1 /* $OpenBSD: ssl_tlsext.c,v 1.86 2021/02/08 17:20:47 jsing Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <ctype.h> 21 22 #include <openssl/ocsp.h> 23 24 #include "ssl_locl.h" 25 26 #include "bytestring.h" 27 #include "ssl_sigalgs.h" 28 #include "ssl_tlsext.h" 29 30 /* 31 * Supported Application-Layer Protocol Negotiation - RFC 7301 32 */ 33 34 int 35 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 36 { 37 /* ALPN protos have been specified and this is the initial handshake */ 38 return s->internal->alpn_client_proto_list != NULL && 39 S3I(s)->tmp.finish_md_len == 0; 40 } 41 42 int 43 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 44 { 45 CBB protolist; 46 47 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 48 return 0; 49 50 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 51 s->internal->alpn_client_proto_list_len)) 52 return 0; 53 54 if (!CBB_flush(cbb)) 55 return 0; 56 57 return 1; 58 } 59 60 int 61 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 62 { 63 CBS proto_name_list, alpn; 64 const unsigned char *selected; 65 unsigned char selected_len; 66 int r; 67 68 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 69 goto err; 70 if (CBS_len(&alpn) < 2) 71 goto err; 72 if (CBS_len(cbs) != 0) 73 goto err; 74 75 CBS_dup(&alpn, &proto_name_list); 76 while (CBS_len(&proto_name_list) > 0) { 77 CBS proto_name; 78 79 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 80 goto err; 81 if (CBS_len(&proto_name) == 0) 82 goto err; 83 } 84 85 if (s->ctx->internal->alpn_select_cb == NULL) 86 return 1; 87 88 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 89 CBS_data(&alpn), CBS_len(&alpn), 90 s->ctx->internal->alpn_select_cb_arg); 91 if (r == SSL_TLSEXT_ERR_OK) { 92 free(S3I(s)->alpn_selected); 93 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 94 S3I(s)->alpn_selected_len = 0; 95 *alert = SSL_AD_INTERNAL_ERROR; 96 return 0; 97 } 98 memcpy(S3I(s)->alpn_selected, selected, selected_len); 99 S3I(s)->alpn_selected_len = selected_len; 100 } 101 102 return 1; 103 104 err: 105 *alert = SSL_AD_DECODE_ERROR; 106 return 0; 107 } 108 109 int 110 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 111 { 112 return S3I(s)->alpn_selected != NULL; 113 } 114 115 int 116 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 117 { 118 CBB list, selected; 119 120 if (!CBB_add_u16_length_prefixed(cbb, &list)) 121 return 0; 122 123 if (!CBB_add_u8_length_prefixed(&list, &selected)) 124 return 0; 125 126 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 127 S3I(s)->alpn_selected_len)) 128 return 0; 129 130 if (!CBB_flush(cbb)) 131 return 0; 132 133 return 1; 134 } 135 136 int 137 tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 138 { 139 CBS list, proto; 140 141 if (s->internal->alpn_client_proto_list == NULL) { 142 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 143 return 0; 144 } 145 146 if (!CBS_get_u16_length_prefixed(cbs, &list)) 147 goto err; 148 if (CBS_len(cbs) != 0) 149 goto err; 150 151 if (!CBS_get_u8_length_prefixed(&list, &proto)) 152 goto err; 153 154 if (CBS_len(&list) != 0) 155 goto err; 156 if (CBS_len(&proto) == 0) 157 goto err; 158 159 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 160 &(S3I(s)->alpn_selected_len))) 161 goto err; 162 163 return 1; 164 165 err: 166 *alert = TLS1_AD_DECODE_ERROR; 167 return 0; 168 } 169 170 /* 171 * Supported Groups - RFC 7919 section 2 172 */ 173 int 174 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 175 { 176 return ssl_has_ecc_ciphers(s) || 177 (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 178 } 179 180 int 181 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 182 { 183 const uint16_t *groups; 184 size_t groups_len; 185 CBB grouplist; 186 int i; 187 188 tls1_get_group_list(s, 0, &groups, &groups_len); 189 if (groups_len == 0) { 190 SSLerror(s, ERR_R_INTERNAL_ERROR); 191 return 0; 192 } 193 194 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 195 return 0; 196 197 for (i = 0; i < groups_len; i++) { 198 if (!CBB_add_u16(&grouplist, groups[i])) 199 return 0; 200 } 201 202 if (!CBB_flush(cbb)) 203 return 0; 204 205 return 1; 206 } 207 208 int 209 tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 210 int *alert) 211 { 212 CBS grouplist; 213 size_t groups_len; 214 215 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 216 goto err; 217 if (CBS_len(cbs) != 0) 218 goto err; 219 220 groups_len = CBS_len(&grouplist); 221 if (groups_len == 0 || groups_len % 2 != 0) 222 goto err; 223 groups_len /= 2; 224 225 if (!s->internal->hit) { 226 uint16_t *groups; 227 int i; 228 229 if (S3I(s)->hs_tls13.hrr) { 230 if (SSI(s)->tlsext_supportedgroups == NULL) { 231 *alert = SSL_AD_HANDSHAKE_FAILURE; 232 return 0; 233 } 234 /* 235 * In the case of TLSv1.3 the client cannot change 236 * the supported groups. 237 */ 238 if (groups_len != SSI(s)->tlsext_supportedgroups_length) { 239 *alert = SSL_AD_ILLEGAL_PARAMETER; 240 return 0; 241 } 242 for (i = 0; i < groups_len; i++) { 243 uint16_t group; 244 245 if (!CBS_get_u16(&grouplist, &group)) 246 goto err; 247 if (SSI(s)->tlsext_supportedgroups[i] != group) { 248 *alert = SSL_AD_ILLEGAL_PARAMETER; 249 return 0; 250 } 251 } 252 253 return 1; 254 } 255 256 if (SSI(s)->tlsext_supportedgroups != NULL) 257 goto err; 258 259 if ((groups = reallocarray(NULL, groups_len, 260 sizeof(uint16_t))) == NULL) { 261 *alert = TLS1_AD_INTERNAL_ERROR; 262 return 0; 263 } 264 265 for (i = 0; i < groups_len; i++) { 266 if (!CBS_get_u16(&grouplist, &groups[i])) { 267 free(groups); 268 goto err; 269 } 270 } 271 272 if (CBS_len(&grouplist) != 0) { 273 free(groups); 274 goto err; 275 } 276 277 SSI(s)->tlsext_supportedgroups = groups; 278 SSI(s)->tlsext_supportedgroups_length = groups_len; 279 } 280 281 return 1; 282 283 err: 284 *alert = TLS1_AD_DECODE_ERROR; 285 return 0; 286 } 287 288 /* This extension is never used by the server. */ 289 int 290 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 291 { 292 return 0; 293 } 294 295 int 296 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 297 { 298 return 0; 299 } 300 301 int 302 tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 303 int *alert) 304 { 305 /* 306 * Servers should not send this extension per the RFC. 307 * 308 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 309 * from at least 2014 but as of 2017, there are still large sites with 310 * this unpatched in production. As a result, we need to currently skip 311 * over the extension and ignore its content: 312 * 313 * https://support.f5.com/csp/article/K37345003 314 */ 315 if (!CBS_skip(cbs, CBS_len(cbs))) { 316 *alert = TLS1_AD_INTERNAL_ERROR; 317 return 0; 318 } 319 320 return 1; 321 } 322 323 /* 324 * Supported Point Formats Extension - RFC 4492 section 5.1.2 325 */ 326 static int 327 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 328 { 329 CBB ecpf; 330 size_t formats_len; 331 const uint8_t *formats; 332 333 tls1_get_formatlist(s, 0, &formats, &formats_len); 334 335 if (formats_len == 0) { 336 SSLerror(s, ERR_R_INTERNAL_ERROR); 337 return 0; 338 } 339 340 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 341 return 0; 342 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 343 return 0; 344 if (!CBB_flush(cbb)) 345 return 0; 346 347 return 1; 348 } 349 350 static int 351 tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 352 { 353 CBS ecpf; 354 355 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 356 goto err; 357 if (CBS_len(&ecpf) == 0) 358 goto err; 359 if (CBS_len(cbs) != 0) 360 goto err; 361 362 /* Must contain uncompressed (0) */ 363 if (!CBS_contains_zero_byte(&ecpf)) { 364 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 365 goto err; 366 } 367 368 if (!s->internal->hit) { 369 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 370 &(SSI(s)->tlsext_ecpointformatlist_length))) { 371 *alert = TLS1_AD_INTERNAL_ERROR; 372 return 0; 373 } 374 } 375 376 return 1; 377 378 err: 379 *alert = SSL_AD_DECODE_ERROR; 380 return 0; 381 } 382 383 int 384 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 385 { 386 return ssl_has_ecc_ciphers(s); 387 } 388 389 int 390 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 391 { 392 return tlsext_ecpf_build(s, msg_type, cbb); 393 } 394 395 int 396 tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 397 { 398 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 399 } 400 401 int 402 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 403 { 404 return ssl_using_ecc_cipher(s); 405 } 406 407 int 408 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 409 { 410 return tlsext_ecpf_build(s, msg_type, cbb); 411 } 412 413 int 414 tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 415 { 416 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 417 } 418 419 /* 420 * Renegotiation Indication - RFC 5746. 421 */ 422 int 423 tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 424 { 425 return (s->internal->renegotiate); 426 } 427 428 int 429 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 430 { 431 CBB reneg; 432 433 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 434 return 0; 435 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 436 S3I(s)->previous_client_finished_len)) 437 return 0; 438 if (!CBB_flush(cbb)) 439 return 0; 440 441 return 1; 442 } 443 444 int 445 tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 446 { 447 CBS reneg; 448 449 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 450 goto err; 451 if (CBS_len(cbs) != 0) 452 goto err; 453 454 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 455 S3I(s)->previous_client_finished_len)) { 456 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 457 *alert = SSL_AD_HANDSHAKE_FAILURE; 458 return 0; 459 } 460 461 S3I(s)->renegotiate_seen = 1; 462 S3I(s)->send_connection_binding = 1; 463 464 return 1; 465 466 err: 467 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 468 *alert = SSL_AD_DECODE_ERROR; 469 return 0; 470 } 471 472 int 473 tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 474 { 475 return (s->version < TLS1_3_VERSION && S3I(s)->send_connection_binding); 476 } 477 478 int 479 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 480 { 481 CBB reneg; 482 483 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 484 return 0; 485 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 486 S3I(s)->previous_client_finished_len)) 487 return 0; 488 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 489 S3I(s)->previous_server_finished_len)) 490 return 0; 491 if (!CBB_flush(cbb)) 492 return 0; 493 494 return 1; 495 } 496 497 int 498 tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 499 { 500 CBS reneg, prev_client, prev_server; 501 502 /* 503 * Ensure that the previous client and server values are both not 504 * present, or that they are both present. 505 */ 506 if ((S3I(s)->previous_client_finished_len == 0 && 507 S3I(s)->previous_server_finished_len != 0) || 508 (S3I(s)->previous_client_finished_len != 0 && 509 S3I(s)->previous_server_finished_len == 0)) { 510 *alert = TLS1_AD_INTERNAL_ERROR; 511 return 0; 512 } 513 514 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 515 goto err; 516 if (!CBS_get_bytes(&reneg, &prev_client, 517 S3I(s)->previous_client_finished_len)) 518 goto err; 519 if (!CBS_get_bytes(&reneg, &prev_server, 520 S3I(s)->previous_server_finished_len)) 521 goto err; 522 if (CBS_len(&reneg) != 0) 523 goto err; 524 if (CBS_len(cbs) != 0) 525 goto err; 526 527 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 528 S3I(s)->previous_client_finished_len)) { 529 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 530 *alert = SSL_AD_HANDSHAKE_FAILURE; 531 return 0; 532 } 533 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 534 S3I(s)->previous_server_finished_len)) { 535 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 536 *alert = SSL_AD_HANDSHAKE_FAILURE; 537 return 0; 538 } 539 540 S3I(s)->renegotiate_seen = 1; 541 S3I(s)->send_connection_binding = 1; 542 543 return 1; 544 545 err: 546 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 547 *alert = SSL_AD_DECODE_ERROR; 548 return 0; 549 } 550 551 /* 552 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 553 */ 554 int 555 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 556 { 557 return (TLS1_get_client_version(s) >= TLS1_2_VERSION); 558 } 559 560 int 561 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 562 { 563 const uint16_t *tls_sigalgs = tls12_sigalgs; 564 size_t tls_sigalgs_len = tls12_sigalgs_len; 565 CBB sigalgs; 566 567 if (TLS1_get_client_version(s) >= TLS1_3_VERSION && 568 S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) { 569 tls_sigalgs = tls13_sigalgs; 570 tls_sigalgs_len = tls13_sigalgs_len; 571 } 572 573 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 574 return 0; 575 576 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 577 return 0; 578 579 if (!CBB_flush(cbb)) 580 return 0; 581 582 return 1; 583 } 584 585 int 586 tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 587 { 588 CBS sigalgs; 589 590 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 591 return 0; 592 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 593 return 0; 594 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 595 return 0; 596 597 return 1; 598 } 599 600 int 601 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 602 { 603 return (s->version >= TLS1_3_VERSION); 604 } 605 606 int 607 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 608 { 609 const uint16_t *tls_sigalgs = tls12_sigalgs; 610 size_t tls_sigalgs_len = tls12_sigalgs_len; 611 CBB sigalgs; 612 613 if (s->version >= TLS1_3_VERSION) { 614 tls_sigalgs = tls13_sigalgs; 615 tls_sigalgs_len = tls13_sigalgs_len; 616 } 617 618 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 619 return 0; 620 621 if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) 622 return 0; 623 624 if (!CBB_flush(cbb)) 625 return 0; 626 627 return 1; 628 } 629 630 int 631 tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 632 { 633 CBS sigalgs; 634 635 if (s->version < TLS1_3_VERSION) 636 return 0; 637 638 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 639 return 0; 640 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 641 return 0; 642 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 643 return 0; 644 645 return 1; 646 } 647 648 /* 649 * Server Name Indication - RFC 6066, section 3. 650 */ 651 int 652 tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 653 { 654 return (s->tlsext_hostname != NULL); 655 } 656 657 int 658 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 659 { 660 CBB server_name_list, host_name; 661 662 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 663 return 0; 664 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 665 return 0; 666 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 667 return 0; 668 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 669 strlen(s->tlsext_hostname))) 670 return 0; 671 if (!CBB_flush(cbb)) 672 return 0; 673 674 return 1; 675 } 676 677 /* 678 * Validate that the CBS contains only a hostname consisting of RFC 5890 679 * compliant A-labels (see RFC 6066 section 3). Not a complete check 680 * since we don't parse punycode to verify its validity but limits to 681 * correct structure and character set. 682 */ 683 int 684 tlsext_sni_is_valid_hostname(CBS *cbs) 685 { 686 uint8_t prev, c = 0; 687 int component = 0; 688 CBS hostname; 689 690 CBS_dup(cbs, &hostname); 691 692 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 693 return 0; 694 695 while(CBS_len(&hostname) > 0) { 696 prev = c; 697 if (!CBS_get_u8(&hostname, &c)) 698 return 0; 699 /* Everything has to be ASCII, with no NUL byte. */ 700 if (!isascii(c) || c == '\0') 701 return 0; 702 /* It must be alphanumeric, a '-', or a '.' */ 703 if (!isalnum(c) && c != '-' && c != '.') 704 return 0; 705 /* '-' and '.' must not start a component or be at the end. */ 706 if (component == 0 || CBS_len(&hostname) == 0) { 707 if (c == '-' || c == '.') 708 return 0; 709 } 710 if (c == '.') { 711 /* Components can not end with a dash. */ 712 if (prev == '-') 713 return 0; 714 /* Start new component */ 715 component = 0; 716 continue; 717 } 718 /* Components must be 63 chars or less. */ 719 if (++component > 63) 720 return 0; 721 } 722 723 return 1; 724 } 725 726 int 727 tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 728 { 729 CBS server_name_list, host_name; 730 uint8_t name_type; 731 732 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 733 goto err; 734 735 if (!CBS_get_u8(&server_name_list, &name_type)) 736 goto err; 737 /* 738 * RFC 6066 section 3, only one type (host_name) is specified. 739 * We do not tolerate unknown types, neither does BoringSSL. 740 * other implementations appear more tolerant. 741 */ 742 if (name_type != TLSEXT_NAMETYPE_host_name) { 743 *alert = SSL3_AD_ILLEGAL_PARAMETER; 744 goto err; 745 } 746 747 748 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 749 goto err; 750 /* 751 * RFC 6066 section 3 specifies a host name must be at least 1 byte 752 * so 0 length is a decode error. 753 */ 754 if (CBS_len(&host_name) < 1) 755 goto err; 756 757 if (!tlsext_sni_is_valid_hostname(&host_name)) { 758 *alert = SSL3_AD_ILLEGAL_PARAMETER; 759 goto err; 760 } 761 762 if (s->internal->hit || S3I(s)->hs_tls13.hrr) { 763 if (s->session->tlsext_hostname == NULL) { 764 *alert = TLS1_AD_UNRECOGNIZED_NAME; 765 goto err; 766 } 767 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 768 strlen(s->session->tlsext_hostname))) { 769 *alert = TLS1_AD_UNRECOGNIZED_NAME; 770 goto err; 771 } 772 } else { 773 if (s->session->tlsext_hostname != NULL) 774 goto err; 775 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 776 *alert = TLS1_AD_INTERNAL_ERROR; 777 goto err; 778 } 779 } 780 781 /* 782 * RFC 6066 section 3 forbids multiple host names with the same type, 783 * therefore we allow only one entry. 784 */ 785 if (CBS_len(&server_name_list) != 0) { 786 *alert = SSL3_AD_ILLEGAL_PARAMETER; 787 goto err; 788 } 789 if (CBS_len(cbs) != 0) 790 goto err; 791 792 return 1; 793 794 err: 795 return 0; 796 } 797 798 int 799 tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 800 { 801 if (s->internal->hit) 802 return 0; 803 804 return (s->session->tlsext_hostname != NULL); 805 } 806 807 int 808 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 809 { 810 return 1; 811 } 812 813 int 814 tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 815 { 816 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 817 *alert = TLS1_AD_UNRECOGNIZED_NAME; 818 return 0; 819 } 820 821 if (s->internal->hit) { 822 if (s->session->tlsext_hostname == NULL) { 823 *alert = TLS1_AD_UNRECOGNIZED_NAME; 824 return 0; 825 } 826 if (strcmp(s->tlsext_hostname, 827 s->session->tlsext_hostname) != 0) { 828 *alert = TLS1_AD_UNRECOGNIZED_NAME; 829 return 0; 830 } 831 } else { 832 if (s->session->tlsext_hostname != NULL) { 833 *alert = SSL_AD_DECODE_ERROR; 834 return 0; 835 } 836 if ((s->session->tlsext_hostname = 837 strdup(s->tlsext_hostname)) == NULL) { 838 *alert = TLS1_AD_INTERNAL_ERROR; 839 return 0; 840 } 841 } 842 843 return 1; 844 } 845 846 847 /* 848 * Certificate Status Request - RFC 6066 section 8. 849 */ 850 851 int 852 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 853 { 854 if (msg_type != SSL_TLSEXT_MSG_CH) 855 return 0; 856 857 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 858 } 859 860 int 861 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 862 { 863 CBB respid_list, respid, exts; 864 unsigned char *ext_data; 865 size_t ext_len; 866 int i; 867 868 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 869 return 0; 870 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 871 return 0; 872 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 873 unsigned char *respid_data; 874 OCSP_RESPID *id; 875 size_t id_len; 876 877 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 878 i)) == NULL) 879 return 0; 880 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 881 return 0; 882 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 883 return 0; 884 if (!CBB_add_space(&respid, &respid_data, id_len)) 885 return 0; 886 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 887 return 0; 888 } 889 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 890 return 0; 891 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 892 NULL)) == -1) 893 return 0; 894 if (!CBB_add_space(&exts, &ext_data, ext_len)) 895 return 0; 896 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 897 ext_len)) 898 return 0; 899 if (!CBB_flush(cbb)) 900 return 0; 901 return 1; 902 } 903 904 int 905 tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 906 { 907 int alert_desc = SSL_AD_DECODE_ERROR; 908 CBS respid_list, respid, exts; 909 const unsigned char *p; 910 uint8_t status_type; 911 int ret = 0; 912 913 if (msg_type != SSL_TLSEXT_MSG_CH) 914 goto err; 915 916 if (!CBS_get_u8(cbs, &status_type)) 917 goto err; 918 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 919 /* ignore unknown status types */ 920 s->tlsext_status_type = -1; 921 922 if (!CBS_skip(cbs, CBS_len(cbs))) { 923 *alert = TLS1_AD_INTERNAL_ERROR; 924 return 0; 925 } 926 return 1; 927 } 928 s->tlsext_status_type = status_type; 929 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 930 goto err; 931 932 /* XXX */ 933 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 934 s->internal->tlsext_ocsp_ids = NULL; 935 if (CBS_len(&respid_list) > 0) { 936 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 937 if (s->internal->tlsext_ocsp_ids == NULL) { 938 alert_desc = SSL_AD_INTERNAL_ERROR; 939 goto err; 940 } 941 } 942 943 while (CBS_len(&respid_list) > 0) { 944 OCSP_RESPID *id; 945 946 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 947 goto err; 948 p = CBS_data(&respid); 949 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 950 goto err; 951 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 952 alert_desc = SSL_AD_INTERNAL_ERROR; 953 OCSP_RESPID_free(id); 954 goto err; 955 } 956 } 957 958 /* Read in request_extensions */ 959 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 960 goto err; 961 if (CBS_len(&exts) > 0) { 962 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 963 X509_EXTENSION_free); 964 p = CBS_data(&exts); 965 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 966 &p, CBS_len(&exts))) == NULL) 967 goto err; 968 } 969 970 /* should be nothing left */ 971 if (CBS_len(cbs) > 0) 972 goto err; 973 974 ret = 1; 975 err: 976 if (ret == 0) 977 *alert = alert_desc; 978 return ret; 979 } 980 981 int 982 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 983 { 984 if (s->version >= TLS1_3_VERSION && 985 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 986 s->ctx->internal->tlsext_status_cb != NULL) { 987 s->internal->tlsext_status_expected = 0; 988 if (s->ctx->internal->tlsext_status_cb(s, 989 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 990 s->internal->tlsext_ocsp_resp_len > 0) 991 s->internal->tlsext_status_expected = 1; 992 } 993 return s->internal->tlsext_status_expected; 994 } 995 996 int 997 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 998 { 999 CBB ocsp_response; 1000 1001 if (s->version >= TLS1_3_VERSION) { 1002 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1003 return 0; 1004 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1005 return 0; 1006 if (!CBB_add_bytes(&ocsp_response, 1007 s->internal->tlsext_ocsp_resp, 1008 s->internal->tlsext_ocsp_resp_len)) 1009 return 0; 1010 if (!CBB_flush(cbb)) 1011 return 0; 1012 } 1013 return 1; 1014 } 1015 1016 int 1017 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1018 { 1019 CBS response; 1020 uint16_t version = TLS1_get_client_version(s); 1021 uint8_t status_type; 1022 1023 if (version >= TLS1_3_VERSION) { 1024 if (msg_type == SSL_TLSEXT_MSG_CR) { 1025 /* 1026 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1027 * response with an empty status_request. 1028 */ 1029 if (CBS_len(cbs) == 0) 1030 return 1; 1031 1032 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1033 return 0; 1034 } 1035 if (!CBS_get_u8(cbs, &status_type)) { 1036 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1037 return 0; 1038 } 1039 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1040 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1041 return 0; 1042 } 1043 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1044 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1045 return 0; 1046 } 1047 if (CBS_len(&response) > 65536) { 1048 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1049 return 0; 1050 } 1051 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 1052 &s->internal->tlsext_ocsp_resp_len)) { 1053 *alert = SSL_AD_INTERNAL_ERROR; 1054 return 0; 1055 } 1056 } else { 1057 if (s->tlsext_status_type == -1) { 1058 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1059 return 0; 1060 } 1061 /* Set flag to expect CertificateStatus message */ 1062 s->internal->tlsext_status_expected = 1; 1063 } 1064 return 1; 1065 } 1066 1067 /* 1068 * SessionTicket extension - RFC 5077 section 3.2 1069 */ 1070 int 1071 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1072 { 1073 /* 1074 * Send session ticket extension when enabled and not overridden. 1075 * 1076 * When renegotiating, send an empty session ticket to indicate support. 1077 */ 1078 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1079 return 0; 1080 1081 if (s->internal->new_session) 1082 return 1; 1083 1084 if (s->internal->tlsext_session_ticket != NULL && 1085 s->internal->tlsext_session_ticket->data == NULL) 1086 return 0; 1087 1088 return 1; 1089 } 1090 1091 int 1092 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1093 { 1094 /* 1095 * Signal that we support session tickets by sending an empty 1096 * extension when renegotiating or no session found. 1097 */ 1098 if (s->internal->new_session || s->session == NULL) 1099 return 1; 1100 1101 if (s->session->tlsext_tick != NULL) { 1102 /* Attempt to resume with an existing session ticket */ 1103 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1104 s->session->tlsext_ticklen)) 1105 return 0; 1106 1107 } else if (s->internal->tlsext_session_ticket != NULL) { 1108 /* 1109 * Attempt to resume with a custom provided session ticket set 1110 * by SSL_set_session_ticket_ext(). 1111 */ 1112 if (s->internal->tlsext_session_ticket->length > 0) { 1113 size_t ticklen = s->internal->tlsext_session_ticket->length; 1114 1115 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1116 return 0; 1117 memcpy(s->session->tlsext_tick, 1118 s->internal->tlsext_session_ticket->data, 1119 ticklen); 1120 s->session->tlsext_ticklen = ticklen; 1121 1122 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1123 s->session->tlsext_ticklen)) 1124 return 0; 1125 } 1126 } 1127 1128 if (!CBB_flush(cbb)) 1129 return 0; 1130 1131 return 1; 1132 } 1133 1134 int 1135 tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1136 int *alert) 1137 { 1138 if (s->internal->tls_session_ticket_ext_cb) { 1139 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1140 (int)CBS_len(cbs), 1141 s->internal->tls_session_ticket_ext_cb_arg)) { 1142 *alert = TLS1_AD_INTERNAL_ERROR; 1143 return 0; 1144 } 1145 } 1146 1147 /* We need to signal that this was processed fully */ 1148 if (!CBS_skip(cbs, CBS_len(cbs))) { 1149 *alert = TLS1_AD_INTERNAL_ERROR; 1150 return 0; 1151 } 1152 1153 return 1; 1154 } 1155 1156 int 1157 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1158 { 1159 return (s->internal->tlsext_ticket_expected && 1160 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 1161 } 1162 1163 int 1164 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1165 { 1166 /* Empty ticket */ 1167 return 1; 1168 } 1169 1170 int 1171 tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1172 int *alert) 1173 { 1174 if (s->internal->tls_session_ticket_ext_cb) { 1175 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1176 (int)CBS_len(cbs), 1177 s->internal->tls_session_ticket_ext_cb_arg)) { 1178 *alert = TLS1_AD_INTERNAL_ERROR; 1179 return 0; 1180 } 1181 } 1182 1183 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1184 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1185 return 0; 1186 } 1187 1188 s->internal->tlsext_ticket_expected = 1; 1189 1190 return 1; 1191 } 1192 1193 /* 1194 * DTLS extension for SRTP key establishment - RFC 5764 1195 */ 1196 1197 #ifndef OPENSSL_NO_SRTP 1198 1199 int 1200 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1201 { 1202 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1203 } 1204 1205 int 1206 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1207 { 1208 CBB profiles, mki; 1209 int ct, i; 1210 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1211 const SRTP_PROTECTION_PROFILE *prof; 1212 1213 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1214 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1215 return 0; 1216 } 1217 1218 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1219 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1220 return 0; 1221 } 1222 1223 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1224 return 0; 1225 1226 for (i = 0; i < ct; i++) { 1227 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1228 return 0; 1229 if (!CBB_add_u16(&profiles, prof->id)) 1230 return 0; 1231 } 1232 1233 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1234 return 0; 1235 1236 if (!CBB_flush(cbb)) 1237 return 0; 1238 1239 return 1; 1240 } 1241 1242 int 1243 tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1244 { 1245 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1246 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1247 int i, j; 1248 int ret; 1249 uint16_t id; 1250 CBS profiles, mki; 1251 1252 ret = 0; 1253 1254 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1255 goto err; 1256 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1257 goto err; 1258 1259 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1260 goto err; 1261 1262 while (CBS_len(&profiles) > 0) { 1263 if (!CBS_get_u16(&profiles, &id)) 1264 goto err; 1265 1266 if (!srtp_find_profile_by_num(id, &cprof)) { 1267 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1268 goto err; 1269 } 1270 } 1271 1272 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1273 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1274 *alert = SSL_AD_DECODE_ERROR; 1275 goto done; 1276 } 1277 if (CBS_len(cbs) != 0) 1278 goto err; 1279 1280 /* 1281 * Per RFC 5764 section 4.1.1 1282 * 1283 * Find the server preferred profile using the client's list. 1284 * 1285 * The server MUST send a profile if it sends the use_srtp 1286 * extension. If one is not found, it should fall back to the 1287 * negotiated DTLS cipher suite or return a DTLS alert. 1288 */ 1289 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1290 goto err; 1291 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1292 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1293 == NULL) 1294 goto err; 1295 1296 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1297 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1298 == NULL) 1299 goto err; 1300 1301 if (cprof->id == sprof->id) { 1302 s->internal->srtp_profile = sprof; 1303 ret = 1; 1304 goto done; 1305 } 1306 } 1307 } 1308 1309 /* If we didn't find anything, fall back to the negotiated */ 1310 ret = 1; 1311 goto done; 1312 1313 err: 1314 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1315 *alert = SSL_AD_DECODE_ERROR; 1316 1317 done: 1318 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1319 return ret; 1320 } 1321 1322 int 1323 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1324 { 1325 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1326 } 1327 1328 int 1329 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1330 { 1331 SRTP_PROTECTION_PROFILE *profile; 1332 CBB srtp, mki; 1333 1334 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1335 return 0; 1336 1337 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1338 return 0; 1339 1340 if (!CBB_add_u16(&srtp, profile->id)) 1341 return 0; 1342 1343 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1344 return 0; 1345 1346 if (!CBB_flush(cbb)) 1347 return 0; 1348 1349 return 1; 1350 } 1351 1352 int 1353 tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1354 { 1355 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1356 const SRTP_PROTECTION_PROFILE *prof; 1357 int i; 1358 uint16_t id; 1359 CBS profile_ids, mki; 1360 1361 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1362 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1363 goto err; 1364 } 1365 1366 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1367 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1368 goto err; 1369 } 1370 1371 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1372 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1373 *alert = SSL_AD_ILLEGAL_PARAMETER; 1374 return 0; 1375 } 1376 1377 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1378 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1379 goto err; 1380 } 1381 1382 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1383 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1384 == NULL) { 1385 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1386 goto err; 1387 } 1388 1389 if (prof->id == id) { 1390 s->internal->srtp_profile = prof; 1391 return 1; 1392 } 1393 } 1394 1395 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1396 err: 1397 *alert = SSL_AD_DECODE_ERROR; 1398 return 0; 1399 } 1400 1401 #endif /* OPENSSL_NO_SRTP */ 1402 1403 /* 1404 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1405 */ 1406 int 1407 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1408 { 1409 /* XXX once this gets initialized when we get tls13_client.c */ 1410 if (S3I(s)->hs_tls13.max_version == 0) 1411 return 0; 1412 return (!SSL_is_dtls(s) && S3I(s)->hs_tls13.max_version >= 1413 TLS1_3_VERSION); 1414 } 1415 1416 int 1417 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1418 { 1419 CBB client_shares; 1420 1421 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1422 return 0; 1423 1424 if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, 1425 &client_shares)) 1426 return 0; 1427 1428 if (!CBB_flush(cbb)) 1429 return 0; 1430 1431 return 1; 1432 } 1433 1434 int 1435 tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1436 { 1437 CBS client_shares, key_exchange; 1438 uint16_t group; 1439 1440 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1441 goto err; 1442 1443 while (CBS_len(&client_shares) > 0) { 1444 1445 /* Unpack client share. */ 1446 if (!CBS_get_u16(&client_shares, &group)) 1447 goto err; 1448 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1449 return 0; 1450 1451 /* 1452 * XXX - check key exchange against supported groups from client. 1453 * XXX - check that groups only appear once. 1454 */ 1455 1456 /* 1457 * Ignore this client share if we're using earlier than TLSv1.3 1458 * or we've already selected a key share. 1459 */ 1460 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1461 continue; 1462 if (S3I(s)->hs_tls13.key_share != NULL) 1463 continue; 1464 1465 /* XXX - consider implementing server preference. */ 1466 if (!tls1_check_curve(s, group)) 1467 continue; 1468 1469 /* Decode and store the selected key share. */ 1470 S3I(s)->hs_tls13.key_share = tls13_key_share_new(group); 1471 if (S3I(s)->hs_tls13.key_share == NULL) 1472 goto err; 1473 if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, 1474 group, &key_exchange)) 1475 goto err; 1476 } 1477 1478 return 1; 1479 1480 err: 1481 *alert = SSL_AD_DECODE_ERROR; 1482 return 0; 1483 } 1484 1485 int 1486 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1487 { 1488 if (SSL_is_dtls(s) || s->version < TLS1_3_VERSION) 1489 return 0; 1490 1491 return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); 1492 } 1493 1494 int 1495 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1496 { 1497 /* In the case of a HRR, we only send the server selected group. */ 1498 if (S3I(s)->hs_tls13.hrr) { 1499 if (S3I(s)->hs_tls13.server_group == 0) 1500 return 0; 1501 return CBB_add_u16(cbb, S3I(s)->hs_tls13.server_group); 1502 } 1503 1504 if (S3I(s)->hs_tls13.key_share == NULL) 1505 return 0; 1506 1507 if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb)) 1508 return 0; 1509 1510 return 1; 1511 } 1512 1513 int 1514 tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1515 { 1516 CBS key_exchange; 1517 uint16_t group; 1518 1519 /* Unpack server share. */ 1520 if (!CBS_get_u16(cbs, &group)) 1521 goto err; 1522 1523 if (CBS_len(cbs) == 0) { 1524 /* HRR does not include an actual key share. */ 1525 /* XXX - we should know that we are in a HRR... */ 1526 S3I(s)->hs_tls13.server_group = group; 1527 return 1; 1528 } 1529 1530 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1531 return 0; 1532 1533 if (S3I(s)->hs_tls13.key_share == NULL) 1534 return 0; 1535 1536 if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, 1537 group, &key_exchange)) 1538 goto err; 1539 1540 return 1; 1541 1542 err: 1543 *alert = SSL_AD_DECODE_ERROR; 1544 return 0; 1545 } 1546 1547 /* 1548 * Supported Versions - RFC 8446 section 4.2.1. 1549 */ 1550 int 1551 tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1552 { 1553 if (SSL_is_dtls(s)) 1554 return 0; 1555 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 1556 } 1557 1558 int 1559 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1560 { 1561 uint16_t max, min; 1562 uint16_t version; 1563 CBB versions; 1564 1565 max = S3I(s)->hs_tls13.max_version; 1566 min = S3I(s)->hs_tls13.min_version; 1567 1568 if (min < TLS1_VERSION) 1569 return 0; 1570 1571 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1572 return 0; 1573 1574 /* XXX - fix, but contiguous for now... */ 1575 for (version = max; version >= min; version--) { 1576 if (!CBB_add_u16(&versions, version)) 1577 return 0; 1578 } 1579 1580 if (!CBB_flush(cbb)) 1581 return 0; 1582 1583 return 1; 1584 } 1585 1586 int 1587 tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1588 { 1589 CBS versions; 1590 uint16_t version; 1591 uint16_t max, min; 1592 uint16_t matched_version = 0; 1593 1594 max = S3I(s)->hs_tls13.max_version; 1595 min = S3I(s)->hs_tls13.min_version; 1596 1597 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1598 goto err; 1599 1600 while (CBS_len(&versions) > 0) { 1601 if (!CBS_get_u16(&versions, &version)) 1602 goto err; 1603 /* 1604 * XXX What is below implements client preference, and 1605 * ignores any server preference entirely. 1606 */ 1607 if (matched_version == 0 && version >= min && version <= max) 1608 matched_version = version; 1609 } 1610 1611 /* 1612 * XXX if we haven't matched a version we should 1613 * fail - but we currently need to succeed to 1614 * ignore this before the server code for 1.3 1615 * is set up and initialized. 1616 */ 1617 if (max == 0) 1618 return 1; /* XXX */ 1619 1620 if (matched_version != 0) { 1621 s->version = matched_version; 1622 return 1; 1623 } 1624 1625 *alert = SSL_AD_PROTOCOL_VERSION; 1626 return 0; 1627 1628 err: 1629 *alert = SSL_AD_DECODE_ERROR; 1630 return 0; 1631 } 1632 1633 int 1634 tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1635 { 1636 return (!SSL_is_dtls(s) && s->version >= TLS1_3_VERSION); 1637 } 1638 1639 int 1640 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1641 { 1642 if (!CBB_add_u16(cbb, TLS1_3_VERSION)) 1643 return 0; 1644 /* XXX set 1.2 in legacy version? */ 1645 1646 return 1; 1647 } 1648 1649 int 1650 tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1651 { 1652 uint16_t selected_version; 1653 1654 if (!CBS_get_u16(cbs, &selected_version)) { 1655 *alert = SSL_AD_DECODE_ERROR; 1656 return 0; 1657 } 1658 1659 if (selected_version < TLS1_3_VERSION) { 1660 *alert = SSL_AD_ILLEGAL_PARAMETER; 1661 return 0; 1662 } 1663 1664 /* XXX test between min and max once initialization code goes in */ 1665 S3I(s)->hs_tls13.server_version = selected_version; 1666 1667 return 1; 1668 } 1669 1670 1671 /* 1672 * Cookie - RFC 8446 section 4.2.2. 1673 */ 1674 1675 int 1676 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1677 { 1678 if (SSL_is_dtls(s)) 1679 return 0; 1680 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1681 return 0; 1682 return (S3I(s)->hs_tls13.cookie_len > 0 && 1683 S3I(s)->hs_tls13.cookie != NULL); 1684 } 1685 1686 int 1687 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1688 { 1689 CBB cookie; 1690 1691 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1692 return 0; 1693 1694 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1695 S3I(s)->hs_tls13.cookie_len)) 1696 return 0; 1697 1698 if (!CBB_flush(cbb)) 1699 return 0; 1700 1701 return 1; 1702 } 1703 1704 int 1705 tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1706 { 1707 CBS cookie; 1708 1709 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1710 goto err; 1711 1712 if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len) 1713 goto err; 1714 1715 /* 1716 * Check provided cookie value against what server previously 1717 * sent - client *MUST* send the same cookie with new CR after 1718 * a cookie is sent by the server with an HRR. 1719 */ 1720 if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie, 1721 S3I(s)->hs_tls13.cookie_len)) { 1722 /* XXX special cookie mismatch alert? */ 1723 *alert = SSL_AD_ILLEGAL_PARAMETER; 1724 return 0; 1725 } 1726 1727 return 1; 1728 1729 err: 1730 *alert = SSL_AD_DECODE_ERROR; 1731 return 0; 1732 } 1733 1734 int 1735 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1736 { 1737 1738 if (SSL_is_dtls(s)) 1739 return 0; 1740 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1741 return 0; 1742 /* 1743 * Server needs to set cookie value in tls13 handshake 1744 * in order to send one, should only be sent with HRR. 1745 */ 1746 return (S3I(s)->hs_tls13.cookie_len > 0 && 1747 S3I(s)->hs_tls13.cookie != NULL); 1748 } 1749 1750 int 1751 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1752 { 1753 CBB cookie; 1754 1755 /* XXX deduplicate with client code */ 1756 1757 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1758 return 0; 1759 1760 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, 1761 S3I(s)->hs_tls13.cookie_len)) 1762 return 0; 1763 1764 if (!CBB_flush(cbb)) 1765 return 0; 1766 1767 return 1; 1768 } 1769 1770 int 1771 tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1772 { 1773 CBS cookie; 1774 1775 /* 1776 * XXX This currently assumes we will not get a second 1777 * HRR from a server with a cookie to process after accepting 1778 * one from the server in the same handshake 1779 */ 1780 if (S3I(s)->hs_tls13.cookie != NULL || 1781 S3I(s)->hs_tls13.cookie_len != 0) { 1782 *alert = SSL_AD_ILLEGAL_PARAMETER; 1783 return 0; 1784 } 1785 1786 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1787 goto err; 1788 1789 if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie, 1790 &S3I(s)->hs_tls13.cookie_len)) 1791 goto err; 1792 1793 return 1; 1794 1795 err: 1796 *alert = SSL_AD_DECODE_ERROR; 1797 return 0; 1798 } 1799 1800 struct tls_extension_funcs { 1801 int (*needs)(SSL *s, uint16_t msg_type); 1802 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 1803 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 1804 }; 1805 1806 struct tls_extension { 1807 uint16_t type; 1808 uint16_t messages; 1809 struct tls_extension_funcs client; 1810 struct tls_extension_funcs server; 1811 }; 1812 1813 static const struct tls_extension tls_extensions[] = { 1814 { 1815 .type = TLSEXT_TYPE_supported_versions, 1816 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1817 SSL_TLSEXT_MSG_HRR, 1818 .client = { 1819 .needs = tlsext_versions_client_needs, 1820 .build = tlsext_versions_client_build, 1821 .parse = tlsext_versions_client_parse, 1822 }, 1823 .server = { 1824 .needs = tlsext_versions_server_needs, 1825 .build = tlsext_versions_server_build, 1826 .parse = tlsext_versions_server_parse, 1827 }, 1828 }, 1829 { 1830 .type = TLSEXT_TYPE_key_share, 1831 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1832 SSL_TLSEXT_MSG_HRR, 1833 .client = { 1834 .needs = tlsext_keyshare_client_needs, 1835 .build = tlsext_keyshare_client_build, 1836 .parse = tlsext_keyshare_client_parse, 1837 }, 1838 .server = { 1839 .needs = tlsext_keyshare_server_needs, 1840 .build = tlsext_keyshare_server_build, 1841 .parse = tlsext_keyshare_server_parse, 1842 }, 1843 }, 1844 { 1845 .type = TLSEXT_TYPE_server_name, 1846 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1847 .client = { 1848 .needs = tlsext_sni_client_needs, 1849 .build = tlsext_sni_client_build, 1850 .parse = tlsext_sni_client_parse, 1851 }, 1852 .server = { 1853 .needs = tlsext_sni_server_needs, 1854 .build = tlsext_sni_server_build, 1855 .parse = tlsext_sni_server_parse, 1856 }, 1857 }, 1858 { 1859 .type = TLSEXT_TYPE_renegotiate, 1860 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1861 .client = { 1862 .needs = tlsext_ri_client_needs, 1863 .build = tlsext_ri_client_build, 1864 .parse = tlsext_ri_client_parse, 1865 }, 1866 .server = { 1867 .needs = tlsext_ri_server_needs, 1868 .build = tlsext_ri_server_build, 1869 .parse = tlsext_ri_server_parse, 1870 }, 1871 }, 1872 { 1873 .type = TLSEXT_TYPE_status_request, 1874 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 1875 SSL_TLSEXT_MSG_CT, 1876 .client = { 1877 .needs = tlsext_ocsp_client_needs, 1878 .build = tlsext_ocsp_client_build, 1879 .parse = tlsext_ocsp_client_parse, 1880 }, 1881 .server = { 1882 .needs = tlsext_ocsp_server_needs, 1883 .build = tlsext_ocsp_server_build, 1884 .parse = tlsext_ocsp_server_parse, 1885 }, 1886 }, 1887 { 1888 .type = TLSEXT_TYPE_ec_point_formats, 1889 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1890 .client = { 1891 .needs = tlsext_ecpf_client_needs, 1892 .build = tlsext_ecpf_client_build, 1893 .parse = tlsext_ecpf_client_parse, 1894 }, 1895 .server = { 1896 .needs = tlsext_ecpf_server_needs, 1897 .build = tlsext_ecpf_server_build, 1898 .parse = tlsext_ecpf_server_parse, 1899 }, 1900 }, 1901 { 1902 .type = TLSEXT_TYPE_supported_groups, 1903 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1904 .client = { 1905 .needs = tlsext_supportedgroups_client_needs, 1906 .build = tlsext_supportedgroups_client_build, 1907 .parse = tlsext_supportedgroups_client_parse, 1908 }, 1909 .server = { 1910 .needs = tlsext_supportedgroups_server_needs, 1911 .build = tlsext_supportedgroups_server_build, 1912 .parse = tlsext_supportedgroups_server_parse, 1913 }, 1914 }, 1915 { 1916 .type = TLSEXT_TYPE_session_ticket, 1917 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1918 .client = { 1919 .needs = tlsext_sessionticket_client_needs, 1920 .build = tlsext_sessionticket_client_build, 1921 .parse = tlsext_sessionticket_client_parse, 1922 }, 1923 .server = { 1924 .needs = tlsext_sessionticket_server_needs, 1925 .build = tlsext_sessionticket_server_build, 1926 .parse = tlsext_sessionticket_server_parse, 1927 }, 1928 }, 1929 { 1930 .type = TLSEXT_TYPE_signature_algorithms, 1931 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 1932 .client = { 1933 .needs = tlsext_sigalgs_client_needs, 1934 .build = tlsext_sigalgs_client_build, 1935 .parse = tlsext_sigalgs_client_parse, 1936 }, 1937 .server = { 1938 .needs = tlsext_sigalgs_server_needs, 1939 .build = tlsext_sigalgs_server_build, 1940 .parse = tlsext_sigalgs_server_parse, 1941 }, 1942 }, 1943 { 1944 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1945 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1946 .client = { 1947 .needs = tlsext_alpn_client_needs, 1948 .build = tlsext_alpn_client_build, 1949 .parse = tlsext_alpn_client_parse, 1950 }, 1951 .server = { 1952 .needs = tlsext_alpn_server_needs, 1953 .build = tlsext_alpn_server_build, 1954 .parse = tlsext_alpn_server_parse, 1955 }, 1956 }, 1957 { 1958 .type = TLSEXT_TYPE_cookie, 1959 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 1960 .client = { 1961 .needs = tlsext_cookie_client_needs, 1962 .build = tlsext_cookie_client_build, 1963 .parse = tlsext_cookie_client_parse, 1964 }, 1965 .server = { 1966 .needs = tlsext_cookie_server_needs, 1967 .build = tlsext_cookie_server_build, 1968 .parse = tlsext_cookie_server_parse, 1969 }, 1970 }, 1971 #ifndef OPENSSL_NO_SRTP 1972 { 1973 .type = TLSEXT_TYPE_use_srtp, 1974 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 1975 SSL_TLSEXT_MSG_EE, 1976 .client = { 1977 .needs = tlsext_srtp_client_needs, 1978 .build = tlsext_srtp_client_build, 1979 .parse = tlsext_srtp_client_parse, 1980 }, 1981 .server = { 1982 .needs = tlsext_srtp_server_needs, 1983 .build = tlsext_srtp_server_build, 1984 .parse = tlsext_srtp_server_parse, 1985 }, 1986 } 1987 #endif /* OPENSSL_NO_SRTP */ 1988 }; 1989 1990 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 1991 1992 /* Ensure that extensions fit in a uint32_t bitmask. */ 1993 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1994 1995 const struct tls_extension * 1996 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 1997 { 1998 size_t i; 1999 2000 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2001 if (tls_extensions[i].type == type) { 2002 *tls_extensions_idx = i; 2003 return &tls_extensions[i]; 2004 } 2005 } 2006 2007 return NULL; 2008 } 2009 2010 int 2011 tlsext_extension_seen(SSL *s, uint16_t type) 2012 { 2013 size_t idx; 2014 2015 if (tls_extension_find(type, &idx) == NULL) 2016 return 0; 2017 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); 2018 } 2019 2020 static const struct tls_extension_funcs * 2021 tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2022 { 2023 if (is_server) 2024 return &tlsext->server; 2025 2026 return &tlsext->client; 2027 } 2028 2029 static int 2030 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2031 { 2032 const struct tls_extension_funcs *ext; 2033 const struct tls_extension *tlsext; 2034 CBB extensions, extension_data; 2035 int extensions_present = 0; 2036 size_t i; 2037 uint16_t version; 2038 2039 if (is_server) 2040 version = s->version; 2041 else 2042 version = TLS1_get_client_version(s); 2043 2044 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2045 return 0; 2046 2047 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2048 tlsext = &tls_extensions[i]; 2049 ext = tlsext_funcs(tlsext, is_server); 2050 2051 /* RFC 8446 Section 4.2 */ 2052 if (version >= TLS1_3_VERSION && 2053 !(tlsext->messages & msg_type)) 2054 continue; 2055 2056 if (!ext->needs(s, msg_type)) 2057 continue; 2058 2059 if (!CBB_add_u16(&extensions, tlsext->type)) 2060 return 0; 2061 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2062 return 0; 2063 2064 if (!ext->build(s, msg_type, &extension_data)) 2065 return 0; 2066 2067 extensions_present = 1; 2068 } 2069 2070 if (!extensions_present && 2071 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2072 CBB_discard_child(cbb); 2073 2074 if (!CBB_flush(cbb)) 2075 return 0; 2076 2077 return 1; 2078 } 2079 2080 int 2081 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2082 { 2083 /* 2084 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2085 * cookie may be added, padding may be removed. 2086 */ 2087 struct tls13_ctx *ctx = s->internal->tls13; 2088 2089 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2090 type == TLSEXT_TYPE_padding) 2091 return 1; 2092 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2093 sizeof(type))) 2094 return 0; 2095 /* 2096 * key_share data may be changed, and pre_shared_key data may 2097 * be changed 2098 */ 2099 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2100 return 1; 2101 if (!tls13_clienthello_hash_update(ctx, cbs)) 2102 return 0; 2103 2104 return 1; 2105 } 2106 2107 static int 2108 tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2109 { 2110 const struct tls_extension_funcs *ext; 2111 const struct tls_extension *tlsext; 2112 CBS extensions, extension_data; 2113 uint16_t type; 2114 size_t idx; 2115 uint16_t version; 2116 int alert_desc; 2117 2118 S3I(s)->hs.extensions_seen = 0; 2119 2120 if (is_server) 2121 version = s->version; 2122 else 2123 version = TLS1_get_client_version(s); 2124 2125 /* An empty extensions block is valid. */ 2126 if (CBS_len(cbs) == 0) 2127 return 1; 2128 2129 alert_desc = SSL_AD_DECODE_ERROR; 2130 2131 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2132 goto err; 2133 2134 while (CBS_len(&extensions) > 0) { 2135 if (!CBS_get_u16(&extensions, &type)) 2136 goto err; 2137 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2138 goto err; 2139 2140 if (s->internal->tlsext_debug_cb != NULL) 2141 s->internal->tlsext_debug_cb(s, is_server, type, 2142 (unsigned char *)CBS_data(&extension_data), 2143 CBS_len(&extension_data), 2144 s->internal->tlsext_debug_arg); 2145 2146 if (!SSL_is_dtls(s) && version >= TLS1_3_VERSION && is_server && 2147 msg_type == SSL_TLSEXT_MSG_CH) { 2148 if (!tlsext_clienthello_hash_extension(s, type, 2149 &extension_data)) 2150 goto err; 2151 } 2152 2153 /* Unknown extensions are ignored. */ 2154 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2155 continue; 2156 2157 /* RFC 8446 Section 4.2 */ 2158 if (version >= TLS1_3_VERSION && 2159 !(tlsext->messages & msg_type)) { 2160 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2161 goto err; 2162 } 2163 2164 /* Check for duplicate known extensions. */ 2165 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 2166 goto err; 2167 S3I(s)->hs.extensions_seen |= (1 << idx); 2168 2169 ext = tlsext_funcs(tlsext, is_server); 2170 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2171 goto err; 2172 2173 if (CBS_len(&extension_data) != 0) 2174 goto err; 2175 } 2176 2177 return 1; 2178 2179 err: 2180 *alert = alert_desc; 2181 2182 return 0; 2183 } 2184 2185 static void 2186 tlsext_server_reset_state(SSL *s) 2187 { 2188 s->tlsext_status_type = -1; 2189 S3I(s)->renegotiate_seen = 0; 2190 free(S3I(s)->alpn_selected); 2191 S3I(s)->alpn_selected = NULL; 2192 S3I(s)->alpn_selected_len = 0; 2193 s->internal->srtp_profile = NULL; 2194 } 2195 2196 int 2197 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2198 { 2199 return tlsext_build(s, 1, msg_type, cbb); 2200 } 2201 2202 int 2203 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2204 { 2205 /* XXX - this should be done by the caller... */ 2206 if (msg_type == SSL_TLSEXT_MSG_CH) 2207 tlsext_server_reset_state(s); 2208 2209 return tlsext_parse(s, 1, msg_type, cbs, alert); 2210 } 2211 2212 static void 2213 tlsext_client_reset_state(SSL *s) 2214 { 2215 S3I(s)->renegotiate_seen = 0; 2216 free(S3I(s)->alpn_selected); 2217 S3I(s)->alpn_selected = NULL; 2218 S3I(s)->alpn_selected_len = 0; 2219 } 2220 2221 int 2222 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2223 { 2224 return tlsext_build(s, 0, msg_type, cbb); 2225 } 2226 2227 int 2228 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2229 { 2230 /* XXX - this should be done by the caller... */ 2231 if (msg_type == SSL_TLSEXT_MSG_SH) 2232 tlsext_client_reset_state(s); 2233 2234 return tlsext_parse(s, 0, msg_type, cbs, alert); 2235 } 2236