1 /* $OpenBSD: ssl_tlsext.c,v 1.154 2024/07/09 12:27:27 beck Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019, 2024 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/socket.h> 21 22 #include <arpa/inet.h> 23 #include <netinet/in.h> 24 25 #include <ctype.h> 26 27 #include <openssl/ocsp.h> 28 #include <openssl/opensslconf.h> 29 30 #include "bytestring.h" 31 #include "ssl_local.h" 32 #include "ssl_sigalgs.h" 33 #include "ssl_tlsext.h" 34 35 #define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation 36 #define TLSEXT_MAX_SUPPORTED_GROUPS 64 37 38 /* 39 * Supported Application-Layer Protocol Negotiation - RFC 7301 40 */ 41 42 static int 43 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 44 { 45 /* ALPN protos have been specified and this is the initial handshake */ 46 return s->alpn_client_proto_list != NULL && 47 s->s3->hs.finished_len == 0; 48 } 49 50 static int 51 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 52 { 53 CBB protolist; 54 55 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 56 return 0; 57 58 if (!CBB_add_bytes(&protolist, s->alpn_client_proto_list, 59 s->alpn_client_proto_list_len)) 60 return 0; 61 62 if (!CBB_flush(cbb)) 63 return 0; 64 65 return 1; 66 } 67 68 int 69 tlsext_alpn_check_format(CBS *cbs) 70 { 71 CBS proto_name_list; 72 73 if (CBS_len(cbs) == 0) 74 return 0; 75 76 CBS_dup(cbs, &proto_name_list); 77 while (CBS_len(&proto_name_list) > 0) { 78 CBS proto_name; 79 80 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 81 return 0; 82 if (CBS_len(&proto_name) == 0) 83 return 0; 84 } 85 86 return 1; 87 } 88 89 static int 90 tlsext_alpn_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 91 { 92 CBS alpn, selected_cbs; 93 const unsigned char *selected; 94 unsigned char selected_len; 95 int r; 96 97 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 98 return 0; 99 if (!tlsext_alpn_check_format(&alpn)) 100 return 0; 101 102 if (s->ctx->alpn_select_cb == NULL) 103 return 1; 104 105 /* 106 * XXX - A few things should be considered here: 107 * 1. Ensure that the same protocol is selected on session resumption. 108 * 2. Should the callback be called even if no ALPN extension was sent? 109 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 110 */ 111 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 112 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg); 113 114 if (r == SSL_TLSEXT_ERR_OK) { 115 CBS_init(&selected_cbs, selected, selected_len); 116 117 if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected, 118 &s->s3->alpn_selected_len)) { 119 *alert = SSL_AD_INTERNAL_ERROR; 120 return 0; 121 } 122 123 return 1; 124 } 125 126 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 127 if (r == SSL_TLSEXT_ERR_NOACK) 128 return 1; 129 130 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 131 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 132 133 return 0; 134 } 135 136 static int 137 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 138 { 139 return s->s3->alpn_selected != NULL; 140 } 141 142 static int 143 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 144 { 145 CBB list, selected; 146 147 if (!CBB_add_u16_length_prefixed(cbb, &list)) 148 return 0; 149 150 if (!CBB_add_u8_length_prefixed(&list, &selected)) 151 return 0; 152 153 if (!CBB_add_bytes(&selected, s->s3->alpn_selected, 154 s->s3->alpn_selected_len)) 155 return 0; 156 157 if (!CBB_flush(cbb)) 158 return 0; 159 160 return 1; 161 } 162 163 static int 164 tlsext_alpn_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 165 { 166 CBS list, proto; 167 168 if (s->alpn_client_proto_list == NULL) { 169 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 170 return 0; 171 } 172 173 if (!CBS_get_u16_length_prefixed(cbs, &list)) 174 return 0; 175 176 if (!CBS_get_u8_length_prefixed(&list, &proto)) 177 return 0; 178 179 if (CBS_len(&list) != 0) 180 return 0; 181 if (CBS_len(&proto) == 0) 182 return 0; 183 184 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len)) 185 return 0; 186 187 return 1; 188 } 189 190 /* 191 * Supported Groups - RFC 7919 section 2 192 */ 193 static int 194 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 195 { 196 return ssl_has_ecc_ciphers(s) || 197 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 198 } 199 200 static int 201 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 202 { 203 const uint16_t *groups; 204 size_t groups_len; 205 CBB grouplist; 206 int i; 207 208 tls1_get_group_list(s, 0, &groups, &groups_len); 209 if (groups_len == 0) { 210 SSLerror(s, ERR_R_INTERNAL_ERROR); 211 return 0; 212 } 213 214 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 215 return 0; 216 217 for (i = 0; i < groups_len; i++) { 218 if (!ssl_security_supported_group(s, groups[i])) 219 continue; 220 if (!CBB_add_u16(&grouplist, groups[i])) 221 return 0; 222 } 223 224 if (!CBB_flush(cbb)) 225 return 0; 226 227 return 1; 228 } 229 230 static int 231 tlsext_supportedgroups_server_process(SSL *s, uint16_t msg_type, CBS *cbs, 232 int *alert) 233 { 234 uint16_t *groups = NULL; 235 size_t groups_len; 236 CBS grouplist; 237 int i, j; 238 int ret = 0; 239 240 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 241 goto err; 242 243 groups_len = CBS_len(&grouplist); 244 if (groups_len == 0 || groups_len % 2 != 0) 245 goto err; 246 groups_len /= 2; 247 248 if (groups_len > TLSEXT_MAX_SUPPORTED_GROUPS) 249 goto err; 250 251 if (s->hit) 252 goto done; 253 254 if (s->s3->hs.tls13.hrr) { 255 if (s->session->tlsext_supportedgroups == NULL) { 256 *alert = SSL_AD_HANDSHAKE_FAILURE; 257 return 0; 258 } 259 260 /* 261 * The ClientHello extension hashing ensures that the client 262 * did not change its list of supported groups. 263 */ 264 265 goto done; 266 } 267 268 if (s->session->tlsext_supportedgroups != NULL) 269 goto err; /* XXX internal error? */ 270 271 if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) { 272 *alert = SSL_AD_INTERNAL_ERROR; 273 goto err; 274 } 275 276 for (i = 0; i < groups_len; i++) { 277 if (!CBS_get_u16(&grouplist, &groups[i])) 278 goto err; 279 /* 280 * Do not allow duplicate groups to be sent. This is not 281 * currently specified in RFC 8446 or earlier, but there is no 282 * legitimate justification for this to occur in TLS 1.2 or TLS 283 * 1.3. 284 */ 285 for (j = 0; j < i; j++) { 286 if (groups[i] == groups[j]) { 287 *alert = SSL_AD_ILLEGAL_PARAMETER; 288 goto err; 289 } 290 } 291 } 292 293 if (CBS_len(&grouplist) != 0) 294 goto err; 295 296 s->session->tlsext_supportedgroups = groups; 297 s->session->tlsext_supportedgroups_length = groups_len; 298 groups = NULL; 299 300 301 done: 302 ret = 1; 303 304 err: 305 free(groups); 306 307 return ret; 308 } 309 310 /* This extension is never used by the server. */ 311 static int 312 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 313 { 314 return 0; 315 } 316 317 static int 318 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 319 { 320 return 0; 321 } 322 323 static int 324 tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs, 325 int *alert) 326 { 327 /* 328 * This extension is only allowed in TLSv1.3 encrypted extensions. 329 * It is not permitted in a ServerHello in any version of TLS. 330 */ 331 if (msg_type != SSL_TLSEXT_MSG_EE) 332 return 0; 333 334 /* 335 * RFC 8446, section 4.2.7: TLSv1.3 servers can send this extension but 336 * clients must not act on it during the handshake. This allows servers 337 * to advertise their preferences for subsequent handshakes. We ignore 338 * this complication. 339 */ 340 if (!CBS_skip(cbs, CBS_len(cbs))) { 341 *alert = SSL_AD_INTERNAL_ERROR; 342 return 0; 343 } 344 345 return 1; 346 } 347 348 /* 349 * Supported Point Formats Extension - RFC 4492 section 5.1.2 350 */ 351 static int 352 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 353 { 354 CBB ecpf; 355 size_t formats_len; 356 const uint8_t *formats; 357 358 tls1_get_formatlist(s, 0, &formats, &formats_len); 359 360 if (formats_len == 0) { 361 SSLerror(s, ERR_R_INTERNAL_ERROR); 362 return 0; 363 } 364 365 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 366 return 0; 367 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 368 return 0; 369 if (!CBB_flush(cbb)) 370 return 0; 371 372 return 1; 373 } 374 375 static int 376 tlsext_ecpf_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 377 { 378 CBS ecpf; 379 380 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 381 return 0; 382 if (CBS_len(&ecpf) == 0) 383 return 0; 384 385 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 386 if (!CBS_contains_zero_byte(&ecpf)) { 387 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 388 *alert = SSL_AD_ILLEGAL_PARAMETER; 389 return 0; 390 } 391 392 if (!s->hit) { 393 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), 394 &(s->session->tlsext_ecpointformatlist_length))) { 395 *alert = SSL_AD_INTERNAL_ERROR; 396 return 0; 397 } 398 } 399 400 return 1; 401 } 402 403 static int 404 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 405 { 406 return ssl_has_ecc_ciphers(s); 407 } 408 409 static int 410 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 411 { 412 return tlsext_ecpf_build(s, msg_type, cbb); 413 } 414 415 static int 416 tlsext_ecpf_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 417 { 418 return tlsext_ecpf_process(s, msg_type, cbs, alert); 419 } 420 421 static int 422 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 423 { 424 return ssl_using_ecc_cipher(s); 425 } 426 427 static int 428 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 429 { 430 return tlsext_ecpf_build(s, msg_type, cbb); 431 } 432 433 static int 434 tlsext_ecpf_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 435 { 436 return tlsext_ecpf_process(s, msg_type, cbs, alert); 437 } 438 439 /* 440 * Renegotiation Indication - RFC 5746. 441 */ 442 static int 443 tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 444 { 445 return (s->renegotiate); 446 } 447 448 static int 449 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 450 { 451 CBB reneg; 452 453 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 454 return 0; 455 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 456 s->s3->previous_client_finished_len)) 457 return 0; 458 if (!CBB_flush(cbb)) 459 return 0; 460 461 return 1; 462 } 463 464 static int 465 tlsext_ri_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 466 { 467 CBS reneg; 468 469 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 470 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 471 return 0; 472 } 473 474 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, 475 s->s3->previous_client_finished_len)) { 476 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 477 *alert = SSL_AD_HANDSHAKE_FAILURE; 478 return 0; 479 } 480 481 s->s3->renegotiate_seen = 1; 482 s->s3->send_connection_binding = 1; 483 484 return 1; 485 } 486 487 static int 488 tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 489 { 490 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && 491 s->s3->send_connection_binding); 492 } 493 494 static int 495 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 496 { 497 CBB reneg; 498 499 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 500 return 0; 501 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 502 s->s3->previous_client_finished_len)) 503 return 0; 504 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished, 505 s->s3->previous_server_finished_len)) 506 return 0; 507 if (!CBB_flush(cbb)) 508 return 0; 509 510 return 1; 511 } 512 513 static int 514 tlsext_ri_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 515 { 516 CBS reneg, prev_client, prev_server; 517 518 /* 519 * Ensure that the previous client and server values are both not 520 * present, or that they are both present. 521 */ 522 if ((s->s3->previous_client_finished_len == 0 && 523 s->s3->previous_server_finished_len != 0) || 524 (s->s3->previous_client_finished_len != 0 && 525 s->s3->previous_server_finished_len == 0)) { 526 *alert = SSL_AD_INTERNAL_ERROR; 527 return 0; 528 } 529 530 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 531 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 532 return 0; 533 } 534 if (!CBS_get_bytes(&reneg, &prev_client, 535 s->s3->previous_client_finished_len)) { 536 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 537 return 0; 538 } 539 if (!CBS_get_bytes(&reneg, &prev_server, 540 s->s3->previous_server_finished_len)) { 541 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 542 return 0; 543 } 544 if (CBS_len(&reneg) != 0) { 545 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 546 return 0; 547 } 548 549 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, 550 s->s3->previous_client_finished_len)) { 551 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 552 *alert = SSL_AD_HANDSHAKE_FAILURE; 553 return 0; 554 } 555 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished, 556 s->s3->previous_server_finished_len)) { 557 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 558 *alert = SSL_AD_HANDSHAKE_FAILURE; 559 return 0; 560 } 561 562 s->s3->renegotiate_seen = 1; 563 s->s3->send_connection_binding = 1; 564 565 return 1; 566 } 567 568 /* 569 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 570 */ 571 static int 572 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 573 { 574 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION); 575 } 576 577 static int 578 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 579 { 580 uint16_t tls_version = s->s3->hs.negotiated_tls_version; 581 CBB sigalgs; 582 583 if (msg_type == SSL_TLSEXT_MSG_CH) 584 tls_version = s->s3->hs.our_min_tls_version; 585 586 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 587 return 0; 588 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) 589 return 0; 590 if (!CBB_flush(cbb)) 591 return 0; 592 593 return 1; 594 } 595 596 static int 597 tlsext_sigalgs_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 598 { 599 CBS sigalgs; 600 601 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 602 return 0; 603 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 604 return 0; 605 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 606 return 0; 607 608 return 1; 609 } 610 611 static int 612 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 613 { 614 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 615 } 616 617 static int 618 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 619 { 620 CBB sigalgs; 621 622 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 623 return 0; 624 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, 625 SSL_get_security_level(s))) 626 return 0; 627 if (!CBB_flush(cbb)) 628 return 0; 629 630 return 1; 631 } 632 633 static int 634 tlsext_sigalgs_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 635 { 636 CBS sigalgs; 637 638 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 639 return 0; 640 641 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 642 return 0; 643 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 644 return 0; 645 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 646 return 0; 647 648 return 1; 649 } 650 651 /* 652 * Server Name Indication - RFC 6066, section 3. 653 */ 654 static int 655 tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 656 { 657 return (s->tlsext_hostname != NULL); 658 } 659 660 static int 661 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 662 { 663 CBB server_name_list, host_name; 664 665 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 666 return 0; 667 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 668 return 0; 669 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 670 return 0; 671 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 672 strlen(s->tlsext_hostname))) 673 return 0; 674 if (!CBB_flush(cbb)) 675 return 0; 676 677 return 1; 678 } 679 680 static int 681 tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip) 682 { 683 union { 684 struct in_addr ip4; 685 struct in6_addr ip6; 686 } addrbuf; 687 char *hostname = NULL; 688 689 *is_ip = 0; 690 691 if (!CBS_strdup(cbs, &hostname)) 692 return 0; 693 694 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 || 695 inet_pton(AF_INET6, hostname, &addrbuf) == 1) 696 *is_ip = 1; 697 698 free(hostname); 699 700 return 1; 701 } 702 703 /* 704 * Validate that the CBS contains only a hostname consisting of RFC 5890 705 * compliant A-labels (see RFC 6066 section 3). Not a complete check 706 * since we don't parse punycode to verify its validity but limits to 707 * correct structure and character set. 708 */ 709 int 710 tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) 711 { 712 uint8_t prev, c = 0; 713 int component = 0; 714 CBS hostname; 715 716 *is_ip = 0; 717 718 CBS_dup(cbs, &hostname); 719 720 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 721 return 0; 722 723 /* An IP literal is invalid as a host name (RFC 6066 section 3). */ 724 if (!tlsext_sni_is_ip_literal(&hostname, is_ip)) 725 return 0; 726 if (*is_ip) 727 return 0; 728 729 while (CBS_len(&hostname) > 0) { 730 prev = c; 731 if (!CBS_get_u8(&hostname, &c)) 732 return 0; 733 /* Everything has to be ASCII, with no NUL byte. */ 734 if (!isascii(c) || c == '\0') 735 return 0; 736 /* It must be alphanumeric, a '-', or a '.' */ 737 if (!isalnum(c) && c != '-' && c != '.') 738 return 0; 739 /* '-' and '.' must not start a component or be at the end. */ 740 if (component == 0 || CBS_len(&hostname) == 0) { 741 if (c == '-' || c == '.') 742 return 0; 743 } 744 if (c == '.') { 745 /* Components can not end with a dash. */ 746 if (prev == '-') 747 return 0; 748 /* Start new component */ 749 component = 0; 750 continue; 751 } 752 /* Components must be 63 chars or less. */ 753 if (++component > 63) 754 return 0; 755 } 756 757 return 1; 758 } 759 760 static int 761 tlsext_sni_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 762 { 763 CBS server_name_list, host_name; 764 uint8_t name_type; 765 int is_ip; 766 767 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 768 goto err; 769 770 if (!CBS_get_u8(&server_name_list, &name_type)) 771 goto err; 772 773 /* 774 * RFC 6066 section 3, only one type (host_name) is specified. 775 * We do not tolerate unknown types, neither does BoringSSL. 776 * other implementations appear more tolerant. 777 */ 778 if (name_type != TLSEXT_NAMETYPE_host_name) { 779 *alert = SSL_AD_ILLEGAL_PARAMETER; 780 goto err; 781 } 782 783 /* 784 * RFC 6066 section 3 specifies a host name must be at least 1 byte 785 * so 0 length is a decode error. 786 */ 787 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 788 goto err; 789 if (CBS_len(&host_name) < 1) 790 goto err; 791 792 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) { 793 /* 794 * Various pieces of software have been known to set the SNI 795 * host name to an IP address, even though that violates the 796 * RFC. If this is the case, pretend the SNI extension does 797 * not exist. 798 */ 799 if (is_ip) 800 goto done; 801 802 *alert = SSL_AD_ILLEGAL_PARAMETER; 803 goto err; 804 } 805 806 if (s->hit || s->s3->hs.tls13.hrr) { 807 if (s->session->tlsext_hostname == NULL) { 808 *alert = SSL_AD_UNRECOGNIZED_NAME; 809 goto err; 810 } 811 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 812 strlen(s->session->tlsext_hostname))) { 813 *alert = SSL_AD_UNRECOGNIZED_NAME; 814 goto err; 815 } 816 } else { 817 if (s->session->tlsext_hostname != NULL) 818 goto err; 819 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 820 *alert = SSL_AD_INTERNAL_ERROR; 821 goto err; 822 } 823 } 824 825 done: 826 /* 827 * RFC 6066 section 3 forbids multiple host names with the same type, 828 * therefore we allow only one entry. 829 */ 830 if (CBS_len(&server_name_list) != 0) { 831 *alert = SSL_AD_ILLEGAL_PARAMETER; 832 goto err; 833 } 834 835 return 1; 836 837 err: 838 return 0; 839 } 840 841 static int 842 tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 843 { 844 if (s->hit) 845 return 0; 846 847 return (s->session->tlsext_hostname != NULL); 848 } 849 850 static int 851 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 852 { 853 return 1; 854 } 855 856 static int 857 tlsext_sni_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 858 { 859 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 860 *alert = SSL_AD_UNRECOGNIZED_NAME; 861 return 0; 862 } 863 864 if (s->hit) { 865 if (s->session->tlsext_hostname == NULL) { 866 *alert = SSL_AD_UNRECOGNIZED_NAME; 867 return 0; 868 } 869 if (strcmp(s->tlsext_hostname, 870 s->session->tlsext_hostname) != 0) { 871 *alert = SSL_AD_UNRECOGNIZED_NAME; 872 return 0; 873 } 874 } else { 875 if (s->session->tlsext_hostname != NULL) 876 return 0; 877 if ((s->session->tlsext_hostname = 878 strdup(s->tlsext_hostname)) == NULL) { 879 *alert = SSL_AD_INTERNAL_ERROR; 880 return 0; 881 } 882 } 883 884 return 1; 885 } 886 887 /* 888 * Certificate Status Request - RFC 6066 section 8. 889 */ 890 891 static int 892 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 893 { 894 if (msg_type != SSL_TLSEXT_MSG_CH) 895 return 0; 896 897 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 898 } 899 900 static int 901 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 902 { 903 CBB respid_list, respid, exts; 904 unsigned char *ext_data; 905 size_t ext_len; 906 int i; 907 908 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 909 return 0; 910 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 911 return 0; 912 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 913 unsigned char *respid_data; 914 OCSP_RESPID *id; 915 size_t id_len; 916 917 if ((id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, 918 i)) == NULL) 919 return 0; 920 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 921 return 0; 922 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 923 return 0; 924 if (!CBB_add_space(&respid, &respid_data, id_len)) 925 return 0; 926 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 927 return 0; 928 } 929 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 930 return 0; 931 if ((ext_len = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, 932 NULL)) == -1) 933 return 0; 934 if (!CBB_add_space(&exts, &ext_data, ext_len)) 935 return 0; 936 if ((i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ext_data) != 937 ext_len)) 938 return 0; 939 if (!CBB_flush(cbb)) 940 return 0; 941 return 1; 942 } 943 944 static int 945 tlsext_ocsp_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 946 { 947 int alert_desc = SSL_AD_DECODE_ERROR; 948 CBS respid_list, respid, exts; 949 const unsigned char *p; 950 uint8_t status_type; 951 int ret = 0; 952 953 if (msg_type != SSL_TLSEXT_MSG_CH) 954 goto err; 955 956 if (!CBS_get_u8(cbs, &status_type)) 957 goto err; 958 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 959 /* ignore unknown status types */ 960 s->tlsext_status_type = -1; 961 962 if (!CBS_skip(cbs, CBS_len(cbs))) { 963 *alert = SSL_AD_INTERNAL_ERROR; 964 return 0; 965 } 966 return 1; 967 } 968 s->tlsext_status_type = status_type; 969 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 970 goto err; 971 972 /* XXX */ 973 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); 974 s->tlsext_ocsp_ids = NULL; 975 if (CBS_len(&respid_list) > 0) { 976 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 977 if (s->tlsext_ocsp_ids == NULL) { 978 alert_desc = SSL_AD_INTERNAL_ERROR; 979 goto err; 980 } 981 } 982 983 while (CBS_len(&respid_list) > 0) { 984 OCSP_RESPID *id; 985 986 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 987 goto err; 988 p = CBS_data(&respid); 989 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 990 goto err; 991 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { 992 alert_desc = SSL_AD_INTERNAL_ERROR; 993 OCSP_RESPID_free(id); 994 goto err; 995 } 996 } 997 998 /* Read in request_extensions */ 999 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 1000 goto err; 1001 if (CBS_len(&exts) > 0) { 1002 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 1003 X509_EXTENSION_free); 1004 p = CBS_data(&exts); 1005 if ((s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 1006 &p, CBS_len(&exts))) == NULL) 1007 goto err; 1008 } 1009 1010 ret = 1; 1011 err: 1012 if (ret == 0) 1013 *alert = alert_desc; 1014 return ret; 1015 } 1016 1017 static int 1018 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 1019 { 1020 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1021 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 1022 s->ctx->tlsext_status_cb != NULL) { 1023 s->tlsext_status_expected = 0; 1024 if (s->ctx->tlsext_status_cb(s, 1025 s->ctx->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 1026 s->tlsext_ocsp_resp_len > 0) 1027 s->tlsext_status_expected = 1; 1028 } 1029 return s->tlsext_status_expected; 1030 } 1031 1032 static int 1033 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1034 { 1035 CBB ocsp_response; 1036 1037 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1038 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1039 return 0; 1040 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1041 return 0; 1042 if (!CBB_add_bytes(&ocsp_response, 1043 s->tlsext_ocsp_resp, 1044 s->tlsext_ocsp_resp_len)) 1045 return 0; 1046 if (!CBB_flush(cbb)) 1047 return 0; 1048 } 1049 return 1; 1050 } 1051 1052 static int 1053 tlsext_ocsp_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1054 { 1055 uint8_t status_type; 1056 CBS response; 1057 1058 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1059 if (msg_type == SSL_TLSEXT_MSG_CR) { 1060 /* 1061 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1062 * response with an empty status_request. 1063 */ 1064 if (CBS_len(cbs) == 0) 1065 return 1; 1066 1067 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1068 return 0; 1069 } 1070 if (!CBS_get_u8(cbs, &status_type)) { 1071 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1072 return 0; 1073 } 1074 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1075 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1076 return 0; 1077 } 1078 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1079 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1080 return 0; 1081 } 1082 if (CBS_len(&response) > 65536) { 1083 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1084 return 0; 1085 } 1086 if (!CBS_stow(&response, &s->tlsext_ocsp_resp, 1087 &s->tlsext_ocsp_resp_len)) { 1088 *alert = SSL_AD_INTERNAL_ERROR; 1089 return 0; 1090 } 1091 } else { 1092 if (s->tlsext_status_type == -1) { 1093 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1094 return 0; 1095 } 1096 /* Set flag to expect CertificateStatus message */ 1097 s->tlsext_status_expected = 1; 1098 } 1099 return 1; 1100 } 1101 1102 /* 1103 * SessionTicket extension - RFC 5077 section 3.2 1104 */ 1105 static int 1106 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1107 { 1108 /* 1109 * Send session ticket extension when enabled and not overridden. 1110 * 1111 * When renegotiating, send an empty session ticket to indicate support. 1112 */ 1113 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1114 return 0; 1115 1116 if (!ssl_security_tickets(s)) 1117 return 0; 1118 1119 if (s->new_session) 1120 return 1; 1121 1122 if (s->tlsext_session_ticket != NULL && 1123 s->tlsext_session_ticket->data == NULL) 1124 return 0; 1125 1126 return 1; 1127 } 1128 1129 static int 1130 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1131 { 1132 /* 1133 * Signal that we support session tickets by sending an empty 1134 * extension when renegotiating or no session found. 1135 */ 1136 if (s->new_session || s->session == NULL) 1137 return 1; 1138 1139 if (s->session->tlsext_tick != NULL) { 1140 /* Attempt to resume with an existing session ticket */ 1141 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1142 s->session->tlsext_ticklen)) 1143 return 0; 1144 1145 } else if (s->tlsext_session_ticket != NULL) { 1146 /* 1147 * Attempt to resume with a custom provided session ticket set 1148 * by SSL_set_session_ticket_ext(). 1149 */ 1150 if (s->tlsext_session_ticket->length > 0) { 1151 size_t ticklen = s->tlsext_session_ticket->length; 1152 1153 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1154 return 0; 1155 memcpy(s->session->tlsext_tick, 1156 s->tlsext_session_ticket->data, 1157 ticklen); 1158 s->session->tlsext_ticklen = ticklen; 1159 1160 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1161 s->session->tlsext_ticklen)) 1162 return 0; 1163 } 1164 } 1165 1166 if (!CBB_flush(cbb)) 1167 return 0; 1168 1169 return 1; 1170 } 1171 1172 static int 1173 tlsext_sessionticket_server_process(SSL *s, uint16_t msg_type, CBS *cbs, 1174 int *alert) 1175 { 1176 if (s->tls_session_ticket_ext_cb) { 1177 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1178 (int)CBS_len(cbs), 1179 s->tls_session_ticket_ext_cb_arg)) { 1180 *alert = SSL_AD_INTERNAL_ERROR; 1181 return 0; 1182 } 1183 } 1184 1185 /* We need to signal that this was processed fully */ 1186 if (!CBS_skip(cbs, CBS_len(cbs))) { 1187 *alert = SSL_AD_INTERNAL_ERROR; 1188 return 0; 1189 } 1190 1191 return 1; 1192 } 1193 1194 static int 1195 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1196 { 1197 return (s->tlsext_ticket_expected && 1198 !(SSL_get_options(s) & SSL_OP_NO_TICKET) && 1199 ssl_security_tickets(s)); 1200 } 1201 1202 static int 1203 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1204 { 1205 /* Empty ticket */ 1206 return 1; 1207 } 1208 1209 static int 1210 tlsext_sessionticket_client_process(SSL *s, uint16_t msg_type, CBS *cbs, 1211 int *alert) 1212 { 1213 if (s->tls_session_ticket_ext_cb) { 1214 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1215 (int)CBS_len(cbs), 1216 s->tls_session_ticket_ext_cb_arg)) { 1217 *alert = SSL_AD_INTERNAL_ERROR; 1218 return 0; 1219 } 1220 } 1221 1222 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1223 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1224 return 0; 1225 } 1226 1227 s->tlsext_ticket_expected = 1; 1228 1229 return 1; 1230 } 1231 1232 /* 1233 * DTLS extension for SRTP key establishment - RFC 5764 1234 */ 1235 1236 #ifndef OPENSSL_NO_SRTP 1237 1238 static int 1239 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1240 { 1241 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1242 } 1243 1244 static int 1245 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1246 { 1247 CBB profiles, mki; 1248 int ct, i; 1249 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1250 const SRTP_PROTECTION_PROFILE *prof; 1251 1252 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1253 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1254 return 0; 1255 } 1256 1257 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1258 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1259 return 0; 1260 } 1261 1262 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1263 return 0; 1264 1265 for (i = 0; i < ct; i++) { 1266 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1267 return 0; 1268 if (!CBB_add_u16(&profiles, prof->id)) 1269 return 0; 1270 } 1271 1272 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1273 return 0; 1274 1275 if (!CBB_flush(cbb)) 1276 return 0; 1277 1278 return 1; 1279 } 1280 1281 static int 1282 tlsext_srtp_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1283 { 1284 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1285 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1286 int i, j; 1287 int ret; 1288 uint16_t id; 1289 CBS profiles, mki; 1290 1291 ret = 0; 1292 1293 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1294 goto err; 1295 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1296 goto err; 1297 1298 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1299 goto err; 1300 1301 while (CBS_len(&profiles) > 0) { 1302 if (!CBS_get_u16(&profiles, &id)) 1303 goto err; 1304 1305 if (!srtp_find_profile_by_num(id, &cprof)) { 1306 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1307 goto err; 1308 } 1309 } 1310 1311 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1312 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1313 goto done; 1314 } 1315 1316 /* 1317 * Per RFC 5764 section 4.1.1 1318 * 1319 * Find the server preferred profile using the client's list. 1320 * 1321 * The server MUST send a profile if it sends the use_srtp 1322 * extension. If one is not found, it should fall back to the 1323 * negotiated DTLS cipher suite or return a DTLS alert. 1324 */ 1325 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1326 goto err; 1327 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1328 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL) 1329 goto err; 1330 1331 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1332 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1333 == NULL) 1334 goto err; 1335 1336 if (cprof->id == sprof->id) { 1337 s->srtp_profile = sprof; 1338 ret = 1; 1339 goto done; 1340 } 1341 } 1342 } 1343 1344 /* If we didn't find anything, fall back to the negotiated */ 1345 ret = 1; 1346 goto done; 1347 1348 err: 1349 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1350 1351 done: 1352 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1353 return ret; 1354 } 1355 1356 static int 1357 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1358 { 1359 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1360 } 1361 1362 static int 1363 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1364 { 1365 SRTP_PROTECTION_PROFILE *profile; 1366 CBB srtp, mki; 1367 1368 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1369 return 0; 1370 1371 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1372 return 0; 1373 1374 if (!CBB_add_u16(&srtp, profile->id)) 1375 return 0; 1376 1377 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1378 return 0; 1379 1380 if (!CBB_flush(cbb)) 1381 return 0; 1382 1383 return 1; 1384 } 1385 1386 static int 1387 tlsext_srtp_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1388 { 1389 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1390 const SRTP_PROTECTION_PROFILE *prof; 1391 int i; 1392 uint16_t id; 1393 CBS profile_ids, mki; 1394 1395 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1396 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1397 return 0; 1398 } 1399 1400 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1401 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1402 return 0; 1403 } 1404 1405 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1406 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1407 *alert = SSL_AD_ILLEGAL_PARAMETER; 1408 return 0; 1409 } 1410 1411 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1412 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1413 return 0; 1414 } 1415 1416 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1417 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1418 == NULL) { 1419 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1420 return 0; 1421 } 1422 1423 if (prof->id == id) { 1424 s->srtp_profile = prof; 1425 return 1; 1426 } 1427 } 1428 1429 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1430 1431 return 0; 1432 } 1433 1434 #endif /* OPENSSL_NO_SRTP */ 1435 1436 /* 1437 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1438 */ 1439 static int 1440 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1441 { 1442 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1443 } 1444 1445 static int 1446 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1447 { 1448 CBB client_shares, key_exchange; 1449 1450 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1451 return 0; 1452 1453 if (!CBB_add_u16(&client_shares, 1454 tls_key_share_group(s->s3->hs.key_share))) 1455 return 0; 1456 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1457 return 0; 1458 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1459 return 0; 1460 1461 if (!CBB_flush(cbb)) 1462 return 0; 1463 1464 return 1; 1465 } 1466 1467 static int 1468 tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1469 { 1470 const uint16_t *client_groups = NULL, *server_groups = NULL; 1471 size_t client_groups_len = 0, server_groups_len = 0; 1472 size_t i, j, client_groups_index; 1473 int preferred_group_found = 0; 1474 int decode_error; 1475 uint16_t client_preferred_group = 0; 1476 uint16_t group; 1477 CBS client_shares, key_exchange; 1478 1479 /* 1480 * RFC 8446 section 4.2.8: 1481 * 1482 * Each KeyShareEntry value MUST correspond to a group offered in the 1483 * "supported_groups" extension and MUST appear in the same order. 1484 * However, the values MAY be a non-contiguous subset of the 1485 * "supported_groups". 1486 */ 1487 1488 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) { 1489 *alert = SSL_AD_ILLEGAL_PARAMETER; 1490 return 0; 1491 } 1492 if (!tlsext_extension_processed(s, TLSEXT_TYPE_supported_groups)) { 1493 *alert = SSL_AD_INTERNAL_ERROR; 1494 return 0; 1495 } 1496 1497 if (s->s3->hs.tls13.hrr) { 1498 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1499 return 0; 1500 1501 /* Unpack client share. */ 1502 if (!CBS_get_u16(&client_shares, &group)) 1503 return 0; 1504 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1505 return 0; 1506 1507 /* There should only be one share. */ 1508 if (CBS_len(&client_shares) != 0) 1509 return 0; 1510 1511 if (group != s->s3->hs.tls13.server_group) { 1512 *alert = SSL_AD_ILLEGAL_PARAMETER; 1513 return 0; 1514 } 1515 1516 if (s->s3->hs.key_share != NULL) { 1517 *alert = SSL_AD_INTERNAL_ERROR; 1518 return 0; 1519 } 1520 1521 /* Decode and store the selected key share. */ 1522 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1523 *alert = SSL_AD_INTERNAL_ERROR; 1524 return 0; 1525 } 1526 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1527 &key_exchange, &decode_error, NULL)) { 1528 if (!decode_error) 1529 *alert = SSL_AD_INTERNAL_ERROR; 1530 return 0; 1531 } 1532 1533 return 1; 1534 } 1535 1536 /* 1537 * XXX similar to tls1_get_supported_group, but client pref 1538 * only - consider deduping later. 1539 */ 1540 /* 1541 * We are now assured of at least one client group. 1542 * Get the client and server group preference orders. 1543 */ 1544 tls1_get_group_list(s, 0, &server_groups, &server_groups_len); 1545 tls1_get_group_list(s, 1, &client_groups, &client_groups_len); 1546 1547 /* 1548 * Find the group that is most preferred by the client that 1549 * we also support. 1550 */ 1551 for (i = 0; i < client_groups_len && !preferred_group_found; i++) { 1552 if (!ssl_security_supported_group(s, client_groups[i])) 1553 continue; 1554 for (j = 0; j < server_groups_len; j++) { 1555 if (server_groups[j] == client_groups[i]) { 1556 client_preferred_group = client_groups[i]; 1557 preferred_group_found = 1; 1558 break; 1559 } 1560 } 1561 } 1562 1563 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1564 return 0; 1565 1566 client_groups_index = 0; 1567 while (CBS_len(&client_shares) > 0) { 1568 int client_sent_group; 1569 1570 /* Unpack client share. */ 1571 if (!CBS_get_u16(&client_shares, &group)) 1572 return 0; 1573 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1574 return 0; 1575 1576 /* Ignore this client share if we're using earlier than TLSv1.3 */ 1577 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) 1578 continue; 1579 1580 /* 1581 * Ensure the client share group was sent in supported groups, 1582 * and was sent in the same order as supported groups. The 1583 * supported groups has already been checked for duplicates. 1584 */ 1585 client_sent_group = 0; 1586 while (client_groups_index < client_groups_len) { 1587 if (group == client_groups[client_groups_index++]) { 1588 client_sent_group = 1; 1589 break; 1590 } 1591 } 1592 if (!client_sent_group) { 1593 *alert = SSL_AD_ILLEGAL_PARAMETER; 1594 return 0; 1595 } 1596 1597 /* Ignore this client share if we have already selected a key share */ 1598 if (s->s3->hs.key_share != NULL) 1599 continue; 1600 1601 /* 1602 * Ignore this client share if it is not for the most client 1603 * preferred supported group. This avoids a potential downgrade 1604 * situation where the client sends a client share for something 1605 * less preferred, and we choose to to use it instead of 1606 * requesting the more preferred group. 1607 */ 1608 if (!preferred_group_found || group != client_preferred_group) 1609 continue; 1610 1611 /* Decode and store the selected key share. */ 1612 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1613 *alert = SSL_AD_INTERNAL_ERROR; 1614 return 0; 1615 } 1616 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1617 &key_exchange, &decode_error, NULL)) { 1618 if (!decode_error) 1619 *alert = SSL_AD_INTERNAL_ERROR; 1620 return 0; 1621 } 1622 } 1623 1624 return 1; 1625 } 1626 1627 static int 1628 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1629 { 1630 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1631 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1632 } 1633 1634 static int 1635 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1636 { 1637 CBB key_exchange; 1638 1639 /* In the case of a HRR, we only send the server selected group. */ 1640 if (s->s3->hs.tls13.hrr) { 1641 if (s->s3->hs.tls13.server_group == 0) 1642 return 0; 1643 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group); 1644 } 1645 1646 if (s->s3->hs.key_share == NULL) 1647 return 0; 1648 1649 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share))) 1650 return 0; 1651 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1652 return 0; 1653 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1654 return 0; 1655 1656 if (!CBB_flush(cbb)) 1657 return 0; 1658 1659 return 1; 1660 } 1661 1662 static int 1663 tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1664 { 1665 CBS key_exchange; 1666 int decode_error; 1667 uint16_t group; 1668 1669 /* Unpack server share. */ 1670 if (!CBS_get_u16(cbs, &group)) 1671 return 0; 1672 1673 if (CBS_len(cbs) == 0) { 1674 /* HRR does not include an actual key share, only the group. */ 1675 if (msg_type != SSL_TLSEXT_MSG_HRR) 1676 return 0; 1677 1678 s->s3->hs.tls13.server_group = group; 1679 return 1; 1680 } 1681 1682 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1683 return 0; 1684 1685 if (s->s3->hs.key_share == NULL) { 1686 *alert = SSL_AD_INTERNAL_ERROR; 1687 return 0; 1688 } 1689 if (tls_key_share_group(s->s3->hs.key_share) != group) { 1690 *alert = SSL_AD_INTERNAL_ERROR; 1691 return 0; 1692 } 1693 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1694 &key_exchange, &decode_error, NULL)) { 1695 if (!decode_error) 1696 *alert = SSL_AD_INTERNAL_ERROR; 1697 return 0; 1698 } 1699 1700 return 1; 1701 } 1702 1703 /* 1704 * Supported Versions - RFC 8446 section 4.2.1. 1705 */ 1706 static int 1707 tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1708 { 1709 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1710 } 1711 1712 static int 1713 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1714 { 1715 uint16_t max, min; 1716 uint16_t version; 1717 CBB versions; 1718 1719 max = s->s3->hs.our_max_tls_version; 1720 min = s->s3->hs.our_min_tls_version; 1721 1722 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1723 return 0; 1724 1725 /* XXX - fix, but contiguous for now... */ 1726 for (version = max; version >= min; version--) { 1727 if (!CBB_add_u16(&versions, version)) 1728 return 0; 1729 } 1730 1731 if (!CBB_flush(cbb)) 1732 return 0; 1733 1734 return 1; 1735 } 1736 1737 static int 1738 tlsext_versions_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1739 { 1740 CBS versions; 1741 uint16_t version; 1742 uint16_t max, min; 1743 uint16_t matched_version = 0; 1744 1745 max = s->s3->hs.our_max_tls_version; 1746 min = s->s3->hs.our_min_tls_version; 1747 1748 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1749 return 0; 1750 1751 while (CBS_len(&versions) > 0) { 1752 if (!CBS_get_u16(&versions, &version)) 1753 return 0; 1754 /* 1755 * XXX What is below implements client preference, and 1756 * ignores any server preference entirely. 1757 */ 1758 if (matched_version == 0 && version >= min && version <= max) 1759 matched_version = version; 1760 } 1761 1762 if (matched_version > 0) { 1763 /* XXX - this should be stored for later processing. */ 1764 s->version = matched_version; 1765 return 1; 1766 } 1767 1768 *alert = SSL_AD_PROTOCOL_VERSION; 1769 return 0; 1770 } 1771 1772 static int 1773 tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1774 { 1775 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 1776 } 1777 1778 static int 1779 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1780 { 1781 return CBB_add_u16(cbb, TLS1_3_VERSION); 1782 } 1783 1784 static int 1785 tlsext_versions_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1786 { 1787 uint16_t selected_version; 1788 1789 if (!CBS_get_u16(cbs, &selected_version)) 1790 return 0; 1791 1792 /* XXX - need to fix for DTLS 1.3 */ 1793 if (selected_version < TLS1_3_VERSION) { 1794 *alert = SSL_AD_ILLEGAL_PARAMETER; 1795 return 0; 1796 } 1797 1798 /* XXX test between min and max once initialization code goes in */ 1799 s->s3->hs.tls13.server_version = selected_version; 1800 1801 return 1; 1802 } 1803 1804 1805 /* 1806 * Cookie - RFC 8446 section 4.2.2. 1807 */ 1808 1809 static int 1810 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1811 { 1812 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1813 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1814 } 1815 1816 static int 1817 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1818 { 1819 CBB cookie; 1820 1821 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1822 return 0; 1823 1824 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1825 s->s3->hs.tls13.cookie_len)) 1826 return 0; 1827 1828 if (!CBB_flush(cbb)) 1829 return 0; 1830 1831 return 1; 1832 } 1833 1834 static int 1835 tlsext_cookie_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1836 { 1837 CBS cookie; 1838 1839 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1840 return 0; 1841 1842 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len) 1843 return 0; 1844 1845 /* 1846 * Check provided cookie value against what server previously 1847 * sent - client *MUST* send the same cookie with new CR after 1848 * a cookie is sent by the server with an HRR. 1849 */ 1850 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie, 1851 s->s3->hs.tls13.cookie_len)) { 1852 /* XXX special cookie mismatch alert? */ 1853 *alert = SSL_AD_ILLEGAL_PARAMETER; 1854 return 0; 1855 } 1856 1857 return 1; 1858 } 1859 1860 static int 1861 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1862 { 1863 /* 1864 * Server needs to set cookie value in tls13 handshake 1865 * in order to send one, should only be sent with HRR. 1866 */ 1867 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1868 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1869 } 1870 1871 static int 1872 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1873 { 1874 CBB cookie; 1875 1876 /* XXX deduplicate with client code */ 1877 1878 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1879 return 0; 1880 1881 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1882 s->s3->hs.tls13.cookie_len)) 1883 return 0; 1884 1885 if (!CBB_flush(cbb)) 1886 return 0; 1887 1888 return 1; 1889 } 1890 1891 static int 1892 tlsext_cookie_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1893 { 1894 CBS cookie; 1895 1896 /* 1897 * XXX This currently assumes we will not get a second 1898 * HRR from a server with a cookie to process after accepting 1899 * one from the server in the same handshake 1900 */ 1901 if (s->s3->hs.tls13.cookie != NULL || 1902 s->s3->hs.tls13.cookie_len != 0) { 1903 *alert = SSL_AD_ILLEGAL_PARAMETER; 1904 return 0; 1905 } 1906 1907 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1908 return 0; 1909 1910 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie, 1911 &s->s3->hs.tls13.cookie_len)) 1912 return 0; 1913 1914 return 1; 1915 } 1916 1917 /* 1918 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9. 1919 */ 1920 1921 static int 1922 tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type) 1923 { 1924 return (s->s3->hs.tls13.use_psk_dhe_ke && 1925 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1926 } 1927 1928 static int 1929 tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1930 { 1931 CBB ke_modes; 1932 1933 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes)) 1934 return 0; 1935 1936 /* Only indicate support for PSK with DHE key establishment. */ 1937 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE)) 1938 return 0; 1939 1940 if (!CBB_flush(cbb)) 1941 return 0; 1942 1943 return 1; 1944 } 1945 1946 static int 1947 tlsext_psk_kex_modes_server_process(SSL *s, uint16_t msg_type, CBS *cbs, 1948 int *alert) 1949 { 1950 CBS ke_modes; 1951 uint8_t ke_mode; 1952 1953 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes)) 1954 return 0; 1955 1956 while (CBS_len(&ke_modes) > 0) { 1957 if (!CBS_get_u8(&ke_modes, &ke_mode)) 1958 return 0; 1959 1960 if (ke_mode == TLS13_PSK_DHE_KE) 1961 s->s3->hs.tls13.use_psk_dhe_ke = 1; 1962 } 1963 1964 return 1; 1965 } 1966 1967 static int 1968 tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type) 1969 { 1970 /* Servers MUST NOT send this extension. */ 1971 return 0; 1972 } 1973 1974 static int 1975 tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1976 { 1977 return 0; 1978 } 1979 1980 static int 1981 tlsext_psk_kex_modes_client_process(SSL *s, uint16_t msg_type, CBS *cbs, 1982 int *alert) 1983 { 1984 return 0; 1985 } 1986 1987 /* 1988 * Pre-Shared Key Extension - RFC 8446, 4.2.11 1989 */ 1990 1991 static int 1992 tlsext_psk_client_needs(SSL *s, uint16_t msg_type) 1993 { 1994 return 0; 1995 } 1996 1997 static int 1998 tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1999 { 2000 return 0; 2001 } 2002 2003 static int 2004 tlsext_psk_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2005 { 2006 return CBS_skip(cbs, CBS_len(cbs)); 2007 } 2008 2009 static int 2010 tlsext_psk_server_needs(SSL *s, uint16_t msg_type) 2011 { 2012 return 0; 2013 } 2014 2015 static int 2016 tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2017 { 2018 return 0; 2019 } 2020 2021 static int 2022 tlsext_psk_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2023 { 2024 return CBS_skip(cbs, CBS_len(cbs)); 2025 } 2026 2027 /* 2028 * QUIC transport parameters extension - RFC 9001 section 8.2. 2029 */ 2030 2031 static int 2032 tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type) 2033 { 2034 return SSL_is_quic(s) && s->quic_transport_params_len > 0; 2035 } 2036 2037 static int 2038 tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type, 2039 CBB *cbb) 2040 { 2041 if (!CBB_add_bytes(cbb, s->quic_transport_params, 2042 s->quic_transport_params_len)) 2043 return 0; 2044 2045 return 1; 2046 } 2047 2048 static int 2049 tlsext_quic_transport_parameters_client_process(SSL *s, uint16_t msg_type, 2050 CBS *cbs, int *alert) 2051 { 2052 if (!SSL_is_quic(s)) { 2053 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 2054 return 0; 2055 } 2056 2057 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 2058 &s->s3->peer_quic_transport_params_len)) 2059 return 0; 2060 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 2061 return 0; 2062 2063 return 1; 2064 } 2065 2066 static int 2067 tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type) 2068 { 2069 return SSL_is_quic(s) && s->quic_transport_params_len > 0; 2070 } 2071 2072 static int 2073 tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type, 2074 CBB *cbb) 2075 { 2076 if (!CBB_add_bytes(cbb, s->quic_transport_params, 2077 s->quic_transport_params_len)) 2078 return 0; 2079 2080 return 1; 2081 } 2082 2083 static int 2084 tlsext_quic_transport_parameters_server_process(SSL *s, uint16_t msg_type, 2085 CBS *cbs, int *alert) 2086 { 2087 if (!SSL_is_quic(s)) { 2088 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 2089 return 0; 2090 } 2091 2092 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 2093 &s->s3->peer_quic_transport_params_len)) 2094 return 0; 2095 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 2096 return 0; 2097 2098 return 1; 2099 } 2100 2101 struct tls_extension_funcs { 2102 int (*needs)(SSL *s, uint16_t msg_type); 2103 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 2104 int (*process)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 2105 }; 2106 2107 struct tls_extension { 2108 uint16_t type; 2109 uint16_t messages; 2110 struct tls_extension_funcs client; 2111 struct tls_extension_funcs server; 2112 }; 2113 2114 /* 2115 * TLS extensions (in processing order). 2116 */ 2117 static const struct tls_extension tls_extensions[] = { 2118 { 2119 .type = TLSEXT_TYPE_supported_versions, 2120 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2121 SSL_TLSEXT_MSG_HRR, 2122 .client = { 2123 .needs = tlsext_versions_client_needs, 2124 .build = tlsext_versions_client_build, 2125 .process = tlsext_versions_client_process, 2126 }, 2127 .server = { 2128 .needs = tlsext_versions_server_needs, 2129 .build = tlsext_versions_server_build, 2130 .process = tlsext_versions_server_process, 2131 }, 2132 }, 2133 { 2134 .type = TLSEXT_TYPE_supported_groups, 2135 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2136 .client = { 2137 .needs = tlsext_supportedgroups_client_needs, 2138 .build = tlsext_supportedgroups_client_build, 2139 .process = tlsext_supportedgroups_client_process, 2140 }, 2141 .server = { 2142 .needs = tlsext_supportedgroups_server_needs, 2143 .build = tlsext_supportedgroups_server_build, 2144 .process = tlsext_supportedgroups_server_process, 2145 }, 2146 }, 2147 { 2148 .type = TLSEXT_TYPE_key_share, 2149 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2150 SSL_TLSEXT_MSG_HRR, 2151 .client = { 2152 .needs = tlsext_keyshare_client_needs, 2153 .build = tlsext_keyshare_client_build, 2154 .process = tlsext_keyshare_client_process, 2155 }, 2156 .server = { 2157 .needs = tlsext_keyshare_server_needs, 2158 .build = tlsext_keyshare_server_build, 2159 .process = tlsext_keyshare_server_process, 2160 }, 2161 }, 2162 { 2163 .type = TLSEXT_TYPE_server_name, 2164 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2165 .client = { 2166 .needs = tlsext_sni_client_needs, 2167 .build = tlsext_sni_client_build, 2168 .process = tlsext_sni_client_process, 2169 }, 2170 .server = { 2171 .needs = tlsext_sni_server_needs, 2172 .build = tlsext_sni_server_build, 2173 .process = tlsext_sni_server_process, 2174 }, 2175 }, 2176 { 2177 .type = TLSEXT_TYPE_renegotiate, 2178 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2179 .client = { 2180 .needs = tlsext_ri_client_needs, 2181 .build = tlsext_ri_client_build, 2182 .process = tlsext_ri_client_process, 2183 }, 2184 .server = { 2185 .needs = tlsext_ri_server_needs, 2186 .build = tlsext_ri_server_build, 2187 .process = tlsext_ri_server_process, 2188 }, 2189 }, 2190 { 2191 .type = TLSEXT_TYPE_status_request, 2192 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 2193 SSL_TLSEXT_MSG_CT, 2194 .client = { 2195 .needs = tlsext_ocsp_client_needs, 2196 .build = tlsext_ocsp_client_build, 2197 .process = tlsext_ocsp_client_process, 2198 }, 2199 .server = { 2200 .needs = tlsext_ocsp_server_needs, 2201 .build = tlsext_ocsp_server_build, 2202 .process = tlsext_ocsp_server_process, 2203 }, 2204 }, 2205 { 2206 .type = TLSEXT_TYPE_ec_point_formats, 2207 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2208 .client = { 2209 .needs = tlsext_ecpf_client_needs, 2210 .build = tlsext_ecpf_client_build, 2211 .process = tlsext_ecpf_client_process, 2212 }, 2213 .server = { 2214 .needs = tlsext_ecpf_server_needs, 2215 .build = tlsext_ecpf_server_build, 2216 .process = tlsext_ecpf_server_process, 2217 }, 2218 }, 2219 { 2220 .type = TLSEXT_TYPE_session_ticket, 2221 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2222 .client = { 2223 .needs = tlsext_sessionticket_client_needs, 2224 .build = tlsext_sessionticket_client_build, 2225 .process = tlsext_sessionticket_client_process, 2226 }, 2227 .server = { 2228 .needs = tlsext_sessionticket_server_needs, 2229 .build = tlsext_sessionticket_server_build, 2230 .process = tlsext_sessionticket_server_process, 2231 }, 2232 }, 2233 { 2234 .type = TLSEXT_TYPE_signature_algorithms, 2235 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 2236 .client = { 2237 .needs = tlsext_sigalgs_client_needs, 2238 .build = tlsext_sigalgs_client_build, 2239 .process = tlsext_sigalgs_client_process, 2240 }, 2241 .server = { 2242 .needs = tlsext_sigalgs_server_needs, 2243 .build = tlsext_sigalgs_server_build, 2244 .process = tlsext_sigalgs_server_process, 2245 }, 2246 }, 2247 { 2248 .type = TLSEXT_TYPE_alpn, 2249 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2250 .client = { 2251 .needs = tlsext_alpn_client_needs, 2252 .build = tlsext_alpn_client_build, 2253 .process = tlsext_alpn_client_process, 2254 }, 2255 .server = { 2256 .needs = tlsext_alpn_server_needs, 2257 .build = tlsext_alpn_server_build, 2258 .process = tlsext_alpn_server_process, 2259 }, 2260 }, 2261 { 2262 .type = TLSEXT_TYPE_cookie, 2263 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 2264 .client = { 2265 .needs = tlsext_cookie_client_needs, 2266 .build = tlsext_cookie_client_build, 2267 .process = tlsext_cookie_client_process, 2268 }, 2269 .server = { 2270 .needs = tlsext_cookie_server_needs, 2271 .build = tlsext_cookie_server_build, 2272 .process = tlsext_cookie_server_process, 2273 }, 2274 }, 2275 #ifndef OPENSSL_NO_SRTP 2276 { 2277 .type = TLSEXT_TYPE_use_srtp, 2278 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 2279 SSL_TLSEXT_MSG_EE, 2280 .client = { 2281 .needs = tlsext_srtp_client_needs, 2282 .build = tlsext_srtp_client_build, 2283 .process = tlsext_srtp_client_process, 2284 }, 2285 .server = { 2286 .needs = tlsext_srtp_server_needs, 2287 .build = tlsext_srtp_server_build, 2288 .process = tlsext_srtp_server_process, 2289 }, 2290 }, 2291 #endif /* OPENSSL_NO_SRTP */ 2292 { 2293 .type = TLSEXT_TYPE_quic_transport_parameters, 2294 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2295 .client = { 2296 .needs = tlsext_quic_transport_parameters_client_needs, 2297 .build = tlsext_quic_transport_parameters_client_build, 2298 .process = tlsext_quic_transport_parameters_client_process, 2299 }, 2300 .server = { 2301 .needs = tlsext_quic_transport_parameters_server_needs, 2302 .build = tlsext_quic_transport_parameters_server_build, 2303 .process = tlsext_quic_transport_parameters_server_process, 2304 }, 2305 }, 2306 { 2307 .type = TLSEXT_TYPE_psk_key_exchange_modes, 2308 .messages = SSL_TLSEXT_MSG_CH, 2309 .client = { 2310 .needs = tlsext_psk_kex_modes_client_needs, 2311 .build = tlsext_psk_kex_modes_client_build, 2312 .process = tlsext_psk_kex_modes_client_process, 2313 }, 2314 .server = { 2315 .needs = tlsext_psk_kex_modes_server_needs, 2316 .build = tlsext_psk_kex_modes_server_build, 2317 .process = tlsext_psk_kex_modes_server_process, 2318 }, 2319 }, 2320 { 2321 .type = TLSEXT_TYPE_pre_shared_key, 2322 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2323 .client = { 2324 .needs = tlsext_psk_client_needs, 2325 .build = tlsext_psk_client_build, 2326 .process = tlsext_psk_client_process, 2327 }, 2328 .server = { 2329 .needs = tlsext_psk_server_needs, 2330 .build = tlsext_psk_server_build, 2331 .process = tlsext_psk_server_process, 2332 }, 2333 }, 2334 }; 2335 2336 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 2337 2338 /* Ensure that extensions fit in a uint32_t bitmask. */ 2339 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2340 2341 struct tlsext_data { 2342 CBS extensions[N_TLS_EXTENSIONS]; 2343 }; 2344 2345 static struct tlsext_data * 2346 tlsext_data_new(void) 2347 { 2348 return calloc(1, sizeof(struct tlsext_data)); 2349 } 2350 2351 static void 2352 tlsext_data_free(struct tlsext_data *td) 2353 { 2354 freezero(td, sizeof(*td)); 2355 } 2356 2357 uint16_t 2358 tls_extension_type(const struct tls_extension *extension) 2359 { 2360 return extension->type; 2361 } 2362 2363 const struct tls_extension * 2364 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2365 { 2366 size_t i; 2367 2368 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2369 if (tls_extensions[i].type == type) { 2370 if (tls_extensions_idx != NULL) 2371 *tls_extensions_idx = i; 2372 return &tls_extensions[i]; 2373 } 2374 } 2375 2376 return NULL; 2377 } 2378 2379 int 2380 tlsext_extension_seen(SSL *s, uint16_t type) 2381 { 2382 size_t idx; 2383 2384 if (tls_extension_find(type, &idx) == NULL) 2385 return 0; 2386 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0); 2387 } 2388 2389 int 2390 tlsext_extension_processed(SSL *s, uint16_t type) 2391 { 2392 size_t idx; 2393 2394 if (tls_extension_find(type, &idx) == NULL) 2395 return 0; 2396 return ((s->s3->hs.extensions_processed & (1 << idx)) != 0); 2397 } 2398 2399 const struct tls_extension_funcs * 2400 tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2401 { 2402 if (is_server) 2403 return &tlsext->server; 2404 2405 return &tlsext->client; 2406 } 2407 2408 int 2409 tlsext_randomize_build_order(SSL *s) 2410 { 2411 const struct tls_extension *psk_ext; 2412 size_t idx, new_idx; 2413 size_t alpn_idx = 0, sni_idx = 0; 2414 2415 free(s->tlsext_build_order); 2416 s->tlsext_build_order_len = 0; 2417 2418 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), 2419 N_TLS_EXTENSIONS)) == NULL) 2420 return 0; 2421 s->tlsext_build_order_len = N_TLS_EXTENSIONS; 2422 2423 /* RFC 8446, section 4.2 - PSK MUST be the last extension in the CH. */ 2424 if ((psk_ext = tls_extension_find(TLSEXT_TYPE_pre_shared_key, 2425 NULL)) == NULL) 2426 return 0; 2427 s->tlsext_build_order[N_TLS_EXTENSIONS - 1] = psk_ext; 2428 2429 /* Fisher-Yates shuffle with PSK fixed. */ 2430 for (idx = 0; idx < N_TLS_EXTENSIONS - 1; idx++) { 2431 new_idx = arc4random_uniform(idx + 1); 2432 s->tlsext_build_order[idx] = s->tlsext_build_order[new_idx]; 2433 s->tlsext_build_order[new_idx] = &tls_extensions[idx]; 2434 } 2435 2436 /* 2437 * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN 2438 * for clients so that virtual host setups work correctly. 2439 */ 2440 2441 if (s->server) 2442 return 1; 2443 2444 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { 2445 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn) 2446 alpn_idx = idx; 2447 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name) 2448 sni_idx = idx; 2449 } 2450 if (alpn_idx < sni_idx) { 2451 const struct tls_extension *tmp; 2452 2453 tmp = s->tlsext_build_order[alpn_idx]; 2454 s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx]; 2455 s->tlsext_build_order[sni_idx] = tmp; 2456 } 2457 2458 return 1; 2459 } 2460 2461 int 2462 tlsext_linearize_build_order(SSL *s) 2463 { 2464 size_t idx; 2465 2466 free(s->tlsext_build_order); 2467 s->tlsext_build_order_len = 0; 2468 2469 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), 2470 N_TLS_EXTENSIONS)) == NULL) 2471 return 0; 2472 s->tlsext_build_order_len = N_TLS_EXTENSIONS; 2473 2474 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) 2475 s->tlsext_build_order[idx] = &tls_extensions[idx]; 2476 2477 return 1; 2478 } 2479 2480 static int 2481 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2482 { 2483 const struct tls_extension_funcs *ext; 2484 const struct tls_extension *tlsext; 2485 CBB extensions, extension_data; 2486 int extensions_present = 0; 2487 uint16_t tls_version; 2488 size_t i; 2489 2490 tls_version = ssl_effective_tls_version(s); 2491 2492 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2493 return 0; 2494 2495 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2496 tlsext = s->tlsext_build_order[i]; 2497 ext = tlsext_funcs(tlsext, is_server); 2498 2499 /* RFC 8446 Section 4.2 */ 2500 if (tls_version >= TLS1_3_VERSION && 2501 !(tlsext->messages & msg_type)) 2502 continue; 2503 2504 if (!ext->needs(s, msg_type)) 2505 continue; 2506 2507 if (!CBB_add_u16(&extensions, tlsext->type)) 2508 return 0; 2509 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2510 return 0; 2511 2512 if (!ext->build(s, msg_type, &extension_data)) 2513 return 0; 2514 2515 extensions_present = 1; 2516 } 2517 2518 if (!extensions_present && 2519 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2520 CBB_discard_child(cbb); 2521 2522 if (!CBB_flush(cbb)) 2523 return 0; 2524 2525 return 1; 2526 } 2527 2528 int 2529 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2530 { 2531 /* 2532 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2533 * cookie may be added, padding may be removed. 2534 */ 2535 struct tls13_ctx *ctx = s->tls13; 2536 2537 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2538 type == TLSEXT_TYPE_padding) 2539 return 1; 2540 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2541 sizeof(type))) 2542 return 0; 2543 /* 2544 * key_share data may be changed, and pre_shared_key data may 2545 * be changed. 2546 */ 2547 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2548 return 1; 2549 if (!tls13_clienthello_hash_update(ctx, cbs)) 2550 return 0; 2551 2552 return 1; 2553 } 2554 2555 static int 2556 tlsext_parse(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type, 2557 CBS *cbs, int *alert) 2558 { 2559 const struct tls_extension *tlsext; 2560 CBS extensions, extension_data; 2561 uint16_t type; 2562 size_t idx; 2563 uint16_t tls_version; 2564 int alert_desc; 2565 2566 tls_version = ssl_effective_tls_version(s); 2567 2568 s->s3->hs.extensions_seen = 0; 2569 2570 /* An empty extensions block is valid. */ 2571 if (CBS_len(cbs) == 0) 2572 return 1; 2573 2574 alert_desc = SSL_AD_DECODE_ERROR; 2575 2576 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2577 goto err; 2578 2579 while (CBS_len(&extensions) > 0) { 2580 if (!CBS_get_u16(&extensions, &type)) 2581 goto err; 2582 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2583 goto err; 2584 2585 if (s->tlsext_debug_cb != NULL) 2586 s->tlsext_debug_cb(s, !is_server, type, 2587 (unsigned char *)CBS_data(&extension_data), 2588 CBS_len(&extension_data), 2589 s->tlsext_debug_arg); 2590 2591 /* Unknown extensions are ignored. */ 2592 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2593 continue; 2594 2595 if (tls_version >= TLS1_3_VERSION && is_server && 2596 msg_type == SSL_TLSEXT_MSG_CH) { 2597 if (!tlsext_clienthello_hash_extension(s, type, 2598 &extension_data)) 2599 goto err; 2600 } 2601 2602 /* RFC 8446 Section 4.2 */ 2603 if (tls_version >= TLS1_3_VERSION && 2604 !(tlsext->messages & msg_type)) { 2605 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2606 goto err; 2607 } 2608 2609 /* Check for duplicate known extensions. */ 2610 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0) 2611 goto err; 2612 s->s3->hs.extensions_seen |= (1 << idx); 2613 2614 CBS_dup(&extension_data, &td->extensions[idx]); 2615 } 2616 2617 return 1; 2618 2619 err: 2620 *alert = alert_desc; 2621 2622 return 0; 2623 } 2624 2625 static int 2626 tlsext_process(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type, 2627 int *alert) 2628 { 2629 const struct tls_extension_funcs *ext; 2630 const struct tls_extension *tlsext; 2631 int alert_desc; 2632 size_t idx; 2633 2634 alert_desc = SSL_AD_DECODE_ERROR; 2635 2636 s->s3->hs.extensions_processed = 0; 2637 2638 /* Run processing for present TLS extensions, in a defined order. */ 2639 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { 2640 tlsext = &tls_extensions[idx]; 2641 if ((s->s3->hs.extensions_seen & (1 << idx)) == 0) 2642 continue; 2643 ext = tlsext_funcs(tlsext, is_server); 2644 if (ext->process == NULL) 2645 continue; 2646 if (!ext->process(s, msg_type, &td->extensions[idx], &alert_desc)) 2647 goto err; 2648 2649 if (CBS_len(&td->extensions[idx]) != 0) 2650 goto err; 2651 2652 s->s3->hs.extensions_processed |= (1 << idx); 2653 } 2654 2655 return 1; 2656 2657 err: 2658 *alert = alert_desc; 2659 2660 return 0; 2661 } 2662 2663 static void 2664 tlsext_server_reset_state(SSL *s) 2665 { 2666 s->tlsext_status_type = -1; 2667 s->s3->renegotiate_seen = 0; 2668 free(s->s3->alpn_selected); 2669 s->s3->alpn_selected = NULL; 2670 s->s3->alpn_selected_len = 0; 2671 s->srtp_profile = NULL; 2672 } 2673 2674 int 2675 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2676 { 2677 return tlsext_build(s, 1, msg_type, cbb); 2678 } 2679 2680 int 2681 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2682 { 2683 struct tlsext_data *td; 2684 int ret = 0; 2685 2686 if ((td = tlsext_data_new()) == NULL) 2687 goto err; 2688 2689 /* XXX - this should be done by the caller... */ 2690 if (msg_type == SSL_TLSEXT_MSG_CH) 2691 tlsext_server_reset_state(s); 2692 2693 if (!tlsext_parse(s, td, 1, msg_type, cbs, alert)) 2694 goto err; 2695 if (!tlsext_process(s, td, 1, msg_type, alert)) 2696 goto err; 2697 2698 ret = 1; 2699 2700 err: 2701 tlsext_data_free(td); 2702 2703 return ret; 2704 } 2705 2706 static void 2707 tlsext_client_reset_state(SSL *s) 2708 { 2709 s->s3->renegotiate_seen = 0; 2710 free(s->s3->alpn_selected); 2711 s->s3->alpn_selected = NULL; 2712 s->s3->alpn_selected_len = 0; 2713 } 2714 2715 int 2716 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2717 { 2718 return tlsext_build(s, 0, msg_type, cbb); 2719 } 2720 2721 int 2722 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2723 { 2724 struct tlsext_data *td; 2725 int ret = 0; 2726 2727 if ((td = tlsext_data_new()) == NULL) 2728 goto err; 2729 2730 /* XXX - this should be done by the caller... */ 2731 if (msg_type == SSL_TLSEXT_MSG_SH) 2732 tlsext_client_reset_state(s); 2733 2734 if (!tlsext_parse(s, td, 0, msg_type, cbs, alert)) 2735 goto err; 2736 if (!tlsext_process(s, td, 0, msg_type, alert)) 2737 goto err; 2738 2739 ret = 1; 2740 2741 err: 2742 tlsext_data_free(td); 2743 2744 return ret; 2745 } 2746