1 /* $OpenBSD: ssl_tlsext.c,v 1.78 2020/07/03 07:17:26 tb Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <ctype.h> 21 22 #include <openssl/ocsp.h> 23 24 #include "ssl_locl.h" 25 26 #include "bytestring.h" 27 #include "ssl_sigalgs.h" 28 #include "ssl_tlsext.h" 29 30 /* 31 * Supported Application-Layer Protocol Negotiation - RFC 7301 32 */ 33 34 int 35 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 36 { 37 /* ALPN protos have been specified and this is the initial handshake */ 38 return s->internal->alpn_client_proto_list != NULL && 39 S3I(s)->tmp.finish_md_len == 0; 40 } 41 42 int 43 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 44 { 45 CBB protolist; 46 47 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 48 return 0; 49 50 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 51 s->internal->alpn_client_proto_list_len)) 52 return 0; 53 54 if (!CBB_flush(cbb)) 55 return 0; 56 57 return 1; 58 } 59 60 int 61 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 62 { 63 CBS proto_name_list, alpn; 64 const unsigned char *selected; 65 unsigned char selected_len; 66 int r; 67 68 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 69 goto err; 70 if (CBS_len(&alpn) < 2) 71 goto err; 72 if (CBS_len(cbs) != 0) 73 goto err; 74 75 CBS_dup(&alpn, &proto_name_list); 76 while (CBS_len(&proto_name_list) > 0) { 77 CBS proto_name; 78 79 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 80 goto err; 81 if (CBS_len(&proto_name) == 0) 82 goto err; 83 } 84 85 if (s->ctx->internal->alpn_select_cb == NULL) 86 return 1; 87 88 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 89 CBS_data(&alpn), CBS_len(&alpn), 90 s->ctx->internal->alpn_select_cb_arg); 91 if (r == SSL_TLSEXT_ERR_OK) { 92 free(S3I(s)->alpn_selected); 93 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 94 *alert = SSL_AD_INTERNAL_ERROR; 95 return 0; 96 } 97 memcpy(S3I(s)->alpn_selected, selected, selected_len); 98 S3I(s)->alpn_selected_len = selected_len; 99 } 100 101 return 1; 102 103 err: 104 *alert = SSL_AD_DECODE_ERROR; 105 return 0; 106 } 107 108 int 109 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 110 { 111 return S3I(s)->alpn_selected != NULL; 112 } 113 114 int 115 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 116 { 117 CBB list, selected; 118 119 if (!CBB_add_u16_length_prefixed(cbb, &list)) 120 return 0; 121 122 if (!CBB_add_u8_length_prefixed(&list, &selected)) 123 return 0; 124 125 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 126 S3I(s)->alpn_selected_len)) 127 return 0; 128 129 if (!CBB_flush(cbb)) 130 return 0; 131 132 return 1; 133 } 134 135 int 136 tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 137 { 138 CBS list, proto; 139 140 if (s->internal->alpn_client_proto_list == NULL) { 141 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 142 return 0; 143 } 144 145 if (!CBS_get_u16_length_prefixed(cbs, &list)) 146 goto err; 147 if (CBS_len(cbs) != 0) 148 goto err; 149 150 if (!CBS_get_u8_length_prefixed(&list, &proto)) 151 goto err; 152 153 if (CBS_len(&list) != 0) 154 goto err; 155 if (CBS_len(&proto) == 0) 156 goto err; 157 158 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 159 &(S3I(s)->alpn_selected_len))) 160 goto err; 161 162 return 1; 163 164 err: 165 *alert = TLS1_AD_DECODE_ERROR; 166 return 0; 167 } 168 169 /* 170 * Supported Groups - RFC 7919 section 2 171 */ 172 int 173 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 174 { 175 return ssl_has_ecc_ciphers(s) || 176 (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 177 } 178 179 int 180 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 181 { 182 const uint16_t *groups; 183 size_t groups_len; 184 CBB grouplist; 185 int i; 186 187 tls1_get_group_list(s, 0, &groups, &groups_len); 188 if (groups_len == 0) { 189 SSLerror(s, ERR_R_INTERNAL_ERROR); 190 return 0; 191 } 192 193 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 194 return 0; 195 196 for (i = 0; i < groups_len; i++) { 197 if (!CBB_add_u16(&grouplist, groups[i])) 198 return 0; 199 } 200 201 if (!CBB_flush(cbb)) 202 return 0; 203 204 return 1; 205 } 206 207 int 208 tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 209 int *alert) 210 { 211 CBS grouplist; 212 size_t groups_len; 213 214 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 215 goto err; 216 if (CBS_len(cbs) != 0) 217 goto err; 218 219 groups_len = CBS_len(&grouplist); 220 if (groups_len == 0 || groups_len % 2 != 0) 221 goto err; 222 groups_len /= 2; 223 224 if (!s->internal->hit) { 225 uint16_t *groups; 226 int i; 227 228 if (S3I(s)->hs_tls13.hrr) { 229 if (SSI(s)->tlsext_supportedgroups == NULL) { 230 *alert = SSL_AD_HANDSHAKE_FAILURE; 231 return 0; 232 } 233 /* 234 * In the case of TLSv1.3 the client cannot change 235 * the supported groups. 236 */ 237 if (groups_len != SSI(s)->tlsext_supportedgroups_length) { 238 *alert = SSL_AD_ILLEGAL_PARAMETER; 239 return 0; 240 } 241 for (i = 0; i < groups_len; i++) { 242 uint16_t group; 243 244 if (!CBS_get_u16(&grouplist, &group)) 245 goto err; 246 if (SSI(s)->tlsext_supportedgroups[i] != group) { 247 *alert = SSL_AD_ILLEGAL_PARAMETER; 248 return 0; 249 } 250 } 251 252 return 1; 253 } 254 255 if (SSI(s)->tlsext_supportedgroups != NULL) 256 goto err; 257 258 if ((groups = reallocarray(NULL, groups_len, 259 sizeof(uint16_t))) == NULL) { 260 *alert = TLS1_AD_INTERNAL_ERROR; 261 return 0; 262 } 263 264 for (i = 0; i < groups_len; i++) { 265 if (!CBS_get_u16(&grouplist, &groups[i])) { 266 free(groups); 267 goto err; 268 } 269 } 270 271 if (CBS_len(&grouplist) != 0) { 272 free(groups); 273 goto err; 274 } 275 276 SSI(s)->tlsext_supportedgroups = groups; 277 SSI(s)->tlsext_supportedgroups_length = groups_len; 278 } 279 280 return 1; 281 282 err: 283 *alert = TLS1_AD_DECODE_ERROR; 284 return 0; 285 } 286 287 /* This extension is never used by the server. */ 288 int 289 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 290 { 291 return 0; 292 } 293 294 int 295 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 296 { 297 return 0; 298 } 299 300 int 301 tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 302 int *alert) 303 { 304 /* 305 * Servers should not send this extension per the RFC. 306 * 307 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 308 * from at least 2014 but as of 2017, there are still large sites with 309 * this unpatched in production. As a result, we need to currently skip 310 * over the extension and ignore its content: 311 * 312 * https://support.f5.com/csp/article/K37345003 313 */ 314 if (!CBS_skip(cbs, CBS_len(cbs))) { 315 *alert = TLS1_AD_INTERNAL_ERROR; 316 return 0; 317 } 318 319 return 1; 320 } 321 322 /* 323 * Supported Point Formats Extension - RFC 4492 section 5.1.2 324 */ 325 static int 326 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 327 { 328 CBB ecpf; 329 size_t formats_len; 330 const uint8_t *formats; 331 332 tls1_get_formatlist(s, 0, &formats, &formats_len); 333 334 if (formats_len == 0) { 335 SSLerror(s, ERR_R_INTERNAL_ERROR); 336 return 0; 337 } 338 339 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 340 return 0; 341 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 342 return 0; 343 if (!CBB_flush(cbb)) 344 return 0; 345 346 return 1; 347 } 348 349 static int 350 tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 351 { 352 CBS ecpf; 353 354 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 355 goto err; 356 if (CBS_len(&ecpf) == 0) 357 goto err; 358 if (CBS_len(cbs) != 0) 359 goto err; 360 361 /* Must contain uncompressed (0) */ 362 if (!CBS_contains_zero_byte(&ecpf)) { 363 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 364 goto err; 365 } 366 367 if (!s->internal->hit) { 368 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 369 &(SSI(s)->tlsext_ecpointformatlist_length))) { 370 *alert = TLS1_AD_INTERNAL_ERROR; 371 return 0; 372 } 373 } 374 375 return 1; 376 377 err: 378 *alert = SSL_AD_DECODE_ERROR; 379 return 0; 380 } 381 382 int 383 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 384 { 385 return ssl_has_ecc_ciphers(s); 386 } 387 388 int 389 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 390 { 391 return tlsext_ecpf_build(s, msg_type, cbb); 392 } 393 394 int 395 tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 396 { 397 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 398 } 399 400 int 401 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 402 { 403 if (s->version == DTLS1_VERSION) 404 return 0; 405 406 return ssl_using_ecc_cipher(s); 407 } 408 409 int 410 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 411 { 412 return tlsext_ecpf_build(s, msg_type, cbb); 413 } 414 415 int 416 tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 417 { 418 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 419 } 420 421 /* 422 * Renegotiation Indication - RFC 5746. 423 */ 424 int 425 tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 426 { 427 return (s->internal->renegotiate); 428 } 429 430 int 431 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 432 { 433 CBB reneg; 434 435 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 436 return 0; 437 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 438 S3I(s)->previous_client_finished_len)) 439 return 0; 440 if (!CBB_flush(cbb)) 441 return 0; 442 443 return 1; 444 } 445 446 int 447 tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 448 { 449 CBS reneg; 450 451 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 452 goto err; 453 if (CBS_len(cbs) != 0) 454 goto err; 455 456 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 457 S3I(s)->previous_client_finished_len)) { 458 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 459 *alert = SSL_AD_HANDSHAKE_FAILURE; 460 return 0; 461 } 462 463 S3I(s)->renegotiate_seen = 1; 464 S3I(s)->send_connection_binding = 1; 465 466 return 1; 467 468 err: 469 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 470 *alert = SSL_AD_DECODE_ERROR; 471 return 0; 472 } 473 474 int 475 tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 476 { 477 return (s->version < TLS1_3_VERSION && S3I(s)->send_connection_binding); 478 } 479 480 int 481 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 482 { 483 CBB reneg; 484 485 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 486 return 0; 487 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 488 S3I(s)->previous_client_finished_len)) 489 return 0; 490 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 491 S3I(s)->previous_server_finished_len)) 492 return 0; 493 if (!CBB_flush(cbb)) 494 return 0; 495 496 return 1; 497 } 498 499 int 500 tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 501 { 502 CBS reneg, prev_client, prev_server; 503 504 /* 505 * Ensure that the previous client and server values are both not 506 * present, or that they are both present. 507 */ 508 if ((S3I(s)->previous_client_finished_len == 0 && 509 S3I(s)->previous_server_finished_len != 0) || 510 (S3I(s)->previous_client_finished_len != 0 && 511 S3I(s)->previous_server_finished_len == 0)) { 512 *alert = TLS1_AD_INTERNAL_ERROR; 513 return 0; 514 } 515 516 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 517 goto err; 518 if (!CBS_get_bytes(&reneg, &prev_client, 519 S3I(s)->previous_client_finished_len)) 520 goto err; 521 if (!CBS_get_bytes(&reneg, &prev_server, 522 S3I(s)->previous_server_finished_len)) 523 goto err; 524 if (CBS_len(&reneg) != 0) 525 goto err; 526 if (CBS_len(cbs) != 0) 527 goto err; 528 529 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 530 S3I(s)->previous_client_finished_len)) { 531 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 532 *alert = SSL_AD_HANDSHAKE_FAILURE; 533 return 0; 534 } 535 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 536 S3I(s)->previous_server_finished_len)) { 537 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 538 *alert = SSL_AD_HANDSHAKE_FAILURE; 539 return 0; 540 } 541 542 S3I(s)->renegotiate_seen = 1; 543 S3I(s)->send_connection_binding = 1; 544 545 return 1; 546 547 err: 548 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 549 *alert = SSL_AD_DECODE_ERROR; 550 return 0; 551 } 552 553 /* 554 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 555 */ 556 int 557 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 558 { 559 return (TLS1_get_client_version(s) >= TLS1_2_VERSION); 560 } 561 562 int 563 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 564 { 565 uint16_t *tls_sigalgs = tls12_sigalgs; 566 size_t tls_sigalgs_len = tls12_sigalgs_len; 567 CBB sigalgs; 568 569 if (TLS1_get_client_version(s) >= TLS1_3_VERSION && 570 S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) { 571 tls_sigalgs = tls13_sigalgs; 572 tls_sigalgs_len = tls13_sigalgs_len; 573 } 574 575 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 576 return 0; 577 578 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 579 return 0; 580 581 if (!CBB_flush(cbb)) 582 return 0; 583 584 return 1; 585 } 586 587 int 588 tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 589 { 590 CBS sigalgs; 591 592 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 593 return 0; 594 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 595 return 0; 596 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 597 return 0; 598 599 return 1; 600 } 601 602 int 603 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 604 { 605 return (s->version >= TLS1_3_VERSION); 606 } 607 608 int 609 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 610 { 611 uint16_t *tls_sigalgs = tls12_sigalgs; 612 size_t tls_sigalgs_len = tls12_sigalgs_len; 613 CBB sigalgs; 614 615 if (s->version >= TLS1_3_VERSION) { 616 tls_sigalgs = tls13_sigalgs; 617 tls_sigalgs_len = tls13_sigalgs_len; 618 } 619 620 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 621 return 0; 622 623 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 624 return 0; 625 626 if (!CBB_flush(cbb)) 627 return 0; 628 629 return 1; 630 } 631 632 int 633 tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 634 { 635 CBS sigalgs; 636 637 if (s->version < TLS1_3_VERSION) 638 return 0; 639 640 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 641 return 0; 642 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 643 return 0; 644 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 645 return 0; 646 647 return 1; 648 } 649 650 /* 651 * Server Name Indication - RFC 6066, section 3. 652 */ 653 int 654 tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 655 { 656 return (s->tlsext_hostname != NULL); 657 } 658 659 int 660 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 661 { 662 CBB server_name_list, host_name; 663 664 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 665 return 0; 666 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 667 return 0; 668 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 669 return 0; 670 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 671 strlen(s->tlsext_hostname))) 672 return 0; 673 if (!CBB_flush(cbb)) 674 return 0; 675 676 return 1; 677 } 678 679 /* 680 * Validate that the CBS contains only a hostname consisting of RFC 5890 681 * compliant A-labels (see RFC 6066 section 3). Not a complete check 682 * since we don't parse punycode to verify its validity but limits to 683 * correct structure and character set. 684 */ 685 int 686 tlsext_sni_is_valid_hostname(CBS *cbs) 687 { 688 uint8_t prev, c = 0; 689 int component = 0; 690 CBS hostname; 691 692 CBS_dup(cbs, &hostname); 693 694 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 695 return 0; 696 697 while(CBS_len(&hostname) > 0) { 698 prev = c; 699 if (!CBS_get_u8(&hostname, &c)) 700 return 0; 701 /* Everything has to be ASCII, with no NUL byte. */ 702 if (!isascii(c) || c == '\0') 703 return 0; 704 /* It must be alphanumeric, a '-', or a '.' */ 705 if (!isalnum(c) && c != '-' && c != '.') 706 return 0; 707 /* '-' and '.' must not start a component or be at the end. */ 708 if (component == 0 || CBS_len(&hostname) == 0) { 709 if (c == '-' || c == '.') 710 return 0; 711 } 712 if (c == '.') { 713 /* Components can not end with a dash. */ 714 if (prev == '-') 715 return 0; 716 /* Start new component */ 717 component = 0; 718 continue; 719 } 720 /* Components must be 63 chars or less. */ 721 if (++component > 63) 722 return 0; 723 } 724 725 return 1; 726 } 727 728 int 729 tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 730 { 731 CBS server_name_list, host_name; 732 uint8_t name_type; 733 734 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 735 goto err; 736 737 if (!CBS_get_u8(&server_name_list, &name_type)) 738 goto err; 739 /* 740 * RFC 6066 section 3, only one type (host_name) is specified. 741 * We do not tolerate unknown types, neither does BoringSSL. 742 * other implementations appear more tolerant. 743 */ 744 if (name_type != TLSEXT_NAMETYPE_host_name) { 745 *alert = SSL3_AD_ILLEGAL_PARAMETER; 746 goto err; 747 } 748 749 750 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 751 goto err; 752 /* 753 * RFC 6066 section 3 specifies a host name must be at least 1 byte 754 * so 0 length is a decode error. 755 */ 756 if (CBS_len(&host_name) < 1) 757 goto err; 758 759 if (!tlsext_sni_is_valid_hostname(&host_name)) { 760 *alert = SSL3_AD_ILLEGAL_PARAMETER; 761 goto err; 762 } 763 764 if (s->internal->hit || S3I(s)->hs_tls13.hrr) { 765 if (s->session->tlsext_hostname == NULL) { 766 *alert = TLS1_AD_UNRECOGNIZED_NAME; 767 goto err; 768 } 769 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 770 strlen(s->session->tlsext_hostname))) { 771 *alert = TLS1_AD_UNRECOGNIZED_NAME; 772 goto err; 773 } 774 } else { 775 if (s->session->tlsext_hostname != NULL) 776 goto err; 777 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 778 *alert = TLS1_AD_INTERNAL_ERROR; 779 goto err; 780 } 781 } 782 783 /* 784 * RFC 6066 section 3 forbids multiple host names with the same type, 785 * therefore we allow only one entry. 786 */ 787 if (CBS_len(&server_name_list) != 0) { 788 *alert = SSL3_AD_ILLEGAL_PARAMETER; 789 goto err; 790 } 791 if (CBS_len(cbs) != 0) 792 goto err; 793 794 return 1; 795 796 err: 797 return 0; 798 } 799 800 int 801 tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 802 { 803 if (s->internal->hit) 804 return 0; 805 806 return (s->session->tlsext_hostname != NULL); 807 } 808 809 int 810 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 811 { 812 return 1; 813 } 814 815 int 816 tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 817 { 818 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 819 *alert = TLS1_AD_UNRECOGNIZED_NAME; 820 return 0; 821 } 822 823 if (s->internal->hit) { 824 if (s->session->tlsext_hostname == NULL) { 825 *alert = TLS1_AD_UNRECOGNIZED_NAME; 826 return 0; 827 } 828 if (strcmp(s->tlsext_hostname, 829 s->session->tlsext_hostname) != 0) { 830 *alert = TLS1_AD_UNRECOGNIZED_NAME; 831 return 0; 832 } 833 } else { 834 if (s->session->tlsext_hostname != NULL) { 835 *alert = SSL_AD_DECODE_ERROR; 836 return 0; 837 } 838 if ((s->session->tlsext_hostname = 839 strdup(s->tlsext_hostname)) == NULL) { 840 *alert = TLS1_AD_INTERNAL_ERROR; 841 return 0; 842 } 843 } 844 845 return 1; 846 } 847 848 849 /* 850 *Certificate Status Request - RFC 6066 section 8. 851 */ 852 853 int 854 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 855 { 856 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 857 s->version != DTLS1_VERSION); 858 } 859 860 int 861 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 862 { 863 CBB respid_list, respid, exts; 864 unsigned char *ext_data; 865 size_t ext_len; 866 int i; 867 868 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 869 return 0; 870 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 871 return 0; 872 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 873 unsigned char *respid_data; 874 OCSP_RESPID *id; 875 size_t id_len; 876 877 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 878 i)) == NULL) 879 return 0; 880 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 881 return 0; 882 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 883 return 0; 884 if (!CBB_add_space(&respid, &respid_data, id_len)) 885 return 0; 886 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 887 return 0; 888 } 889 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 890 return 0; 891 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 892 NULL)) == -1) 893 return 0; 894 if (!CBB_add_space(&exts, &ext_data, ext_len)) 895 return 0; 896 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 897 ext_len)) 898 return 0; 899 if (!CBB_flush(cbb)) 900 return 0; 901 return 1; 902 } 903 904 int 905 tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 906 { 907 int alert_desc = SSL_AD_DECODE_ERROR; 908 CBS respid_list, respid, exts; 909 const unsigned char *p; 910 uint8_t status_type; 911 int ret = 0; 912 913 if (!CBS_get_u8(cbs, &status_type)) 914 goto err; 915 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 916 /* ignore unknown status types */ 917 s->tlsext_status_type = -1; 918 919 if (!CBS_skip(cbs, CBS_len(cbs))) { 920 *alert = TLS1_AD_INTERNAL_ERROR; 921 return 0; 922 } 923 return 1; 924 } 925 s->tlsext_status_type = status_type; 926 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 927 goto err; 928 929 /* XXX */ 930 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 931 s->internal->tlsext_ocsp_ids = NULL; 932 if (CBS_len(&respid_list) > 0) { 933 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 934 if (s->internal->tlsext_ocsp_ids == NULL) { 935 alert_desc = SSL_AD_INTERNAL_ERROR; 936 goto err; 937 } 938 } 939 940 while (CBS_len(&respid_list) > 0) { 941 OCSP_RESPID *id; 942 943 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 944 goto err; 945 p = CBS_data(&respid); 946 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 947 goto err; 948 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 949 alert_desc = SSL_AD_INTERNAL_ERROR; 950 OCSP_RESPID_free(id); 951 goto err; 952 } 953 } 954 955 /* Read in request_extensions */ 956 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 957 goto err; 958 if (CBS_len(&exts) > 0) { 959 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 960 X509_EXTENSION_free); 961 p = CBS_data(&exts); 962 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 963 &p, CBS_len(&exts))) == NULL) 964 goto err; 965 } 966 967 /* should be nothing left */ 968 if (CBS_len(cbs) > 0) 969 goto err; 970 971 ret = 1; 972 err: 973 if (ret == 0) 974 *alert = alert_desc; 975 return ret; 976 } 977 978 int 979 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 980 { 981 if (s->version >= TLS1_3_VERSION && 982 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 983 s->ctx->internal->tlsext_status_cb != NULL) { 984 s->internal->tlsext_status_expected = 0; 985 if (s->ctx->internal->tlsext_status_cb(s, 986 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 987 s->internal->tlsext_ocsp_resp_len > 0) 988 s->internal->tlsext_status_expected = 1; 989 } 990 return s->internal->tlsext_status_expected; 991 } 992 993 int 994 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 995 { 996 CBB ocsp_response; 997 998 if (s->version >= TLS1_3_VERSION) { 999 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1000 return 0; 1001 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1002 return 0; 1003 if (!CBB_add_bytes(&ocsp_response, 1004 s->internal->tlsext_ocsp_resp, 1005 s->internal->tlsext_ocsp_resp_len)) 1006 return 0; 1007 if (!CBB_flush(cbb)) 1008 return 0; 1009 } 1010 return 1; 1011 } 1012 1013 int 1014 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1015 { 1016 CBS response; 1017 uint16_t version = TLS1_get_client_version(s); 1018 uint8_t status_type; 1019 1020 if (version >= TLS1_3_VERSION) { 1021 if (!CBS_get_u8(cbs, &status_type)) { 1022 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1023 return 0; 1024 } 1025 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1026 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1027 return 0; 1028 } 1029 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1030 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1031 return 0; 1032 } 1033 if (CBS_len(&response) > 65536) { 1034 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1035 return 0; 1036 } 1037 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 1038 &s->internal->tlsext_ocsp_resp_len)) { 1039 *alert = SSL_AD_INTERNAL_ERROR; 1040 return 0; 1041 } 1042 } else { 1043 if (s->tlsext_status_type == -1) { 1044 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1045 return 0; 1046 } 1047 /* Set flag to expect CertificateStatus message */ 1048 s->internal->tlsext_status_expected = 1; 1049 } 1050 return 1; 1051 } 1052 1053 /* 1054 * SessionTicket extension - RFC 5077 section 3.2 1055 */ 1056 int 1057 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1058 { 1059 /* 1060 * Send session ticket extension when enabled and not overridden. 1061 * 1062 * When renegotiating, send an empty session ticket to indicate support. 1063 */ 1064 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1065 return 0; 1066 1067 if (s->internal->new_session) 1068 return 1; 1069 1070 if (s->internal->tlsext_session_ticket != NULL && 1071 s->internal->tlsext_session_ticket->data == NULL) 1072 return 0; 1073 1074 return 1; 1075 } 1076 1077 int 1078 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1079 { 1080 /* 1081 * Signal that we support session tickets by sending an empty 1082 * extension when renegotiating or no session found. 1083 */ 1084 if (s->internal->new_session || s->session == NULL) 1085 return 1; 1086 1087 if (s->session->tlsext_tick != NULL) { 1088 /* Attempt to resume with an existing session ticket */ 1089 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1090 s->session->tlsext_ticklen)) 1091 return 0; 1092 1093 } else if (s->internal->tlsext_session_ticket != NULL) { 1094 /* 1095 * Attempt to resume with a custom provided session ticket set 1096 * by SSL_set_session_ticket_ext(). 1097 */ 1098 if (s->internal->tlsext_session_ticket->length > 0) { 1099 size_t ticklen = s->internal->tlsext_session_ticket->length; 1100 1101 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1102 return 0; 1103 memcpy(s->session->tlsext_tick, 1104 s->internal->tlsext_session_ticket->data, 1105 ticklen); 1106 s->session->tlsext_ticklen = ticklen; 1107 1108 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1109 s->session->tlsext_ticklen)) 1110 return 0; 1111 } 1112 } 1113 1114 if (!CBB_flush(cbb)) 1115 return 0; 1116 1117 return 1; 1118 } 1119 1120 int 1121 tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1122 int *alert) 1123 { 1124 if (s->internal->tls_session_ticket_ext_cb) { 1125 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1126 (int)CBS_len(cbs), 1127 s->internal->tls_session_ticket_ext_cb_arg)) { 1128 *alert = TLS1_AD_INTERNAL_ERROR; 1129 return 0; 1130 } 1131 } 1132 1133 /* We need to signal that this was processed fully */ 1134 if (!CBS_skip(cbs, CBS_len(cbs))) { 1135 *alert = TLS1_AD_INTERNAL_ERROR; 1136 return 0; 1137 } 1138 1139 return 1; 1140 } 1141 1142 int 1143 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1144 { 1145 return (s->internal->tlsext_ticket_expected && 1146 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 1147 } 1148 1149 int 1150 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1151 { 1152 /* Empty ticket */ 1153 return 1; 1154 } 1155 1156 int 1157 tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1158 int *alert) 1159 { 1160 if (s->internal->tls_session_ticket_ext_cb) { 1161 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1162 (int)CBS_len(cbs), 1163 s->internal->tls_session_ticket_ext_cb_arg)) { 1164 *alert = TLS1_AD_INTERNAL_ERROR; 1165 return 0; 1166 } 1167 } 1168 1169 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1170 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1171 return 0; 1172 } 1173 1174 s->internal->tlsext_ticket_expected = 1; 1175 1176 return 1; 1177 } 1178 1179 /* 1180 * DTLS extension for SRTP key establishment - RFC 5764 1181 */ 1182 1183 #ifndef OPENSSL_NO_SRTP 1184 1185 int 1186 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1187 { 1188 return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL; 1189 } 1190 1191 int 1192 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1193 { 1194 CBB profiles, mki; 1195 int ct, i; 1196 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1197 SRTP_PROTECTION_PROFILE *prof; 1198 1199 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1200 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1201 return 0; 1202 } 1203 1204 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1205 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1206 return 0; 1207 } 1208 1209 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1210 return 0; 1211 1212 for (i = 0; i < ct; i++) { 1213 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1214 return 0; 1215 if (!CBB_add_u16(&profiles, prof->id)) 1216 return 0; 1217 } 1218 1219 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1220 return 0; 1221 1222 if (!CBB_flush(cbb)) 1223 return 0; 1224 1225 return 1; 1226 } 1227 1228 int 1229 tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1230 { 1231 SRTP_PROTECTION_PROFILE *cprof, *sprof; 1232 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1233 int i, j; 1234 int ret; 1235 uint16_t id; 1236 CBS profiles, mki; 1237 1238 ret = 0; 1239 1240 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1241 goto err; 1242 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1243 goto err; 1244 1245 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1246 goto err; 1247 1248 while (CBS_len(&profiles) > 0) { 1249 if (!CBS_get_u16(&profiles, &id)) 1250 goto err; 1251 1252 if (!srtp_find_profile_by_num(id, &cprof)) { 1253 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1254 goto err; 1255 } 1256 } 1257 1258 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1259 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1260 *alert = SSL_AD_DECODE_ERROR; 1261 goto done; 1262 } 1263 if (CBS_len(cbs) != 0) 1264 goto err; 1265 1266 /* 1267 * Per RFC 5764 section 4.1.1 1268 * 1269 * Find the server preferred profile using the client's list. 1270 * 1271 * The server MUST send a profile if it sends the use_srtp 1272 * extension. If one is not found, it should fall back to the 1273 * negotiated DTLS cipher suite or return a DTLS alert. 1274 */ 1275 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1276 goto err; 1277 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1278 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1279 == NULL) 1280 goto err; 1281 1282 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1283 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1284 == NULL) 1285 goto err; 1286 1287 if (cprof->id == sprof->id) { 1288 s->internal->srtp_profile = sprof; 1289 ret = 1; 1290 goto done; 1291 } 1292 } 1293 } 1294 1295 /* If we didn't find anything, fall back to the negotiated */ 1296 ret = 1; 1297 goto done; 1298 1299 err: 1300 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1301 *alert = SSL_AD_DECODE_ERROR; 1302 1303 done: 1304 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1305 return ret; 1306 } 1307 1308 int 1309 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1310 { 1311 return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL; 1312 } 1313 1314 int 1315 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1316 { 1317 SRTP_PROTECTION_PROFILE *profile; 1318 CBB srtp, mki; 1319 1320 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1321 return 0; 1322 1323 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1324 return 0; 1325 1326 if (!CBB_add_u16(&srtp, profile->id)) 1327 return 0; 1328 1329 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1330 return 0; 1331 1332 if (!CBB_flush(cbb)) 1333 return 0; 1334 1335 return 1; 1336 } 1337 1338 int 1339 tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1340 { 1341 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1342 SRTP_PROTECTION_PROFILE *prof; 1343 int i; 1344 uint16_t id; 1345 CBS profile_ids, mki; 1346 1347 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1348 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1349 goto err; 1350 } 1351 1352 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1353 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1354 goto err; 1355 } 1356 1357 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1358 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1359 *alert = SSL_AD_ILLEGAL_PARAMETER; 1360 return 0; 1361 } 1362 1363 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1364 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1365 goto err; 1366 } 1367 1368 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1369 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1370 == NULL) { 1371 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1372 goto err; 1373 } 1374 1375 if (prof->id == id) { 1376 s->internal->srtp_profile = prof; 1377 return 1; 1378 } 1379 } 1380 1381 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1382 err: 1383 *alert = SSL_AD_DECODE_ERROR; 1384 return 0; 1385 } 1386 1387 #endif /* OPENSSL_NO_SRTP */ 1388 1389 /* 1390 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1391 */ 1392 int 1393 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1394 { 1395 /* XXX once this gets initialized when we get tls13_client.c */ 1396 if (S3I(s)->hs_tls13.max_version == 0) 1397 return 0; 1398 return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= 1399 TLS1_3_VERSION); 1400 } 1401 1402 int 1403 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1404 { 1405 CBB client_shares; 1406 1407 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1408 return 0; 1409 1410 if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, 1411 &client_shares)) 1412 return 0; 1413 1414 if (!CBB_flush(cbb)) 1415 return 0; 1416 1417 return 1; 1418 } 1419 1420 int 1421 tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1422 { 1423 CBS client_shares, key_exchange; 1424 uint16_t group; 1425 1426 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1427 goto err; 1428 1429 while (CBS_len(&client_shares) > 0) { 1430 1431 /* Unpack client share. */ 1432 if (!CBS_get_u16(&client_shares, &group)) 1433 goto err; 1434 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1435 return 0; 1436 1437 /* 1438 * XXX - check key exchange against supported groups from client. 1439 * XXX - check that groups only appear once. 1440 */ 1441 1442 /* 1443 * Ignore this client share if we're using earlier than TLSv1.3 1444 * or we've already selected a key share. 1445 */ 1446 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1447 continue; 1448 if (S3I(s)->hs_tls13.key_share != NULL) 1449 continue; 1450 1451 /* XXX - consider implementing server preference. */ 1452 if (!tls1_check_curve(s, group)) 1453 continue; 1454 1455 /* Decode and store the selected key share. */ 1456 S3I(s)->hs_tls13.key_share = tls13_key_share_new(group); 1457 if (S3I(s)->hs_tls13.key_share == NULL) 1458 goto err; 1459 if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, 1460 group, &key_exchange)) 1461 goto err; 1462 } 1463 1464 return 1; 1465 1466 err: 1467 *alert = SSL_AD_DECODE_ERROR; 1468 return 0; 1469 } 1470 1471 int 1472 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1473 { 1474 if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION) 1475 return 0; 1476 1477 return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); 1478 } 1479 1480 int 1481 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1482 { 1483 /* In the case of a HRR, we only send the server selected group. */ 1484 if (S3I(s)->hs_tls13.hrr) { 1485 if (S3I(s)->hs_tls13.server_group == 0) 1486 return 0; 1487 return CBB_add_u16(cbb, S3I(s)->hs_tls13.server_group); 1488 } 1489 1490 if (S3I(s)->hs_tls13.key_share == NULL) 1491 return 0; 1492 1493 if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb)) 1494 return 0; 1495 1496 return 1; 1497 } 1498 1499 int 1500 tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1501 { 1502 CBS key_exchange; 1503 uint16_t group; 1504 1505 /* Unpack server share. */ 1506 if (!CBS_get_u16(cbs, &group)) 1507 goto err; 1508 1509 if (CBS_len(cbs) == 0) { 1510 /* HRR does not include an actual key share. */ 1511 /* XXX - we should know that we are in a HRR... */ 1512 S3I(s)->hs_tls13.server_group = group; 1513 return 1; 1514 } 1515 1516 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1517 return 0; 1518 1519 if (S3I(s)->hs_tls13.key_share == NULL) 1520 return 0; 1521 1522 if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, 1523 group, &key_exchange)) 1524 goto err; 1525 1526 return 1; 1527 1528 err: 1529 *alert = SSL_AD_DECODE_ERROR; 1530 return 0; 1531 } 1532 1533 /* 1534 * Supported Versions - RFC 8446 section 4.2.1. 1535 */ 1536 int 1537 tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1538 { 1539 if (SSL_IS_DTLS(s)) 1540 return 0; 1541 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 1542 } 1543 1544 int 1545 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1546 { 1547 uint16_t max, min; 1548 uint16_t version; 1549 CBB versions; 1550 1551 max = S3I(s)->hs_tls13.max_version; 1552 min = S3I(s)->hs_tls13.min_version; 1553 1554 if (min < TLS1_VERSION) 1555 return 0; 1556 1557 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1558 return 0; 1559 1560 /* XXX - fix, but contiguous for now... */ 1561 for (version = max; version >= min; version--) { 1562 if (!CBB_add_u16(&versions, version)) 1563 return 0; 1564 } 1565 1566 if (!CBB_flush(cbb)) 1567 return 0; 1568 1569 return 1; 1570 } 1571 1572 int 1573 tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1574 { 1575 CBS versions; 1576 uint16_t version; 1577 uint16_t max, min; 1578 uint16_t matched_version = 0; 1579 1580 max = S3I(s)->hs_tls13.max_version; 1581 min = S3I(s)->hs_tls13.min_version; 1582 1583 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1584 goto err; 1585 1586 while (CBS_len(&versions) > 0) { 1587 if (!CBS_get_u16(&versions, &version)) 1588 goto err; 1589 /* 1590 * XXX What is below implements client preference, and 1591 * ignores any server preference entirely. 1592 */ 1593 if (matched_version == 0 && version >= min && version <= max) 1594 matched_version = version; 1595 } 1596 1597 /* 1598 * XXX if we haven't matched a version we should 1599 * fail - but we currently need to succeed to 1600 * ignore this before the server code for 1.3 1601 * is set up and initialized. 1602 */ 1603 if (max == 0) 1604 return 1; /* XXX */ 1605 1606 if (matched_version != 0) { 1607 s->version = matched_version; 1608 return 1; 1609 } 1610 1611 *alert = SSL_AD_PROTOCOL_VERSION; 1612 return 0; 1613 1614 err: 1615 *alert = SSL_AD_DECODE_ERROR; 1616 return 0; 1617 } 1618 1619 int 1620 tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1621 { 1622 return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); 1623 } 1624 1625 int 1626 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1627 { 1628 if (!CBB_add_u16(cbb, TLS1_3_VERSION)) 1629 return 0; 1630 /* XXX set 1.2 in legacy version? */ 1631 1632 return 1; 1633 } 1634 1635 int 1636 tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1637 { 1638 uint16_t selected_version; 1639 1640 if (!CBS_get_u16(cbs, &selected_version)) { 1641 *alert = SSL_AD_DECODE_ERROR; 1642 return 0; 1643 } 1644 1645 if (selected_version < TLS1_3_VERSION) { 1646 *alert = SSL_AD_ILLEGAL_PARAMETER; 1647 return 0; 1648 } 1649 1650 /* XXX test between min and max once initialization code goes in */ 1651 S3I(s)->hs_tls13.server_version = selected_version; 1652 1653 return 1; 1654 } 1655 1656 1657 /* 1658 * Cookie - RFC 8446 section 4.2.2. 1659 */ 1660 1661 int 1662 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1663 { 1664 if (SSL_IS_DTLS(s)) 1665 return 0; 1666 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1667 return 0; 1668 return (S3I(s)->hs_tls13.cookie_len > 0 && 1669 S3I(s)->hs_tls13.cookie != NULL); 1670 } 1671 1672 int 1673 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1674 { 1675 CBB cookie; 1676 1677 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1678 return 0; 1679 1680 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1681 S3I(s)->hs_tls13.cookie_len)) 1682 return 0; 1683 1684 if (!CBB_flush(cbb)) 1685 return 0; 1686 1687 return 1; 1688 } 1689 1690 int 1691 tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1692 { 1693 CBS cookie; 1694 1695 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1696 goto err; 1697 1698 if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len) 1699 goto err; 1700 1701 /* 1702 * Check provided cookie value against what server previously 1703 * sent - client *MUST* send the same cookie with new CR after 1704 * a cookie is sent by the server with an HRR. 1705 */ 1706 if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie, 1707 S3I(s)->hs_tls13.cookie_len)) { 1708 /* XXX special cookie mismatch alert? */ 1709 *alert = SSL_AD_ILLEGAL_PARAMETER; 1710 return 0; 1711 } 1712 1713 return 1; 1714 1715 err: 1716 *alert = SSL_AD_DECODE_ERROR; 1717 return 0; 1718 } 1719 1720 int 1721 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1722 { 1723 1724 if (SSL_IS_DTLS(s)) 1725 return 0; 1726 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1727 return 0; 1728 /* 1729 * Server needs to set cookie value in tls13 handshake 1730 * in order to send one, should only be sent with HRR. 1731 */ 1732 return (S3I(s)->hs_tls13.cookie_len > 0 && 1733 S3I(s)->hs_tls13.cookie != NULL); 1734 } 1735 1736 int 1737 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1738 { 1739 CBB cookie; 1740 1741 /* XXX deduplicate with client code */ 1742 1743 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1744 return 0; 1745 1746 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1747 S3I(s)->hs_tls13.cookie_len)) 1748 return 0; 1749 1750 if (!CBB_flush(cbb)) 1751 return 0; 1752 1753 return 1; 1754 } 1755 1756 int 1757 tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1758 { 1759 CBS cookie; 1760 1761 /* 1762 * XXX This currently assumes we will not get a second 1763 * HRR from a server with a cookie to process after accepting 1764 * one from the server in the same handshake 1765 */ 1766 if (S3I(s)->hs_tls13.cookie != NULL || 1767 S3I(s)->hs_tls13.cookie_len != 0) { 1768 *alert = SSL_AD_ILLEGAL_PARAMETER; 1769 return 0; 1770 } 1771 1772 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1773 goto err; 1774 1775 if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie, 1776 &S3I(s)->hs_tls13.cookie_len)) 1777 goto err; 1778 1779 return 1; 1780 1781 err: 1782 *alert = SSL_AD_DECODE_ERROR; 1783 return 0; 1784 } 1785 1786 struct tls_extension_funcs { 1787 int (*needs)(SSL *s, uint16_t msg_type); 1788 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 1789 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 1790 }; 1791 1792 struct tls_extension { 1793 uint16_t type; 1794 uint16_t messages; 1795 struct tls_extension_funcs client; 1796 struct tls_extension_funcs server; 1797 }; 1798 1799 static struct tls_extension tls_extensions[] = { 1800 { 1801 .type = TLSEXT_TYPE_supported_versions, 1802 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1803 SSL_TLSEXT_MSG_HRR, 1804 .client = { 1805 .needs = tlsext_versions_client_needs, 1806 .build = tlsext_versions_client_build, 1807 .parse = tlsext_versions_client_parse, 1808 }, 1809 .server = { 1810 .needs = tlsext_versions_server_needs, 1811 .build = tlsext_versions_server_build, 1812 .parse = tlsext_versions_server_parse, 1813 }, 1814 }, 1815 { 1816 .type = TLSEXT_TYPE_key_share, 1817 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1818 SSL_TLSEXT_MSG_HRR, 1819 .client = { 1820 .needs = tlsext_keyshare_client_needs, 1821 .build = tlsext_keyshare_client_build, 1822 .parse = tlsext_keyshare_client_parse, 1823 }, 1824 .server = { 1825 .needs = tlsext_keyshare_server_needs, 1826 .build = tlsext_keyshare_server_build, 1827 .parse = tlsext_keyshare_server_parse, 1828 }, 1829 }, 1830 { 1831 .type = TLSEXT_TYPE_server_name, 1832 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1833 .client = { 1834 .needs = tlsext_sni_client_needs, 1835 .build = tlsext_sni_client_build, 1836 .parse = tlsext_sni_client_parse, 1837 }, 1838 .server = { 1839 .needs = tlsext_sni_server_needs, 1840 .build = tlsext_sni_server_build, 1841 .parse = tlsext_sni_server_parse, 1842 }, 1843 }, 1844 { 1845 .type = TLSEXT_TYPE_renegotiate, 1846 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1847 .client = { 1848 .needs = tlsext_ri_client_needs, 1849 .build = tlsext_ri_client_build, 1850 .parse = tlsext_ri_client_parse, 1851 }, 1852 .server = { 1853 .needs = tlsext_ri_server_needs, 1854 .build = tlsext_ri_server_build, 1855 .parse = tlsext_ri_server_parse, 1856 }, 1857 }, 1858 { 1859 .type = TLSEXT_TYPE_status_request, 1860 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 1861 SSL_TLSEXT_MSG_CT, 1862 .client = { 1863 .needs = tlsext_ocsp_client_needs, 1864 .build = tlsext_ocsp_client_build, 1865 .parse = tlsext_ocsp_client_parse, 1866 }, 1867 .server = { 1868 .needs = tlsext_ocsp_server_needs, 1869 .build = tlsext_ocsp_server_build, 1870 .parse = tlsext_ocsp_server_parse, 1871 }, 1872 }, 1873 { 1874 .type = TLSEXT_TYPE_ec_point_formats, 1875 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1876 .client = { 1877 .needs = tlsext_ecpf_client_needs, 1878 .build = tlsext_ecpf_client_build, 1879 .parse = tlsext_ecpf_client_parse, 1880 }, 1881 .server = { 1882 .needs = tlsext_ecpf_server_needs, 1883 .build = tlsext_ecpf_server_build, 1884 .parse = tlsext_ecpf_server_parse, 1885 }, 1886 }, 1887 { 1888 .type = TLSEXT_TYPE_supported_groups, 1889 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1890 .client = { 1891 .needs = tlsext_supportedgroups_client_needs, 1892 .build = tlsext_supportedgroups_client_build, 1893 .parse = tlsext_supportedgroups_client_parse, 1894 }, 1895 .server = { 1896 .needs = tlsext_supportedgroups_server_needs, 1897 .build = tlsext_supportedgroups_server_build, 1898 .parse = tlsext_supportedgroups_server_parse, 1899 }, 1900 }, 1901 { 1902 .type = TLSEXT_TYPE_session_ticket, 1903 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1904 .client = { 1905 .needs = tlsext_sessionticket_client_needs, 1906 .build = tlsext_sessionticket_client_build, 1907 .parse = tlsext_sessionticket_client_parse, 1908 }, 1909 .server = { 1910 .needs = tlsext_sessionticket_server_needs, 1911 .build = tlsext_sessionticket_server_build, 1912 .parse = tlsext_sessionticket_server_parse, 1913 }, 1914 }, 1915 { 1916 .type = TLSEXT_TYPE_signature_algorithms, 1917 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 1918 .client = { 1919 .needs = tlsext_sigalgs_client_needs, 1920 .build = tlsext_sigalgs_client_build, 1921 .parse = tlsext_sigalgs_client_parse, 1922 }, 1923 .server = { 1924 .needs = tlsext_sigalgs_server_needs, 1925 .build = tlsext_sigalgs_server_build, 1926 .parse = tlsext_sigalgs_server_parse, 1927 }, 1928 }, 1929 { 1930 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1931 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1932 .client = { 1933 .needs = tlsext_alpn_client_needs, 1934 .build = tlsext_alpn_client_build, 1935 .parse = tlsext_alpn_client_parse, 1936 }, 1937 .server = { 1938 .needs = tlsext_alpn_server_needs, 1939 .build = tlsext_alpn_server_build, 1940 .parse = tlsext_alpn_server_parse, 1941 }, 1942 }, 1943 { 1944 .type = TLSEXT_TYPE_cookie, 1945 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 1946 .client = { 1947 .needs = tlsext_cookie_client_needs, 1948 .build = tlsext_cookie_client_build, 1949 .parse = tlsext_cookie_client_parse, 1950 }, 1951 .server = { 1952 .needs = tlsext_cookie_server_needs, 1953 .build = tlsext_cookie_server_build, 1954 .parse = tlsext_cookie_server_parse, 1955 }, 1956 }, 1957 #ifndef OPENSSL_NO_SRTP 1958 { 1959 .type = TLSEXT_TYPE_use_srtp, 1960 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 1961 SSL_TLSEXT_MSG_EE, 1962 .client = { 1963 .needs = tlsext_srtp_client_needs, 1964 .build = tlsext_srtp_client_build, 1965 .parse = tlsext_srtp_client_parse, 1966 }, 1967 .server = { 1968 .needs = tlsext_srtp_server_needs, 1969 .build = tlsext_srtp_server_build, 1970 .parse = tlsext_srtp_server_parse, 1971 }, 1972 } 1973 #endif /* OPENSSL_NO_SRTP */ 1974 }; 1975 1976 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 1977 1978 /* Ensure that extensions fit in a uint32_t bitmask. */ 1979 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1980 1981 struct tls_extension * 1982 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 1983 { 1984 size_t i; 1985 1986 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1987 if (tls_extensions[i].type == type) { 1988 *tls_extensions_idx = i; 1989 return &tls_extensions[i]; 1990 } 1991 } 1992 1993 return NULL; 1994 } 1995 1996 int 1997 tlsext_extension_seen(SSL *s, uint16_t type) 1998 { 1999 size_t idx; 2000 2001 if (tls_extension_find(type, &idx) == NULL) 2002 return 0; 2003 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); 2004 } 2005 2006 static struct tls_extension_funcs * 2007 tlsext_funcs(struct tls_extension *tlsext, int is_server) 2008 { 2009 if (is_server) 2010 return &tlsext->server; 2011 2012 return &tlsext->client; 2013 } 2014 2015 static int 2016 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2017 { 2018 struct tls_extension_funcs *ext; 2019 struct tls_extension *tlsext; 2020 CBB extensions, extension_data; 2021 int extensions_present = 0; 2022 size_t i; 2023 uint16_t version; 2024 2025 if (is_server) 2026 version = s->version; 2027 else 2028 version = TLS1_get_client_version(s); 2029 2030 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2031 return 0; 2032 2033 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2034 tlsext = &tls_extensions[i]; 2035 ext = tlsext_funcs(tlsext, is_server); 2036 2037 /* RFC 8446 Section 4.2 */ 2038 if (version >= TLS1_3_VERSION && 2039 !(tlsext->messages & msg_type)) 2040 continue; 2041 2042 if (!ext->needs(s, msg_type)) 2043 continue; 2044 2045 if (!CBB_add_u16(&extensions, tlsext->type)) 2046 return 0; 2047 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2048 return 0; 2049 2050 if (!ext->build(s, msg_type, &extension_data)) 2051 return 0; 2052 2053 extensions_present = 1; 2054 } 2055 2056 if (!extensions_present && 2057 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2058 CBB_discard_child(cbb); 2059 2060 if (!CBB_flush(cbb)) 2061 return 0; 2062 2063 return 1; 2064 } 2065 2066 int 2067 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2068 { 2069 /* 2070 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2071 * cookie may be added, padding may be removed. 2072 */ 2073 struct tls13_ctx *ctx = s->internal->tls13; 2074 2075 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2076 type == TLSEXT_TYPE_padding) 2077 return 1; 2078 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2079 sizeof(type))) 2080 return 0; 2081 /* 2082 * key_share data may be changed, and pre_shared_key data may 2083 * be changed 2084 */ 2085 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2086 return 1; 2087 if (!tls13_clienthello_hash_update(ctx, cbs)) 2088 return 0; 2089 2090 return 1; 2091 } 2092 2093 static int 2094 tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2095 { 2096 struct tls_extension_funcs *ext; 2097 struct tls_extension *tlsext; 2098 CBS extensions, extension_data; 2099 uint16_t type; 2100 size_t idx; 2101 uint16_t version; 2102 int alert_desc; 2103 2104 S3I(s)->hs.extensions_seen = 0; 2105 2106 if (is_server) 2107 version = s->version; 2108 else 2109 version = TLS1_get_client_version(s); 2110 2111 /* An empty extensions block is valid. */ 2112 if (CBS_len(cbs) == 0) 2113 return 1; 2114 2115 alert_desc = SSL_AD_DECODE_ERROR; 2116 2117 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2118 goto err; 2119 2120 while (CBS_len(&extensions) > 0) { 2121 if (!CBS_get_u16(&extensions, &type)) 2122 goto err; 2123 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2124 goto err; 2125 2126 if (s->internal->tlsext_debug_cb != NULL) 2127 s->internal->tlsext_debug_cb(s, is_server, type, 2128 (unsigned char *)CBS_data(&extension_data), 2129 CBS_len(&extension_data), 2130 s->internal->tlsext_debug_arg); 2131 2132 if (!SSL_IS_DTLS(s) && version >= TLS1_3_VERSION && is_server && 2133 msg_type == SSL_TLSEXT_MSG_CH) { 2134 if (!tlsext_clienthello_hash_extension(s, type, 2135 &extension_data)) 2136 goto err; 2137 } 2138 2139 /* Unknown extensions are ignored. */ 2140 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2141 continue; 2142 2143 /* RFC 8446 Section 4.2 */ 2144 if (version >= TLS1_3_VERSION && 2145 !(tlsext->messages & msg_type)) { 2146 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2147 goto err; 2148 } 2149 2150 /* Check for duplicate known extensions. */ 2151 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 2152 goto err; 2153 S3I(s)->hs.extensions_seen |= (1 << idx); 2154 2155 ext = tlsext_funcs(tlsext, is_server); 2156 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2157 goto err; 2158 2159 if (CBS_len(&extension_data) != 0) 2160 goto err; 2161 } 2162 2163 return 1; 2164 2165 err: 2166 *alert = alert_desc; 2167 2168 return 0; 2169 } 2170 2171 static void 2172 tlsext_server_reset_state(SSL *s) 2173 { 2174 s->tlsext_status_type = -1; 2175 S3I(s)->renegotiate_seen = 0; 2176 free(S3I(s)->alpn_selected); 2177 S3I(s)->alpn_selected = NULL; 2178 s->internal->srtp_profile = NULL; 2179 } 2180 2181 int 2182 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2183 { 2184 return tlsext_build(s, 1, msg_type, cbb); 2185 } 2186 2187 int 2188 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2189 { 2190 /* XXX - this should be done by the caller... */ 2191 if (msg_type == SSL_TLSEXT_MSG_CH) 2192 tlsext_server_reset_state(s); 2193 2194 return tlsext_parse(s, 1, msg_type, cbs, alert); 2195 } 2196 2197 static void 2198 tlsext_client_reset_state(SSL *s) 2199 { 2200 S3I(s)->renegotiate_seen = 0; 2201 free(S3I(s)->alpn_selected); 2202 S3I(s)->alpn_selected = NULL; 2203 } 2204 2205 int 2206 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2207 { 2208 return tlsext_build(s, 0, msg_type, cbb); 2209 } 2210 2211 int 2212 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2213 { 2214 /* XXX - this should be done by the caller... */ 2215 if (msg_type == SSL_TLSEXT_MSG_SH) 2216 tlsext_client_reset_state(s); 2217 2218 return tlsext_parse(s, 0, msg_type, cbs, alert); 2219 } 2220