1 /* $OpenBSD: ssl_tlsext.c,v 1.99 2021/09/10 09:25:29 tb Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <ctype.h> 21 22 #include <openssl/ocsp.h> 23 #include <openssl/opensslconf.h> 24 25 #include "bytestring.h" 26 #include "ssl_locl.h" 27 #include "ssl_sigalgs.h" 28 #include "ssl_tlsext.h" 29 30 /* 31 * Supported Application-Layer Protocol Negotiation - RFC 7301 32 */ 33 34 int 35 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 36 { 37 /* ALPN protos have been specified and this is the initial handshake */ 38 return s->internal->alpn_client_proto_list != NULL && 39 S3I(s)->hs.finished_len == 0; 40 } 41 42 int 43 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 44 { 45 CBB protolist; 46 47 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 48 return 0; 49 50 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 51 s->internal->alpn_client_proto_list_len)) 52 return 0; 53 54 if (!CBB_flush(cbb)) 55 return 0; 56 57 return 1; 58 } 59 60 int 61 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 62 { 63 CBS proto_name_list, alpn; 64 const unsigned char *selected; 65 unsigned char selected_len; 66 int r; 67 68 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 69 goto err; 70 if (CBS_len(&alpn) < 2) 71 goto err; 72 if (CBS_len(cbs) != 0) 73 goto err; 74 75 CBS_dup(&alpn, &proto_name_list); 76 while (CBS_len(&proto_name_list) > 0) { 77 CBS proto_name; 78 79 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 80 goto err; 81 if (CBS_len(&proto_name) == 0) 82 goto err; 83 } 84 85 if (s->ctx->internal->alpn_select_cb == NULL) 86 return 1; 87 88 /* 89 * XXX - A few things should be considered here: 90 * 1. Ensure that the same protocol is selected on session resumption. 91 * 2. Should the callback be called even if no ALPN extension was sent? 92 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 93 */ 94 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 95 CBS_data(&alpn), CBS_len(&alpn), 96 s->ctx->internal->alpn_select_cb_arg); 97 98 if (r == SSL_TLSEXT_ERR_OK) { 99 free(S3I(s)->alpn_selected); 100 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 101 S3I(s)->alpn_selected_len = 0; 102 *alert = SSL_AD_INTERNAL_ERROR; 103 return 0; 104 } 105 memcpy(S3I(s)->alpn_selected, selected, selected_len); 106 S3I(s)->alpn_selected_len = selected_len; 107 108 return 1; 109 } 110 111 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 112 if (r == SSL_TLSEXT_ERR_NOACK) 113 return 1; 114 115 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 116 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 117 118 return 0; 119 120 err: 121 *alert = SSL_AD_DECODE_ERROR; 122 return 0; 123 } 124 125 int 126 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 127 { 128 return S3I(s)->alpn_selected != NULL; 129 } 130 131 int 132 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 133 { 134 CBB list, selected; 135 136 if (!CBB_add_u16_length_prefixed(cbb, &list)) 137 return 0; 138 139 if (!CBB_add_u8_length_prefixed(&list, &selected)) 140 return 0; 141 142 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 143 S3I(s)->alpn_selected_len)) 144 return 0; 145 146 if (!CBB_flush(cbb)) 147 return 0; 148 149 return 1; 150 } 151 152 int 153 tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 154 { 155 CBS list, proto; 156 157 if (s->internal->alpn_client_proto_list == NULL) { 158 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 159 return 0; 160 } 161 162 if (!CBS_get_u16_length_prefixed(cbs, &list)) 163 goto err; 164 if (CBS_len(cbs) != 0) 165 goto err; 166 167 if (!CBS_get_u8_length_prefixed(&list, &proto)) 168 goto err; 169 170 if (CBS_len(&list) != 0) 171 goto err; 172 if (CBS_len(&proto) == 0) 173 goto err; 174 175 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 176 &(S3I(s)->alpn_selected_len))) 177 goto err; 178 179 return 1; 180 181 err: 182 *alert = SSL_AD_DECODE_ERROR; 183 return 0; 184 } 185 186 /* 187 * Supported Groups - RFC 7919 section 2 188 */ 189 int 190 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 191 { 192 return ssl_has_ecc_ciphers(s) || 193 (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); 194 } 195 196 int 197 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 198 { 199 const uint16_t *groups; 200 size_t groups_len; 201 CBB grouplist; 202 int i; 203 204 tls1_get_group_list(s, 0, &groups, &groups_len); 205 if (groups_len == 0) { 206 SSLerror(s, ERR_R_INTERNAL_ERROR); 207 return 0; 208 } 209 210 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 211 return 0; 212 213 for (i = 0; i < groups_len; i++) { 214 if (!CBB_add_u16(&grouplist, groups[i])) 215 return 0; 216 } 217 218 if (!CBB_flush(cbb)) 219 return 0; 220 221 return 1; 222 } 223 224 int 225 tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 226 int *alert) 227 { 228 CBS grouplist; 229 size_t groups_len; 230 231 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 232 goto err; 233 if (CBS_len(cbs) != 0) 234 goto err; 235 236 groups_len = CBS_len(&grouplist); 237 if (groups_len == 0 || groups_len % 2 != 0) 238 goto err; 239 groups_len /= 2; 240 241 if (!s->internal->hit) { 242 uint16_t *groups; 243 int i; 244 245 if (S3I(s)->hs.tls13.hrr) { 246 if (SSI(s)->tlsext_supportedgroups == NULL) { 247 *alert = SSL_AD_HANDSHAKE_FAILURE; 248 return 0; 249 } 250 /* 251 * In the case of TLSv1.3 the client cannot change 252 * the supported groups. 253 */ 254 if (groups_len != SSI(s)->tlsext_supportedgroups_length) { 255 *alert = SSL_AD_ILLEGAL_PARAMETER; 256 return 0; 257 } 258 for (i = 0; i < groups_len; i++) { 259 uint16_t group; 260 261 if (!CBS_get_u16(&grouplist, &group)) 262 goto err; 263 if (SSI(s)->tlsext_supportedgroups[i] != group) { 264 *alert = SSL_AD_ILLEGAL_PARAMETER; 265 return 0; 266 } 267 } 268 269 return 1; 270 } 271 272 if (SSI(s)->tlsext_supportedgroups != NULL) 273 goto err; 274 275 if ((groups = reallocarray(NULL, groups_len, 276 sizeof(uint16_t))) == NULL) { 277 *alert = SSL_AD_INTERNAL_ERROR; 278 return 0; 279 } 280 281 for (i = 0; i < groups_len; i++) { 282 if (!CBS_get_u16(&grouplist, &groups[i])) { 283 free(groups); 284 goto err; 285 } 286 } 287 288 if (CBS_len(&grouplist) != 0) { 289 free(groups); 290 goto err; 291 } 292 293 SSI(s)->tlsext_supportedgroups = groups; 294 SSI(s)->tlsext_supportedgroups_length = groups_len; 295 } 296 297 return 1; 298 299 err: 300 *alert = SSL_AD_DECODE_ERROR; 301 return 0; 302 } 303 304 /* This extension is never used by the server. */ 305 int 306 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 307 { 308 return 0; 309 } 310 311 int 312 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 313 { 314 return 0; 315 } 316 317 int 318 tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 319 int *alert) 320 { 321 /* 322 * Servers should not send this extension per the RFC. 323 * 324 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 325 * from at least 2014 but as of 2017, there are still large sites with 326 * this unpatched in production. As a result, we need to currently skip 327 * over the extension and ignore its content: 328 * 329 * https://support.f5.com/csp/article/K37345003 330 */ 331 if (!CBS_skip(cbs, CBS_len(cbs))) { 332 *alert = SSL_AD_INTERNAL_ERROR; 333 return 0; 334 } 335 336 return 1; 337 } 338 339 /* 340 * Supported Point Formats Extension - RFC 4492 section 5.1.2 341 */ 342 static int 343 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 344 { 345 CBB ecpf; 346 size_t formats_len; 347 const uint8_t *formats; 348 349 tls1_get_formatlist(s, 0, &formats, &formats_len); 350 351 if (formats_len == 0) { 352 SSLerror(s, ERR_R_INTERNAL_ERROR); 353 return 0; 354 } 355 356 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 357 return 0; 358 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 359 return 0; 360 if (!CBB_flush(cbb)) 361 return 0; 362 363 return 1; 364 } 365 366 static int 367 tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 368 { 369 CBS ecpf; 370 371 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 372 return 0; 373 if (CBS_len(&ecpf) == 0) 374 return 0; 375 if (CBS_len(cbs) != 0) 376 return 0; 377 378 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 379 if (!CBS_contains_zero_byte(&ecpf)) { 380 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 381 *alert = SSL_AD_ILLEGAL_PARAMETER; 382 return 0; 383 } 384 385 if (!s->internal->hit) { 386 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 387 &(SSI(s)->tlsext_ecpointformatlist_length))) { 388 *alert = SSL_AD_INTERNAL_ERROR; 389 return 0; 390 } 391 } 392 393 return 1; 394 } 395 396 int 397 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 398 { 399 return ssl_has_ecc_ciphers(s); 400 } 401 402 int 403 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 404 { 405 return tlsext_ecpf_build(s, msg_type, cbb); 406 } 407 408 int 409 tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 410 { 411 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 412 } 413 414 int 415 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 416 { 417 return ssl_using_ecc_cipher(s); 418 } 419 420 int 421 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 422 { 423 return tlsext_ecpf_build(s, msg_type, cbb); 424 } 425 426 int 427 tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 428 { 429 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 430 } 431 432 /* 433 * Renegotiation Indication - RFC 5746. 434 */ 435 int 436 tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 437 { 438 return (s->internal->renegotiate); 439 } 440 441 int 442 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 443 { 444 CBB reneg; 445 446 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 447 return 0; 448 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 449 S3I(s)->previous_client_finished_len)) 450 return 0; 451 if (!CBB_flush(cbb)) 452 return 0; 453 454 return 1; 455 } 456 457 int 458 tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 459 { 460 CBS reneg; 461 462 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 463 goto err; 464 if (CBS_len(cbs) != 0) 465 goto err; 466 467 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 468 S3I(s)->previous_client_finished_len)) { 469 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 470 *alert = SSL_AD_HANDSHAKE_FAILURE; 471 return 0; 472 } 473 474 S3I(s)->renegotiate_seen = 1; 475 S3I(s)->send_connection_binding = 1; 476 477 return 1; 478 479 err: 480 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 481 *alert = SSL_AD_DECODE_ERROR; 482 return 0; 483 } 484 485 int 486 tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 487 { 488 return (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION && 489 S3I(s)->send_connection_binding); 490 } 491 492 int 493 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 494 { 495 CBB reneg; 496 497 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 498 return 0; 499 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 500 S3I(s)->previous_client_finished_len)) 501 return 0; 502 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 503 S3I(s)->previous_server_finished_len)) 504 return 0; 505 if (!CBB_flush(cbb)) 506 return 0; 507 508 return 1; 509 } 510 511 int 512 tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 513 { 514 CBS reneg, prev_client, prev_server; 515 516 /* 517 * Ensure that the previous client and server values are both not 518 * present, or that they are both present. 519 */ 520 if ((S3I(s)->previous_client_finished_len == 0 && 521 S3I(s)->previous_server_finished_len != 0) || 522 (S3I(s)->previous_client_finished_len != 0 && 523 S3I(s)->previous_server_finished_len == 0)) { 524 *alert = SSL_AD_INTERNAL_ERROR; 525 return 0; 526 } 527 528 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 529 goto err; 530 if (!CBS_get_bytes(&reneg, &prev_client, 531 S3I(s)->previous_client_finished_len)) 532 goto err; 533 if (!CBS_get_bytes(&reneg, &prev_server, 534 S3I(s)->previous_server_finished_len)) 535 goto err; 536 if (CBS_len(&reneg) != 0) 537 goto err; 538 if (CBS_len(cbs) != 0) 539 goto err; 540 541 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 542 S3I(s)->previous_client_finished_len)) { 543 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 544 *alert = SSL_AD_HANDSHAKE_FAILURE; 545 return 0; 546 } 547 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 548 S3I(s)->previous_server_finished_len)) { 549 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 550 *alert = SSL_AD_HANDSHAKE_FAILURE; 551 return 0; 552 } 553 554 S3I(s)->renegotiate_seen = 1; 555 S3I(s)->send_connection_binding = 1; 556 557 return 1; 558 559 err: 560 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 561 *alert = SSL_AD_DECODE_ERROR; 562 return 0; 563 } 564 565 /* 566 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 567 */ 568 int 569 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 570 { 571 return (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION); 572 } 573 574 int 575 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 576 { 577 uint16_t tls_version = S3I(s)->hs.negotiated_tls_version; 578 CBB sigalgs; 579 580 if (msg_type == SSL_TLSEXT_MSG_CH) 581 tls_version = S3I(s)->hs.our_min_tls_version; 582 583 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 584 return 0; 585 if (!ssl_sigalgs_build(tls_version, &sigalgs)) 586 return 0; 587 if (!CBB_flush(cbb)) 588 return 0; 589 590 return 1; 591 } 592 593 int 594 tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 595 { 596 CBS sigalgs; 597 598 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 599 return 0; 600 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 601 return 0; 602 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 603 return 0; 604 605 return 1; 606 } 607 608 int 609 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 610 { 611 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); 612 } 613 614 int 615 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 616 { 617 CBB sigalgs; 618 619 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 620 return 0; 621 if (!ssl_sigalgs_build(S3I(s)->hs.negotiated_tls_version, &sigalgs)) 622 return 0; 623 if (!CBB_flush(cbb)) 624 return 0; 625 626 return 1; 627 } 628 629 int 630 tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 631 { 632 CBS sigalgs; 633 634 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 635 return 0; 636 637 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 638 return 0; 639 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 640 return 0; 641 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 642 return 0; 643 644 return 1; 645 } 646 647 /* 648 * Server Name Indication - RFC 6066, section 3. 649 */ 650 int 651 tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 652 { 653 return (s->tlsext_hostname != NULL); 654 } 655 656 int 657 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 658 { 659 CBB server_name_list, host_name; 660 661 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 662 return 0; 663 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 664 return 0; 665 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 666 return 0; 667 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 668 strlen(s->tlsext_hostname))) 669 return 0; 670 if (!CBB_flush(cbb)) 671 return 0; 672 673 return 1; 674 } 675 676 /* 677 * Validate that the CBS contains only a hostname consisting of RFC 5890 678 * compliant A-labels (see RFC 6066 section 3). Not a complete check 679 * since we don't parse punycode to verify its validity but limits to 680 * correct structure and character set. 681 */ 682 int 683 tlsext_sni_is_valid_hostname(CBS *cbs) 684 { 685 uint8_t prev, c = 0; 686 int component = 0; 687 CBS hostname; 688 689 CBS_dup(cbs, &hostname); 690 691 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 692 return 0; 693 694 while(CBS_len(&hostname) > 0) { 695 prev = c; 696 if (!CBS_get_u8(&hostname, &c)) 697 return 0; 698 /* Everything has to be ASCII, with no NUL byte. */ 699 if (!isascii(c) || c == '\0') 700 return 0; 701 /* It must be alphanumeric, a '-', or a '.' */ 702 if (!isalnum(c) && c != '-' && c != '.') 703 return 0; 704 /* '-' and '.' must not start a component or be at the end. */ 705 if (component == 0 || CBS_len(&hostname) == 0) { 706 if (c == '-' || c == '.') 707 return 0; 708 } 709 if (c == '.') { 710 /* Components can not end with a dash. */ 711 if (prev == '-') 712 return 0; 713 /* Start new component */ 714 component = 0; 715 continue; 716 } 717 /* Components must be 63 chars or less. */ 718 if (++component > 63) 719 return 0; 720 } 721 722 return 1; 723 } 724 725 int 726 tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 727 { 728 CBS server_name_list, host_name; 729 uint8_t name_type; 730 731 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 732 goto err; 733 734 if (!CBS_get_u8(&server_name_list, &name_type)) 735 goto err; 736 /* 737 * RFC 6066 section 3, only one type (host_name) is specified. 738 * We do not tolerate unknown types, neither does BoringSSL. 739 * other implementations appear more tolerant. 740 */ 741 if (name_type != TLSEXT_NAMETYPE_host_name) { 742 *alert = SSL_AD_ILLEGAL_PARAMETER; 743 goto err; 744 } 745 746 747 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 748 goto err; 749 /* 750 * RFC 6066 section 3 specifies a host name must be at least 1 byte 751 * so 0 length is a decode error. 752 */ 753 if (CBS_len(&host_name) < 1) 754 goto err; 755 756 if (!tlsext_sni_is_valid_hostname(&host_name)) { 757 *alert = SSL_AD_ILLEGAL_PARAMETER; 758 goto err; 759 } 760 761 if (s->internal->hit || S3I(s)->hs.tls13.hrr) { 762 if (s->session->tlsext_hostname == NULL) { 763 *alert = SSL_AD_UNRECOGNIZED_NAME; 764 goto err; 765 } 766 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 767 strlen(s->session->tlsext_hostname))) { 768 *alert = SSL_AD_UNRECOGNIZED_NAME; 769 goto err; 770 } 771 } else { 772 if (s->session->tlsext_hostname != NULL) 773 goto err; 774 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 775 *alert = SSL_AD_INTERNAL_ERROR; 776 goto err; 777 } 778 } 779 780 /* 781 * RFC 6066 section 3 forbids multiple host names with the same type, 782 * therefore we allow only one entry. 783 */ 784 if (CBS_len(&server_name_list) != 0) { 785 *alert = SSL_AD_ILLEGAL_PARAMETER; 786 goto err; 787 } 788 if (CBS_len(cbs) != 0) 789 goto err; 790 791 return 1; 792 793 err: 794 return 0; 795 } 796 797 int 798 tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 799 { 800 if (s->internal->hit) 801 return 0; 802 803 return (s->session->tlsext_hostname != NULL); 804 } 805 806 int 807 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 808 { 809 return 1; 810 } 811 812 int 813 tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 814 { 815 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 816 *alert = SSL_AD_UNRECOGNIZED_NAME; 817 return 0; 818 } 819 820 if (s->internal->hit) { 821 if (s->session->tlsext_hostname == NULL) { 822 *alert = SSL_AD_UNRECOGNIZED_NAME; 823 return 0; 824 } 825 if (strcmp(s->tlsext_hostname, 826 s->session->tlsext_hostname) != 0) { 827 *alert = SSL_AD_UNRECOGNIZED_NAME; 828 return 0; 829 } 830 } else { 831 if (s->session->tlsext_hostname != NULL) { 832 *alert = SSL_AD_DECODE_ERROR; 833 return 0; 834 } 835 if ((s->session->tlsext_hostname = 836 strdup(s->tlsext_hostname)) == NULL) { 837 *alert = SSL_AD_INTERNAL_ERROR; 838 return 0; 839 } 840 } 841 842 return 1; 843 } 844 845 846 /* 847 * Certificate Status Request - RFC 6066 section 8. 848 */ 849 850 int 851 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 852 { 853 if (msg_type != SSL_TLSEXT_MSG_CH) 854 return 0; 855 856 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 857 } 858 859 int 860 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 861 { 862 CBB respid_list, respid, exts; 863 unsigned char *ext_data; 864 size_t ext_len; 865 int i; 866 867 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 868 return 0; 869 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 870 return 0; 871 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 872 unsigned char *respid_data; 873 OCSP_RESPID *id; 874 size_t id_len; 875 876 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 877 i)) == NULL) 878 return 0; 879 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 880 return 0; 881 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 882 return 0; 883 if (!CBB_add_space(&respid, &respid_data, id_len)) 884 return 0; 885 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 886 return 0; 887 } 888 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 889 return 0; 890 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 891 NULL)) == -1) 892 return 0; 893 if (!CBB_add_space(&exts, &ext_data, ext_len)) 894 return 0; 895 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 896 ext_len)) 897 return 0; 898 if (!CBB_flush(cbb)) 899 return 0; 900 return 1; 901 } 902 903 int 904 tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 905 { 906 int alert_desc = SSL_AD_DECODE_ERROR; 907 CBS respid_list, respid, exts; 908 const unsigned char *p; 909 uint8_t status_type; 910 int ret = 0; 911 912 if (msg_type != SSL_TLSEXT_MSG_CH) 913 goto err; 914 915 if (!CBS_get_u8(cbs, &status_type)) 916 goto err; 917 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 918 /* ignore unknown status types */ 919 s->tlsext_status_type = -1; 920 921 if (!CBS_skip(cbs, CBS_len(cbs))) { 922 *alert = SSL_AD_INTERNAL_ERROR; 923 return 0; 924 } 925 return 1; 926 } 927 s->tlsext_status_type = status_type; 928 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 929 goto err; 930 931 /* XXX */ 932 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 933 s->internal->tlsext_ocsp_ids = NULL; 934 if (CBS_len(&respid_list) > 0) { 935 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 936 if (s->internal->tlsext_ocsp_ids == NULL) { 937 alert_desc = SSL_AD_INTERNAL_ERROR; 938 goto err; 939 } 940 } 941 942 while (CBS_len(&respid_list) > 0) { 943 OCSP_RESPID *id; 944 945 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 946 goto err; 947 p = CBS_data(&respid); 948 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 949 goto err; 950 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 951 alert_desc = SSL_AD_INTERNAL_ERROR; 952 OCSP_RESPID_free(id); 953 goto err; 954 } 955 } 956 957 /* Read in request_extensions */ 958 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 959 goto err; 960 if (CBS_len(&exts) > 0) { 961 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 962 X509_EXTENSION_free); 963 p = CBS_data(&exts); 964 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 965 &p, CBS_len(&exts))) == NULL) 966 goto err; 967 } 968 969 /* should be nothing left */ 970 if (CBS_len(cbs) > 0) 971 goto err; 972 973 ret = 1; 974 err: 975 if (ret == 0) 976 *alert = alert_desc; 977 return ret; 978 } 979 980 int 981 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 982 { 983 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && 984 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 985 s->ctx->internal->tlsext_status_cb != NULL) { 986 s->internal->tlsext_status_expected = 0; 987 if (s->ctx->internal->tlsext_status_cb(s, 988 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 989 s->internal->tlsext_ocsp_resp_len > 0) 990 s->internal->tlsext_status_expected = 1; 991 } 992 return s->internal->tlsext_status_expected; 993 } 994 995 int 996 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 997 { 998 CBB ocsp_response; 999 1000 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1001 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1002 return 0; 1003 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1004 return 0; 1005 if (!CBB_add_bytes(&ocsp_response, 1006 s->internal->tlsext_ocsp_resp, 1007 s->internal->tlsext_ocsp_resp_len)) 1008 return 0; 1009 if (!CBB_flush(cbb)) 1010 return 0; 1011 } 1012 return 1; 1013 } 1014 1015 int 1016 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1017 { 1018 uint8_t status_type; 1019 CBS response; 1020 1021 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1022 if (msg_type == SSL_TLSEXT_MSG_CR) { 1023 /* 1024 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1025 * response with an empty status_request. 1026 */ 1027 if (CBS_len(cbs) == 0) 1028 return 1; 1029 1030 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1031 return 0; 1032 } 1033 if (!CBS_get_u8(cbs, &status_type)) { 1034 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1035 return 0; 1036 } 1037 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1038 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1039 return 0; 1040 } 1041 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1042 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1043 return 0; 1044 } 1045 if (CBS_len(&response) > 65536) { 1046 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1047 return 0; 1048 } 1049 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 1050 &s->internal->tlsext_ocsp_resp_len)) { 1051 *alert = SSL_AD_INTERNAL_ERROR; 1052 return 0; 1053 } 1054 } else { 1055 if (s->tlsext_status_type == -1) { 1056 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1057 return 0; 1058 } 1059 /* Set flag to expect CertificateStatus message */ 1060 s->internal->tlsext_status_expected = 1; 1061 } 1062 return 1; 1063 } 1064 1065 /* 1066 * SessionTicket extension - RFC 5077 section 3.2 1067 */ 1068 int 1069 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1070 { 1071 /* 1072 * Send session ticket extension when enabled and not overridden. 1073 * 1074 * When renegotiating, send an empty session ticket to indicate support. 1075 */ 1076 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1077 return 0; 1078 1079 if (s->internal->new_session) 1080 return 1; 1081 1082 if (s->internal->tlsext_session_ticket != NULL && 1083 s->internal->tlsext_session_ticket->data == NULL) 1084 return 0; 1085 1086 return 1; 1087 } 1088 1089 int 1090 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1091 { 1092 /* 1093 * Signal that we support session tickets by sending an empty 1094 * extension when renegotiating or no session found. 1095 */ 1096 if (s->internal->new_session || s->session == NULL) 1097 return 1; 1098 1099 if (s->session->tlsext_tick != NULL) { 1100 /* Attempt to resume with an existing session ticket */ 1101 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1102 s->session->tlsext_ticklen)) 1103 return 0; 1104 1105 } else if (s->internal->tlsext_session_ticket != NULL) { 1106 /* 1107 * Attempt to resume with a custom provided session ticket set 1108 * by SSL_set_session_ticket_ext(). 1109 */ 1110 if (s->internal->tlsext_session_ticket->length > 0) { 1111 size_t ticklen = s->internal->tlsext_session_ticket->length; 1112 1113 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1114 return 0; 1115 memcpy(s->session->tlsext_tick, 1116 s->internal->tlsext_session_ticket->data, 1117 ticklen); 1118 s->session->tlsext_ticklen = ticklen; 1119 1120 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1121 s->session->tlsext_ticklen)) 1122 return 0; 1123 } 1124 } 1125 1126 if (!CBB_flush(cbb)) 1127 return 0; 1128 1129 return 1; 1130 } 1131 1132 int 1133 tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1134 int *alert) 1135 { 1136 if (s->internal->tls_session_ticket_ext_cb) { 1137 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1138 (int)CBS_len(cbs), 1139 s->internal->tls_session_ticket_ext_cb_arg)) { 1140 *alert = SSL_AD_INTERNAL_ERROR; 1141 return 0; 1142 } 1143 } 1144 1145 /* We need to signal that this was processed fully */ 1146 if (!CBS_skip(cbs, CBS_len(cbs))) { 1147 *alert = SSL_AD_INTERNAL_ERROR; 1148 return 0; 1149 } 1150 1151 return 1; 1152 } 1153 1154 int 1155 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1156 { 1157 return (s->internal->tlsext_ticket_expected && 1158 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 1159 } 1160 1161 int 1162 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1163 { 1164 /* Empty ticket */ 1165 return 1; 1166 } 1167 1168 int 1169 tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1170 int *alert) 1171 { 1172 if (s->internal->tls_session_ticket_ext_cb) { 1173 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1174 (int)CBS_len(cbs), 1175 s->internal->tls_session_ticket_ext_cb_arg)) { 1176 *alert = SSL_AD_INTERNAL_ERROR; 1177 return 0; 1178 } 1179 } 1180 1181 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1182 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1183 return 0; 1184 } 1185 1186 s->internal->tlsext_ticket_expected = 1; 1187 1188 return 1; 1189 } 1190 1191 /* 1192 * DTLS extension for SRTP key establishment - RFC 5764 1193 */ 1194 1195 #ifndef OPENSSL_NO_SRTP 1196 1197 int 1198 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1199 { 1200 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1201 } 1202 1203 int 1204 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1205 { 1206 CBB profiles, mki; 1207 int ct, i; 1208 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1209 const SRTP_PROTECTION_PROFILE *prof; 1210 1211 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1212 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1213 return 0; 1214 } 1215 1216 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1217 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1218 return 0; 1219 } 1220 1221 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1222 return 0; 1223 1224 for (i = 0; i < ct; i++) { 1225 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1226 return 0; 1227 if (!CBB_add_u16(&profiles, prof->id)) 1228 return 0; 1229 } 1230 1231 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1232 return 0; 1233 1234 if (!CBB_flush(cbb)) 1235 return 0; 1236 1237 return 1; 1238 } 1239 1240 int 1241 tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1242 { 1243 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1244 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1245 int i, j; 1246 int ret; 1247 uint16_t id; 1248 CBS profiles, mki; 1249 1250 ret = 0; 1251 1252 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1253 goto err; 1254 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1255 goto err; 1256 1257 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1258 goto err; 1259 1260 while (CBS_len(&profiles) > 0) { 1261 if (!CBS_get_u16(&profiles, &id)) 1262 goto err; 1263 1264 if (!srtp_find_profile_by_num(id, &cprof)) { 1265 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1266 goto err; 1267 } 1268 } 1269 1270 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1271 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1272 *alert = SSL_AD_DECODE_ERROR; 1273 goto done; 1274 } 1275 if (CBS_len(cbs) != 0) 1276 goto err; 1277 1278 /* 1279 * Per RFC 5764 section 4.1.1 1280 * 1281 * Find the server preferred profile using the client's list. 1282 * 1283 * The server MUST send a profile if it sends the use_srtp 1284 * extension. If one is not found, it should fall back to the 1285 * negotiated DTLS cipher suite or return a DTLS alert. 1286 */ 1287 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1288 goto err; 1289 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1290 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1291 == NULL) 1292 goto err; 1293 1294 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1295 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1296 == NULL) 1297 goto err; 1298 1299 if (cprof->id == sprof->id) { 1300 s->internal->srtp_profile = sprof; 1301 ret = 1; 1302 goto done; 1303 } 1304 } 1305 } 1306 1307 /* If we didn't find anything, fall back to the negotiated */ 1308 ret = 1; 1309 goto done; 1310 1311 err: 1312 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1313 *alert = SSL_AD_DECODE_ERROR; 1314 1315 done: 1316 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1317 return ret; 1318 } 1319 1320 int 1321 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1322 { 1323 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1324 } 1325 1326 int 1327 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1328 { 1329 SRTP_PROTECTION_PROFILE *profile; 1330 CBB srtp, mki; 1331 1332 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1333 return 0; 1334 1335 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1336 return 0; 1337 1338 if (!CBB_add_u16(&srtp, profile->id)) 1339 return 0; 1340 1341 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1342 return 0; 1343 1344 if (!CBB_flush(cbb)) 1345 return 0; 1346 1347 return 1; 1348 } 1349 1350 int 1351 tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1352 { 1353 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1354 const SRTP_PROTECTION_PROFILE *prof; 1355 int i; 1356 uint16_t id; 1357 CBS profile_ids, mki; 1358 1359 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1360 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1361 goto err; 1362 } 1363 1364 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1365 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1366 goto err; 1367 } 1368 1369 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1370 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1371 *alert = SSL_AD_ILLEGAL_PARAMETER; 1372 return 0; 1373 } 1374 1375 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1376 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1377 goto err; 1378 } 1379 1380 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1381 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1382 == NULL) { 1383 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1384 goto err; 1385 } 1386 1387 if (prof->id == id) { 1388 s->internal->srtp_profile = prof; 1389 return 1; 1390 } 1391 } 1392 1393 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1394 err: 1395 *alert = SSL_AD_DECODE_ERROR; 1396 return 0; 1397 } 1398 1399 #endif /* OPENSSL_NO_SRTP */ 1400 1401 /* 1402 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1403 */ 1404 int 1405 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1406 { 1407 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); 1408 } 1409 1410 int 1411 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1412 { 1413 CBB client_shares; 1414 1415 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1416 return 0; 1417 1418 if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, 1419 &client_shares)) 1420 return 0; 1421 1422 if (!CBB_flush(cbb)) 1423 return 0; 1424 1425 return 1; 1426 } 1427 1428 int 1429 tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1430 { 1431 CBS client_shares, key_exchange; 1432 uint16_t group; 1433 1434 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1435 goto err; 1436 1437 while (CBS_len(&client_shares) > 0) { 1438 1439 /* Unpack client share. */ 1440 if (!CBS_get_u16(&client_shares, &group)) 1441 goto err; 1442 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1443 return 0; 1444 1445 /* 1446 * XXX - check key exchange against supported groups from client. 1447 * XXX - check that groups only appear once. 1448 */ 1449 1450 /* 1451 * Ignore this client share if we're using earlier than TLSv1.3 1452 * or we've already selected a key share. 1453 */ 1454 if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION) 1455 continue; 1456 if (S3I(s)->hs.tls13.key_share != NULL) 1457 continue; 1458 1459 /* XXX - consider implementing server preference. */ 1460 if (!tls1_check_curve(s, group)) 1461 continue; 1462 1463 /* Decode and store the selected key share. */ 1464 S3I(s)->hs.tls13.key_share = tls13_key_share_new(group); 1465 if (S3I(s)->hs.tls13.key_share == NULL) 1466 goto err; 1467 if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share, 1468 group, &key_exchange)) 1469 goto err; 1470 } 1471 1472 return 1; 1473 1474 err: 1475 *alert = SSL_AD_DECODE_ERROR; 1476 return 0; 1477 } 1478 1479 int 1480 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1481 { 1482 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && 1483 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1484 } 1485 1486 int 1487 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1488 { 1489 /* In the case of a HRR, we only send the server selected group. */ 1490 if (S3I(s)->hs.tls13.hrr) { 1491 if (S3I(s)->hs.tls13.server_group == 0) 1492 return 0; 1493 return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group); 1494 } 1495 1496 if (S3I(s)->hs.tls13.key_share == NULL) 1497 return 0; 1498 1499 if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, cbb)) 1500 return 0; 1501 1502 return 1; 1503 } 1504 1505 int 1506 tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1507 { 1508 CBS key_exchange; 1509 uint16_t group; 1510 1511 /* Unpack server share. */ 1512 if (!CBS_get_u16(cbs, &group)) 1513 goto err; 1514 1515 if (CBS_len(cbs) == 0) { 1516 /* HRR does not include an actual key share. */ 1517 /* XXX - we should know that we are in a HRR... */ 1518 S3I(s)->hs.tls13.server_group = group; 1519 return 1; 1520 } 1521 1522 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1523 return 0; 1524 1525 if (S3I(s)->hs.tls13.key_share == NULL) 1526 return 0; 1527 1528 if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share, 1529 group, &key_exchange)) 1530 goto err; 1531 1532 return 1; 1533 1534 err: 1535 *alert = SSL_AD_DECODE_ERROR; 1536 return 0; 1537 } 1538 1539 /* 1540 * Supported Versions - RFC 8446 section 4.2.1. 1541 */ 1542 int 1543 tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1544 { 1545 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); 1546 } 1547 1548 int 1549 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1550 { 1551 uint16_t max, min; 1552 uint16_t version; 1553 CBB versions; 1554 1555 max = S3I(s)->hs.our_max_tls_version; 1556 min = S3I(s)->hs.our_min_tls_version; 1557 1558 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1559 return 0; 1560 1561 /* XXX - fix, but contiguous for now... */ 1562 for (version = max; version >= min; version--) { 1563 if (!CBB_add_u16(&versions, version)) 1564 return 0; 1565 } 1566 1567 if (!CBB_flush(cbb)) 1568 return 0; 1569 1570 return 1; 1571 } 1572 1573 int 1574 tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1575 { 1576 CBS versions; 1577 uint16_t version; 1578 uint16_t max, min; 1579 uint16_t matched_version = 0; 1580 1581 max = S3I(s)->hs.our_max_tls_version; 1582 min = S3I(s)->hs.our_min_tls_version; 1583 1584 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1585 goto err; 1586 1587 while (CBS_len(&versions) > 0) { 1588 if (!CBS_get_u16(&versions, &version)) 1589 goto err; 1590 /* 1591 * XXX What is below implements client preference, and 1592 * ignores any server preference entirely. 1593 */ 1594 if (matched_version == 0 && version >= min && version <= max) 1595 matched_version = version; 1596 } 1597 1598 if (matched_version > 0) { 1599 /* XXX - this should be stored for later processing. */ 1600 s->version = matched_version; 1601 return 1; 1602 } 1603 1604 *alert = SSL_AD_PROTOCOL_VERSION; 1605 return 0; 1606 1607 err: 1608 *alert = SSL_AD_DECODE_ERROR; 1609 return 0; 1610 } 1611 1612 int 1613 tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1614 { 1615 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); 1616 } 1617 1618 int 1619 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1620 { 1621 return CBB_add_u16(cbb, TLS1_3_VERSION); 1622 } 1623 1624 int 1625 tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1626 { 1627 uint16_t selected_version; 1628 1629 if (!CBS_get_u16(cbs, &selected_version)) { 1630 *alert = SSL_AD_DECODE_ERROR; 1631 return 0; 1632 } 1633 1634 /* XXX - need to fix for DTLS 1.3 */ 1635 if (selected_version < TLS1_3_VERSION) { 1636 *alert = SSL_AD_ILLEGAL_PARAMETER; 1637 return 0; 1638 } 1639 1640 /* XXX test between min and max once initialization code goes in */ 1641 S3I(s)->hs.tls13.server_version = selected_version; 1642 1643 return 1; 1644 } 1645 1646 1647 /* 1648 * Cookie - RFC 8446 section 4.2.2. 1649 */ 1650 1651 int 1652 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1653 { 1654 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && 1655 S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); 1656 } 1657 1658 int 1659 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1660 { 1661 CBB cookie; 1662 1663 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1664 return 0; 1665 1666 if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, 1667 S3I(s)->hs.tls13.cookie_len)) 1668 return 0; 1669 1670 if (!CBB_flush(cbb)) 1671 return 0; 1672 1673 return 1; 1674 } 1675 1676 int 1677 tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1678 { 1679 CBS cookie; 1680 1681 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1682 goto err; 1683 1684 if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len) 1685 goto err; 1686 1687 /* 1688 * Check provided cookie value against what server previously 1689 * sent - client *MUST* send the same cookie with new CR after 1690 * a cookie is sent by the server with an HRR. 1691 */ 1692 if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie, 1693 S3I(s)->hs.tls13.cookie_len)) { 1694 /* XXX special cookie mismatch alert? */ 1695 *alert = SSL_AD_ILLEGAL_PARAMETER; 1696 return 0; 1697 } 1698 1699 return 1; 1700 1701 err: 1702 *alert = SSL_AD_DECODE_ERROR; 1703 return 0; 1704 } 1705 1706 int 1707 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1708 { 1709 /* 1710 * Server needs to set cookie value in tls13 handshake 1711 * in order to send one, should only be sent with HRR. 1712 */ 1713 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && 1714 S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); 1715 } 1716 1717 int 1718 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1719 { 1720 CBB cookie; 1721 1722 /* XXX deduplicate with client code */ 1723 1724 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1725 return 0; 1726 1727 if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, 1728 S3I(s)->hs.tls13.cookie_len)) 1729 return 0; 1730 1731 if (!CBB_flush(cbb)) 1732 return 0; 1733 1734 return 1; 1735 } 1736 1737 int 1738 tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1739 { 1740 CBS cookie; 1741 1742 /* 1743 * XXX This currently assumes we will not get a second 1744 * HRR from a server with a cookie to process after accepting 1745 * one from the server in the same handshake 1746 */ 1747 if (S3I(s)->hs.tls13.cookie != NULL || 1748 S3I(s)->hs.tls13.cookie_len != 0) { 1749 *alert = SSL_AD_ILLEGAL_PARAMETER; 1750 return 0; 1751 } 1752 1753 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1754 goto err; 1755 1756 if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie, 1757 &S3I(s)->hs.tls13.cookie_len)) 1758 goto err; 1759 1760 return 1; 1761 1762 err: 1763 *alert = SSL_AD_DECODE_ERROR; 1764 return 0; 1765 } 1766 1767 struct tls_extension_funcs { 1768 int (*needs)(SSL *s, uint16_t msg_type); 1769 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 1770 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 1771 }; 1772 1773 struct tls_extension { 1774 uint16_t type; 1775 uint16_t messages; 1776 struct tls_extension_funcs client; 1777 struct tls_extension_funcs server; 1778 }; 1779 1780 static const struct tls_extension tls_extensions[] = { 1781 { 1782 .type = TLSEXT_TYPE_supported_versions, 1783 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1784 SSL_TLSEXT_MSG_HRR, 1785 .client = { 1786 .needs = tlsext_versions_client_needs, 1787 .build = tlsext_versions_client_build, 1788 .parse = tlsext_versions_client_parse, 1789 }, 1790 .server = { 1791 .needs = tlsext_versions_server_needs, 1792 .build = tlsext_versions_server_build, 1793 .parse = tlsext_versions_server_parse, 1794 }, 1795 }, 1796 { 1797 .type = TLSEXT_TYPE_key_share, 1798 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1799 SSL_TLSEXT_MSG_HRR, 1800 .client = { 1801 .needs = tlsext_keyshare_client_needs, 1802 .build = tlsext_keyshare_client_build, 1803 .parse = tlsext_keyshare_client_parse, 1804 }, 1805 .server = { 1806 .needs = tlsext_keyshare_server_needs, 1807 .build = tlsext_keyshare_server_build, 1808 .parse = tlsext_keyshare_server_parse, 1809 }, 1810 }, 1811 { 1812 .type = TLSEXT_TYPE_server_name, 1813 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1814 .client = { 1815 .needs = tlsext_sni_client_needs, 1816 .build = tlsext_sni_client_build, 1817 .parse = tlsext_sni_client_parse, 1818 }, 1819 .server = { 1820 .needs = tlsext_sni_server_needs, 1821 .build = tlsext_sni_server_build, 1822 .parse = tlsext_sni_server_parse, 1823 }, 1824 }, 1825 { 1826 .type = TLSEXT_TYPE_renegotiate, 1827 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1828 .client = { 1829 .needs = tlsext_ri_client_needs, 1830 .build = tlsext_ri_client_build, 1831 .parse = tlsext_ri_client_parse, 1832 }, 1833 .server = { 1834 .needs = tlsext_ri_server_needs, 1835 .build = tlsext_ri_server_build, 1836 .parse = tlsext_ri_server_parse, 1837 }, 1838 }, 1839 { 1840 .type = TLSEXT_TYPE_status_request, 1841 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 1842 SSL_TLSEXT_MSG_CT, 1843 .client = { 1844 .needs = tlsext_ocsp_client_needs, 1845 .build = tlsext_ocsp_client_build, 1846 .parse = tlsext_ocsp_client_parse, 1847 }, 1848 .server = { 1849 .needs = tlsext_ocsp_server_needs, 1850 .build = tlsext_ocsp_server_build, 1851 .parse = tlsext_ocsp_server_parse, 1852 }, 1853 }, 1854 { 1855 .type = TLSEXT_TYPE_ec_point_formats, 1856 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1857 .client = { 1858 .needs = tlsext_ecpf_client_needs, 1859 .build = tlsext_ecpf_client_build, 1860 .parse = tlsext_ecpf_client_parse, 1861 }, 1862 .server = { 1863 .needs = tlsext_ecpf_server_needs, 1864 .build = tlsext_ecpf_server_build, 1865 .parse = tlsext_ecpf_server_parse, 1866 }, 1867 }, 1868 { 1869 .type = TLSEXT_TYPE_supported_groups, 1870 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1871 .client = { 1872 .needs = tlsext_supportedgroups_client_needs, 1873 .build = tlsext_supportedgroups_client_build, 1874 .parse = tlsext_supportedgroups_client_parse, 1875 }, 1876 .server = { 1877 .needs = tlsext_supportedgroups_server_needs, 1878 .build = tlsext_supportedgroups_server_build, 1879 .parse = tlsext_supportedgroups_server_parse, 1880 }, 1881 }, 1882 { 1883 .type = TLSEXT_TYPE_session_ticket, 1884 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1885 .client = { 1886 .needs = tlsext_sessionticket_client_needs, 1887 .build = tlsext_sessionticket_client_build, 1888 .parse = tlsext_sessionticket_client_parse, 1889 }, 1890 .server = { 1891 .needs = tlsext_sessionticket_server_needs, 1892 .build = tlsext_sessionticket_server_build, 1893 .parse = tlsext_sessionticket_server_parse, 1894 }, 1895 }, 1896 { 1897 .type = TLSEXT_TYPE_signature_algorithms, 1898 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 1899 .client = { 1900 .needs = tlsext_sigalgs_client_needs, 1901 .build = tlsext_sigalgs_client_build, 1902 .parse = tlsext_sigalgs_client_parse, 1903 }, 1904 .server = { 1905 .needs = tlsext_sigalgs_server_needs, 1906 .build = tlsext_sigalgs_server_build, 1907 .parse = tlsext_sigalgs_server_parse, 1908 }, 1909 }, 1910 { 1911 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1912 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1913 .client = { 1914 .needs = tlsext_alpn_client_needs, 1915 .build = tlsext_alpn_client_build, 1916 .parse = tlsext_alpn_client_parse, 1917 }, 1918 .server = { 1919 .needs = tlsext_alpn_server_needs, 1920 .build = tlsext_alpn_server_build, 1921 .parse = tlsext_alpn_server_parse, 1922 }, 1923 }, 1924 { 1925 .type = TLSEXT_TYPE_cookie, 1926 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 1927 .client = { 1928 .needs = tlsext_cookie_client_needs, 1929 .build = tlsext_cookie_client_build, 1930 .parse = tlsext_cookie_client_parse, 1931 }, 1932 .server = { 1933 .needs = tlsext_cookie_server_needs, 1934 .build = tlsext_cookie_server_build, 1935 .parse = tlsext_cookie_server_parse, 1936 }, 1937 }, 1938 #ifndef OPENSSL_NO_SRTP 1939 { 1940 .type = TLSEXT_TYPE_use_srtp, 1941 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 1942 SSL_TLSEXT_MSG_EE, 1943 .client = { 1944 .needs = tlsext_srtp_client_needs, 1945 .build = tlsext_srtp_client_build, 1946 .parse = tlsext_srtp_client_parse, 1947 }, 1948 .server = { 1949 .needs = tlsext_srtp_server_needs, 1950 .build = tlsext_srtp_server_build, 1951 .parse = tlsext_srtp_server_parse, 1952 }, 1953 } 1954 #endif /* OPENSSL_NO_SRTP */ 1955 }; 1956 1957 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 1958 1959 /* Ensure that extensions fit in a uint32_t bitmask. */ 1960 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1961 1962 const struct tls_extension * 1963 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 1964 { 1965 size_t i; 1966 1967 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1968 if (tls_extensions[i].type == type) { 1969 *tls_extensions_idx = i; 1970 return &tls_extensions[i]; 1971 } 1972 } 1973 1974 return NULL; 1975 } 1976 1977 int 1978 tlsext_extension_seen(SSL *s, uint16_t type) 1979 { 1980 size_t idx; 1981 1982 if (tls_extension_find(type, &idx) == NULL) 1983 return 0; 1984 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); 1985 } 1986 1987 static const struct tls_extension_funcs * 1988 tlsext_funcs(const struct tls_extension *tlsext, int is_server) 1989 { 1990 if (is_server) 1991 return &tlsext->server; 1992 1993 return &tlsext->client; 1994 } 1995 1996 static int 1997 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 1998 { 1999 const struct tls_extension_funcs *ext; 2000 const struct tls_extension *tlsext; 2001 CBB extensions, extension_data; 2002 int extensions_present = 0; 2003 uint16_t tls_version; 2004 size_t i; 2005 2006 tls_version = ssl_effective_tls_version(s); 2007 2008 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2009 return 0; 2010 2011 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2012 tlsext = &tls_extensions[i]; 2013 ext = tlsext_funcs(tlsext, is_server); 2014 2015 /* RFC 8446 Section 4.2 */ 2016 if (tls_version >= TLS1_3_VERSION && 2017 !(tlsext->messages & msg_type)) 2018 continue; 2019 2020 if (!ext->needs(s, msg_type)) 2021 continue; 2022 2023 if (!CBB_add_u16(&extensions, tlsext->type)) 2024 return 0; 2025 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2026 return 0; 2027 2028 if (!ext->build(s, msg_type, &extension_data)) 2029 return 0; 2030 2031 extensions_present = 1; 2032 } 2033 2034 if (!extensions_present && 2035 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2036 CBB_discard_child(cbb); 2037 2038 if (!CBB_flush(cbb)) 2039 return 0; 2040 2041 return 1; 2042 } 2043 2044 int 2045 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2046 { 2047 /* 2048 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2049 * cookie may be added, padding may be removed. 2050 */ 2051 struct tls13_ctx *ctx = s->internal->tls13; 2052 2053 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2054 type == TLSEXT_TYPE_padding) 2055 return 1; 2056 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2057 sizeof(type))) 2058 return 0; 2059 /* 2060 * key_share data may be changed, and pre_shared_key data may 2061 * be changed 2062 */ 2063 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2064 return 1; 2065 if (!tls13_clienthello_hash_update(ctx, cbs)) 2066 return 0; 2067 2068 return 1; 2069 } 2070 2071 static int 2072 tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2073 { 2074 const struct tls_extension_funcs *ext; 2075 const struct tls_extension *tlsext; 2076 CBS extensions, extension_data; 2077 uint16_t type; 2078 size_t idx; 2079 uint16_t tls_version; 2080 int alert_desc; 2081 2082 tls_version = ssl_effective_tls_version(s); 2083 2084 S3I(s)->hs.extensions_seen = 0; 2085 2086 /* An empty extensions block is valid. */ 2087 if (CBS_len(cbs) == 0) 2088 return 1; 2089 2090 alert_desc = SSL_AD_DECODE_ERROR; 2091 2092 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2093 goto err; 2094 2095 while (CBS_len(&extensions) > 0) { 2096 if (!CBS_get_u16(&extensions, &type)) 2097 goto err; 2098 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2099 goto err; 2100 2101 if (s->internal->tlsext_debug_cb != NULL) 2102 s->internal->tlsext_debug_cb(s, !is_server, type, 2103 (unsigned char *)CBS_data(&extension_data), 2104 CBS_len(&extension_data), 2105 s->internal->tlsext_debug_arg); 2106 2107 /* Unknown extensions are ignored. */ 2108 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2109 continue; 2110 2111 if (tls_version >= TLS1_3_VERSION && is_server && 2112 msg_type == SSL_TLSEXT_MSG_CH) { 2113 if (!tlsext_clienthello_hash_extension(s, type, 2114 &extension_data)) 2115 goto err; 2116 } 2117 2118 /* RFC 8446 Section 4.2 */ 2119 if (tls_version >= TLS1_3_VERSION && 2120 !(tlsext->messages & msg_type)) { 2121 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2122 goto err; 2123 } 2124 2125 /* Check for duplicate known extensions. */ 2126 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 2127 goto err; 2128 S3I(s)->hs.extensions_seen |= (1 << idx); 2129 2130 ext = tlsext_funcs(tlsext, is_server); 2131 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2132 goto err; 2133 2134 if (CBS_len(&extension_data) != 0) 2135 goto err; 2136 } 2137 2138 return 1; 2139 2140 err: 2141 *alert = alert_desc; 2142 2143 return 0; 2144 } 2145 2146 static void 2147 tlsext_server_reset_state(SSL *s) 2148 { 2149 s->tlsext_status_type = -1; 2150 S3I(s)->renegotiate_seen = 0; 2151 free(S3I(s)->alpn_selected); 2152 S3I(s)->alpn_selected = NULL; 2153 S3I(s)->alpn_selected_len = 0; 2154 s->internal->srtp_profile = NULL; 2155 } 2156 2157 int 2158 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2159 { 2160 return tlsext_build(s, 1, msg_type, cbb); 2161 } 2162 2163 int 2164 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2165 { 2166 /* XXX - this should be done by the caller... */ 2167 if (msg_type == SSL_TLSEXT_MSG_CH) 2168 tlsext_server_reset_state(s); 2169 2170 return tlsext_parse(s, 1, msg_type, cbs, alert); 2171 } 2172 2173 static void 2174 tlsext_client_reset_state(SSL *s) 2175 { 2176 S3I(s)->renegotiate_seen = 0; 2177 free(S3I(s)->alpn_selected); 2178 S3I(s)->alpn_selected = NULL; 2179 S3I(s)->alpn_selected_len = 0; 2180 } 2181 2182 int 2183 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2184 { 2185 return tlsext_build(s, 0, msg_type, cbb); 2186 } 2187 2188 int 2189 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2190 { 2191 /* XXX - this should be done by the caller... */ 2192 if (msg_type == SSL_TLSEXT_MSG_SH) 2193 tlsext_client_reset_state(s); 2194 2195 return tlsext_parse(s, 0, msg_type, cbs, alert); 2196 } 2197