1 /* $OpenBSD: ssl_tlsext.c,v 1.62 2020/02/18 16:12:14 tb Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <openssl/ocsp.h> 21 22 #include "ssl_locl.h" 23 24 #include "bytestring.h" 25 #include "ssl_sigalgs.h" 26 #include "ssl_tlsext.h" 27 28 /* 29 * Supported Application-Layer Protocol Negotiation - RFC 7301 30 */ 31 32 int 33 tlsext_alpn_client_needs(SSL *s) 34 { 35 /* ALPN protos have been specified and this is the initial handshake */ 36 return s->internal->alpn_client_proto_list != NULL && 37 S3I(s)->tmp.finish_md_len == 0; 38 } 39 40 int 41 tlsext_alpn_client_build(SSL *s, CBB *cbb) 42 { 43 CBB protolist; 44 45 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 46 return 0; 47 48 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 49 s->internal->alpn_client_proto_list_len)) 50 return 0; 51 52 if (!CBB_flush(cbb)) 53 return 0; 54 55 return 1; 56 } 57 58 int 59 tlsext_alpn_server_parse(SSL *s, CBS *cbs, int *alert) 60 { 61 CBS proto_name_list, alpn; 62 const unsigned char *selected; 63 unsigned char selected_len; 64 int r; 65 66 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 67 goto err; 68 if (CBS_len(&alpn) < 2) 69 goto err; 70 if (CBS_len(cbs) != 0) 71 goto err; 72 73 CBS_dup(&alpn, &proto_name_list); 74 while (CBS_len(&proto_name_list) > 0) { 75 CBS proto_name; 76 77 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 78 goto err; 79 if (CBS_len(&proto_name) == 0) 80 goto err; 81 } 82 83 if (s->ctx->internal->alpn_select_cb == NULL) 84 return 1; 85 86 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 87 CBS_data(&alpn), CBS_len(&alpn), 88 s->ctx->internal->alpn_select_cb_arg); 89 if (r == SSL_TLSEXT_ERR_OK) { 90 free(S3I(s)->alpn_selected); 91 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 92 *alert = SSL_AD_INTERNAL_ERROR; 93 return 0; 94 } 95 memcpy(S3I(s)->alpn_selected, selected, selected_len); 96 S3I(s)->alpn_selected_len = selected_len; 97 } 98 99 return 1; 100 101 err: 102 *alert = SSL_AD_DECODE_ERROR; 103 return 0; 104 } 105 106 int 107 tlsext_alpn_server_needs(SSL *s) 108 { 109 return S3I(s)->alpn_selected != NULL; 110 } 111 112 int 113 tlsext_alpn_server_build(SSL *s, CBB *cbb) 114 { 115 CBB list, selected; 116 117 if (!CBB_add_u16_length_prefixed(cbb, &list)) 118 return 0; 119 120 if (!CBB_add_u8_length_prefixed(&list, &selected)) 121 return 0; 122 123 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 124 S3I(s)->alpn_selected_len)) 125 return 0; 126 127 if (!CBB_flush(cbb)) 128 return 0; 129 130 return 1; 131 } 132 133 int 134 tlsext_alpn_client_parse(SSL *s, CBS *cbs, int *alert) 135 { 136 CBS list, proto; 137 138 if (s->internal->alpn_client_proto_list == NULL) { 139 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 140 return 0; 141 } 142 143 if (!CBS_get_u16_length_prefixed(cbs, &list)) 144 goto err; 145 if (CBS_len(cbs) != 0) 146 goto err; 147 148 if (!CBS_get_u8_length_prefixed(&list, &proto)) 149 goto err; 150 151 if (CBS_len(&list) != 0) 152 goto err; 153 if (CBS_len(&proto) == 0) 154 goto err; 155 156 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 157 &(S3I(s)->alpn_selected_len))) 158 goto err; 159 160 return 1; 161 162 err: 163 *alert = TLS1_AD_DECODE_ERROR; 164 return 0; 165 } 166 167 /* 168 * Supported Groups - RFC 7919 section 2 169 */ 170 int 171 tlsext_supportedgroups_client_needs(SSL *s) 172 { 173 return ssl_has_ecc_ciphers(s) || 174 (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 175 } 176 177 int 178 tlsext_supportedgroups_client_build(SSL *s, CBB *cbb) 179 { 180 const uint16_t *groups; 181 size_t groups_len; 182 CBB grouplist; 183 int i; 184 185 tls1_get_group_list(s, 0, &groups, &groups_len); 186 if (groups_len == 0) { 187 SSLerror(s, ERR_R_INTERNAL_ERROR); 188 return 0; 189 } 190 191 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 192 return 0; 193 194 for (i = 0; i < groups_len; i++) { 195 if (!CBB_add_u16(&grouplist, groups[i])) 196 return 0; 197 } 198 199 if (!CBB_flush(cbb)) 200 return 0; 201 202 return 1; 203 } 204 205 int 206 tlsext_supportedgroups_server_parse(SSL *s, CBS *cbs, int *alert) 207 { 208 CBS grouplist; 209 size_t groups_len; 210 211 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 212 goto err; 213 if (CBS_len(cbs) != 0) 214 goto err; 215 216 groups_len = CBS_len(&grouplist); 217 if (groups_len == 0 || groups_len % 2 != 0) 218 goto err; 219 groups_len /= 2; 220 221 if (!s->internal->hit) { 222 uint16_t *groups; 223 int i; 224 225 if (SSI(s)->tlsext_supportedgroups != NULL) 226 goto err; 227 228 if ((groups = reallocarray(NULL, groups_len, 229 sizeof(uint16_t))) == NULL) { 230 *alert = TLS1_AD_INTERNAL_ERROR; 231 return 0; 232 } 233 234 for (i = 0; i < groups_len; i++) { 235 if (!CBS_get_u16(&grouplist, &groups[i])) { 236 free(groups); 237 goto err; 238 } 239 } 240 241 if (CBS_len(&grouplist) != 0) { 242 free(groups); 243 goto err; 244 } 245 246 SSI(s)->tlsext_supportedgroups = groups; 247 SSI(s)->tlsext_supportedgroups_length = groups_len; 248 } 249 250 return 1; 251 252 err: 253 *alert = TLS1_AD_DECODE_ERROR; 254 return 0; 255 } 256 257 /* This extension is never used by the server. */ 258 int 259 tlsext_supportedgroups_server_needs(SSL *s) 260 { 261 return 0; 262 } 263 264 int 265 tlsext_supportedgroups_server_build(SSL *s, CBB *cbb) 266 { 267 return 0; 268 } 269 270 int 271 tlsext_supportedgroups_client_parse(SSL *s, CBS *cbs, int *alert) 272 { 273 /* 274 * Servers should not send this extension per the RFC. 275 * 276 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 277 * from at least 2014 but as of 2017, there are still large sites with 278 * this unpatched in production. As a result, we need to currently skip 279 * over the extension and ignore its content: 280 * 281 * https://support.f5.com/csp/article/K37345003 282 */ 283 if (!CBS_skip(cbs, CBS_len(cbs))) { 284 *alert = TLS1_AD_INTERNAL_ERROR; 285 return 0; 286 } 287 288 return 1; 289 } 290 291 /* 292 * Supported Point Formats Extension - RFC 4492 section 5.1.2 293 */ 294 static int 295 tlsext_ecpf_build(SSL *s, CBB *cbb) 296 { 297 CBB ecpf; 298 size_t formats_len; 299 const uint8_t *formats; 300 301 tls1_get_formatlist(s, 0, &formats, &formats_len); 302 303 if (formats_len == 0) { 304 SSLerror(s, ERR_R_INTERNAL_ERROR); 305 return 0; 306 } 307 308 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 309 return 0; 310 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 311 return 0; 312 if (!CBB_flush(cbb)) 313 return 0; 314 315 return 1; 316 } 317 318 static int 319 tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert) 320 { 321 CBS ecpf; 322 323 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 324 goto err; 325 if (CBS_len(&ecpf) == 0) 326 goto err; 327 if (CBS_len(cbs) != 0) 328 goto err; 329 330 /* Must contain uncompressed (0) */ 331 if (!CBS_contains_zero_byte(&ecpf)) { 332 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 333 goto err; 334 } 335 336 if (!s->internal->hit) { 337 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 338 &(SSI(s)->tlsext_ecpointformatlist_length))) { 339 *alert = TLS1_AD_INTERNAL_ERROR; 340 return 0; 341 } 342 } 343 344 return 1; 345 346 err: 347 *alert = SSL_AD_DECODE_ERROR; 348 return 0; 349 } 350 351 int 352 tlsext_ecpf_client_needs(SSL *s) 353 { 354 return ssl_has_ecc_ciphers(s); 355 } 356 357 int 358 tlsext_ecpf_client_build(SSL *s, CBB *cbb) 359 { 360 return tlsext_ecpf_build(s, cbb); 361 } 362 363 int 364 tlsext_ecpf_server_parse(SSL *s, CBS *cbs, int *alert) 365 { 366 return tlsext_ecpf_parse(s, cbs, alert); 367 } 368 369 int 370 tlsext_ecpf_server_needs(SSL *s) 371 { 372 if (s->version == DTLS1_VERSION) 373 return 0; 374 375 return ssl_using_ecc_cipher(s); 376 } 377 378 int 379 tlsext_ecpf_server_build(SSL *s, CBB *cbb) 380 { 381 return tlsext_ecpf_build(s, cbb); 382 } 383 384 int 385 tlsext_ecpf_client_parse(SSL *s, CBS *cbs, int *alert) 386 { 387 return tlsext_ecpf_parse(s, cbs, alert); 388 } 389 390 /* 391 * Renegotiation Indication - RFC 5746. 392 */ 393 int 394 tlsext_ri_client_needs(SSL *s) 395 { 396 return (s->internal->renegotiate); 397 } 398 399 int 400 tlsext_ri_client_build(SSL *s, CBB *cbb) 401 { 402 CBB reneg; 403 404 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 405 return 0; 406 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 407 S3I(s)->previous_client_finished_len)) 408 return 0; 409 if (!CBB_flush(cbb)) 410 return 0; 411 412 return 1; 413 } 414 415 int 416 tlsext_ri_server_parse(SSL *s, CBS *cbs, int *alert) 417 { 418 CBS reneg; 419 420 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 421 goto err; 422 if (CBS_len(cbs) != 0) 423 goto err; 424 425 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 426 S3I(s)->previous_client_finished_len)) { 427 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 428 *alert = SSL_AD_HANDSHAKE_FAILURE; 429 return 0; 430 } 431 432 S3I(s)->renegotiate_seen = 1; 433 S3I(s)->send_connection_binding = 1; 434 435 return 1; 436 437 err: 438 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 439 *alert = SSL_AD_DECODE_ERROR; 440 return 0; 441 } 442 443 int 444 tlsext_ri_server_needs(SSL *s) 445 { 446 return (s->version < TLS1_3_VERSION && S3I(s)->send_connection_binding); 447 } 448 449 int 450 tlsext_ri_server_build(SSL *s, CBB *cbb) 451 { 452 CBB reneg; 453 454 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 455 return 0; 456 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 457 S3I(s)->previous_client_finished_len)) 458 return 0; 459 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 460 S3I(s)->previous_server_finished_len)) 461 return 0; 462 if (!CBB_flush(cbb)) 463 return 0; 464 465 return 1; 466 } 467 468 int 469 tlsext_ri_client_parse(SSL *s, CBS *cbs, int *alert) 470 { 471 CBS reneg, prev_client, prev_server; 472 473 /* 474 * Ensure that the previous client and server values are both not 475 * present, or that they are both present. 476 */ 477 if ((S3I(s)->previous_client_finished_len == 0 && 478 S3I(s)->previous_server_finished_len != 0) || 479 (S3I(s)->previous_client_finished_len != 0 && 480 S3I(s)->previous_server_finished_len == 0)) { 481 *alert = TLS1_AD_INTERNAL_ERROR; 482 return 0; 483 } 484 485 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 486 goto err; 487 if (!CBS_get_bytes(&reneg, &prev_client, 488 S3I(s)->previous_client_finished_len)) 489 goto err; 490 if (!CBS_get_bytes(&reneg, &prev_server, 491 S3I(s)->previous_server_finished_len)) 492 goto err; 493 if (CBS_len(&reneg) != 0) 494 goto err; 495 if (CBS_len(cbs) != 0) 496 goto err; 497 498 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 499 S3I(s)->previous_client_finished_len)) { 500 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 501 *alert = SSL_AD_HANDSHAKE_FAILURE; 502 return 0; 503 } 504 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 505 S3I(s)->previous_server_finished_len)) { 506 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 507 *alert = SSL_AD_HANDSHAKE_FAILURE; 508 return 0; 509 } 510 511 S3I(s)->renegotiate_seen = 1; 512 S3I(s)->send_connection_binding = 1; 513 514 return 1; 515 516 err: 517 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 518 *alert = SSL_AD_DECODE_ERROR; 519 return 0; 520 } 521 522 /* 523 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 524 */ 525 int 526 tlsext_sigalgs_client_needs(SSL *s) 527 { 528 return (TLS1_get_client_version(s) >= TLS1_2_VERSION); 529 } 530 531 int 532 tlsext_sigalgs_client_build(SSL *s, CBB *cbb) 533 { 534 uint16_t *tls_sigalgs = tls12_sigalgs; 535 size_t tls_sigalgs_len = tls12_sigalgs_len; 536 CBB sigalgs; 537 538 if (TLS1_get_client_version(s) >= TLS1_3_VERSION && 539 S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) { 540 tls_sigalgs = tls13_sigalgs; 541 tls_sigalgs_len = tls13_sigalgs_len; 542 } 543 544 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 545 return 0; 546 547 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 548 return 0; 549 550 if (!CBB_flush(cbb)) 551 return 0; 552 553 return 1; 554 } 555 556 int 557 tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert) 558 { 559 CBS sigalgs; 560 561 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 562 return 0; 563 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 564 return 0; 565 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 566 return 0; 567 568 return 1; 569 } 570 571 int 572 tlsext_sigalgs_server_needs(SSL *s) 573 { 574 return (s->version >= TLS1_3_VERSION); 575 } 576 577 int 578 tlsext_sigalgs_server_build(SSL *s, CBB *cbb) 579 { 580 uint16_t *tls_sigalgs = tls12_sigalgs; 581 size_t tls_sigalgs_len = tls12_sigalgs_len; 582 CBB sigalgs; 583 584 if (s->version >= TLS1_3_VERSION) { 585 tls_sigalgs = tls13_sigalgs; 586 tls_sigalgs_len = tls13_sigalgs_len; 587 } 588 589 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 590 return 0; 591 592 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 593 return 0; 594 595 if (!CBB_flush(cbb)) 596 return 0; 597 598 return 1; 599 } 600 601 int 602 tlsext_sigalgs_client_parse(SSL *s, CBS *cbs, int *alert) 603 { 604 CBS sigalgs; 605 606 if (s->version < TLS1_3_VERSION) 607 return 0; 608 609 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 610 return 0; 611 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 612 return 0; 613 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 614 return 0; 615 616 return 1; 617 } 618 619 /* 620 * Server Name Indication - RFC 6066, section 3. 621 */ 622 int 623 tlsext_sni_client_needs(SSL *s) 624 { 625 return (s->tlsext_hostname != NULL); 626 } 627 628 int 629 tlsext_sni_client_build(SSL *s, CBB *cbb) 630 { 631 CBB server_name_list, host_name; 632 633 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 634 return 0; 635 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 636 return 0; 637 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 638 return 0; 639 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 640 strlen(s->tlsext_hostname))) 641 return 0; 642 if (!CBB_flush(cbb)) 643 return 0; 644 645 return 1; 646 } 647 648 int 649 tlsext_sni_server_parse(SSL *s, CBS *cbs, int *alert) 650 { 651 CBS server_name_list, host_name; 652 uint8_t name_type; 653 654 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 655 goto err; 656 657 /* 658 * RFC 6066 section 3 forbids multiple host names with the same type. 659 * Additionally, only one type (host_name) is specified. 660 */ 661 if (!CBS_get_u8(&server_name_list, &name_type)) 662 goto err; 663 if (name_type != TLSEXT_NAMETYPE_host_name) 664 goto err; 665 666 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 667 goto err; 668 if (CBS_len(&host_name) == 0 || 669 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || 670 CBS_contains_zero_byte(&host_name)) { 671 *alert = TLS1_AD_UNRECOGNIZED_NAME; 672 return 0; 673 } 674 675 if (s->internal->hit) { 676 if (s->session->tlsext_hostname == NULL) { 677 *alert = TLS1_AD_UNRECOGNIZED_NAME; 678 return 0; 679 } 680 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 681 strlen(s->session->tlsext_hostname))) { 682 *alert = TLS1_AD_UNRECOGNIZED_NAME; 683 return 0; 684 } 685 } else { 686 if (s->session->tlsext_hostname != NULL) 687 goto err; 688 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 689 *alert = TLS1_AD_INTERNAL_ERROR; 690 return 0; 691 } 692 } 693 694 if (CBS_len(&server_name_list) != 0) 695 goto err; 696 if (CBS_len(cbs) != 0) 697 goto err; 698 699 return 1; 700 701 err: 702 *alert = SSL_AD_DECODE_ERROR; 703 return 0; 704 } 705 706 int 707 tlsext_sni_server_needs(SSL *s) 708 { 709 if (s->internal->hit) 710 return 0; 711 712 return (s->session->tlsext_hostname != NULL); 713 } 714 715 int 716 tlsext_sni_server_build(SSL *s, CBB *cbb) 717 { 718 return 1; 719 } 720 721 int 722 tlsext_sni_client_parse(SSL *s, CBS *cbs, int *alert) 723 { 724 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 725 *alert = TLS1_AD_UNRECOGNIZED_NAME; 726 return 0; 727 } 728 729 if (s->internal->hit) { 730 if (s->session->tlsext_hostname == NULL) { 731 *alert = TLS1_AD_UNRECOGNIZED_NAME; 732 return 0; 733 } 734 if (strcmp(s->tlsext_hostname, 735 s->session->tlsext_hostname) != 0) { 736 *alert = TLS1_AD_UNRECOGNIZED_NAME; 737 return 0; 738 } 739 } else { 740 if (s->session->tlsext_hostname != NULL) { 741 *alert = SSL_AD_DECODE_ERROR; 742 return 0; 743 } 744 if ((s->session->tlsext_hostname = 745 strdup(s->tlsext_hostname)) == NULL) { 746 *alert = TLS1_AD_INTERNAL_ERROR; 747 return 0; 748 } 749 } 750 751 return 1; 752 } 753 754 755 /* 756 *Certificate Status Request - RFC 6066 section 8. 757 */ 758 759 int 760 tlsext_ocsp_client_needs(SSL *s) 761 { 762 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 763 s->version != DTLS1_VERSION); 764 } 765 766 int 767 tlsext_ocsp_client_build(SSL *s, CBB *cbb) 768 { 769 CBB respid_list, respid, exts; 770 unsigned char *ext_data; 771 size_t ext_len; 772 int i; 773 774 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 775 return 0; 776 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 777 return 0; 778 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 779 unsigned char *respid_data; 780 OCSP_RESPID *id; 781 size_t id_len; 782 783 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 784 i)) == NULL) 785 return 0; 786 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 787 return 0; 788 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 789 return 0; 790 if (!CBB_add_space(&respid, &respid_data, id_len)) 791 return 0; 792 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 793 return 0; 794 } 795 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 796 return 0; 797 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 798 NULL)) == -1) 799 return 0; 800 if (!CBB_add_space(&exts, &ext_data, ext_len)) 801 return 0; 802 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 803 ext_len)) 804 return 0; 805 if (!CBB_flush(cbb)) 806 return 0; 807 return 1; 808 } 809 810 int 811 tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert) 812 { 813 int alert_desc = SSL_AD_DECODE_ERROR; 814 CBS respid_list, respid, exts; 815 const unsigned char *p; 816 uint8_t status_type; 817 int ret = 0; 818 819 if (!CBS_get_u8(cbs, &status_type)) 820 goto err; 821 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 822 /* ignore unknown status types */ 823 s->tlsext_status_type = -1; 824 825 if (!CBS_skip(cbs, CBS_len(cbs))) { 826 *alert = TLS1_AD_INTERNAL_ERROR; 827 return 0; 828 } 829 return 1; 830 } 831 s->tlsext_status_type = status_type; 832 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 833 goto err; 834 835 /* XXX */ 836 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 837 s->internal->tlsext_ocsp_ids = NULL; 838 if (CBS_len(&respid_list) > 0) { 839 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 840 if (s->internal->tlsext_ocsp_ids == NULL) { 841 alert_desc = SSL_AD_INTERNAL_ERROR; 842 goto err; 843 } 844 } 845 846 while (CBS_len(&respid_list) > 0) { 847 OCSP_RESPID *id; 848 849 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 850 goto err; 851 p = CBS_data(&respid); 852 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 853 goto err; 854 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 855 alert_desc = SSL_AD_INTERNAL_ERROR; 856 OCSP_RESPID_free(id); 857 goto err; 858 } 859 } 860 861 /* Read in request_extensions */ 862 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 863 goto err; 864 if (CBS_len(&exts) > 0) { 865 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 866 X509_EXTENSION_free); 867 p = CBS_data(&exts); 868 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 869 &p, CBS_len(&exts))) == NULL) 870 goto err; 871 } 872 873 /* should be nothing left */ 874 if (CBS_len(cbs) > 0) 875 goto err; 876 877 ret = 1; 878 err: 879 if (ret == 0) 880 *alert = alert_desc; 881 return ret; 882 } 883 884 int 885 tlsext_ocsp_server_needs(SSL *s) 886 { 887 return s->internal->tlsext_status_expected; 888 } 889 890 int 891 tlsext_ocsp_server_build(SSL *s, CBB *cbb) 892 { 893 return 1; 894 } 895 896 int 897 tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert) 898 { 899 if (s->tlsext_status_type == -1) { 900 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 901 return 0; 902 } 903 /* Set flag to expect CertificateStatus message */ 904 s->internal->tlsext_status_expected = 1; 905 return 1; 906 } 907 908 /* 909 * SessionTicket extension - RFC 5077 section 3.2 910 */ 911 int 912 tlsext_sessionticket_client_needs(SSL *s) 913 { 914 /* 915 * Send session ticket extension when enabled and not overridden. 916 * 917 * When renegotiating, send an empty session ticket to indicate support. 918 */ 919 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 920 return 0; 921 922 if (s->internal->new_session) 923 return 1; 924 925 if (s->internal->tlsext_session_ticket != NULL && 926 s->internal->tlsext_session_ticket->data == NULL) 927 return 0; 928 929 return 1; 930 } 931 932 int 933 tlsext_sessionticket_client_build(SSL *s, CBB *cbb) 934 { 935 /* 936 * Signal that we support session tickets by sending an empty 937 * extension when renegotiating or no session found. 938 */ 939 if (s->internal->new_session || s->session == NULL) 940 return 1; 941 942 if (s->session->tlsext_tick != NULL) { 943 /* Attempt to resume with an existing session ticket */ 944 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 945 s->session->tlsext_ticklen)) 946 return 0; 947 948 } else if (s->internal->tlsext_session_ticket != NULL) { 949 /* 950 * Attempt to resume with a custom provided session ticket set 951 * by SSL_set_session_ticket_ext(). 952 */ 953 if (s->internal->tlsext_session_ticket->length > 0) { 954 size_t ticklen = s->internal->tlsext_session_ticket->length; 955 956 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 957 return 0; 958 memcpy(s->session->tlsext_tick, 959 s->internal->tlsext_session_ticket->data, 960 ticklen); 961 s->session->tlsext_ticklen = ticklen; 962 963 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 964 s->session->tlsext_ticklen)) 965 return 0; 966 } 967 } 968 969 if (!CBB_flush(cbb)) 970 return 0; 971 972 return 1; 973 } 974 975 int 976 tlsext_sessionticket_server_parse(SSL *s, CBS *cbs, int *alert) 977 { 978 if (s->internal->tls_session_ticket_ext_cb) { 979 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 980 (int)CBS_len(cbs), 981 s->internal->tls_session_ticket_ext_cb_arg)) { 982 *alert = TLS1_AD_INTERNAL_ERROR; 983 return 0; 984 } 985 } 986 987 /* We need to signal that this was processed fully */ 988 if (!CBS_skip(cbs, CBS_len(cbs))) { 989 *alert = TLS1_AD_INTERNAL_ERROR; 990 return 0; 991 } 992 993 return 1; 994 } 995 996 int 997 tlsext_sessionticket_server_needs(SSL *s) 998 { 999 return (s->internal->tlsext_ticket_expected && 1000 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 1001 } 1002 1003 int 1004 tlsext_sessionticket_server_build(SSL *s, CBB *cbb) 1005 { 1006 /* Empty ticket */ 1007 return 1; 1008 } 1009 1010 int 1011 tlsext_sessionticket_client_parse(SSL *s, CBS *cbs, int *alert) 1012 { 1013 if (s->internal->tls_session_ticket_ext_cb) { 1014 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1015 (int)CBS_len(cbs), 1016 s->internal->tls_session_ticket_ext_cb_arg)) { 1017 *alert = TLS1_AD_INTERNAL_ERROR; 1018 return 0; 1019 } 1020 } 1021 1022 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1023 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1024 return 0; 1025 } 1026 1027 s->internal->tlsext_ticket_expected = 1; 1028 1029 return 1; 1030 } 1031 1032 /* 1033 * DTLS extension for SRTP key establishment - RFC 5764 1034 */ 1035 1036 #ifndef OPENSSL_NO_SRTP 1037 1038 int 1039 tlsext_srtp_client_needs(SSL *s) 1040 { 1041 return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL; 1042 } 1043 1044 int 1045 tlsext_srtp_client_build(SSL *s, CBB *cbb) 1046 { 1047 CBB profiles, mki; 1048 int ct, i; 1049 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1050 SRTP_PROTECTION_PROFILE *prof; 1051 1052 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1053 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1054 return 0; 1055 } 1056 1057 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1058 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1059 return 0; 1060 } 1061 1062 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1063 return 0; 1064 1065 for (i = 0; i < ct; i++) { 1066 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1067 return 0; 1068 if (!CBB_add_u16(&profiles, prof->id)) 1069 return 0; 1070 } 1071 1072 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1073 return 0; 1074 1075 if (!CBB_flush(cbb)) 1076 return 0; 1077 1078 return 1; 1079 } 1080 1081 int 1082 tlsext_srtp_server_parse(SSL *s, CBS *cbs, int *alert) 1083 { 1084 SRTP_PROTECTION_PROFILE *cprof, *sprof; 1085 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1086 int i, j; 1087 int ret; 1088 uint16_t id; 1089 CBS profiles, mki; 1090 1091 ret = 0; 1092 1093 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1094 goto err; 1095 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1096 goto err; 1097 1098 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1099 goto err; 1100 1101 while (CBS_len(&profiles) > 0) { 1102 if (!CBS_get_u16(&profiles, &id)) 1103 goto err; 1104 1105 if (!srtp_find_profile_by_num(id, &cprof)) { 1106 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1107 goto err; 1108 } 1109 } 1110 1111 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1112 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1113 *alert = SSL_AD_DECODE_ERROR; 1114 goto done; 1115 } 1116 if (CBS_len(cbs) != 0) 1117 goto err; 1118 1119 /* 1120 * Per RFC 5764 section 4.1.1 1121 * 1122 * Find the server preferred profile using the client's list. 1123 * 1124 * The server MUST send a profile if it sends the use_srtp 1125 * extension. If one is not found, it should fall back to the 1126 * negotiated DTLS cipher suite or return a DTLS alert. 1127 */ 1128 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1129 goto err; 1130 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1131 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1132 == NULL) 1133 goto err; 1134 1135 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1136 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1137 == NULL) 1138 goto err; 1139 1140 if (cprof->id == sprof->id) { 1141 s->internal->srtp_profile = sprof; 1142 ret = 1; 1143 goto done; 1144 } 1145 } 1146 } 1147 1148 /* If we didn't find anything, fall back to the negotiated */ 1149 ret = 1; 1150 goto done; 1151 1152 err: 1153 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1154 *alert = SSL_AD_DECODE_ERROR; 1155 1156 done: 1157 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1158 return ret; 1159 } 1160 1161 int 1162 tlsext_srtp_server_needs(SSL *s) 1163 { 1164 return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL; 1165 } 1166 1167 int 1168 tlsext_srtp_server_build(SSL *s, CBB *cbb) 1169 { 1170 SRTP_PROTECTION_PROFILE *profile; 1171 CBB srtp, mki; 1172 1173 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1174 return 0; 1175 1176 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1177 return 0; 1178 1179 if (!CBB_add_u16(&srtp, profile->id)) 1180 return 0; 1181 1182 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1183 return 0; 1184 1185 if (!CBB_flush(cbb)) 1186 return 0; 1187 1188 return 1; 1189 } 1190 1191 int 1192 tlsext_srtp_client_parse(SSL *s, CBS *cbs, int *alert) 1193 { 1194 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1195 SRTP_PROTECTION_PROFILE *prof; 1196 int i; 1197 uint16_t id; 1198 CBS profile_ids, mki; 1199 1200 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1201 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1202 goto err; 1203 } 1204 1205 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1206 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1207 goto err; 1208 } 1209 1210 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1211 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1212 *alert = SSL_AD_ILLEGAL_PARAMETER; 1213 return 0; 1214 } 1215 1216 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1217 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1218 goto err; 1219 } 1220 1221 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1222 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1223 == NULL) { 1224 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1225 goto err; 1226 } 1227 1228 if (prof->id == id) { 1229 s->internal->srtp_profile = prof; 1230 return 1; 1231 } 1232 } 1233 1234 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1235 err: 1236 *alert = SSL_AD_DECODE_ERROR; 1237 return 0; 1238 } 1239 1240 #endif /* OPENSSL_NO_SRTP */ 1241 1242 /* 1243 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1244 */ 1245 int 1246 tlsext_keyshare_client_needs(SSL *s) 1247 { 1248 /* XXX once this gets initialized when we get tls13_client.c */ 1249 if (S3I(s)->hs_tls13.max_version == 0) 1250 return 0; 1251 return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= 1252 TLS1_3_VERSION); 1253 } 1254 1255 int 1256 tlsext_keyshare_client_build(SSL *s, CBB *cbb) 1257 { 1258 CBB client_shares; 1259 1260 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1261 return 0; 1262 1263 if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, 1264 &client_shares)) 1265 return 0; 1266 1267 if (!CBB_flush(cbb)) 1268 return 0; 1269 1270 return 1; 1271 } 1272 1273 int 1274 tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert) 1275 { 1276 CBS client_shares, key_exchange; 1277 uint16_t group; 1278 1279 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1280 goto err; 1281 1282 while (CBS_len(&client_shares) > 0) { 1283 1284 /* Unpack client share. */ 1285 if (!CBS_get_u16(&client_shares, &group)) 1286 goto err; 1287 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1288 return 0; 1289 1290 /* 1291 * XXX support other groups later. 1292 * XXX enforce group can only appear once. 1293 */ 1294 if (S3I(s)->hs_tls13.key_share == NULL || 1295 tls13_key_share_group(S3I(s)->hs_tls13.key_share) != group) 1296 continue; 1297 1298 if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, 1299 group, &key_exchange)) 1300 goto err; 1301 } 1302 1303 return 1; 1304 1305 err: 1306 *alert = SSL_AD_DECODE_ERROR; 1307 return 0; 1308 } 1309 1310 int 1311 tlsext_keyshare_server_needs(SSL *s) 1312 { 1313 if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION) 1314 return 0; 1315 1316 return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); 1317 } 1318 1319 int 1320 tlsext_keyshare_server_build(SSL *s, CBB *cbb) 1321 { 1322 if (S3I(s)->hs_tls13.key_share == NULL) 1323 return 0; 1324 1325 if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb)) 1326 return 0; 1327 1328 return 1; 1329 } 1330 1331 int 1332 tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert) 1333 { 1334 CBS key_exchange; 1335 uint16_t group; 1336 1337 /* Unpack server share. */ 1338 if (!CBS_get_u16(cbs, &group)) 1339 goto err; 1340 1341 if (CBS_len(cbs) == 0) { 1342 /* HRR does not include an actual key share. */ 1343 /* XXX - we should know that we are in a HRR... */ 1344 S3I(s)->hs_tls13.server_group = group; 1345 return 1; 1346 } 1347 1348 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1349 return 0; 1350 1351 if (S3I(s)->hs_tls13.key_share == NULL) 1352 return 0; 1353 1354 if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, 1355 group, &key_exchange)) 1356 goto err; 1357 1358 return 1; 1359 1360 err: 1361 *alert = SSL_AD_DECODE_ERROR; 1362 return 0; 1363 } 1364 1365 /* 1366 * Supported Versions - RFC 8446 section 4.2.1. 1367 */ 1368 int 1369 tlsext_versions_client_needs(SSL *s) 1370 { 1371 if (SSL_IS_DTLS(s)) 1372 return 0; 1373 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 1374 } 1375 1376 int 1377 tlsext_versions_client_build(SSL *s, CBB *cbb) 1378 { 1379 uint16_t max, min; 1380 uint16_t version; 1381 CBB versions; 1382 1383 max = S3I(s)->hs_tls13.max_version; 1384 min = S3I(s)->hs_tls13.min_version; 1385 1386 if (min < TLS1_VERSION) 1387 return 0; 1388 1389 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1390 return 0; 1391 1392 /* XXX - fix, but contiguous for now... */ 1393 for (version = max; version >= min; version--) { 1394 if (!CBB_add_u16(&versions, version)) 1395 return 0; 1396 } 1397 1398 if (!CBB_flush(cbb)) 1399 return 0; 1400 1401 return 1; 1402 } 1403 1404 int 1405 tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert) 1406 { 1407 CBS versions; 1408 uint16_t version; 1409 uint16_t max, min; 1410 uint16_t matched_version = 0; 1411 1412 max = S3I(s)->hs_tls13.max_version; 1413 min = S3I(s)->hs_tls13.min_version; 1414 1415 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1416 goto err; 1417 1418 while (CBS_len(&versions) > 0) { 1419 if (!CBS_get_u16(&versions, &version)) 1420 goto err; 1421 /* 1422 * XXX What is below implements client preference, and 1423 * ignores any server preference entirely. 1424 */ 1425 if (matched_version == 0 && version >= min && version <= max) 1426 matched_version = version; 1427 } 1428 1429 /* 1430 * XXX if we haven't matched a version we should 1431 * fail - but we currently need to succeed to 1432 * ignore this before the server code for 1.3 1433 * is set up and initialized. 1434 */ 1435 if (max == 0) 1436 return 1; /* XXX */ 1437 1438 if (matched_version != 0) { 1439 s->version = matched_version; 1440 return 1; 1441 } 1442 1443 *alert = SSL_AD_PROTOCOL_VERSION; 1444 return 0; 1445 1446 err: 1447 *alert = SSL_AD_DECODE_ERROR; 1448 return 0; 1449 } 1450 1451 int 1452 tlsext_versions_server_needs(SSL *s) 1453 { 1454 return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); 1455 } 1456 1457 int 1458 tlsext_versions_server_build(SSL *s, CBB *cbb) 1459 { 1460 if (!CBB_add_u16(cbb, TLS1_3_VERSION)) 1461 return 0; 1462 /* XXX set 1.2 in legacy version? */ 1463 1464 return 1; 1465 } 1466 1467 int 1468 tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert) 1469 { 1470 uint16_t selected_version; 1471 1472 if (!CBS_get_u16(cbs, &selected_version)) { 1473 *alert = SSL_AD_DECODE_ERROR; 1474 return 0; 1475 } 1476 1477 if (selected_version < TLS1_3_VERSION) { 1478 *alert = SSL_AD_ILLEGAL_PARAMETER; 1479 return 0; 1480 } 1481 1482 /* XXX test between min and max once initialization code goes in */ 1483 S3I(s)->hs_tls13.server_version = selected_version; 1484 1485 return 1; 1486 } 1487 1488 1489 /* 1490 * Cookie - RFC 8446 section 4.2.2. 1491 */ 1492 1493 int 1494 tlsext_cookie_client_needs(SSL *s) 1495 { 1496 if (SSL_IS_DTLS(s)) 1497 return 0; 1498 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1499 return 0; 1500 return (S3I(s)->hs_tls13.cookie_len > 0 && 1501 S3I(s)->hs_tls13.cookie != NULL); 1502 } 1503 1504 int 1505 tlsext_cookie_client_build(SSL *s, CBB *cbb) 1506 { 1507 CBB cookie; 1508 1509 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1510 return 0; 1511 1512 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1513 S3I(s)->hs_tls13.cookie_len)) 1514 return 0; 1515 1516 if (!CBB_flush(cbb)) 1517 return 0; 1518 1519 return 1; 1520 } 1521 1522 int 1523 tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert) 1524 { 1525 CBS cookie; 1526 1527 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1528 goto err; 1529 1530 if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len) 1531 goto err; 1532 1533 /* 1534 * Check provided cookie value against what server previously 1535 * sent - client *MUST* send the same cookie with new CR after 1536 * a cookie is sent by the server with an HRR. 1537 */ 1538 if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie, 1539 S3I(s)->hs_tls13.cookie_len)) { 1540 /* XXX special cookie mismatch alert? */ 1541 *alert = SSL_AD_ILLEGAL_PARAMETER; 1542 return 0; 1543 } 1544 1545 return 1; 1546 1547 err: 1548 *alert = SSL_AD_DECODE_ERROR; 1549 return 0; 1550 } 1551 1552 int 1553 tlsext_cookie_server_needs(SSL *s) 1554 { 1555 1556 if (SSL_IS_DTLS(s)) 1557 return 0; 1558 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1559 return 0; 1560 /* 1561 * Server needs to set cookie value in tls13 handshake 1562 * in order to send one, should only be sent with HRR. 1563 */ 1564 return (S3I(s)->hs_tls13.cookie_len > 0 && 1565 S3I(s)->hs_tls13.cookie != NULL); 1566 } 1567 1568 int 1569 tlsext_cookie_server_build(SSL *s, CBB *cbb) 1570 { 1571 CBB cookie; 1572 1573 /* XXX deduplicate with client code */ 1574 1575 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1576 return 0; 1577 1578 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1579 S3I(s)->hs_tls13.cookie_len)) 1580 return 0; 1581 1582 if (!CBB_flush(cbb)) 1583 return 0; 1584 1585 return 1; 1586 } 1587 1588 int 1589 tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert) 1590 { 1591 CBS cookie; 1592 1593 /* 1594 * XXX This currently assumes we will not get a second 1595 * HRR from a server with a cookie to process after accepting 1596 * one from the server in the same handshake 1597 */ 1598 if (S3I(s)->hs_tls13.cookie != NULL || 1599 S3I(s)->hs_tls13.cookie_len != 0) { 1600 *alert = SSL_AD_ILLEGAL_PARAMETER; 1601 return 0; 1602 } 1603 1604 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1605 goto err; 1606 1607 if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie, 1608 &S3I(s)->hs_tls13.cookie_len)) 1609 goto err; 1610 1611 return 1; 1612 1613 err: 1614 *alert = SSL_AD_DECODE_ERROR; 1615 return 0; 1616 } 1617 1618 struct tls_extension_funcs { 1619 int (*needs)(SSL *s); 1620 int (*build)(SSL *s, CBB *cbb); 1621 int (*parse)(SSL *s, CBS *cbs, int *alert); 1622 }; 1623 1624 struct tls_extension { 1625 uint16_t type; 1626 uint16_t messages; 1627 struct tls_extension_funcs client; 1628 struct tls_extension_funcs server; 1629 }; 1630 1631 static struct tls_extension tls_extensions[] = { 1632 { 1633 .type = TLSEXT_TYPE_supported_versions, 1634 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1635 SSL_TLSEXT_MSG_HRR, 1636 .client = { 1637 .needs = tlsext_versions_client_needs, 1638 .build = tlsext_versions_client_build, 1639 .parse = tlsext_versions_client_parse, 1640 }, 1641 .server = { 1642 .needs = tlsext_versions_server_needs, 1643 .build = tlsext_versions_server_build, 1644 .parse = tlsext_versions_server_parse, 1645 }, 1646 }, 1647 { 1648 .type = TLSEXT_TYPE_key_share, 1649 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1650 SSL_TLSEXT_MSG_HRR, 1651 .client = { 1652 .needs = tlsext_keyshare_client_needs, 1653 .build = tlsext_keyshare_client_build, 1654 .parse = tlsext_keyshare_client_parse, 1655 }, 1656 .server = { 1657 .needs = tlsext_keyshare_server_needs, 1658 .build = tlsext_keyshare_server_build, 1659 .parse = tlsext_keyshare_server_parse, 1660 }, 1661 }, 1662 { 1663 .type = TLSEXT_TYPE_server_name, 1664 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1665 .client = { 1666 .needs = tlsext_sni_client_needs, 1667 .build = tlsext_sni_client_build, 1668 .parse = tlsext_sni_client_parse, 1669 }, 1670 .server = { 1671 .needs = tlsext_sni_server_needs, 1672 .build = tlsext_sni_server_build, 1673 .parse = tlsext_sni_server_parse, 1674 }, 1675 }, 1676 { 1677 .type = TLSEXT_TYPE_renegotiate, 1678 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1679 .client = { 1680 .needs = tlsext_ri_client_needs, 1681 .build = tlsext_ri_client_build, 1682 .parse = tlsext_ri_client_parse, 1683 }, 1684 .server = { 1685 .needs = tlsext_ri_server_needs, 1686 .build = tlsext_ri_server_build, 1687 .parse = tlsext_ri_server_parse, 1688 }, 1689 }, 1690 { 1691 .type = TLSEXT_TYPE_status_request, 1692 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 1693 SSL_TLSEXT_MSG_CT, 1694 .client = { 1695 .needs = tlsext_ocsp_client_needs, 1696 .build = tlsext_ocsp_client_build, 1697 .parse = tlsext_ocsp_client_parse, 1698 }, 1699 .server = { 1700 .needs = tlsext_ocsp_server_needs, 1701 .build = tlsext_ocsp_server_build, 1702 .parse = tlsext_ocsp_server_parse, 1703 }, 1704 }, 1705 { 1706 .type = TLSEXT_TYPE_ec_point_formats, 1707 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1708 .client = { 1709 .needs = tlsext_ecpf_client_needs, 1710 .build = tlsext_ecpf_client_build, 1711 .parse = tlsext_ecpf_client_parse, 1712 }, 1713 .server = { 1714 .needs = tlsext_ecpf_server_needs, 1715 .build = tlsext_ecpf_server_build, 1716 .parse = tlsext_ecpf_server_parse, 1717 }, 1718 }, 1719 { 1720 .type = TLSEXT_TYPE_supported_groups, 1721 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1722 .client = { 1723 .needs = tlsext_supportedgroups_client_needs, 1724 .build = tlsext_supportedgroups_client_build, 1725 .parse = tlsext_supportedgroups_client_parse, 1726 }, 1727 .server = { 1728 .needs = tlsext_supportedgroups_server_needs, 1729 .build = tlsext_supportedgroups_server_build, 1730 .parse = tlsext_supportedgroups_server_parse, 1731 }, 1732 }, 1733 { 1734 .type = TLSEXT_TYPE_session_ticket, 1735 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1736 .client = { 1737 .needs = tlsext_sessionticket_client_needs, 1738 .build = tlsext_sessionticket_client_build, 1739 .parse = tlsext_sessionticket_client_parse, 1740 }, 1741 .server = { 1742 .needs = tlsext_sessionticket_server_needs, 1743 .build = tlsext_sessionticket_server_build, 1744 .parse = tlsext_sessionticket_server_parse, 1745 }, 1746 }, 1747 { 1748 .type = TLSEXT_TYPE_signature_algorithms, 1749 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 1750 .client = { 1751 .needs = tlsext_sigalgs_client_needs, 1752 .build = tlsext_sigalgs_client_build, 1753 .parse = tlsext_sigalgs_client_parse, 1754 }, 1755 .server = { 1756 .needs = tlsext_sigalgs_server_needs, 1757 .build = tlsext_sigalgs_server_build, 1758 .parse = tlsext_sigalgs_server_parse, 1759 }, 1760 }, 1761 { 1762 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1763 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1764 .client = { 1765 .needs = tlsext_alpn_client_needs, 1766 .build = tlsext_alpn_client_build, 1767 .parse = tlsext_alpn_client_parse, 1768 }, 1769 .server = { 1770 .needs = tlsext_alpn_server_needs, 1771 .build = tlsext_alpn_server_build, 1772 .parse = tlsext_alpn_server_parse, 1773 }, 1774 }, 1775 { 1776 .type = TLSEXT_TYPE_cookie, 1777 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 1778 .client = { 1779 .needs = tlsext_cookie_client_needs, 1780 .build = tlsext_cookie_client_build, 1781 .parse = tlsext_cookie_client_parse, 1782 }, 1783 .server = { 1784 .needs = tlsext_cookie_server_needs, 1785 .build = tlsext_cookie_server_build, 1786 .parse = tlsext_cookie_server_parse, 1787 }, 1788 }, 1789 #ifndef OPENSSL_NO_SRTP 1790 { 1791 .type = TLSEXT_TYPE_use_srtp, 1792 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 1793 SSL_TLSEXT_MSG_EE, 1794 .client = { 1795 .needs = tlsext_srtp_client_needs, 1796 .build = tlsext_srtp_client_build, 1797 .parse = tlsext_srtp_client_parse, 1798 }, 1799 .server = { 1800 .needs = tlsext_srtp_server_needs, 1801 .build = tlsext_srtp_server_build, 1802 .parse = tlsext_srtp_server_parse, 1803 }, 1804 } 1805 #endif /* OPENSSL_NO_SRTP */ 1806 }; 1807 1808 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 1809 1810 /* Ensure that extensions fit in a uint32_t bitmask. */ 1811 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1812 1813 struct tls_extension * 1814 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 1815 { 1816 size_t i; 1817 1818 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1819 if (tls_extensions[i].type == type) { 1820 *tls_extensions_idx = i; 1821 return &tls_extensions[i]; 1822 } 1823 } 1824 1825 return NULL; 1826 } 1827 1828 int 1829 tlsext_extension_seen(SSL *s, uint16_t type) 1830 { 1831 size_t idx; 1832 1833 if (tls_extension_find(type, &idx) == NULL) 1834 return 0; 1835 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); 1836 } 1837 1838 static struct tls_extension_funcs * 1839 tlsext_funcs(struct tls_extension *tlsext, int is_server) 1840 { 1841 if (is_server) 1842 return &tlsext->server; 1843 1844 return &tlsext->client; 1845 } 1846 1847 static int 1848 tlsext_build(SSL *s, CBB *cbb, int is_server, uint16_t msg_type) 1849 { 1850 struct tls_extension_funcs *ext; 1851 struct tls_extension *tlsext; 1852 CBB extensions, extension_data; 1853 int extensions_present = 0; 1854 size_t i; 1855 uint16_t version; 1856 1857 if (is_server) 1858 version = s->version; 1859 else 1860 version = TLS1_get_client_version(s); 1861 1862 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 1863 return 0; 1864 1865 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1866 tlsext = &tls_extensions[i]; 1867 ext = tlsext_funcs(tlsext, is_server); 1868 1869 /* RFC 8446 Section 4.2 */ 1870 if (version >= TLS1_3_VERSION && 1871 !(tlsext->messages & msg_type)) 1872 continue; 1873 1874 if (!ext->needs(s)) 1875 continue; 1876 1877 if (!CBB_add_u16(&extensions, tlsext->type)) 1878 return 0; 1879 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 1880 return 0; 1881 1882 if (!ext->build(s, &extension_data)) 1883 return 0; 1884 1885 extensions_present = 1; 1886 } 1887 1888 if (!extensions_present && 1889 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 1890 CBB_discard_child(cbb); 1891 1892 if (!CBB_flush(cbb)) 1893 return 0; 1894 1895 return 1; 1896 } 1897 1898 static int 1899 tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type) 1900 { 1901 struct tls_extension_funcs *ext; 1902 struct tls_extension *tlsext; 1903 CBS extensions, extension_data; 1904 uint16_t type; 1905 size_t idx; 1906 uint16_t version; 1907 int alert_desc; 1908 1909 S3I(s)->hs.extensions_seen = 0; 1910 1911 if (is_server) 1912 version = s->version; 1913 else 1914 version = TLS1_get_client_version(s); 1915 1916 /* An empty extensions block is valid. */ 1917 if (CBS_len(cbs) == 0) 1918 return 1; 1919 1920 alert_desc = SSL_AD_DECODE_ERROR; 1921 1922 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 1923 goto err; 1924 1925 while (CBS_len(&extensions) > 0) { 1926 if (!CBS_get_u16(&extensions, &type)) 1927 goto err; 1928 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 1929 goto err; 1930 1931 if (s->internal->tlsext_debug_cb != NULL) 1932 s->internal->tlsext_debug_cb(s, is_server, type, 1933 (unsigned char *)CBS_data(&extension_data), 1934 CBS_len(&extension_data), 1935 s->internal->tlsext_debug_arg); 1936 1937 /* Unknown extensions are ignored. */ 1938 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 1939 continue; 1940 1941 /* RFC 8446 Section 4.2 */ 1942 if (version >= TLS1_3_VERSION && 1943 !(tlsext->messages & msg_type)) { 1944 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 1945 goto err; 1946 } 1947 1948 /* Check for duplicate known extensions. */ 1949 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 1950 goto err; 1951 S3I(s)->hs.extensions_seen |= (1 << idx); 1952 1953 ext = tlsext_funcs(tlsext, is_server); 1954 if (!ext->parse(s, &extension_data, &alert_desc)) 1955 goto err; 1956 1957 if (CBS_len(&extension_data) != 0) 1958 goto err; 1959 } 1960 1961 return 1; 1962 1963 err: 1964 *alert = alert_desc; 1965 1966 return 0; 1967 } 1968 1969 static void 1970 tlsext_server_reset_state(SSL *s) 1971 { 1972 s->internal->servername_done = 0; 1973 s->tlsext_status_type = -1; 1974 S3I(s)->renegotiate_seen = 0; 1975 free(S3I(s)->alpn_selected); 1976 S3I(s)->alpn_selected = NULL; 1977 s->internal->srtp_profile = NULL; 1978 } 1979 1980 int 1981 tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type) 1982 { 1983 return tlsext_build(s, cbb, 1, msg_type); 1984 } 1985 1986 int 1987 tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type) 1988 { 1989 /* XXX - this possibly should be done by the caller... */ 1990 tlsext_server_reset_state(s); 1991 1992 return tlsext_parse(s, cbs, alert, 1, msg_type); 1993 } 1994 1995 static void 1996 tlsext_client_reset_state(SSL *s) 1997 { 1998 S3I(s)->renegotiate_seen = 0; 1999 free(S3I(s)->alpn_selected); 2000 S3I(s)->alpn_selected = NULL; 2001 } 2002 2003 int 2004 tlsext_client_build(SSL *s, CBB *cbb, uint16_t msg_type) 2005 { 2006 return tlsext_build(s, cbb, 0, msg_type); 2007 } 2008 2009 int 2010 tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type) 2011 { 2012 /* XXX - this possibly should be done by the caller... */ 2013 tlsext_client_reset_state(s); 2014 2015 return tlsext_parse(s, cbs, alert, 0, msg_type); 2016 } 2017