tlsext_hostname))) { 803 *alert = SSL_AD_UNRECOGNIZED_NAME; 804 goto err; 805 } 806 } else { 807 if (s->session->tlsext_hostname != NULL) 808 goto err; 809 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 810 *alert = SSL_AD_INTERNAL_ERROR; 811 goto err; 812 } 813 } 814 815 done: 816 /* 817 * RFC 6066 section 3 forbids multiple host names with the same type, 818 * therefore we allow only one entry. 819 */ 820 if (CBS_len(&server_name_list) != 0) { 821 *alert = SSL_AD_ILLEGAL_PARAMETER; 822 goto err; 823 } 824 825 return 1; 826 827 err: 828 return 0; 829 } 830 831 int 832 tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 833 { 834 if (s->internal->hit) 835 return 0; 836 837 return (s->session->tlsext_hostname != NULL); 838 } 839 840 int 841 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 842 { 843 return 1; 844 } 845 846 int 847 tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 848 { 849 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 850 *alert = SSL_AD_UNRECOGNIZED_NAME; 851 return 0; 852 } 853 854 if (s->internal->hit) { 855 if (s->session->tlsext_hostname == NULL) { 856 *alert = SSL_AD_UNRECOGNIZED_NAME; 857 return 0; 858 } 859 if (strcmp(s->tlsext_hostname, 860 s->session->tlsext_hostname) != 0) { 861 *alert = SSL_AD_UNRECOGNIZED_NAME; 862 return 0; 863 } 864 } else { 865 if (s->session->tlsext_hostname != NULL) { 866 *alert = SSL_AD_DECODE_ERROR; 867 return 0; 868 } 869 if ((s->session->tlsext_hostname = 870 strdup(s->tlsext_hostname)) == NULL) { 871 *alert = SSL_AD_INTERNAL_ERROR; 872 return 0; 873 } 874 } 875 876 return 1; 877 } 878 879 880 /* 881 * Certificate Status Request - RFC 6066 section 8. 882 */ 883 884 int 885 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 886 { 887 if (msg_type != SSL_TLSEXT_MSG_CH) 888 return 0; 889 890 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 891 } 892 893 int 894 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 895 { 896 CBB respid_list, respid, exts; 897 unsigned char *ext_data; 898 size_t ext_len; 899 int i; 900 901 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 902 return 0; 903 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 904 return 0; 905 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 906 unsigned char *respid_data; 907 OCSP_RESPID *id; 908 size_t id_len; 909 910 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 911 i)) == NULL) 912 return 0; 913 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 914 return 0; 915 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 916 return 0; 917 if (!CBB_add_space(&respid, &respid_data, id_len)) 918 return 0; 919 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 920 return 0; 921 } 922 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 923 return 0; 924 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 925 NULL)) == -1) 926 return 0; 927 if (!CBB_add_space(&exts, &ext_data, ext_len)) 928 return 0; 929 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 930 ext_len)) 931 return 0; 932 if (!CBB_flush(cbb)) 933 return 0; 934 return 1; 935 } 936 937 int 938 tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 939 { 940 int alert_desc = SSL_AD_DECODE_ERROR; 941 CBS respid_list, respid, exts; 942 const unsigned char *p; 943 uint8_t status_type; 944 int ret = 0; 945 946 if (msg_type != SSL_TLSEXT_MSG_CH) 947 goto err; 948 949 if (!CBS_get_u8(cbs, &status_type)) 950 goto err; 951 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 952 /* ignore unknown status types */ 953 s->tlsext_status_type = -1; 954 955 if (!CBS_skip(cbs, CBS_len(cbs))) { 956 *alert = SSL_AD_INTERNAL_ERROR; 957 return 0; 958 } 959 return 1; 960 } 961 s->tlsext_status_type = status_type; 962 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 963 goto err; 964 965 /* XXX */ 966 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 967 s->internal->tlsext_ocsp_ids = NULL; 968 if (CBS_len(&respid_list) > 0) { 969 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 970 if (s->internal->tlsext_ocsp_ids == NULL) { 971 alert_desc = SSL_AD_INTERNAL_ERROR; 972 goto err; 973 } 974 } 975 976 while (CBS_len(&respid_list) > 0) { 977 OCSP_RESPID *id; 978 979 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 980 goto err; 981 p = CBS_data(&respid); 982 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 983 goto err; 984 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 985 alert_desc = SSL_AD_INTERNAL_ERROR; 986 OCSP_RESPID_free(id); 987 goto err; 988 } 989 } 990 991 /* Read in request_extensions */ 992 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 993 goto err; 994 if (CBS_len(&exts) > 0) { 995 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 996 X509_EXTENSION_free); 997 p = CBS_data(&exts); 998 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 999 &p, CBS_len(&exts))) == NULL) 1000 goto err; 1001 } 1002 1003 ret = 1; 1004 err: 1005 if (ret == 0) 1006 *alert = alert_desc; 1007 return ret; 1008 } 1009 1010 int 1011 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 1012 { 1013 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1014 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 1015 s->ctx->internal->tlsext_status_cb != NULL) { 1016 s->internal->tlsext_status_expected = 0; 1017 if (s->ctx->internal->tlsext_status_cb(s, 1018 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 1019 s->internal->tlsext_ocsp_resp_len > 0) 1020 s->internal->tlsext_status_expected = 1; 1021 } 1022 return s->internal->tlsext_status_expected; 1023 } 1024 1025 int 1026 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1027 { 1028 CBB ocsp_response; 1029 1030 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1031 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1032 return 0; 1033 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1034 return 0; 1035 if (!CBB_add_bytes(&ocsp_response, 1036 s->internal->tlsext_ocsp_resp, 1037 s->internal->tlsext_ocsp_resp_len)) 1038 return 0; 1039 if (!CBB_flush(cbb)) 1040 return 0; 1041 } 1042 return 1; 1043 } 1044 1045 int 1046 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1047 { 1048 uint8_t status_type; 1049 CBS response; 1050 1051 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1052 if (msg_type == SSL_TLSEXT_MSG_CR) { 1053 /* 1054 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1055 * response with an empty status_request. 1056 */ 1057 if (CBS_len(cbs) == 0) 1058 return 1; 1059 1060 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1061 return 0; 1062 } 1063 if (!CBS_get_u8(cbs, &status_type)) { 1064 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1065 return 0; 1066 } 1067 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1068 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1069 return 0; 1070 } 1071 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1072 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1073 return 0; 1074 } 1075 if (CBS_len(&response) > 65536) { 1076 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1077 return 0; 1078 } 1079 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 1080 &s->internal->tlsext_ocsp_resp_len)) { 1081 *alert = SSL_AD_INTERNAL_ERROR; 1082 return 0; 1083 } 1084 } else { 1085 if (s->tlsext_status_type == -1) { 1086 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1087 return 0; 1088 } 1089 /* Set flag to expect CertificateStatus message */ 1090 s->internal->tlsext_status_expected = 1; 1091 } 1092 return 1; 1093 } 1094 1095 /* 1096 * SessionTicket extension - RFC 5077 section 3.2 1097 */ 1098 int 1099 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1100 { 1101 /* 1102 * Send session ticket extension when enabled and not overridden. 1103 * 1104 * When renegotiating, send an empty session ticket to indicate support. 1105 */ 1106 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1107 return 0; 1108 1109 if (!ssl_security_tickets(s)) 1110 return 0; 1111 1112 if (s->internal->new_session) 1113 return 1; 1114 1115 if (s->internal->tlsext_session_ticket != NULL && 1116 s->internal->tlsext_session_ticket->data == NULL) 1117 return 0; 1118 1119 return 1; 1120 } 1121 1122 int 1123 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1124 { 1125 /* 1126 * Signal that we support session tickets by sending an empty 1127 * extension when renegotiating or no session found. 1128 */ 1129 if (s->internal->new_session || s->session == NULL) 1130 return 1; 1131 1132 if (s->session->tlsext_tick != NULL) { 1133 /* Attempt to resume with an existing session ticket */ 1134 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1135 s->session->tlsext_ticklen)) 1136 return 0; 1137 1138 } else if (s->internal->tlsext_session_ticket != NULL) { 1139 /* 1140 * Attempt to resume with a custom provided session ticket set 1141 * by SSL_set_session_ticket_ext(). 1142 */ 1143 if (s->internal->tlsext_session_ticket->length > 0) { 1144 size_t ticklen = s->internal->tlsext_session_ticket->length; 1145 1146 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1147 return 0; 1148 memcpy(s->session->tlsext_tick, 1149 s->internal->tlsext_session_ticket->data, 1150 ticklen); 1151 s->session->tlsext_ticklen = ticklen; 1152 1153 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1154 s->session->tlsext_ticklen)) 1155 return 0; 1156 } 1157 } 1158 1159 if (!CBB_flush(cbb)) 1160 return 0; 1161 1162 return 1; 1163 } 1164 1165 int 1166 tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1167 int *alert) 1168 { 1169 if (s->internal->tls_session_ticket_ext_cb) { 1170 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1171 (int)CBS_len(cbs), 1172 s->internal->tls_session_ticket_ext_cb_arg)) { 1173 *alert = SSL_AD_INTERNAL_ERROR; 1174 return 0; 1175 } 1176 } 1177 1178 /* We need to signal that this was processed fully */ 1179 if (!CBS_skip(cbs, CBS_len(cbs))) { 1180 *alert = SSL_AD_INTERNAL_ERROR; 1181 return 0; 1182 } 1183 1184 return 1; 1185 } 1186 1187 int 1188 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1189 { 1190 return (s->internal->tlsext_ticket_expected && 1191 !(SSL_get_options(s) & SSL_OP_NO_TICKET) && 1192 ssl_security_tickets(s)); 1193 } 1194 1195 int 1196 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1197 { 1198 /* Empty ticket */ 1199 return 1; 1200 } 1201 1202 int 1203 tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1204 int *alert) 1205 { 1206 if (s->internal->tls_session_ticket_ext_cb) { 1207 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1208 (int)CBS_len(cbs), 1209 s->internal->tls_session_ticket_ext_cb_arg)) { 1210 *alert = SSL_AD_INTERNAL_ERROR; 1211 return 0; 1212 } 1213 } 1214 1215 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1216 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1217 return 0; 1218 } 1219 1220 s->internal->tlsext_ticket_expected = 1; 1221 1222 return 1; 1223 } 1224 1225 /* 1226 * DTLS extension for SRTP key establishment - RFC 5764 1227 */ 1228 1229 #ifndef OPENSSL_NO_SRTP 1230 1231 int 1232 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1233 { 1234 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1235 } 1236 1237 int 1238 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1239 { 1240 CBB profiles, mki; 1241 int ct, i; 1242 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1243 const SRTP_PROTECTION_PROFILE *prof; 1244 1245 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1246 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1247 return 0; 1248 } 1249 1250 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1251 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1252 return 0; 1253 } 1254 1255 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1256 return 0; 1257 1258 for (i = 0; i < ct; i++) { 1259 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1260 return 0; 1261 if (!CBB_add_u16(&profiles, prof->id)) 1262 return 0; 1263 } 1264 1265 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1266 return 0; 1267 1268 if (!CBB_flush(cbb)) 1269 return 0; 1270 1271 return 1; 1272 } 1273 1274 int 1275 tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1276 { 1277 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1278 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1279 int i, j; 1280 int ret; 1281 uint16_t id; 1282 CBS profiles, mki; 1283 1284 ret = 0; 1285 1286 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1287 goto err; 1288 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1289 goto err; 1290 1291 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1292 goto err; 1293 1294 while (CBS_len(&profiles) > 0) { 1295 if (!CBS_get_u16(&profiles, &id)) 1296 goto err; 1297 1298 if (!srtp_find_profile_by_num(id, &cprof)) { 1299 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1300 goto err; 1301 } 1302 } 1303 1304 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1305 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1306 *alert = SSL_AD_DECODE_ERROR; 1307 goto done; 1308 } 1309 1310 /* 1311 * Per RFC 5764 section 4.1.1 1312 * 1313 * Find the server preferred profile using the client's list. 1314 * 1315 * The server MUST send a profile if it sends the use_srtp 1316 * extension. If one is not found, it should fall back to the 1317 * negotiated DTLS cipher suite or return a DTLS alert. 1318 */ 1319 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1320 goto err; 1321 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1322 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1323 == NULL) 1324 goto err; 1325 1326 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1327 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1328 == NULL) 1329 goto err; 1330 1331 if (cprof->id == sprof->id) { 1332 s->internal->srtp_profile = sprof; 1333 ret = 1; 1334 goto done; 1335 } 1336 } 1337 } 1338 1339 /* If we didn't find anything, fall back to the negotiated */ 1340 ret = 1; 1341 goto done; 1342 1343 err: 1344 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1345 *alert = SSL_AD_DECODE_ERROR; 1346 1347 done: 1348 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1349 return ret; 1350 } 1351 1352 int 1353 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1354 { 1355 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1356 } 1357 1358 int 1359 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1360 { 1361 SRTP_PROTECTION_PROFILE *profile; 1362 CBB srtp, mki; 1363 1364 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1365 return 0; 1366 1367 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1368 return 0; 1369 1370 if (!CBB_add_u16(&srtp, profile->id)) 1371 return 0; 1372 1373 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1374 return 0; 1375 1376 if (!CBB_flush(cbb)) 1377 return 0; 1378 1379 return 1; 1380 } 1381 1382 int 1383 tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1384 { 1385 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1386 const SRTP_PROTECTION_PROFILE *prof; 1387 int i; 1388 uint16_t id; 1389 CBS profile_ids, mki; 1390 1391 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1392 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1393 goto err; 1394 } 1395 1396 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1397 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1398 goto err; 1399 } 1400 1401 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1402 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1403 *alert = SSL_AD_ILLEGAL_PARAMETER; 1404 return 0; 1405 } 1406 1407 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1408 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1409 goto err; 1410 } 1411 1412 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1413 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1414 == NULL) { 1415 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1416 goto err; 1417 } 1418 1419 if (prof->id == id) { 1420 s->internal->srtp_profile = prof; 1421 return 1; 1422 } 1423 } 1424 1425 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1426 err: 1427 *alert = SSL_AD_DECODE_ERROR; 1428 return 0; 1429 } 1430 1431 #endif /* OPENSSL_NO_SRTP */ 1432 1433 /* 1434 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1435 */ 1436 int 1437 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1438 { 1439 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1440 } 1441 1442 int 1443 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1444 { 1445 CBB client_shares, key_exchange; 1446 1447 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1448 return 0; 1449 1450 if (!CBB_add_u16(&client_shares, 1451 tls_key_share_group(s->s3->hs.key_share))) 1452 return 0; 1453 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1454 return 0; 1455 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1456 return 0; 1457 1458 if (!CBB_flush(cbb)) 1459 return 0; 1460 1461 return 1; 1462 } 1463 1464 int 1465 tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1466 { 1467 CBS client_shares, key_exchange; 1468 int decode_error; 1469 uint16_t group; 1470 1471 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1472 return 0; 1473 1474 while (CBS_len(&client_shares) > 0) { 1475 1476 /* Unpack client share. */ 1477 if (!CBS_get_u16(&client_shares, &group)) 1478 return 0; 1479 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1480 return 0; 1481 1482 /* 1483 * XXX - check key exchange against supported groups from client. 1484 * XXX - check that groups only appear once. 1485 */ 1486 1487 /* 1488 * Ignore this client share if we're using earlier than TLSv1.3 1489 * or we've already selected a key share. 1490 */ 1491 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) 1492 continue; 1493 if (s->s3->hs.key_share != NULL) 1494 continue; 1495 1496 /* XXX - consider implementing server preference. */ 1497 if (!tls1_check_group(s, group)) 1498 continue; 1499 1500 /* Decode and store the selected key share. */ 1501 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1502 *alert = SSL_AD_INTERNAL_ERROR; 1503 return 0; 1504 } 1505 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1506 &key_exchange, &decode_error, NULL)) { 1507 if (!decode_error) 1508 *alert = SSL_AD_INTERNAL_ERROR; 1509 return 0; 1510 } 1511 } 1512 1513 return 1; 1514 } 1515 1516 int 1517 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1518 { 1519 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1520 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1521 } 1522 1523 int 1524 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1525 { 1526 CBB key_exchange; 1527 1528 /* In the case of a HRR, we only send the server selected group. */ 1529 if (s->s3->hs.tls13.hrr) { 1530 if (s->s3->hs.tls13.server_group == 0) 1531 return 0; 1532 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group); 1533 } 1534 1535 if (s->s3->hs.key_share == NULL) 1536 return 0; 1537 1538 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share))) 1539 return 0; 1540 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1541 return 0; 1542 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1543 return 0; 1544 1545 if (!CBB_flush(cbb)) 1546 return 0; 1547 1548 return 1; 1549 } 1550 1551 int 1552 tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1553 { 1554 CBS key_exchange; 1555 int decode_error; 1556 uint16_t group; 1557 1558 /* Unpack server share. */ 1559 if (!CBS_get_u16(cbs, &group)) 1560 return 0; 1561 1562 if (CBS_len(cbs) == 0) { 1563 /* HRR does not include an actual key share, only the group. */ 1564 if (msg_type != SSL_TLSEXT_MSG_HRR) 1565 return 0; 1566 1567 s->s3->hs.tls13.server_group = group; 1568 return 1; 1569 } 1570 1571 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1572 return 0; 1573 1574 if (s->s3->hs.key_share == NULL) { 1575 *alert = SSL_AD_INTERNAL_ERROR; 1576 return 0; 1577 } 1578 if (tls_key_share_group(s->s3->hs.key_share) != group) { 1579 *alert = SSL_AD_INTERNAL_ERROR; 1580 return 0; 1581 } 1582 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1583 &key_exchange, &decode_error, NULL)) { 1584 if (!decode_error) 1585 *alert = SSL_AD_INTERNAL_ERROR; 1586 return 0; 1587 } 1588 1589 return 1; 1590 } 1591 1592 /* 1593 * Supported Versions - RFC 8446 section 4.2.1. 1594 */ 1595 int 1596 tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1597 { 1598 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1599 } 1600 1601 int 1602 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1603 { 1604 uint16_t max, min; 1605 uint16_t version; 1606 CBB versions; 1607 1608 max = s->s3->hs.our_max_tls_version; 1609 min = s->s3->hs.our_min_tls_version; 1610 1611 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1612 return 0; 1613 1614 /* XXX - fix, but contiguous for now... */ 1615 for (version = max; version >= min; version--) { 1616 if (!CBB_add_u16(&versions, version)) 1617 return 0; 1618 } 1619 1620 if (!CBB_flush(cbb)) 1621 return 0; 1622 1623 return 1; 1624 } 1625 1626 int 1627 tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1628 { 1629 CBS versions; 1630 uint16_t version; 1631 uint16_t max, min; 1632 uint16_t matched_version = 0; 1633 1634 max = s->s3->hs.our_max_tls_version; 1635 min = s->s3->hs.our_min_tls_version; 1636 1637 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1638 goto err; 1639 1640 while (CBS_len(&versions) > 0) { 1641 if (!CBS_get_u16(&versions, &version)) 1642 goto err; 1643 /* 1644 * XXX What is below implements client preference, and 1645 * ignores any server preference entirely. 1646 */ 1647 if (matched_version == 0 && version >= min && version <= max) 1648 matched_version = version; 1649 } 1650 1651 if (matched_version > 0) { 1652 /* XXX - this should be stored for later processing. */ 1653 s->version = matched_version; 1654 return 1; 1655 } 1656 1657 *alert = SSL_AD_PROTOCOL_VERSION; 1658 return 0; 1659 1660 err: 1661 *alert = SSL_AD_DECODE_ERROR; 1662 return 0; 1663 } 1664 1665 int 1666 tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1667 { 1668 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 1669 } 1670 1671 int 1672 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1673 { 1674 return CBB_add_u16(cbb, TLS1_3_VERSION); 1675 } 1676 1677 int 1678 tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1679 { 1680 uint16_t selected_version; 1681 1682 if (!CBS_get_u16(cbs, &selected_version)) { 1683 *alert = SSL_AD_DECODE_ERROR; 1684 return 0; 1685 } 1686 1687 /* XXX - need to fix for DTLS 1.3 */ 1688 if (selected_version < TLS1_3_VERSION) { 1689 *alert = SSL_AD_ILLEGAL_PARAMETER; 1690 return 0; 1691 } 1692 1693 /* XXX test between min and max once initialization code goes in */ 1694 s->s3->hs.tls13.server_version = selected_version; 1695 1696 return 1; 1697 } 1698 1699 1700 /* 1701 * Cookie - RFC 8446 section 4.2.2. 1702 */ 1703 1704 int 1705 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1706 { 1707 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1708 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1709 } 1710 1711 int 1712 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1713 { 1714 CBB cookie; 1715 1716 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1717 return 0; 1718 1719 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1720 s->s3->hs.tls13.cookie_len)) 1721 return 0; 1722 1723 if (!CBB_flush(cbb)) 1724 return 0; 1725 1726 return 1; 1727 } 1728 1729 int 1730 tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1731 { 1732 CBS cookie; 1733 1734 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1735 goto err; 1736 1737 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len) 1738 goto err; 1739 1740 /* 1741 * Check provided cookie value against what server previously 1742 * sent - client *MUST* send the same cookie with new CR after 1743 * a cookie is sent by the server with an HRR. 1744 */ 1745 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie, 1746 s->s3->hs.tls13.cookie_len)) { 1747 /* XXX special cookie mismatch alert? */ 1748 *alert = SSL_AD_ILLEGAL_PARAMETER; 1749 return 0; 1750 } 1751 1752 return 1; 1753 1754 err: 1755 *alert = SSL_AD_DECODE_ERROR; 1756 return 0; 1757 } 1758 1759 int 1760 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1761 { 1762 /* 1763 * Server needs to set cookie value in tls13 handshake 1764 * in order to send one, should only be sent with HRR. 1765 */ 1766 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1767 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1768 } 1769 1770 int 1771 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1772 { 1773 CBB cookie; 1774 1775 /* XXX deduplicate with client code */ 1776 1777 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1778 return 0; 1779 1780 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1781 s->s3->hs.tls13.cookie_len)) 1782 return 0; 1783 1784 if (!CBB_flush(cbb)) 1785 return 0; 1786 1787 return 1; 1788 } 1789 1790 int 1791 tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1792 { 1793 CBS cookie; 1794 1795 /* 1796 * XXX This currently assumes we will not get a second 1797 * HRR from a server with a cookie to process after accepting 1798 * one from the server in the same handshake 1799 */ 1800 if (s->s3->hs.tls13.cookie != NULL || 1801 s->s3->hs.tls13.cookie_len != 0) { 1802 *alert = SSL_AD_ILLEGAL_PARAMETER; 1803 return 0; 1804 } 1805 1806 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1807 goto err; 1808 1809 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie, 1810 &s->s3->hs.tls13.cookie_len)) 1811 goto err; 1812 1813 return 1; 1814 1815 err: 1816 *alert = SSL_AD_DECODE_ERROR; 1817 return 0; 1818 } 1819 1820 /* 1821 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9. 1822 */ 1823 1824 int 1825 tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type) 1826 { 1827 return (s->s3->hs.tls13.use_psk_dhe_ke && 1828 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1829 } 1830 1831 int 1832 tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1833 { 1834 CBB ke_modes; 1835 1836 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes)) 1837 return 0; 1838 1839 /* Only indicate support for PSK with DHE key establishment. */ 1840 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE)) 1841 return 0; 1842 1843 if (!CBB_flush(cbb)) 1844 return 0; 1845 1846 return 1; 1847 } 1848 1849 int 1850 tlsext_psk_kex_modes_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1851 int *alert) 1852 { 1853 CBS ke_modes; 1854 uint8_t ke_mode; 1855 1856 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes)) 1857 return 0; 1858 1859 while (CBS_len(&ke_modes) > 0) { 1860 if (!CBS_get_u8(&ke_modes, &ke_mode)) 1861 return 0; 1862 1863 if (ke_mode == TLS13_PSK_DHE_KE) 1864 s->s3->hs.tls13.use_psk_dhe_ke = 1; 1865 } 1866 1867 return 1; 1868 } 1869 1870 int 1871 tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type) 1872 { 1873 /* Servers MUST NOT send this extension. */ 1874 return 0; 1875 } 1876 1877 int 1878 tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1879 { 1880 return 0; 1881 } 1882 1883 int 1884 tlsext_psk_kex_modes_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1885 int *alert) 1886 { 1887 return 0; 1888 } 1889 1890 /* 1891 * Pre-Shared Key Extension - RFC 8446, 4.2.11 1892 */ 1893 1894 int 1895 tlsext_psk_client_needs(SSL *s, uint16_t msg_type) 1896 { 1897 return 0; 1898 } 1899 1900 int 1901 tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1902 { 1903 return 0; 1904 } 1905 1906 int 1907 tlsext_psk_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1908 { 1909 return CBS_skip(cbs, CBS_len(cbs)); 1910 } 1911 1912 int 1913 tlsext_psk_server_needs(SSL *s, uint16_t msg_type) 1914 { 1915 return 0; 1916 } 1917 1918 int 1919 tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1920 { 1921 return 0; 1922 } 1923 1924 int 1925 tlsext_psk_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1926 { 1927 return CBS_skip(cbs, CBS_len(cbs)); 1928 } 1929 1930 /* 1931 * QUIC transport parameters extension - RFC 9001 section 8.2. 1932 */ 1933 1934 int 1935 tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type) 1936 { 1937 return SSL_is_quic(s) && s->internal->quic_transport_params_len > 0; 1938 } 1939 1940 int 1941 tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type, 1942 CBB *cbb) 1943 { 1944 if (!CBB_add_bytes(cbb, s->internal->quic_transport_params, 1945 s->internal->quic_transport_params_len)) 1946 return 0; 1947 1948 return 1; 1949 } 1950 1951 int 1952 tlsext_quic_transport_parameters_client_parse(SSL *s, uint16_t msg_type, 1953 CBS *cbs, int *alert) 1954 { 1955 if (!SSL_is_quic(s)) { 1956 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1957 return 0; 1958 } 1959 1960 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 1961 &s->s3->peer_quic_transport_params_len)) 1962 return 0; 1963 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 1964 return 0; 1965 1966 return 1; 1967 } 1968 1969 int 1970 tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type) 1971 { 1972 return SSL_is_quic(s) && s->internal->quic_transport_params_len > 0; 1973 } 1974 1975 int 1976 tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type, 1977 CBB *cbb) 1978 { 1979 if (!CBB_add_bytes(cbb, s->internal->quic_transport_params, 1980 s->internal->quic_transport_params_len)) 1981 return 0; 1982 1983 return 1; 1984 } 1985 1986 int 1987 tlsext_quic_transport_parameters_server_parse(SSL *s, uint16_t msg_type, 1988 CBS *cbs, int *alert) 1989 { 1990 if (!SSL_is_quic(s)) { 1991 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1992 return 0; 1993 } 1994 1995 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 1996 &s->s3->peer_quic_transport_params_len)) 1997 return 0; 1998 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 1999 return 0; 2000 2001 return 1; 2002 } 2003 2004 struct tls_extension_funcs { 2005 int (*needs)(SSL *s, uint16_t msg_type); 2006 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 2007 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 2008 }; 2009 2010 struct tls_extension { 2011 uint16_t type; 2012 uint16_t messages; 2013 struct tls_extension_funcs client; 2014 struct tls_extension_funcs server; 2015 }; 2016 2017 static const struct tls_extension tls_extensions[] = { 2018 { 2019 .type = TLSEXT_TYPE_supported_versions, 2020 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2021 SSL_TLSEXT_MSG_HRR, 2022 .client = { 2023 .needs = tlsext_versions_client_needs, 2024 .build = tlsext_versions_client_build, 2025 .parse = tlsext_versions_client_parse, 2026 }, 2027 .server = { 2028 .needs = tlsext_versions_server_needs, 2029 .build = tlsext_versions_server_build, 2030 .parse = tlsext_versions_server_parse, 2031 }, 2032 }, 2033 { 2034 .type = TLSEXT_TYPE_key_share, 2035 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2036 SSL_TLSEXT_MSG_HRR, 2037 .client = { 2038 .needs = tlsext_keyshare_client_needs, 2039 .build = tlsext_keyshare_client_build, 2040 .parse = tlsext_keyshare_client_parse, 2041 }, 2042 .server = { 2043 .needs = tlsext_keyshare_server_needs, 2044 .build = tlsext_keyshare_server_build, 2045 .parse = tlsext_keyshare_server_parse, 2046 }, 2047 }, 2048 { 2049 .type = TLSEXT_TYPE_server_name, 2050 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2051 .client = { 2052 .needs = tlsext_sni_client_needs, 2053 .build = tlsext_sni_client_build, 2054 .parse = tlsext_sni_client_parse, 2055 }, 2056 .server = { 2057 .needs = tlsext_sni_server_needs, 2058 .build = tlsext_sni_server_build, 2059 .parse = tlsext_sni_server_parse, 2060 }, 2061 }, 2062 { 2063 .type = TLSEXT_TYPE_renegotiate, 2064 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2065 .client = { 2066 .needs = tlsext_ri_client_needs, 2067 .build = tlsext_ri_client_build, 2068 .parse = tlsext_ri_client_parse, 2069 }, 2070 .server = { 2071 .needs = tlsext_ri_server_needs, 2072 .build = tlsext_ri_server_build, 2073 .parse = tlsext_ri_server_parse, 2074 }, 2075 }, 2076 { 2077 .type = TLSEXT_TYPE_status_request, 2078 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 2079 SSL_TLSEXT_MSG_CT, 2080 .client = { 2081 .needs = tlsext_ocsp_client_needs, 2082 .build = tlsext_ocsp_client_build, 2083 .parse = tlsext_ocsp_client_parse, 2084 }, 2085 .server = { 2086 .needs = tlsext_ocsp_server_needs, 2087 .build = tlsext_ocsp_server_build, 2088 .parse = tlsext_ocsp_server_parse, 2089 }, 2090 }, 2091 { 2092 .type = TLSEXT_TYPE_ec_point_formats, 2093 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2094 .client = { 2095 .needs = tlsext_ecpf_client_needs, 2096 .build = tlsext_ecpf_client_build, 2097 .parse = tlsext_ecpf_client_parse, 2098 }, 2099 .server = { 2100 .needs = tlsext_ecpf_server_needs, 2101 .build = tlsext_ecpf_server_build, 2102 .parse = tlsext_ecpf_server_parse, 2103 }, 2104 }, 2105 { 2106 .type = TLSEXT_TYPE_supported_groups, 2107 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2108 .client = { 2109 .needs = tlsext_supportedgroups_client_needs, 2110 .build = tlsext_supportedgroups_client_build, 2111 .parse = tlsext_supportedgroups_client_parse, 2112 }, 2113 .server = { 2114 .needs = tlsext_supportedgroups_server_needs, 2115 .build = tlsext_supportedgroups_server_build, 2116 .parse = tlsext_supportedgroups_server_parse, 2117 }, 2118 }, 2119 { 2120 .type = TLSEXT_TYPE_session_ticket, 2121 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2122 .client = { 2123 .needs = tlsext_sessionticket_client_needs, 2124 .build = tlsext_sessionticket_client_build, 2125 .parse = tlsext_sessionticket_client_parse, 2126 }, 2127 .server = { 2128 .needs = tlsext_sessionticket_server_needs, 2129 .build = tlsext_sessionticket_server_build, 2130 .parse = tlsext_sessionticket_server_parse, 2131 }, 2132 }, 2133 { 2134 .type = TLSEXT_TYPE_signature_algorithms, 2135 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 2136 .client = { 2137 .needs = tlsext_sigalgs_client_needs, 2138 .build = tlsext_sigalgs_client_build, 2139 .parse = tlsext_sigalgs_client_parse, 2140 }, 2141 .server = { 2142 .needs = tlsext_sigalgs_server_needs, 2143 .build = tlsext_sigalgs_server_build, 2144 .parse = tlsext_sigalgs_server_parse, 2145 }, 2146 }, 2147 { 2148 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 2149 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2150 .client = { 2151 .needs = tlsext_alpn_client_needs, 2152 .build = tlsext_alpn_client_build, 2153 .parse = tlsext_alpn_client_parse, 2154 }, 2155 .server = { 2156 .needs = tlsext_alpn_server_needs, 2157 .build = tlsext_alpn_server_build, 2158 .parse = tlsext_alpn_server_parse, 2159 }, 2160 }, 2161 { 2162 .type = TLSEXT_TYPE_cookie, 2163 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 2164 .client = { 2165 .needs = tlsext_cookie_client_needs, 2166 .build = tlsext_cookie_client_build, 2167 .parse = tlsext_cookie_client_parse, 2168 }, 2169 .server = { 2170 .needs = tlsext_cookie_server_needs, 2171 .build = tlsext_cookie_server_build, 2172 .parse = tlsext_cookie_server_parse, 2173 }, 2174 }, 2175 #ifndef OPENSSL_NO_SRTP 2176 { 2177 .type = TLSEXT_TYPE_use_srtp, 2178 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 2179 SSL_TLSEXT_MSG_EE, 2180 .client = { 2181 .needs = tlsext_srtp_client_needs, 2182 .build = tlsext_srtp_client_build, 2183 .parse = tlsext_srtp_client_parse, 2184 }, 2185 .server = { 2186 .needs = tlsext_srtp_server_needs, 2187 .build = tlsext_srtp_server_build, 2188 .parse = tlsext_srtp_server_parse, 2189 }, 2190 }, 2191 #endif /* OPENSSL_NO_SRTP */ 2192 { 2193 .type = TLSEXT_TYPE_quic_transport_parameters, 2194 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2195 .client = { 2196 .needs = tlsext_quic_transport_parameters_client_needs, 2197 .build = tlsext_quic_transport_parameters_client_build, 2198 .parse = tlsext_quic_transport_parameters_client_parse, 2199 }, 2200 .server = { 2201 .needs = tlsext_quic_transport_parameters_server_needs, 2202 .build = tlsext_quic_transport_parameters_server_build, 2203 .parse = tlsext_quic_transport_parameters_server_parse, 2204 }, 2205 }, 2206 { 2207 .type = TLSEXT_TYPE_psk_key_exchange_modes, 2208 .messages = SSL_TLSEXT_MSG_CH, 2209 .client = { 2210 .needs = tlsext_psk_kex_modes_client_needs, 2211 .build = tlsext_psk_kex_modes_client_build, 2212 .parse = tlsext_psk_kex_modes_client_parse, 2213 }, 2214 .server = { 2215 .needs = tlsext_psk_kex_modes_server_needs, 2216 .build = tlsext_psk_kex_modes_server_build, 2217 .parse = tlsext_psk_kex_modes_server_parse, 2218 }, 2219 }, 2220 { 2221 /* MUST be last extension in CH per RFC 8446 section 4.2. */ 2222 2223 .type = TLSEXT_TYPE_pre_shared_key, 2224 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2225 .client = { 2226 .needs = tlsext_psk_client_needs, 2227 .build = tlsext_psk_client_build, 2228 .parse = tlsext_psk_client_parse, 2229 }, 2230 .server = { 2231 .needs = tlsext_psk_server_needs, 2232 .build = tlsext_psk_server_build, 2233 .parse = tlsext_psk_server_parse, 2234 }, 2235 }, 2236 }; 2237 2238 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 2239 2240 /* Ensure that extensions fit in a uint32_t bitmask. */ 2241 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2242 2243 const struct tls_extension * 2244 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2245 { 2246 size_t i; 2247 2248 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2249 if (tls_extensions[i].type == type) { 2250 *tls_extensions_idx = i; 2251 return &tls_extensions[i]; 2252 } 2253 } 2254 2255 return NULL; 2256 } 2257 2258 int 2259 tlsext_extension_seen(SSL *s, uint16_t type) 2260 { 2261 size_t idx; 2262 2263 if (tls_extension_find(type, &idx) == NULL) 2264 return 0; 2265 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0); 2266 } 2267 2268 static const struct tls_extension_funcs * 2269 tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2270 { 2271 if (is_server) 2272 return &tlsext->server; 2273 2274 return &tlsext->client; 2275 } 2276 2277 static int 2278 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2279 { 2280 const struct tls_extension_funcs *ext; 2281 const struct tls_extension *tlsext; 2282 CBB extensions, extension_data; 2283 int extensions_present = 0; 2284 uint16_t tls_version; 2285 size_t i; 2286 2287 tls_version = ssl_effective_tls_version(s); 2288 2289 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2290 return 0; 2291 2292 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2293 tlsext = &tls_extensions[i]; 2294 ext = tlsext_funcs(tlsext, is_server); 2295 2296 /* RFC 8446 Section 4.2 */ 2297 if (tls_version >= TLS1_3_VERSION && 2298 !(tlsext->messages & msg_type)) 2299 continue; 2300 2301 if (!ext->needs(s, msg_type)) 2302 continue; 2303 2304 if (!CBB_add_u16(&extensions, tlsext->type)) 2305 return 0; 2306 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2307 return 0; 2308 2309 if (!ext->build(s, msg_type, &extension_data)) 2310 return 0; 2311 2312 extensions_present = 1; 2313 } 2314 2315 if (!extensions_present && 2316 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2317 CBB_discard_child(cbb); 2318 2319 if (!CBB_flush(cbb)) 2320 return 0; 2321 2322 return 1; 2323 } 2324 2325 int 2326 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2327 { 2328 /* 2329 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2330 * cookie may be added, padding may be removed. 2331 */ 2332 struct tls13_ctx *ctx = s->internal->tls13; 2333 2334 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2335 type == TLSEXT_TYPE_padding) 2336 return 1; 2337 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2338 sizeof(type))) 2339 return 0; 2340 /* 2341 * key_share data may be changed, and pre_shared_key data may 2342 * be changed 2343 */ 2344 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2345 return 1; 2346 if (!tls13_clienthello_hash_update(ctx, cbs)) 2347 return 0; 2348 2349 return 1; 2350 } 2351 2352 static int 2353 tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2354 { 2355 const struct tls_extension_funcs *ext; 2356 const struct tls_extension *tlsext; 2357 CBS extensions, extension_data; 2358 uint16_t type; 2359 size_t idx; 2360 uint16_t tls_version; 2361 int alert_desc; 2362 2363 tls_version = ssl_effective_tls_version(s); 2364 2365 s->s3->hs.extensions_seen = 0; 2366 2367 /* An empty extensions block is valid. */ 2368 if (CBS_len(cbs) == 0) 2369 return 1; 2370 2371 alert_desc = SSL_AD_DECODE_ERROR; 2372 2373 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2374 goto err; 2375 2376 while (CBS_len(&extensions) > 0) { 2377 if (!CBS_get_u16(&extensions, &type)) 2378 goto err; 2379 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2380 goto err; 2381 2382 if (s->internal->tlsext_debug_cb != NULL) 2383 s->internal->tlsext_debug_cb(s, !is_server, type, 2384 (unsigned char *)CBS_data(&extension_data), 2385 CBS_len(&extension_data), 2386 s->internal->tlsext_debug_arg); 2387 2388 /* Unknown extensions are ignored. */ 2389 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2390 continue; 2391 2392 if (tls_version >= TLS1_3_VERSION && is_server && 2393 msg_type == SSL_TLSEXT_MSG_CH) { 2394 if (!tlsext_clienthello_hash_extension(s, type, 2395 &extension_data)) 2396 goto err; 2397 } 2398 2399 /* RFC 8446 Section 4.2 */ 2400 if (tls_version >= TLS1_3_VERSION && 2401 !(tlsext->messages & msg_type)) { 2402 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2403 goto err; 2404 } 2405 2406 /* Check for duplicate known extensions. */ 2407 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0) 2408 goto err; 2409 s->s3->hs.extensions_seen |= (1 << idx); 2410 2411 ext = tlsext_funcs(tlsext, is_server); 2412 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2413 goto err; 2414 2415 if (CBS_len(&extension_data) != 0) 2416 goto err; 2417 } 2418 2419 return 1; 2420 2421 err: 2422 *alert = alert_desc; 2423 2424 return 0; 2425 } 2426 2427 static void 2428 tlsext_server_reset_state(SSL *s) 2429 { 2430 s->tlsext_status_type = -1; 2431 s->s3->renegotiate_seen = 0; 2432 free(s->s3->alpn_selected); 2433 s->s3->alpn_selected = NULL; 2434 s->s3->alpn_selected_len = 0; 2435 s->internal->srtp_profile = NULL; 2436 } 2437 2438 int 2439 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2440 { 2441 return tlsext_build(s, 1, msg_type, cbb); 2442 } 2443 2444 int 2445 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2446 { 2447 /* XXX - this should be done by the caller... */ 2448 if (msg_type == SSL_TLSEXT_MSG_CH) 2449 tlsext_server_reset_state(s); 2450 2451 return tlsext_parse(s, 1, msg_type, cbs, alert); 2452 } 2453 2454 static void 2455 tlsext_client_reset_state(SSL *s) 2456 { 2457 s->s3->renegotiate_seen = 0; 2458 free(s->s3->alpn_selected); 2459 s->s3->alpn_selected = NULL; 2460 s->s3->alpn_selected_len = 0; 2461 } 2462 2463 int 2464 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2465 { 2466 return tlsext_build(s, 0, msg_type, cbb); 2467 } 2468 2469 int 2470 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2471 { 2472 /* XXX - this should be done by the caller... */ 2473 if (msg_type == SSL_TLSEXT_MSG_SH) 2474 tlsext_client_reset_state(s); 2475 2476 return tlsext_parse(s, 0, msg_type, cbs, alert); 2477 } 2478