1 /* $OpenBSD: ssl_tlsext.c,v 1.110 2022/02/05 14:54:10 jsing Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/socket.h> 21 22 #include <arpa/inet.h> 23 #include <netinet/in.h> 24 25 #include <ctype.h> 26 27 #include <openssl/ocsp.h> 28 #include <openssl/opensslconf.h> 29 30 #include "bytestring.h" 31 #include "ssl_locl.h" 32 #include "ssl_sigalgs.h" 33 #include "ssl_tlsext.h" 34 35 /* 36 * Supported Application-Layer Protocol Negotiation - RFC 7301 37 */ 38 39 int 40 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 41 { 42 /* ALPN protos have been specified and this is the initial handshake */ 43 return s->internal->alpn_client_proto_list != NULL && 44 s->s3->hs.finished_len == 0; 45 } 46 47 int 48 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 49 { 50 CBB protolist; 51 52 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 53 return 0; 54 55 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 56 s->internal->alpn_client_proto_list_len)) 57 return 0; 58 59 if (!CBB_flush(cbb)) 60 return 0; 61 62 return 1; 63 } 64 65 int 66 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 67 { 68 CBS proto_name_list, alpn; 69 const unsigned char *selected; 70 unsigned char selected_len; 71 int r; 72 73 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 74 goto err; 75 if (CBS_len(&alpn) < 2) 76 goto err; 77 if (CBS_len(cbs) != 0) 78 goto err; 79 80 CBS_dup(&alpn, &proto_name_list); 81 while (CBS_len(&proto_name_list) > 0) { 82 CBS proto_name; 83 84 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 85 goto err; 86 if (CBS_len(&proto_name) == 0) 87 goto err; 88 } 89 90 if (s->ctx->internal->alpn_select_cb == NULL) 91 return 1; 92 93 /* 94 * XXX - A few things should be considered here: 95 * 1. Ensure that the same protocol is selected on session resumption. 96 * 2. Should the callback be called even if no ALPN extension was sent? 97 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 98 */ 99 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 100 CBS_data(&alpn), CBS_len(&alpn), 101 s->ctx->internal->alpn_select_cb_arg); 102 103 if (r == SSL_TLSEXT_ERR_OK) { 104 free(s->s3->alpn_selected); 105 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { 106 s->s3->alpn_selected_len = 0; 107 *alert = SSL_AD_INTERNAL_ERROR; 108 return 0; 109 } 110 memcpy(s->s3->alpn_selected, selected, selected_len); 111 s->s3->alpn_selected_len = selected_len; 112 113 return 1; 114 } 115 116 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 117 if (r == SSL_TLSEXT_ERR_NOACK) 118 return 1; 119 120 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 121 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 122 123 return 0; 124 125 err: 126 *alert = SSL_AD_DECODE_ERROR; 127 return 0; 128 } 129 130 int 131 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 132 { 133 return s->s3->alpn_selected != NULL; 134 } 135 136 int 137 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 138 { 139 CBB list, selected; 140 141 if (!CBB_add_u16_length_prefixed(cbb, &list)) 142 return 0; 143 144 if (!CBB_add_u8_length_prefixed(&list, &selected)) 145 return 0; 146 147 if (!CBB_add_bytes(&selected, s->s3->alpn_selected, 148 s->s3->alpn_selected_len)) 149 return 0; 150 151 if (!CBB_flush(cbb)) 152 return 0; 153 154 return 1; 155 } 156 157 int 158 tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 159 { 160 CBS list, proto; 161 162 if (s->internal->alpn_client_proto_list == NULL) { 163 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 164 return 0; 165 } 166 167 if (!CBS_get_u16_length_prefixed(cbs, &list)) 168 goto err; 169 if (CBS_len(cbs) != 0) 170 goto err; 171 172 if (!CBS_get_u8_length_prefixed(&list, &proto)) 173 goto err; 174 175 if (CBS_len(&list) != 0) 176 goto err; 177 if (CBS_len(&proto) == 0) 178 goto err; 179 180 if (!CBS_stow(&proto, &(s->s3->alpn_selected), 181 &(s->s3->alpn_selected_len))) 182 goto err; 183 184 return 1; 185 186 err: 187 *alert = SSL_AD_DECODE_ERROR; 188 return 0; 189 } 190 191 /* 192 * Supported Groups - RFC 7919 section 2 193 */ 194 int 195 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 196 { 197 return ssl_has_ecc_ciphers(s) || 198 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 199 } 200 201 int 202 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 203 { 204 const uint16_t *groups; 205 size_t groups_len; 206 CBB grouplist; 207 int i; 208 209 tls1_get_group_list(s, 0, &groups, &groups_len); 210 if (groups_len == 0) { 211 SSLerror(s, ERR_R_INTERNAL_ERROR); 212 return 0; 213 } 214 215 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 216 return 0; 217 218 for (i = 0; i < groups_len; i++) { 219 if (!CBB_add_u16(&grouplist, groups[i])) 220 return 0; 221 } 222 223 if (!CBB_flush(cbb)) 224 return 0; 225 226 return 1; 227 } 228 229 int 230 tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 231 int *alert) 232 { 233 CBS grouplist; 234 size_t groups_len; 235 236 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 237 goto err; 238 if (CBS_len(cbs) != 0) 239 goto err; 240 241 groups_len = CBS_len(&grouplist); 242 if (groups_len == 0 || groups_len % 2 != 0) 243 goto err; 244 groups_len /= 2; 245 246 if (!s->internal->hit) { 247 uint16_t *groups; 248 int i; 249 250 if (s->s3->hs.tls13.hrr) { 251 if (s->session->tlsext_supportedgroups == NULL) { 252 *alert = SSL_AD_HANDSHAKE_FAILURE; 253 return 0; 254 } 255 /* 256 * In the case of TLSv1.3 the client cannot change 257 * the supported groups. 258 */ 259 if (groups_len != s->session->tlsext_supportedgroups_length) { 260 *alert = SSL_AD_ILLEGAL_PARAMETER; 261 return 0; 262 } 263 for (i = 0; i < groups_len; i++) { 264 uint16_t group; 265 266 if (!CBS_get_u16(&grouplist, &group)) 267 goto err; 268 if (s->session->tlsext_supportedgroups[i] != group) { 269 *alert = SSL_AD_ILLEGAL_PARAMETER; 270 return 0; 271 } 272 } 273 274 return 1; 275 } 276 277 if (s->session->tlsext_supportedgroups != NULL) 278 goto err; 279 280 if ((groups = reallocarray(NULL, groups_len, 281 sizeof(uint16_t))) == NULL) { 282 *alert = SSL_AD_INTERNAL_ERROR; 283 return 0; 284 } 285 286 for (i = 0; i < groups_len; i++) { 287 if (!CBS_get_u16(&grouplist, &groups[i])) { 288 free(groups); 289 goto err; 290 } 291 } 292 293 if (CBS_len(&grouplist) != 0) { 294 free(groups); 295 goto err; 296 } 297 298 s->session->tlsext_supportedgroups = groups; 299 s->session->tlsext_supportedgroups_length = groups_len; 300 } 301 302 return 1; 303 304 err: 305 *alert = SSL_AD_DECODE_ERROR; 306 return 0; 307 } 308 309 /* This extension is never used by the server. */ 310 int 311 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 312 { 313 return 0; 314 } 315 316 int 317 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 318 { 319 return 0; 320 } 321 322 int 323 tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 324 int *alert) 325 { 326 /* 327 * Servers should not send this extension per the RFC. 328 * 329 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 330 * from at least 2014 but as of 2017, there are still large sites with 331 * this unpatched in production. As a result, we need to currently skip 332 * over the extension and ignore its content: 333 * 334 * https://support.f5.com/csp/article/K37345003 335 */ 336 if (!CBS_skip(cbs, CBS_len(cbs))) { 337 *alert = SSL_AD_INTERNAL_ERROR; 338 return 0; 339 } 340 341 return 1; 342 } 343 344 /* 345 * Supported Point Formats Extension - RFC 4492 section 5.1.2 346 */ 347 static int 348 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 349 { 350 CBB ecpf; 351 size_t formats_len; 352 const uint8_t *formats; 353 354 tls1_get_formatlist(s, 0, &formats, &formats_len); 355 356 if (formats_len == 0) { 357 SSLerror(s, ERR_R_INTERNAL_ERROR); 358 return 0; 359 } 360 361 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 362 return 0; 363 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 364 return 0; 365 if (!CBB_flush(cbb)) 366 return 0; 367 368 return 1; 369 } 370 371 static int 372 tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 373 { 374 CBS ecpf; 375 376 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 377 return 0; 378 if (CBS_len(&ecpf) == 0) 379 return 0; 380 if (CBS_len(cbs) != 0) 381 return 0; 382 383 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 384 if (!CBS_contains_zero_byte(&ecpf)) { 385 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 386 *alert = SSL_AD_ILLEGAL_PARAMETER; 387 return 0; 388 } 389 390 if (!s->internal->hit) { 391 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), 392 &(s->session->tlsext_ecpointformatlist_length))) { 393 *alert = SSL_AD_INTERNAL_ERROR; 394 return 0; 395 } 396 } 397 398 return 1; 399 } 400 401 int 402 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 403 { 404 return ssl_has_ecc_ciphers(s); 405 } 406 407 int 408 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 409 { 410 return tlsext_ecpf_build(s, msg_type, cbb); 411 } 412 413 int 414 tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 415 { 416 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 417 } 418 419 int 420 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 421 { 422 return ssl_using_ecc_cipher(s); 423 } 424 425 int 426 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 427 { 428 return tlsext_ecpf_build(s, msg_type, cbb); 429 } 430 431 int 432 tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 433 { 434 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 435 } 436 437 /* 438 * Renegotiation Indication - RFC 5746. 439 */ 440 int 441 tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 442 { 443 return (s->internal->renegotiate); 444 } 445 446 int 447 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 448 { 449 CBB reneg; 450 451 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 452 return 0; 453 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 454 s->s3->previous_client_finished_len)) 455 return 0; 456 if (!CBB_flush(cbb)) 457 return 0; 458 459 return 1; 460 } 461 462 int 463 tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 464 { 465 CBS reneg; 466 467 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 468 goto err; 469 if (CBS_len(cbs) != 0) 470 goto err; 471 472 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, 473 s->s3->previous_client_finished_len)) { 474 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 475 *alert = SSL_AD_HANDSHAKE_FAILURE; 476 return 0; 477 } 478 479 s->s3->renegotiate_seen = 1; 480 s->s3->send_connection_binding = 1; 481 482 return 1; 483 484 err: 485 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 486 *alert = SSL_AD_DECODE_ERROR; 487 return 0; 488 } 489 490 int 491 tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 492 { 493 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && 494 s->s3->send_connection_binding); 495 } 496 497 int 498 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 499 { 500 CBB reneg; 501 502 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 503 return 0; 504 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 505 s->s3->previous_client_finished_len)) 506 return 0; 507 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished, 508 s->s3->previous_server_finished_len)) 509 return 0; 510 if (!CBB_flush(cbb)) 511 return 0; 512 513 return 1; 514 } 515 516 int 517 tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 518 { 519 CBS reneg, prev_client, prev_server; 520 521 /* 522 * Ensure that the previous client and server values are both not 523 * present, or that they are both present. 524 */ 525 if ((s->s3->previous_client_finished_len == 0 && 526 s->s3->previous_server_finished_len != 0) || 527 (s->s3->previous_client_finished_len != 0 && 528 s->s3->previous_server_finished_len == 0)) { 529 *alert = SSL_AD_INTERNAL_ERROR; 530 return 0; 531 } 532 533 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 534 goto err; 535 if (!CBS_get_bytes(&reneg, &prev_client, 536 s->s3->previous_client_finished_len)) 537 goto err; 538 if (!CBS_get_bytes(&reneg, &prev_server, 539 s->s3->previous_server_finished_len)) 540 goto err; 541 if (CBS_len(&reneg) != 0) 542 goto err; 543 if (CBS_len(cbs) != 0) 544 goto err; 545 546 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, 547 s->s3->previous_client_finished_len)) { 548 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 549 *alert = SSL_AD_HANDSHAKE_FAILURE; 550 return 0; 551 } 552 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished, 553 s->s3->previous_server_finished_len)) { 554 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 555 *alert = SSL_AD_HANDSHAKE_FAILURE; 556 return 0; 557 } 558 559 s->s3->renegotiate_seen = 1; 560 s->s3->send_connection_binding = 1; 561 562 return 1; 563 564 err: 565 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 566 *alert = SSL_AD_DECODE_ERROR; 567 return 0; 568 } 569 570 /* 571 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 572 */ 573 int 574 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 575 { 576 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION); 577 } 578 579 int 580 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 581 { 582 uint16_t tls_version = s->s3->hs.negotiated_tls_version; 583 CBB sigalgs; 584 585 if (msg_type == SSL_TLSEXT_MSG_CH) 586 tls_version = s->s3->hs.our_min_tls_version; 587 588 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 589 return 0; 590 if (!ssl_sigalgs_build(tls_version, &sigalgs)) 591 return 0; 592 if (!CBB_flush(cbb)) 593 return 0; 594 595 return 1; 596 } 597 598 int 599 tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 600 { 601 CBS sigalgs; 602 603 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 604 return 0; 605 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 606 return 0; 607 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 608 return 0; 609 610 return 1; 611 } 612 613 int 614 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 615 { 616 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 617 } 618 619 int 620 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 621 { 622 CBB sigalgs; 623 624 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 625 return 0; 626 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs)) 627 return 0; 628 if (!CBB_flush(cbb)) 629 return 0; 630 631 return 1; 632 } 633 634 int 635 tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 636 { 637 CBS sigalgs; 638 639 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 640 return 0; 641 642 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 643 return 0; 644 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 645 return 0; 646 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 647 return 0; 648 649 return 1; 650 } 651 652 /* 653 * Server Name Indication - RFC 6066, section 3. 654 */ 655 int 656 tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 657 { 658 return (s->tlsext_hostname != NULL); 659 } 660 661 int 662 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 663 { 664 CBB server_name_list, host_name; 665 666 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 667 return 0; 668 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 669 return 0; 670 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 671 return 0; 672 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 673 strlen(s->tlsext_hostname))) 674 return 0; 675 if (!CBB_flush(cbb)) 676 return 0; 677 678 return 1; 679 } 680 681 static int 682 tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip) 683 { 684 union { 685 struct in_addr ip4; 686 struct in6_addr ip6; 687 } addrbuf; 688 char *hostname = NULL; 689 690 *is_ip = 0; 691 692 if (!CBS_strdup(cbs, &hostname)) 693 return 0; 694 695 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 || 696 inet_pton(AF_INET6, hostname, &addrbuf) == 1) 697 *is_ip = 1; 698 699 free(hostname); 700 701 return 1; 702 } 703 704 /* 705 * Validate that the CBS contains only a hostname consisting of RFC 5890 706 * compliant A-labels (see RFC 6066 section 3). Not a complete check 707 * since we don't parse punycode to verify its validity but limits to 708 * correct structure and character set. 709 */ 710 int 711 tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) 712 { 713 uint8_t prev, c = 0; 714 int component = 0; 715 CBS hostname; 716 717 *is_ip = 0; 718 719 CBS_dup(cbs, &hostname); 720 721 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 722 return 0; 723 724 /* An IP literal is invalid as a host name (RFC 6066 section 3). */ 725 if (!tlsext_sni_is_ip_literal(&hostname, is_ip)) 726 return 0; 727 if (*is_ip) 728 return 0; 729 730 while (CBS_len(&hostname) > 0) { 731 prev = c; 732 if (!CBS_get_u8(&hostname, &c)) 733 return 0; 734 /* Everything has to be ASCII, with no NUL byte. */ 735 if (!isascii(c) || c == '\0') 736 return 0; 737 /* It must be alphanumeric, a '-', or a '.' */ 738 if (!isalnum(c) && c != '-' && c != '.') 739 return 0; 740 /* '-' and '.' must not start a component or be at the end. */ 741 if (component == 0 || CBS_len(&hostname) == 0) { 742 if (c == '-' || c == '.') 743 return 0; 744 } 745 if (c == '.') { 746 /* Components can not end with a dash. */ 747 if (prev == '-') 748 return 0; 749 /* Start new component */ 750 component = 0; 751 continue; 752 } 753 /* Components must be 63 chars or less. */ 754 if (++component > 63) 755 return 0; 756 } 757 758 return 1; 759 } 760 761 int 762 tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 763 { 764 CBS server_name_list, host_name; 765 uint8_t name_type; 766 int is_ip; 767 768 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 769 goto err; 770 771 if (!CBS_get_u8(&server_name_list, &name_type)) 772 goto err; 773 774 /* 775 * RFC 6066 section 3, only one type (host_name) is specified. 776 * We do not tolerate unknown types, neither does BoringSSL. 777 * other implementations appear more tolerant. 778 */ 779 if (name_type != TLSEXT_NAMETYPE_host_name) { 780 *alert = SSL_AD_ILLEGAL_PARAMETER; 781 goto err; 782 } 783 784 /* 785 * RFC 6066 section 3 specifies a host name must be at least 1 byte 786 * so 0 length is a decode error. 787 */ 788 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 789 goto err; 790 if (CBS_len(&host_name) < 1) 791 goto err; 792 793 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) { 794 /* 795 * Various pieces of software have been known to set the SNI 796 * host name to an IP address, even though that violates the 797 * RFC. If this is the case, pretend the SNI extension does 798 * not exist. 799 */ 800 if (is_ip) 801 goto done; 802 803 *alert = SSL_AD_ILLEGAL_PARAMETER; 804 goto err; 805 } 806 807 if (s->internal->hit || s->s3->hs.tls13.hrr) { 808 if (s->session->tlsext_hostname == NULL) { 809 *alert = SSL_AD_UNRECOGNIZED_NAME; 810 goto err; 811 } 812 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 813 strlen(s->session->tlsext_hostname))) { 814 *alert = SSL_AD_UNRECOGNIZED_NAME; 815 goto err; 816 } 817 } else { 818 if (s->session->tlsext_hostname != NULL) 819 goto err; 820 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 821 *alert = SSL_AD_INTERNAL_ERROR; 822 goto err; 823 } 824 } 825 826 done: 827 /* 828 * RFC 6066 section 3 forbids multiple host names with the same type, 829 * therefore we allow only one entry. 830 */ 831 if (CBS_len(&server_name_list) != 0) { 832 *alert = SSL_AD_ILLEGAL_PARAMETER; 833 goto err; 834 } 835 if (CBS_len(cbs) != 0) 836 goto err; 837 838 return 1; 839 840 err: 841 return 0; 842 } 843 844 int 845 tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 846 { 847 if (s->internal->hit) 848 return 0; 849 850 return (s->session->tlsext_hostname != NULL); 851 } 852 853 int 854 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 855 { 856 return 1; 857 } 858 859 int 860 tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 861 { 862 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 863 *alert = SSL_AD_UNRECOGNIZED_NAME; 864 return 0; 865 } 866 867 if (s->internal->hit) { 868 if (s->session->tlsext_hostname == NULL) { 869 *alert = SSL_AD_UNRECOGNIZED_NAME; 870 return 0; 871 } 872 if (strcmp(s->tlsext_hostname, 873 s->session->tlsext_hostname) != 0) { 874 *alert = SSL_AD_UNRECOGNIZED_NAME; 875 return 0; 876 } 877 } else { 878 if (s->session->tlsext_hostname != NULL) { 879 *alert = SSL_AD_DECODE_ERROR; 880 return 0; 881 } 882 if ((s->session->tlsext_hostname = 883 strdup(s->tlsext_hostname)) == NULL) { 884 *alert = SSL_AD_INTERNAL_ERROR; 885 return 0; 886 } 887 } 888 889 return 1; 890 } 891 892 893 /* 894 * Certificate Status Request - RFC 6066 section 8. 895 */ 896 897 int 898 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 899 { 900 if (msg_type != SSL_TLSEXT_MSG_CH) 901 return 0; 902 903 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 904 } 905 906 int 907 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 908 { 909 CBB respid_list, respid, exts; 910 unsigned char *ext_data; 911 size_t ext_len; 912 int i; 913 914 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 915 return 0; 916 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 917 return 0; 918 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 919 unsigned char *respid_data; 920 OCSP_RESPID *id; 921 size_t id_len; 922 923 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 924 i)) == NULL) 925 return 0; 926 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 927 return 0; 928 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 929 return 0; 930 if (!CBB_add_space(&respid, &respid_data, id_len)) 931 return 0; 932 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 933 return 0; 934 } 935 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 936 return 0; 937 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 938 NULL)) == -1) 939 return 0; 940 if (!CBB_add_space(&exts, &ext_data, ext_len)) 941 return 0; 942 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 943 ext_len)) 944 return 0; 945 if (!CBB_flush(cbb)) 946 return 0; 947 return 1; 948 } 949 950 int 951 tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 952 { 953 int alert_desc = SSL_AD_DECODE_ERROR; 954 CBS respid_list, respid, exts; 955 const unsigned char *p; 956 uint8_t status_type; 957 int ret = 0; 958 959 if (msg_type != SSL_TLSEXT_MSG_CH) 960 goto err; 961 962 if (!CBS_get_u8(cbs, &status_type)) 963 goto err; 964 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 965 /* ignore unknown status types */ 966 s->tlsext_status_type = -1; 967 968 if (!CBS_skip(cbs, CBS_len(cbs))) { 969 *alert = SSL_AD_INTERNAL_ERROR; 970 return 0; 971 } 972 return 1; 973 } 974 s->tlsext_status_type = status_type; 975 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 976 goto err; 977 978 /* XXX */ 979 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 980 s->internal->tlsext_ocsp_ids = NULL; 981 if (CBS_len(&respid_list) > 0) { 982 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 983 if (s->internal->tlsext_ocsp_ids == NULL) { 984 alert_desc = SSL_AD_INTERNAL_ERROR; 985 goto err; 986 } 987 } 988 989 while (CBS_len(&respid_list) > 0) { 990 OCSP_RESPID *id; 991 992 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 993 goto err; 994 p = CBS_data(&respid); 995 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 996 goto err; 997 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 998 alert_desc = SSL_AD_INTERNAL_ERROR; 999 OCSP_RESPID_free(id); 1000 goto err; 1001 } 1002 } 1003 1004 /* Read in request_extensions */ 1005 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 1006 goto err; 1007 if (CBS_len(&exts) > 0) { 1008 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 1009 X509_EXTENSION_free); 1010 p = CBS_data(&exts); 1011 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 1012 &p, CBS_len(&exts))) == NULL) 1013 goto err; 1014 } 1015 1016 /* should be nothing left */ 1017 if (CBS_len(cbs) > 0) 1018 goto err; 1019 1020 ret = 1; 1021 err: 1022 if (ret == 0) 1023 *alert = alert_desc; 1024 return ret; 1025 } 1026 1027 int 1028 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 1029 { 1030 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1031 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 1032 s->ctx->internal->tlsext_status_cb != NULL) { 1033 s->internal->tlsext_status_expected = 0; 1034 if (s->ctx->internal->tlsext_status_cb(s, 1035 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 1036 s->internal->tlsext_ocsp_resp_len > 0) 1037 s->internal->tlsext_status_expected = 1; 1038 } 1039 return s->internal->tlsext_status_expected; 1040 } 1041 1042 int 1043 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1044 { 1045 CBB ocsp_response; 1046 1047 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1048 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1049 return 0; 1050 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1051 return 0; 1052 if (!CBB_add_bytes(&ocsp_response, 1053 s->internal->tlsext_ocsp_resp, 1054 s->internal->tlsext_ocsp_resp_len)) 1055 return 0; 1056 if (!CBB_flush(cbb)) 1057 return 0; 1058 } 1059 return 1; 1060 } 1061 1062 int 1063 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1064 { 1065 uint8_t status_type; 1066 CBS response; 1067 1068 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1069 if (msg_type == SSL_TLSEXT_MSG_CR) { 1070 /* 1071 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1072 * response with an empty status_request. 1073 */ 1074 if (CBS_len(cbs) == 0) 1075 return 1; 1076 1077 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1078 return 0; 1079 } 1080 if (!CBS_get_u8(cbs, &status_type)) { 1081 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1082 return 0; 1083 } 1084 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1085 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1086 return 0; 1087 } 1088 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1089 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1090 return 0; 1091 } 1092 if (CBS_len(&response) > 65536) { 1093 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1094 return 0; 1095 } 1096 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 1097 &s->internal->tlsext_ocsp_resp_len)) { 1098 *alert = SSL_AD_INTERNAL_ERROR; 1099 return 0; 1100 } 1101 } else { 1102 if (s->tlsext_status_type == -1) { 1103 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1104 return 0; 1105 } 1106 /* Set flag to expect CertificateStatus message */ 1107 s->internal->tlsext_status_expected = 1; 1108 } 1109 return 1; 1110 } 1111 1112 /* 1113 * SessionTicket extension - RFC 5077 section 3.2 1114 */ 1115 int 1116 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1117 { 1118 /* 1119 * Send session ticket extension when enabled and not overridden. 1120 * 1121 * When renegotiating, send an empty session ticket to indicate support. 1122 */ 1123 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1124 return 0; 1125 1126 if (s->internal->new_session) 1127 return 1; 1128 1129 if (s->internal->tlsext_session_ticket != NULL && 1130 s->internal->tlsext_session_ticket->data == NULL) 1131 return 0; 1132 1133 return 1; 1134 } 1135 1136 int 1137 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1138 { 1139 /* 1140 * Signal that we support session tickets by sending an empty 1141 * extension when renegotiating or no session found. 1142 */ 1143 if (s->internal->new_session || s->session == NULL) 1144 return 1; 1145 1146 if (s->session->tlsext_tick != NULL) { 1147 /* Attempt to resume with an existing session ticket */ 1148 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1149 s->session->tlsext_ticklen)) 1150 return 0; 1151 1152 } else if (s->internal->tlsext_session_ticket != NULL) { 1153 /* 1154 * Attempt to resume with a custom provided session ticket set 1155 * by SSL_set_session_ticket_ext(). 1156 */ 1157 if (s->internal->tlsext_session_ticket->length > 0) { 1158 size_t ticklen = s->internal->tlsext_session_ticket->length; 1159 1160 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1161 return 0; 1162 memcpy(s->session->tlsext_tick, 1163 s->internal->tlsext_session_ticket->data, 1164 ticklen); 1165 s->session->tlsext_ticklen = ticklen; 1166 1167 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1168 s->session->tlsext_ticklen)) 1169 return 0; 1170 } 1171 } 1172 1173 if (!CBB_flush(cbb)) 1174 return 0; 1175 1176 return 1; 1177 } 1178 1179 int 1180 tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1181 int *alert) 1182 { 1183 if (s->internal->tls_session_ticket_ext_cb) { 1184 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1185 (int)CBS_len(cbs), 1186 s->internal->tls_session_ticket_ext_cb_arg)) { 1187 *alert = SSL_AD_INTERNAL_ERROR; 1188 return 0; 1189 } 1190 } 1191 1192 /* We need to signal that this was processed fully */ 1193 if (!CBS_skip(cbs, CBS_len(cbs))) { 1194 *alert = SSL_AD_INTERNAL_ERROR; 1195 return 0; 1196 } 1197 1198 return 1; 1199 } 1200 1201 int 1202 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1203 { 1204 return (s->internal->tlsext_ticket_expected && 1205 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 1206 } 1207 1208 int 1209 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1210 { 1211 /* Empty ticket */ 1212 return 1; 1213 } 1214 1215 int 1216 tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1217 int *alert) 1218 { 1219 if (s->internal->tls_session_ticket_ext_cb) { 1220 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1221 (int)CBS_len(cbs), 1222 s->internal->tls_session_ticket_ext_cb_arg)) { 1223 *alert = SSL_AD_INTERNAL_ERROR; 1224 return 0; 1225 } 1226 } 1227 1228 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1229 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1230 return 0; 1231 } 1232 1233 s->internal->tlsext_ticket_expected = 1; 1234 1235 return 1; 1236 } 1237 1238 /* 1239 * DTLS extension for SRTP key establishment - RFC 5764 1240 */ 1241 1242 #ifndef OPENSSL_NO_SRTP 1243 1244 int 1245 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1246 { 1247 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1248 } 1249 1250 int 1251 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1252 { 1253 CBB profiles, mki; 1254 int ct, i; 1255 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1256 const SRTP_PROTECTION_PROFILE *prof; 1257 1258 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1259 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1260 return 0; 1261 } 1262 1263 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1264 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1265 return 0; 1266 } 1267 1268 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1269 return 0; 1270 1271 for (i = 0; i < ct; i++) { 1272 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1273 return 0; 1274 if (!CBB_add_u16(&profiles, prof->id)) 1275 return 0; 1276 } 1277 1278 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1279 return 0; 1280 1281 if (!CBB_flush(cbb)) 1282 return 0; 1283 1284 return 1; 1285 } 1286 1287 int 1288 tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1289 { 1290 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1291 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1292 int i, j; 1293 int ret; 1294 uint16_t id; 1295 CBS profiles, mki; 1296 1297 ret = 0; 1298 1299 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1300 goto err; 1301 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1302 goto err; 1303 1304 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1305 goto err; 1306 1307 while (CBS_len(&profiles) > 0) { 1308 if (!CBS_get_u16(&profiles, &id)) 1309 goto err; 1310 1311 if (!srtp_find_profile_by_num(id, &cprof)) { 1312 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1313 goto err; 1314 } 1315 } 1316 1317 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1318 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1319 *alert = SSL_AD_DECODE_ERROR; 1320 goto done; 1321 } 1322 if (CBS_len(cbs) != 0) 1323 goto err; 1324 1325 /* 1326 * Per RFC 5764 section 4.1.1 1327 * 1328 * Find the server preferred profile using the client's list. 1329 * 1330 * The server MUST send a profile if it sends the use_srtp 1331 * extension. If one is not found, it should fall back to the 1332 * negotiated DTLS cipher suite or return a DTLS alert. 1333 */ 1334 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1335 goto err; 1336 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1337 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1338 == NULL) 1339 goto err; 1340 1341 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1342 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1343 == NULL) 1344 goto err; 1345 1346 if (cprof->id == sprof->id) { 1347 s->internal->srtp_profile = sprof; 1348 ret = 1; 1349 goto done; 1350 } 1351 } 1352 } 1353 1354 /* If we didn't find anything, fall back to the negotiated */ 1355 ret = 1; 1356 goto done; 1357 1358 err: 1359 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1360 *alert = SSL_AD_DECODE_ERROR; 1361 1362 done: 1363 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1364 return ret; 1365 } 1366 1367 int 1368 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1369 { 1370 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1371 } 1372 1373 int 1374 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1375 { 1376 SRTP_PROTECTION_PROFILE *profile; 1377 CBB srtp, mki; 1378 1379 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1380 return 0; 1381 1382 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1383 return 0; 1384 1385 if (!CBB_add_u16(&srtp, profile->id)) 1386 return 0; 1387 1388 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1389 return 0; 1390 1391 if (!CBB_flush(cbb)) 1392 return 0; 1393 1394 return 1; 1395 } 1396 1397 int 1398 tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1399 { 1400 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1401 const SRTP_PROTECTION_PROFILE *prof; 1402 int i; 1403 uint16_t id; 1404 CBS profile_ids, mki; 1405 1406 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1407 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1408 goto err; 1409 } 1410 1411 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1412 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1413 goto err; 1414 } 1415 1416 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1417 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1418 *alert = SSL_AD_ILLEGAL_PARAMETER; 1419 return 0; 1420 } 1421 1422 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1423 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1424 goto err; 1425 } 1426 1427 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1428 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1429 == NULL) { 1430 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1431 goto err; 1432 } 1433 1434 if (prof->id == id) { 1435 s->internal->srtp_profile = prof; 1436 return 1; 1437 } 1438 } 1439 1440 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1441 err: 1442 *alert = SSL_AD_DECODE_ERROR; 1443 return 0; 1444 } 1445 1446 #endif /* OPENSSL_NO_SRTP */ 1447 1448 /* 1449 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1450 */ 1451 int 1452 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1453 { 1454 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1455 } 1456 1457 int 1458 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1459 { 1460 CBB client_shares, key_exchange; 1461 1462 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1463 return 0; 1464 1465 if (!CBB_add_u16(&client_shares, 1466 tls_key_share_group(s->s3->hs.key_share))) 1467 return 0; 1468 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1469 return 0; 1470 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1471 return 0; 1472 1473 if (!CBB_flush(cbb)) 1474 return 0; 1475 1476 return 1; 1477 } 1478 1479 int 1480 tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1481 { 1482 CBS client_shares, key_exchange; 1483 int decode_error; 1484 uint16_t group; 1485 1486 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1487 return 0; 1488 1489 while (CBS_len(&client_shares) > 0) { 1490 1491 /* Unpack client share. */ 1492 if (!CBS_get_u16(&client_shares, &group)) 1493 return 0; 1494 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1495 return 0; 1496 1497 /* 1498 * XXX - check key exchange against supported groups from client. 1499 * XXX - check that groups only appear once. 1500 */ 1501 1502 /* 1503 * Ignore this client share if we're using earlier than TLSv1.3 1504 * or we've already selected a key share. 1505 */ 1506 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) 1507 continue; 1508 if (s->s3->hs.key_share != NULL) 1509 continue; 1510 1511 /* XXX - consider implementing server preference. */ 1512 if (!tls1_check_curve(s, group)) 1513 continue; 1514 1515 /* Decode and store the selected key share. */ 1516 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1517 *alert = SSL_AD_INTERNAL_ERROR; 1518 return 0; 1519 } 1520 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1521 &key_exchange, &decode_error, NULL)) { 1522 if (!decode_error) 1523 *alert = SSL_AD_INTERNAL_ERROR; 1524 return 0; 1525 } 1526 } 1527 1528 return 1; 1529 } 1530 1531 int 1532 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1533 { 1534 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1535 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1536 } 1537 1538 int 1539 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1540 { 1541 CBB key_exchange; 1542 1543 /* In the case of a HRR, we only send the server selected group. */ 1544 if (s->s3->hs.tls13.hrr) { 1545 if (s->s3->hs.tls13.server_group == 0) 1546 return 0; 1547 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group); 1548 } 1549 1550 if (s->s3->hs.key_share == NULL) 1551 return 0; 1552 1553 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share))) 1554 return 0; 1555 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1556 return 0; 1557 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1558 return 0; 1559 1560 if (!CBB_flush(cbb)) 1561 return 0; 1562 1563 return 1; 1564 } 1565 1566 int 1567 tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1568 { 1569 CBS key_exchange; 1570 int decode_error; 1571 uint16_t group; 1572 1573 /* Unpack server share. */ 1574 if (!CBS_get_u16(cbs, &group)) 1575 return 0; 1576 1577 if (CBS_len(cbs) == 0) { 1578 /* HRR does not include an actual key share, only the group. */ 1579 if (msg_type != SSL_TLSEXT_MSG_HRR) 1580 return 0; 1581 1582 s->s3->hs.tls13.server_group = group; 1583 return 1; 1584 } 1585 1586 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1587 return 0; 1588 1589 if (s->s3->hs.key_share == NULL) { 1590 *alert = SSL_AD_INTERNAL_ERROR; 1591 return 0; 1592 } 1593 if (tls_key_share_group(s->s3->hs.key_share) != group) { 1594 *alert = SSL_AD_INTERNAL_ERROR; 1595 return 0; 1596 } 1597 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1598 &key_exchange, &decode_error, NULL)) { 1599 if (!decode_error) 1600 *alert = SSL_AD_INTERNAL_ERROR; 1601 return 0; 1602 } 1603 1604 return 1; 1605 } 1606 1607 /* 1608 * Supported Versions - RFC 8446 section 4.2.1. 1609 */ 1610 int 1611 tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1612 { 1613 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1614 } 1615 1616 int 1617 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1618 { 1619 uint16_t max, min; 1620 uint16_t version; 1621 CBB versions; 1622 1623 max = s->s3->hs.our_max_tls_version; 1624 min = s->s3->hs.our_min_tls_version; 1625 1626 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1627 return 0; 1628 1629 /* XXX - fix, but contiguous for now... */ 1630 for (version = max; version >= min; version--) { 1631 if (!CBB_add_u16(&versions, version)) 1632 return 0; 1633 } 1634 1635 if (!CBB_flush(cbb)) 1636 return 0; 1637 1638 return 1; 1639 } 1640 1641 int 1642 tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1643 { 1644 CBS versions; 1645 uint16_t version; 1646 uint16_t max, min; 1647 uint16_t matched_version = 0; 1648 1649 max = s->s3->hs.our_max_tls_version; 1650 min = s->s3->hs.our_min_tls_version; 1651 1652 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1653 goto err; 1654 1655 while (CBS_len(&versions) > 0) { 1656 if (!CBS_get_u16(&versions, &version)) 1657 goto err; 1658 /* 1659 * XXX What is below implements client preference, and 1660 * ignores any server preference entirely. 1661 */ 1662 if (matched_version == 0 && version >= min && version <= max) 1663 matched_version = version; 1664 } 1665 1666 if (matched_version > 0) { 1667 /* XXX - this should be stored for later processing. */ 1668 s->version = matched_version; 1669 return 1; 1670 } 1671 1672 *alert = SSL_AD_PROTOCOL_VERSION; 1673 return 0; 1674 1675 err: 1676 *alert = SSL_AD_DECODE_ERROR; 1677 return 0; 1678 } 1679 1680 int 1681 tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1682 { 1683 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 1684 } 1685 1686 int 1687 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1688 { 1689 return CBB_add_u16(cbb, TLS1_3_VERSION); 1690 } 1691 1692 int 1693 tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1694 { 1695 uint16_t selected_version; 1696 1697 if (!CBS_get_u16(cbs, &selected_version)) { 1698 *alert = SSL_AD_DECODE_ERROR; 1699 return 0; 1700 } 1701 1702 /* XXX - need to fix for DTLS 1.3 */ 1703 if (selected_version < TLS1_3_VERSION) { 1704 *alert = SSL_AD_ILLEGAL_PARAMETER; 1705 return 0; 1706 } 1707 1708 /* XXX test between min and max once initialization code goes in */ 1709 s->s3->hs.tls13.server_version = selected_version; 1710 1711 return 1; 1712 } 1713 1714 1715 /* 1716 * Cookie - RFC 8446 section 4.2.2. 1717 */ 1718 1719 int 1720 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1721 { 1722 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1723 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1724 } 1725 1726 int 1727 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1728 { 1729 CBB cookie; 1730 1731 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1732 return 0; 1733 1734 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1735 s->s3->hs.tls13.cookie_len)) 1736 return 0; 1737 1738 if (!CBB_flush(cbb)) 1739 return 0; 1740 1741 return 1; 1742 } 1743 1744 int 1745 tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1746 { 1747 CBS cookie; 1748 1749 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1750 goto err; 1751 1752 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len) 1753 goto err; 1754 1755 /* 1756 * Check provided cookie value against what server previously 1757 * sent - client *MUST* send the same cookie with new CR after 1758 * a cookie is sent by the server with an HRR. 1759 */ 1760 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie, 1761 s->s3->hs.tls13.cookie_len)) { 1762 /* XXX special cookie mismatch alert? */ 1763 *alert = SSL_AD_ILLEGAL_PARAMETER; 1764 return 0; 1765 } 1766 1767 return 1; 1768 1769 err: 1770 *alert = SSL_AD_DECODE_ERROR; 1771 return 0; 1772 } 1773 1774 int 1775 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1776 { 1777 /* 1778 * Server needs to set cookie value in tls13 handshake 1779 * in order to send one, should only be sent with HRR. 1780 */ 1781 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1782 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1783 } 1784 1785 int 1786 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1787 { 1788 CBB cookie; 1789 1790 /* XXX deduplicate with client code */ 1791 1792 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1793 return 0; 1794 1795 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1796 s->s3->hs.tls13.cookie_len)) 1797 return 0; 1798 1799 if (!CBB_flush(cbb)) 1800 return 0; 1801 1802 return 1; 1803 } 1804 1805 int 1806 tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1807 { 1808 CBS cookie; 1809 1810 /* 1811 * XXX This currently assumes we will not get a second 1812 * HRR from a server with a cookie to process after accepting 1813 * one from the server in the same handshake 1814 */ 1815 if (s->s3->hs.tls13.cookie != NULL || 1816 s->s3->hs.tls13.cookie_len != 0) { 1817 *alert = SSL_AD_ILLEGAL_PARAMETER; 1818 return 0; 1819 } 1820 1821 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1822 goto err; 1823 1824 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie, 1825 &s->s3->hs.tls13.cookie_len)) 1826 goto err; 1827 1828 return 1; 1829 1830 err: 1831 *alert = SSL_AD_DECODE_ERROR; 1832 return 0; 1833 } 1834 1835 struct tls_extension_funcs { 1836 int (*needs)(SSL *s, uint16_t msg_type); 1837 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 1838 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 1839 }; 1840 1841 struct tls_extension { 1842 uint16_t type; 1843 uint16_t messages; 1844 struct tls_extension_funcs client; 1845 struct tls_extension_funcs server; 1846 }; 1847 1848 static const struct tls_extension tls_extensions[] = { 1849 { 1850 .type = TLSEXT_TYPE_supported_versions, 1851 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1852 SSL_TLSEXT_MSG_HRR, 1853 .client = { 1854 .needs = tlsext_versions_client_needs, 1855 .build = tlsext_versions_client_build, 1856 .parse = tlsext_versions_client_parse, 1857 }, 1858 .server = { 1859 .needs = tlsext_versions_server_needs, 1860 .build = tlsext_versions_server_build, 1861 .parse = tlsext_versions_server_parse, 1862 }, 1863 }, 1864 { 1865 .type = TLSEXT_TYPE_key_share, 1866 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1867 SSL_TLSEXT_MSG_HRR, 1868 .client = { 1869 .needs = tlsext_keyshare_client_needs, 1870 .build = tlsext_keyshare_client_build, 1871 .parse = tlsext_keyshare_client_parse, 1872 }, 1873 .server = { 1874 .needs = tlsext_keyshare_server_needs, 1875 .build = tlsext_keyshare_server_build, 1876 .parse = tlsext_keyshare_server_parse, 1877 }, 1878 }, 1879 { 1880 .type = TLSEXT_TYPE_server_name, 1881 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1882 .client = { 1883 .needs = tlsext_sni_client_needs, 1884 .build = tlsext_sni_client_build, 1885 .parse = tlsext_sni_client_parse, 1886 }, 1887 .server = { 1888 .needs = tlsext_sni_server_needs, 1889 .build = tlsext_sni_server_build, 1890 .parse = tlsext_sni_server_parse, 1891 }, 1892 }, 1893 { 1894 .type = TLSEXT_TYPE_renegotiate, 1895 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1896 .client = { 1897 .needs = tlsext_ri_client_needs, 1898 .build = tlsext_ri_client_build, 1899 .parse = tlsext_ri_client_parse, 1900 }, 1901 .server = { 1902 .needs = tlsext_ri_server_needs, 1903 .build = tlsext_ri_server_build, 1904 .parse = tlsext_ri_server_parse, 1905 }, 1906 }, 1907 { 1908 .type = TLSEXT_TYPE_status_request, 1909 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 1910 SSL_TLSEXT_MSG_CT, 1911 .client = { 1912 .needs = tlsext_ocsp_client_needs, 1913 .build = tlsext_ocsp_client_build, 1914 .parse = tlsext_ocsp_client_parse, 1915 }, 1916 .server = { 1917 .needs = tlsext_ocsp_server_needs, 1918 .build = tlsext_ocsp_server_build, 1919 .parse = tlsext_ocsp_server_parse, 1920 }, 1921 }, 1922 { 1923 .type = TLSEXT_TYPE_ec_point_formats, 1924 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1925 .client = { 1926 .needs = tlsext_ecpf_client_needs, 1927 .build = tlsext_ecpf_client_build, 1928 .parse = tlsext_ecpf_client_parse, 1929 }, 1930 .server = { 1931 .needs = tlsext_ecpf_server_needs, 1932 .build = tlsext_ecpf_server_build, 1933 .parse = tlsext_ecpf_server_parse, 1934 }, 1935 }, 1936 { 1937 .type = TLSEXT_TYPE_supported_groups, 1938 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1939 .client = { 1940 .needs = tlsext_supportedgroups_client_needs, 1941 .build = tlsext_supportedgroups_client_build, 1942 .parse = tlsext_supportedgroups_client_parse, 1943 }, 1944 .server = { 1945 .needs = tlsext_supportedgroups_server_needs, 1946 .build = tlsext_supportedgroups_server_build, 1947 .parse = tlsext_supportedgroups_server_parse, 1948 }, 1949 }, 1950 { 1951 .type = TLSEXT_TYPE_session_ticket, 1952 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1953 .client = { 1954 .needs = tlsext_sessionticket_client_needs, 1955 .build = tlsext_sessionticket_client_build, 1956 .parse = tlsext_sessionticket_client_parse, 1957 }, 1958 .server = { 1959 .needs = tlsext_sessionticket_server_needs, 1960 .build = tlsext_sessionticket_server_build, 1961 .parse = tlsext_sessionticket_server_parse, 1962 }, 1963 }, 1964 { 1965 .type = TLSEXT_TYPE_signature_algorithms, 1966 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 1967 .client = { 1968 .needs = tlsext_sigalgs_client_needs, 1969 .build = tlsext_sigalgs_client_build, 1970 .parse = tlsext_sigalgs_client_parse, 1971 }, 1972 .server = { 1973 .needs = tlsext_sigalgs_server_needs, 1974 .build = tlsext_sigalgs_server_build, 1975 .parse = tlsext_sigalgs_server_parse, 1976 }, 1977 }, 1978 { 1979 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1980 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1981 .client = { 1982 .needs = tlsext_alpn_client_needs, 1983 .build = tlsext_alpn_client_build, 1984 .parse = tlsext_alpn_client_parse, 1985 }, 1986 .server = { 1987 .needs = tlsext_alpn_server_needs, 1988 .build = tlsext_alpn_server_build, 1989 .parse = tlsext_alpn_server_parse, 1990 }, 1991 }, 1992 { 1993 .type = TLSEXT_TYPE_cookie, 1994 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 1995 .client = { 1996 .needs = tlsext_cookie_client_needs, 1997 .build = tlsext_cookie_client_build, 1998 .parse = tlsext_cookie_client_parse, 1999 }, 2000 .server = { 2001 .needs = tlsext_cookie_server_needs, 2002 .build = tlsext_cookie_server_build, 2003 .parse = tlsext_cookie_server_parse, 2004 }, 2005 }, 2006 #ifndef OPENSSL_NO_SRTP 2007 { 2008 .type = TLSEXT_TYPE_use_srtp, 2009 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 2010 SSL_TLSEXT_MSG_EE, 2011 .client = { 2012 .needs = tlsext_srtp_client_needs, 2013 .build = tlsext_srtp_client_build, 2014 .parse = tlsext_srtp_client_parse, 2015 }, 2016 .server = { 2017 .needs = tlsext_srtp_server_needs, 2018 .build = tlsext_srtp_server_build, 2019 .parse = tlsext_srtp_server_parse, 2020 }, 2021 } 2022 #endif /* OPENSSL_NO_SRTP */ 2023 }; 2024 2025 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 2026 2027 /* Ensure that extensions fit in a uint32_t bitmask. */ 2028 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2029 2030 const struct tls_extension * 2031 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2032 { 2033 size_t i; 2034 2035 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2036 if (tls_extensions[i].type == type) { 2037 *tls_extensions_idx = i; 2038 return &tls_extensions[i]; 2039 } 2040 } 2041 2042 return NULL; 2043 } 2044 2045 int 2046 tlsext_extension_seen(SSL *s, uint16_t type) 2047 { 2048 size_t idx; 2049 2050 if (tls_extension_find(type, &idx) == NULL) 2051 return 0; 2052 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0); 2053 } 2054 2055 static const struct tls_extension_funcs * 2056 tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2057 { 2058 if (is_server) 2059 return &tlsext->server; 2060 2061 return &tlsext->client; 2062 } 2063 2064 static int 2065 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2066 { 2067 const struct tls_extension_funcs *ext; 2068 const struct tls_extension *tlsext; 2069 CBB extensions, extension_data; 2070 int extensions_present = 0; 2071 uint16_t tls_version; 2072 size_t i; 2073 2074 tls_version = ssl_effective_tls_version(s); 2075 2076 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2077 return 0; 2078 2079 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2080 tlsext = &tls_extensions[i]; 2081 ext = tlsext_funcs(tlsext, is_server); 2082 2083 /* RFC 8446 Section 4.2 */ 2084 if (tls_version >= TLS1_3_VERSION && 2085 !(tlsext->messages & msg_type)) 2086 continue; 2087 2088 if (!ext->needs(s, msg_type)) 2089 continue; 2090 2091 if (!CBB_add_u16(&extensions, tlsext->type)) 2092 return 0; 2093 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2094 return 0; 2095 2096 if (!ext->build(s, msg_type, &extension_data)) 2097 return 0; 2098 2099 extensions_present = 1; 2100 } 2101 2102 if (!extensions_present && 2103 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2104 CBB_discard_child(cbb); 2105 2106 if (!CBB_flush(cbb)) 2107 return 0; 2108 2109 return 1; 2110 } 2111 2112 int 2113 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2114 { 2115 /* 2116 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2117 * cookie may be added, padding may be removed. 2118 */ 2119 struct tls13_ctx *ctx = s->internal->tls13; 2120 2121 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2122 type == TLSEXT_TYPE_padding) 2123 return 1; 2124 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2125 sizeof(type))) 2126 return 0; 2127 /* 2128 * key_share data may be changed, and pre_shared_key data may 2129 * be changed 2130 */ 2131 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2132 return 1; 2133 if (!tls13_clienthello_hash_update(ctx, cbs)) 2134 return 0; 2135 2136 return 1; 2137 } 2138 2139 static int 2140 tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2141 { 2142 const struct tls_extension_funcs *ext; 2143 const struct tls_extension *tlsext; 2144 CBS extensions, extension_data; 2145 uint16_t type; 2146 size_t idx; 2147 uint16_t tls_version; 2148 int alert_desc; 2149 2150 tls_version = ssl_effective_tls_version(s); 2151 2152 s->s3->hs.extensions_seen = 0; 2153 2154 /* An empty extensions block is valid. */ 2155 if (CBS_len(cbs) == 0) 2156 return 1; 2157 2158 alert_desc = SSL_AD_DECODE_ERROR; 2159 2160 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2161 goto err; 2162 2163 while (CBS_len(&extensions) > 0) { 2164 if (!CBS_get_u16(&extensions, &type)) 2165 goto err; 2166 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2167 goto err; 2168 2169 if (s->internal->tlsext_debug_cb != NULL) 2170 s->internal->tlsext_debug_cb(s, !is_server, type, 2171 (unsigned char *)CBS_data(&extension_data), 2172 CBS_len(&extension_data), 2173 s->internal->tlsext_debug_arg); 2174 2175 /* Unknown extensions are ignored. */ 2176 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2177 continue; 2178 2179 if (tls_version >= TLS1_3_VERSION && is_server && 2180 msg_type == SSL_TLSEXT_MSG_CH) { 2181 if (!tlsext_clienthello_hash_extension(s, type, 2182 &extension_data)) 2183 goto err; 2184 } 2185 2186 /* RFC 8446 Section 4.2 */ 2187 if (tls_version >= TLS1_3_VERSION && 2188 !(tlsext->messages & msg_type)) { 2189 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2190 goto err; 2191 } 2192 2193 /* Check for duplicate known extensions. */ 2194 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0) 2195 goto err; 2196 s->s3->hs.extensions_seen |= (1 << idx); 2197 2198 ext = tlsext_funcs(tlsext, is_server); 2199 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2200 goto err; 2201 2202 if (CBS_len(&extension_data) != 0) 2203 goto err; 2204 } 2205 2206 return 1; 2207 2208 err: 2209 *alert = alert_desc; 2210 2211 return 0; 2212 } 2213 2214 static void 2215 tlsext_server_reset_state(SSL *s) 2216 { 2217 s->tlsext_status_type = -1; 2218 s->s3->renegotiate_seen = 0; 2219 free(s->s3->alpn_selected); 2220 s->s3->alpn_selected = NULL; 2221 s->s3->alpn_selected_len = 0; 2222 s->internal->srtp_profile = NULL; 2223 } 2224 2225 int 2226 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2227 { 2228 return tlsext_build(s, 1, msg_type, cbb); 2229 } 2230 2231 int 2232 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2233 { 2234 /* XXX - this should be done by the caller... */ 2235 if (msg_type == SSL_TLSEXT_MSG_CH) 2236 tlsext_server_reset_state(s); 2237 2238 return tlsext_parse(s, 1, msg_type, cbs, alert); 2239 } 2240 2241 static void 2242 tlsext_client_reset_state(SSL *s) 2243 { 2244 s->s3->renegotiate_seen = 0; 2245 free(s->s3->alpn_selected); 2246 s->s3->alpn_selected = NULL; 2247 s->s3->alpn_selected_len = 0; 2248 } 2249 2250 int 2251 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2252 { 2253 return tlsext_build(s, 0, msg_type, cbb); 2254 } 2255 2256 int 2257 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2258 { 2259 /* XXX - this should be done by the caller... */ 2260 if (msg_type == SSL_TLSEXT_MSG_SH) 2261 tlsext_client_reset_state(s); 2262 2263 return tlsext_parse(s, 0, msg_type, cbs, alert); 2264 } 2265