1 /* $OpenBSD: ssl_tlsext.c,v 1.137 2023/04/28 18:14:59 tb Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/socket.h> 21 22 #include <arpa/inet.h> 23 #include <netinet/in.h> 24 25 #include <ctype.h> 26 27 #include <openssl/ocsp.h> 28 #include <openssl/opensslconf.h> 29 30 #include "bytestring.h" 31 #include "ssl_local.h" 32 #include "ssl_sigalgs.h" 33 #include "ssl_tlsext.h" 34 35 #define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation 36 37 /* 38 * Supported Application-Layer Protocol Negotiation - RFC 7301 39 */ 40 41 static int 42 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 43 { 44 /* ALPN protos have been specified and this is the initial handshake */ 45 return s->alpn_client_proto_list != NULL && 46 s->s3->hs.finished_len == 0; 47 } 48 49 static int 50 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 51 { 52 CBB protolist; 53 54 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 55 return 0; 56 57 if (!CBB_add_bytes(&protolist, s->alpn_client_proto_list, 58 s->alpn_client_proto_list_len)) 59 return 0; 60 61 if (!CBB_flush(cbb)) 62 return 0; 63 64 return 1; 65 } 66 67 int 68 tlsext_alpn_check_format(CBS *cbs) 69 { 70 CBS proto_name_list; 71 72 if (CBS_len(cbs) == 0) 73 return 0; 74 75 CBS_dup(cbs, &proto_name_list); 76 while (CBS_len(&proto_name_list) > 0) { 77 CBS proto_name; 78 79 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 80 return 0; 81 if (CBS_len(&proto_name) == 0) 82 return 0; 83 } 84 85 return 1; 86 } 87 88 static int 89 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 90 { 91 CBS alpn, selected_cbs; 92 const unsigned char *selected; 93 unsigned char selected_len; 94 int r; 95 96 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 97 return 0; 98 99 if (!tlsext_alpn_check_format(&alpn)) 100 return 0; 101 102 if (s->ctx->alpn_select_cb == NULL) 103 return 1; 104 105 /* 106 * XXX - A few things should be considered here: 107 * 1. Ensure that the same protocol is selected on session resumption. 108 * 2. Should the callback be called even if no ALPN extension was sent? 109 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 110 */ 111 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 112 CBS_data(&alpn), CBS_len(&alpn), 113 s->ctx->alpn_select_cb_arg); 114 115 if (r == SSL_TLSEXT_ERR_OK) { 116 CBS_init(&selected_cbs, selected, selected_len); 117 118 if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected, 119 &s->s3->alpn_selected_len)) { 120 *alert = SSL_AD_INTERNAL_ERROR; 121 return 0; 122 } 123 124 return 1; 125 } 126 127 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */ 128 if (r == SSL_TLSEXT_ERR_NOACK) 129 return 1; 130 131 *alert = SSL_AD_NO_APPLICATION_PROTOCOL; 132 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); 133 134 return 0; 135 } 136 137 static int 138 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 139 { 140 return s->s3->alpn_selected != NULL; 141 } 142 143 static int 144 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 145 { 146 CBB list, selected; 147 148 if (!CBB_add_u16_length_prefixed(cbb, &list)) 149 return 0; 150 151 if (!CBB_add_u8_length_prefixed(&list, &selected)) 152 return 0; 153 154 if (!CBB_add_bytes(&selected, s->s3->alpn_selected, 155 s->s3->alpn_selected_len)) 156 return 0; 157 158 if (!CBB_flush(cbb)) 159 return 0; 160 161 return 1; 162 } 163 164 static int 165 tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 166 { 167 CBS list, proto; 168 169 if (s->alpn_client_proto_list == NULL) { 170 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 171 return 0; 172 } 173 174 if (!CBS_get_u16_length_prefixed(cbs, &list)) 175 return 0; 176 177 if (!CBS_get_u8_length_prefixed(&list, &proto)) 178 return 0; 179 180 if (CBS_len(&list) != 0) 181 return 0; 182 if (CBS_len(&proto) == 0) 183 return 0; 184 185 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len)) 186 return 0; 187 188 return 1; 189 } 190 191 /* 192 * Supported Groups - RFC 7919 section 2 193 */ 194 static int 195 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 196 { 197 return ssl_has_ecc_ciphers(s) || 198 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 199 } 200 201 static int 202 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 203 { 204 const uint16_t *groups; 205 size_t groups_len; 206 CBB grouplist; 207 int i; 208 209 tls1_get_group_list(s, 0, &groups, &groups_len); 210 if (groups_len == 0) { 211 SSLerror(s, ERR_R_INTERNAL_ERROR); 212 return 0; 213 } 214 215 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 216 return 0; 217 218 for (i = 0; i < groups_len; i++) { 219 if (!ssl_security_supported_group(s, groups[i])) 220 continue; 221 if (!CBB_add_u16(&grouplist, groups[i])) 222 return 0; 223 } 224 225 if (!CBB_flush(cbb)) 226 return 0; 227 228 return 1; 229 } 230 231 static int 232 tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 233 int *alert) 234 { 235 CBS grouplist; 236 uint16_t *groups; 237 size_t groups_len; 238 int i; 239 240 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 241 return 0; 242 243 groups_len = CBS_len(&grouplist); 244 if (groups_len == 0 || groups_len % 2 != 0) 245 return 0; 246 groups_len /= 2; 247 248 if (s->hit) 249 return 1; 250 251 if (s->s3->hs.tls13.hrr) { 252 if (s->session->tlsext_supportedgroups == NULL) { 253 *alert = SSL_AD_HANDSHAKE_FAILURE; 254 return 0; 255 } 256 257 /* 258 * The ClientHello extension hashing ensures that the client 259 * did not change its list of supported groups. 260 */ 261 262 return 1; 263 } 264 265 if (s->session->tlsext_supportedgroups != NULL) 266 return 0; /* XXX internal error? */ 267 268 if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) { 269 *alert = SSL_AD_INTERNAL_ERROR; 270 return 0; 271 } 272 273 for (i = 0; i < groups_len; i++) { 274 if (!CBS_get_u16(&grouplist, &groups[i])) { 275 free(groups); 276 return 0; 277 } 278 } 279 280 if (CBS_len(&grouplist) != 0) { 281 free(groups); 282 return 0; 283 } 284 285 s->session->tlsext_supportedgroups = groups; 286 s->session->tlsext_supportedgroups_length = groups_len; 287 288 return 1; 289 } 290 291 /* This extension is never used by the server. */ 292 static int 293 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 294 { 295 return 0; 296 } 297 298 static int 299 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 300 { 301 return 0; 302 } 303 304 static int 305 tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 306 int *alert) 307 { 308 /* 309 * Servers should not send this extension per the RFC. 310 * 311 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 312 * from at least 2014 but as of 2017, there are still large sites with 313 * this unpatched in production. As a result, we need to currently skip 314 * over the extension and ignore its content: 315 * 316 * https://support.f5.com/csp/article/K37345003 317 */ 318 if (!CBS_skip(cbs, CBS_len(cbs))) { 319 *alert = SSL_AD_INTERNAL_ERROR; 320 return 0; 321 } 322 323 return 1; 324 } 325 326 /* 327 * Supported Point Formats Extension - RFC 4492 section 5.1.2 328 */ 329 static int 330 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 331 { 332 CBB ecpf; 333 size_t formats_len; 334 const uint8_t *formats; 335 336 tls1_get_formatlist(s, 0, &formats, &formats_len); 337 338 if (formats_len == 0) { 339 SSLerror(s, ERR_R_INTERNAL_ERROR); 340 return 0; 341 } 342 343 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 344 return 0; 345 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 346 return 0; 347 if (!CBB_flush(cbb)) 348 return 0; 349 350 return 1; 351 } 352 353 static int 354 tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 355 { 356 CBS ecpf; 357 358 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 359 return 0; 360 if (CBS_len(&ecpf) == 0) 361 return 0; 362 363 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 364 if (!CBS_contains_zero_byte(&ecpf)) { 365 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 366 *alert = SSL_AD_ILLEGAL_PARAMETER; 367 return 0; 368 } 369 370 if (!s->hit) { 371 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), 372 &(s->session->tlsext_ecpointformatlist_length))) { 373 *alert = SSL_AD_INTERNAL_ERROR; 374 return 0; 375 } 376 } 377 378 return 1; 379 } 380 381 static int 382 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 383 { 384 return ssl_has_ecc_ciphers(s); 385 } 386 387 static int 388 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 389 { 390 return tlsext_ecpf_build(s, msg_type, cbb); 391 } 392 393 static int 394 tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 395 { 396 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 397 } 398 399 static int 400 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 401 { 402 return ssl_using_ecc_cipher(s); 403 } 404 405 static int 406 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 407 { 408 return tlsext_ecpf_build(s, msg_type, cbb); 409 } 410 411 static int 412 tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 413 { 414 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 415 } 416 417 /* 418 * Renegotiation Indication - RFC 5746. 419 */ 420 static int 421 tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 422 { 423 return (s->renegotiate); 424 } 425 426 static int 427 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 428 { 429 CBB reneg; 430 431 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 432 return 0; 433 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 434 s->s3->previous_client_finished_len)) 435 return 0; 436 if (!CBB_flush(cbb)) 437 return 0; 438 439 return 1; 440 } 441 442 static int 443 tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 444 { 445 CBS reneg; 446 447 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 448 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 449 return 0; 450 } 451 452 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, 453 s->s3->previous_client_finished_len)) { 454 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 455 *alert = SSL_AD_HANDSHAKE_FAILURE; 456 return 0; 457 } 458 459 s->s3->renegotiate_seen = 1; 460 s->s3->send_connection_binding = 1; 461 462 return 1; 463 } 464 465 static int 466 tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 467 { 468 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && 469 s->s3->send_connection_binding); 470 } 471 472 static int 473 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 474 { 475 CBB reneg; 476 477 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 478 return 0; 479 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished, 480 s->s3->previous_client_finished_len)) 481 return 0; 482 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished, 483 s->s3->previous_server_finished_len)) 484 return 0; 485 if (!CBB_flush(cbb)) 486 return 0; 487 488 return 1; 489 } 490 491 static int 492 tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 493 { 494 CBS reneg, prev_client, prev_server; 495 496 /* 497 * Ensure that the previous client and server values are both not 498 * present, or that they are both present. 499 */ 500 if ((s->s3->previous_client_finished_len == 0 && 501 s->s3->previous_server_finished_len != 0) || 502 (s->s3->previous_client_finished_len != 0 && 503 s->s3->previous_server_finished_len == 0)) { 504 *alert = SSL_AD_INTERNAL_ERROR; 505 return 0; 506 } 507 508 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { 509 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 510 return 0; 511 } 512 if (!CBS_get_bytes(&reneg, &prev_client, 513 s->s3->previous_client_finished_len)) { 514 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 515 return 0; 516 } 517 if (!CBS_get_bytes(&reneg, &prev_server, 518 s->s3->previous_server_finished_len)) { 519 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 520 return 0; 521 } 522 if (CBS_len(&reneg) != 0) { 523 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 524 return 0; 525 } 526 527 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, 528 s->s3->previous_client_finished_len)) { 529 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 530 *alert = SSL_AD_HANDSHAKE_FAILURE; 531 return 0; 532 } 533 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished, 534 s->s3->previous_server_finished_len)) { 535 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 536 *alert = SSL_AD_HANDSHAKE_FAILURE; 537 return 0; 538 } 539 540 s->s3->renegotiate_seen = 1; 541 s->s3->send_connection_binding = 1; 542 543 return 1; 544 } 545 546 /* 547 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 548 */ 549 static int 550 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 551 { 552 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION); 553 } 554 555 static int 556 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 557 { 558 uint16_t tls_version = s->s3->hs.negotiated_tls_version; 559 CBB sigalgs; 560 561 if (msg_type == SSL_TLSEXT_MSG_CH) 562 tls_version = s->s3->hs.our_min_tls_version; 563 564 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 565 return 0; 566 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) 567 return 0; 568 if (!CBB_flush(cbb)) 569 return 0; 570 571 return 1; 572 } 573 574 static int 575 tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 576 { 577 CBS sigalgs; 578 579 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 580 return 0; 581 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 582 return 0; 583 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 584 return 0; 585 586 return 1; 587 } 588 589 static int 590 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 591 { 592 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 593 } 594 595 static int 596 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 597 { 598 CBB sigalgs; 599 600 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 601 return 0; 602 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, 603 SSL_get_security_level(s))) 604 return 0; 605 if (!CBB_flush(cbb)) 606 return 0; 607 608 return 1; 609 } 610 611 static int 612 tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 613 { 614 CBS sigalgs; 615 616 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 617 return 0; 618 619 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 620 return 0; 621 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 622 return 0; 623 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len)) 624 return 0; 625 626 return 1; 627 } 628 629 /* 630 * Server Name Indication - RFC 6066, section 3. 631 */ 632 static int 633 tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 634 { 635 return (s->tlsext_hostname != NULL); 636 } 637 638 static int 639 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 640 { 641 CBB server_name_list, host_name; 642 643 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 644 return 0; 645 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 646 return 0; 647 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 648 return 0; 649 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 650 strlen(s->tlsext_hostname))) 651 return 0; 652 if (!CBB_flush(cbb)) 653 return 0; 654 655 return 1; 656 } 657 658 static int 659 tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip) 660 { 661 union { 662 struct in_addr ip4; 663 struct in6_addr ip6; 664 } addrbuf; 665 char *hostname = NULL; 666 667 *is_ip = 0; 668 669 if (!CBS_strdup(cbs, &hostname)) 670 return 0; 671 672 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 || 673 inet_pton(AF_INET6, hostname, &addrbuf) == 1) 674 *is_ip = 1; 675 676 free(hostname); 677 678 return 1; 679 } 680 681 /* 682 * Validate that the CBS contains only a hostname consisting of RFC 5890 683 * compliant A-labels (see RFC 6066 section 3). Not a complete check 684 * since we don't parse punycode to verify its validity but limits to 685 * correct structure and character set. 686 */ 687 int 688 tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) 689 { 690 uint8_t prev, c = 0; 691 int component = 0; 692 CBS hostname; 693 694 *is_ip = 0; 695 696 CBS_dup(cbs, &hostname); 697 698 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 699 return 0; 700 701 /* An IP literal is invalid as a host name (RFC 6066 section 3). */ 702 if (!tlsext_sni_is_ip_literal(&hostname, is_ip)) 703 return 0; 704 if (*is_ip) 705 return 0; 706 707 while (CBS_len(&hostname) > 0) { 708 prev = c; 709 if (!CBS_get_u8(&hostname, &c)) 710 return 0; 711 /* Everything has to be ASCII, with no NUL byte. */ 712 if (!isascii(c) || c == '\0') 713 return 0; 714 /* It must be alphanumeric, a '-', or a '.' */ 715 if (!isalnum(c) && c != '-' && c != '.') 716 return 0; 717 /* '-' and '.' must not start a component or be at the end. */ 718 if (component == 0 || CBS_len(&hostname) == 0) { 719 if (c == '-' || c == '.') 720 return 0; 721 } 722 if (c == '.') { 723 /* Components can not end with a dash. */ 724 if (prev == '-') 725 return 0; 726 /* Start new component */ 727 component = 0; 728 continue; 729 } 730 /* Components must be 63 chars or less. */ 731 if (++component > 63) 732 return 0; 733 } 734 735 return 1; 736 } 737 738 static int 739 tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 740 { 741 CBS server_name_list, host_name; 742 uint8_t name_type; 743 int is_ip; 744 745 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 746 goto err; 747 748 if (!CBS_get_u8(&server_name_list, &name_type)) 749 goto err; 750 751 /* 752 * RFC 6066 section 3, only one type (host_name) is specified. 753 * We do not tolerate unknown types, neither does BoringSSL. 754 * other implementations appear more tolerant. 755 */ 756 if (name_type != TLSEXT_NAMETYPE_host_name) { 757 *alert = SSL_AD_ILLEGAL_PARAMETER; 758 goto err; 759 } 760 761 /* 762 * RFC 6066 section 3 specifies a host name must be at least 1 byte 763 * so 0 length is a decode error. 764 */ 765 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 766 goto err; 767 if (CBS_len(&host_name) < 1) 768 goto err; 769 770 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) { 771 /* 772 * Various pieces of software have been known to set the SNI 773 * host name to an IP address, even though that violates the 774 * RFC. If this is the case, pretend the SNI extension does 775 * not exist. 776 */ 777 if (is_ip) 778 goto done; 779 780 *alert = SSL_AD_ILLEGAL_PARAMETER; 781 goto err; 782 } 783 784 if (s->hit || s->s3->hs.tls13.hrr) { 785 if (s->session->tlsext_hostname == NULL) { 786 *alert = SSL_AD_UNRECOGNIZED_NAME; 787 goto err; 788 } 789 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 790 strlen(s->session->tlsext_hostname))) { 791 *alert = SSL_AD_UNRECOGNIZED_NAME; 792 goto err; 793 } 794 } else { 795 if (s->session->tlsext_hostname != NULL) 796 goto err; 797 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 798 *alert = SSL_AD_INTERNAL_ERROR; 799 goto err; 800 } 801 } 802 803 done: 804 /* 805 * RFC 6066 section 3 forbids multiple host names with the same type, 806 * therefore we allow only one entry. 807 */ 808 if (CBS_len(&server_name_list) != 0) { 809 *alert = SSL_AD_ILLEGAL_PARAMETER; 810 goto err; 811 } 812 813 return 1; 814 815 err: 816 return 0; 817 } 818 819 static int 820 tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 821 { 822 if (s->hit) 823 return 0; 824 825 return (s->session->tlsext_hostname != NULL); 826 } 827 828 static int 829 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 830 { 831 return 1; 832 } 833 834 static int 835 tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 836 { 837 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 838 *alert = SSL_AD_UNRECOGNIZED_NAME; 839 return 0; 840 } 841 842 if (s->hit) { 843 if (s->session->tlsext_hostname == NULL) { 844 *alert = SSL_AD_UNRECOGNIZED_NAME; 845 return 0; 846 } 847 if (strcmp(s->tlsext_hostname, 848 s->session->tlsext_hostname) != 0) { 849 *alert = SSL_AD_UNRECOGNIZED_NAME; 850 return 0; 851 } 852 } else { 853 if (s->session->tlsext_hostname != NULL) 854 return 0; 855 if ((s->session->tlsext_hostname = 856 strdup(s->tlsext_hostname)) == NULL) { 857 *alert = SSL_AD_INTERNAL_ERROR; 858 return 0; 859 } 860 } 861 862 return 1; 863 } 864 865 /* 866 * Certificate Status Request - RFC 6066 section 8. 867 */ 868 869 static int 870 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 871 { 872 if (msg_type != SSL_TLSEXT_MSG_CH) 873 return 0; 874 875 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 876 } 877 878 static int 879 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 880 { 881 CBB respid_list, respid, exts; 882 unsigned char *ext_data; 883 size_t ext_len; 884 int i; 885 886 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 887 return 0; 888 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 889 return 0; 890 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { 891 unsigned char *respid_data; 892 OCSP_RESPID *id; 893 size_t id_len; 894 895 if ((id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, 896 i)) == NULL) 897 return 0; 898 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 899 return 0; 900 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 901 return 0; 902 if (!CBB_add_space(&respid, &respid_data, id_len)) 903 return 0; 904 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 905 return 0; 906 } 907 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 908 return 0; 909 if ((ext_len = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, 910 NULL)) == -1) 911 return 0; 912 if (!CBB_add_space(&exts, &ext_data, ext_len)) 913 return 0; 914 if ((i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ext_data) != 915 ext_len)) 916 return 0; 917 if (!CBB_flush(cbb)) 918 return 0; 919 return 1; 920 } 921 922 static int 923 tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 924 { 925 int alert_desc = SSL_AD_DECODE_ERROR; 926 CBS respid_list, respid, exts; 927 const unsigned char *p; 928 uint8_t status_type; 929 int ret = 0; 930 931 if (msg_type != SSL_TLSEXT_MSG_CH) 932 goto err; 933 934 if (!CBS_get_u8(cbs, &status_type)) 935 goto err; 936 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 937 /* ignore unknown status types */ 938 s->tlsext_status_type = -1; 939 940 if (!CBS_skip(cbs, CBS_len(cbs))) { 941 *alert = SSL_AD_INTERNAL_ERROR; 942 return 0; 943 } 944 return 1; 945 } 946 s->tlsext_status_type = status_type; 947 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 948 goto err; 949 950 /* XXX */ 951 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); 952 s->tlsext_ocsp_ids = NULL; 953 if (CBS_len(&respid_list) > 0) { 954 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 955 if (s->tlsext_ocsp_ids == NULL) { 956 alert_desc = SSL_AD_INTERNAL_ERROR; 957 goto err; 958 } 959 } 960 961 while (CBS_len(&respid_list) > 0) { 962 OCSP_RESPID *id; 963 964 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 965 goto err; 966 p = CBS_data(&respid); 967 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 968 goto err; 969 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { 970 alert_desc = SSL_AD_INTERNAL_ERROR; 971 OCSP_RESPID_free(id); 972 goto err; 973 } 974 } 975 976 /* Read in request_extensions */ 977 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 978 goto err; 979 if (CBS_len(&exts) > 0) { 980 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, 981 X509_EXTENSION_free); 982 p = CBS_data(&exts); 983 if ((s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 984 &p, CBS_len(&exts))) == NULL) 985 goto err; 986 } 987 988 ret = 1; 989 err: 990 if (ret == 0) 991 *alert = alert_desc; 992 return ret; 993 } 994 995 static int 996 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 997 { 998 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 999 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 1000 s->ctx->tlsext_status_cb != NULL) { 1001 s->tlsext_status_expected = 0; 1002 if (s->ctx->tlsext_status_cb(s, 1003 s->ctx->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 1004 s->tlsext_ocsp_resp_len > 0) 1005 s->tlsext_status_expected = 1; 1006 } 1007 return s->tlsext_status_expected; 1008 } 1009 1010 static int 1011 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1012 { 1013 CBB ocsp_response; 1014 1015 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) { 1016 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1017 return 0; 1018 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1019 return 0; 1020 if (!CBB_add_bytes(&ocsp_response, 1021 s->tlsext_ocsp_resp, 1022 s->tlsext_ocsp_resp_len)) 1023 return 0; 1024 if (!CBB_flush(cbb)) 1025 return 0; 1026 } 1027 return 1; 1028 } 1029 1030 static int 1031 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1032 { 1033 uint8_t status_type; 1034 CBS response; 1035 1036 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1037 if (msg_type == SSL_TLSEXT_MSG_CR) { 1038 /* 1039 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1040 * response with an empty status_request. 1041 */ 1042 if (CBS_len(cbs) == 0) 1043 return 1; 1044 1045 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1046 return 0; 1047 } 1048 if (!CBS_get_u8(cbs, &status_type)) { 1049 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1050 return 0; 1051 } 1052 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1053 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1054 return 0; 1055 } 1056 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1057 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1058 return 0; 1059 } 1060 if (CBS_len(&response) > 65536) { 1061 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1062 return 0; 1063 } 1064 if (!CBS_stow(&response, &s->tlsext_ocsp_resp, 1065 &s->tlsext_ocsp_resp_len)) { 1066 *alert = SSL_AD_INTERNAL_ERROR; 1067 return 0; 1068 } 1069 } else { 1070 if (s->tlsext_status_type == -1) { 1071 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1072 return 0; 1073 } 1074 /* Set flag to expect CertificateStatus message */ 1075 s->tlsext_status_expected = 1; 1076 } 1077 return 1; 1078 } 1079 1080 /* 1081 * SessionTicket extension - RFC 5077 section 3.2 1082 */ 1083 static int 1084 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1085 { 1086 /* 1087 * Send session ticket extension when enabled and not overridden. 1088 * 1089 * When renegotiating, send an empty session ticket to indicate support. 1090 */ 1091 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1092 return 0; 1093 1094 if (!ssl_security_tickets(s)) 1095 return 0; 1096 1097 if (s->new_session) 1098 return 1; 1099 1100 if (s->tlsext_session_ticket != NULL && 1101 s->tlsext_session_ticket->data == NULL) 1102 return 0; 1103 1104 return 1; 1105 } 1106 1107 static int 1108 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1109 { 1110 /* 1111 * Signal that we support session tickets by sending an empty 1112 * extension when renegotiating or no session found. 1113 */ 1114 if (s->new_session || s->session == NULL) 1115 return 1; 1116 1117 if (s->session->tlsext_tick != NULL) { 1118 /* Attempt to resume with an existing session ticket */ 1119 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1120 s->session->tlsext_ticklen)) 1121 return 0; 1122 1123 } else if (s->tlsext_session_ticket != NULL) { 1124 /* 1125 * Attempt to resume with a custom provided session ticket set 1126 * by SSL_set_session_ticket_ext(). 1127 */ 1128 if (s->tlsext_session_ticket->length > 0) { 1129 size_t ticklen = s->tlsext_session_ticket->length; 1130 1131 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1132 return 0; 1133 memcpy(s->session->tlsext_tick, 1134 s->tlsext_session_ticket->data, 1135 ticklen); 1136 s->session->tlsext_ticklen = ticklen; 1137 1138 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1139 s->session->tlsext_ticklen)) 1140 return 0; 1141 } 1142 } 1143 1144 if (!CBB_flush(cbb)) 1145 return 0; 1146 1147 return 1; 1148 } 1149 1150 static int 1151 tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1152 int *alert) 1153 { 1154 if (s->tls_session_ticket_ext_cb) { 1155 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1156 (int)CBS_len(cbs), 1157 s->tls_session_ticket_ext_cb_arg)) { 1158 *alert = SSL_AD_INTERNAL_ERROR; 1159 return 0; 1160 } 1161 } 1162 1163 /* We need to signal that this was processed fully */ 1164 if (!CBS_skip(cbs, CBS_len(cbs))) { 1165 *alert = SSL_AD_INTERNAL_ERROR; 1166 return 0; 1167 } 1168 1169 return 1; 1170 } 1171 1172 static int 1173 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1174 { 1175 return (s->tlsext_ticket_expected && 1176 !(SSL_get_options(s) & SSL_OP_NO_TICKET) && 1177 ssl_security_tickets(s)); 1178 } 1179 1180 static int 1181 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1182 { 1183 /* Empty ticket */ 1184 return 1; 1185 } 1186 1187 static int 1188 tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1189 int *alert) 1190 { 1191 if (s->tls_session_ticket_ext_cb) { 1192 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1193 (int)CBS_len(cbs), 1194 s->tls_session_ticket_ext_cb_arg)) { 1195 *alert = SSL_AD_INTERNAL_ERROR; 1196 return 0; 1197 } 1198 } 1199 1200 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1201 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1202 return 0; 1203 } 1204 1205 s->tlsext_ticket_expected = 1; 1206 1207 return 1; 1208 } 1209 1210 /* 1211 * DTLS extension for SRTP key establishment - RFC 5764 1212 */ 1213 1214 #ifndef OPENSSL_NO_SRTP 1215 1216 static int 1217 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1218 { 1219 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1220 } 1221 1222 static int 1223 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1224 { 1225 CBB profiles, mki; 1226 int ct, i; 1227 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1228 const SRTP_PROTECTION_PROFILE *prof; 1229 1230 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1231 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1232 return 0; 1233 } 1234 1235 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1236 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1237 return 0; 1238 } 1239 1240 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1241 return 0; 1242 1243 for (i = 0; i < ct; i++) { 1244 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1245 return 0; 1246 if (!CBB_add_u16(&profiles, prof->id)) 1247 return 0; 1248 } 1249 1250 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1251 return 0; 1252 1253 if (!CBB_flush(cbb)) 1254 return 0; 1255 1256 return 1; 1257 } 1258 1259 static int 1260 tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1261 { 1262 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1263 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1264 int i, j; 1265 int ret; 1266 uint16_t id; 1267 CBS profiles, mki; 1268 1269 ret = 0; 1270 1271 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1272 goto err; 1273 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1274 goto err; 1275 1276 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1277 goto err; 1278 1279 while (CBS_len(&profiles) > 0) { 1280 if (!CBS_get_u16(&profiles, &id)) 1281 goto err; 1282 1283 if (!srtp_find_profile_by_num(id, &cprof)) { 1284 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1285 goto err; 1286 } 1287 } 1288 1289 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1290 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1291 goto done; 1292 } 1293 1294 /* 1295 * Per RFC 5764 section 4.1.1 1296 * 1297 * Find the server preferred profile using the client's list. 1298 * 1299 * The server MUST send a profile if it sends the use_srtp 1300 * extension. If one is not found, it should fall back to the 1301 * negotiated DTLS cipher suite or return a DTLS alert. 1302 */ 1303 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1304 goto err; 1305 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1306 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL) 1307 goto err; 1308 1309 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1310 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1311 == NULL) 1312 goto err; 1313 1314 if (cprof->id == sprof->id) { 1315 s->srtp_profile = sprof; 1316 ret = 1; 1317 goto done; 1318 } 1319 } 1320 } 1321 1322 /* If we didn't find anything, fall back to the negotiated */ 1323 ret = 1; 1324 goto done; 1325 1326 err: 1327 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1328 1329 done: 1330 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1331 return ret; 1332 } 1333 1334 static int 1335 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1336 { 1337 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1338 } 1339 1340 static int 1341 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1342 { 1343 SRTP_PROTECTION_PROFILE *profile; 1344 CBB srtp, mki; 1345 1346 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1347 return 0; 1348 1349 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1350 return 0; 1351 1352 if (!CBB_add_u16(&srtp, profile->id)) 1353 return 0; 1354 1355 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1356 return 0; 1357 1358 if (!CBB_flush(cbb)) 1359 return 0; 1360 1361 return 1; 1362 } 1363 1364 static int 1365 tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1366 { 1367 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1368 const SRTP_PROTECTION_PROFILE *prof; 1369 int i; 1370 uint16_t id; 1371 CBS profile_ids, mki; 1372 1373 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1374 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1375 return 0; 1376 } 1377 1378 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1379 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1380 return 0; 1381 } 1382 1383 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1384 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1385 *alert = SSL_AD_ILLEGAL_PARAMETER; 1386 return 0; 1387 } 1388 1389 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1390 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1391 return 0; 1392 } 1393 1394 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1395 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1396 == NULL) { 1397 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1398 return 0; 1399 } 1400 1401 if (prof->id == id) { 1402 s->srtp_profile = prof; 1403 return 1; 1404 } 1405 } 1406 1407 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1408 1409 return 0; 1410 } 1411 1412 #endif /* OPENSSL_NO_SRTP */ 1413 1414 /* 1415 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1416 */ 1417 static int 1418 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1419 { 1420 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1421 } 1422 1423 static int 1424 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1425 { 1426 CBB client_shares, key_exchange; 1427 1428 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1429 return 0; 1430 1431 if (!CBB_add_u16(&client_shares, 1432 tls_key_share_group(s->s3->hs.key_share))) 1433 return 0; 1434 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange)) 1435 return 0; 1436 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1437 return 0; 1438 1439 if (!CBB_flush(cbb)) 1440 return 0; 1441 1442 return 1; 1443 } 1444 1445 static int 1446 tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1447 { 1448 CBS client_shares, key_exchange; 1449 int decode_error; 1450 uint16_t group; 1451 1452 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1453 return 0; 1454 1455 while (CBS_len(&client_shares) > 0) { 1456 1457 /* Unpack client share. */ 1458 if (!CBS_get_u16(&client_shares, &group)) 1459 return 0; 1460 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1461 return 0; 1462 1463 /* 1464 * XXX - check key exchange against supported groups from client. 1465 * XXX - check that groups only appear once. 1466 */ 1467 1468 /* 1469 * Ignore this client share if we're using earlier than TLSv1.3 1470 * or we've already selected a key share. 1471 */ 1472 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION) 1473 continue; 1474 if (s->s3->hs.key_share != NULL) 1475 continue; 1476 1477 /* XXX - consider implementing server preference. */ 1478 if (!tls1_check_group(s, group)) 1479 continue; 1480 1481 /* Decode and store the selected key share. */ 1482 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) { 1483 *alert = SSL_AD_INTERNAL_ERROR; 1484 return 0; 1485 } 1486 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1487 &key_exchange, &decode_error, NULL)) { 1488 if (!decode_error) 1489 *alert = SSL_AD_INTERNAL_ERROR; 1490 return 0; 1491 } 1492 } 1493 1494 return 1; 1495 } 1496 1497 static int 1498 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1499 { 1500 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && 1501 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1502 } 1503 1504 static int 1505 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1506 { 1507 CBB key_exchange; 1508 1509 /* In the case of a HRR, we only send the server selected group. */ 1510 if (s->s3->hs.tls13.hrr) { 1511 if (s->s3->hs.tls13.server_group == 0) 1512 return 0; 1513 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group); 1514 } 1515 1516 if (s->s3->hs.key_share == NULL) 1517 return 0; 1518 1519 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share))) 1520 return 0; 1521 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) 1522 return 0; 1523 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) 1524 return 0; 1525 1526 if (!CBB_flush(cbb)) 1527 return 0; 1528 1529 return 1; 1530 } 1531 1532 static int 1533 tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1534 { 1535 CBS key_exchange; 1536 int decode_error; 1537 uint16_t group; 1538 1539 /* Unpack server share. */ 1540 if (!CBS_get_u16(cbs, &group)) 1541 return 0; 1542 1543 if (CBS_len(cbs) == 0) { 1544 /* HRR does not include an actual key share, only the group. */ 1545 if (msg_type != SSL_TLSEXT_MSG_HRR) 1546 return 0; 1547 1548 s->s3->hs.tls13.server_group = group; 1549 return 1; 1550 } 1551 1552 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1553 return 0; 1554 1555 if (s->s3->hs.key_share == NULL) { 1556 *alert = SSL_AD_INTERNAL_ERROR; 1557 return 0; 1558 } 1559 if (tls_key_share_group(s->s3->hs.key_share) != group) { 1560 *alert = SSL_AD_INTERNAL_ERROR; 1561 return 0; 1562 } 1563 if (!tls_key_share_peer_public(s->s3->hs.key_share, 1564 &key_exchange, &decode_error, NULL)) { 1565 if (!decode_error) 1566 *alert = SSL_AD_INTERNAL_ERROR; 1567 return 0; 1568 } 1569 1570 return 1; 1571 } 1572 1573 /* 1574 * Supported Versions - RFC 8446 section 4.2.1. 1575 */ 1576 static int 1577 tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1578 { 1579 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1580 } 1581 1582 static int 1583 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1584 { 1585 uint16_t max, min; 1586 uint16_t version; 1587 CBB versions; 1588 1589 max = s->s3->hs.our_max_tls_version; 1590 min = s->s3->hs.our_min_tls_version; 1591 1592 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1593 return 0; 1594 1595 /* XXX - fix, but contiguous for now... */ 1596 for (version = max; version >= min; version--) { 1597 if (!CBB_add_u16(&versions, version)) 1598 return 0; 1599 } 1600 1601 if (!CBB_flush(cbb)) 1602 return 0; 1603 1604 return 1; 1605 } 1606 1607 static int 1608 tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1609 { 1610 CBS versions; 1611 uint16_t version; 1612 uint16_t max, min; 1613 uint16_t matched_version = 0; 1614 1615 max = s->s3->hs.our_max_tls_version; 1616 min = s->s3->hs.our_min_tls_version; 1617 1618 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1619 return 0; 1620 1621 while (CBS_len(&versions) > 0) { 1622 if (!CBS_get_u16(&versions, &version)) 1623 return 0; 1624 /* 1625 * XXX What is below implements client preference, and 1626 * ignores any server preference entirely. 1627 */ 1628 if (matched_version == 0 && version >= min && version <= max) 1629 matched_version = version; 1630 } 1631 1632 if (matched_version > 0) { 1633 /* XXX - this should be stored for later processing. */ 1634 s->version = matched_version; 1635 return 1; 1636 } 1637 1638 *alert = SSL_AD_PROTOCOL_VERSION; 1639 return 0; 1640 } 1641 1642 static int 1643 tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1644 { 1645 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); 1646 } 1647 1648 static int 1649 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1650 { 1651 return CBB_add_u16(cbb, TLS1_3_VERSION); 1652 } 1653 1654 static int 1655 tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1656 { 1657 uint16_t selected_version; 1658 1659 if (!CBS_get_u16(cbs, &selected_version)) 1660 return 0; 1661 1662 /* XXX - need to fix for DTLS 1.3 */ 1663 if (selected_version < TLS1_3_VERSION) { 1664 *alert = SSL_AD_ILLEGAL_PARAMETER; 1665 return 0; 1666 } 1667 1668 /* XXX test between min and max once initialization code goes in */ 1669 s->s3->hs.tls13.server_version = selected_version; 1670 1671 return 1; 1672 } 1673 1674 1675 /* 1676 * Cookie - RFC 8446 section 4.2.2. 1677 */ 1678 1679 static int 1680 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1681 { 1682 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1683 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1684 } 1685 1686 static int 1687 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1688 { 1689 CBB cookie; 1690 1691 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1692 return 0; 1693 1694 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1695 s->s3->hs.tls13.cookie_len)) 1696 return 0; 1697 1698 if (!CBB_flush(cbb)) 1699 return 0; 1700 1701 return 1; 1702 } 1703 1704 static int 1705 tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1706 { 1707 CBS cookie; 1708 1709 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1710 return 0; 1711 1712 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len) 1713 return 0; 1714 1715 /* 1716 * Check provided cookie value against what server previously 1717 * sent - client *MUST* send the same cookie with new CR after 1718 * a cookie is sent by the server with an HRR. 1719 */ 1720 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie, 1721 s->s3->hs.tls13.cookie_len)) { 1722 /* XXX special cookie mismatch alert? */ 1723 *alert = SSL_AD_ILLEGAL_PARAMETER; 1724 return 0; 1725 } 1726 1727 return 1; 1728 } 1729 1730 static int 1731 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1732 { 1733 /* 1734 * Server needs to set cookie value in tls13 handshake 1735 * in order to send one, should only be sent with HRR. 1736 */ 1737 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && 1738 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); 1739 } 1740 1741 static int 1742 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1743 { 1744 CBB cookie; 1745 1746 /* XXX deduplicate with client code */ 1747 1748 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1749 return 0; 1750 1751 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie, 1752 s->s3->hs.tls13.cookie_len)) 1753 return 0; 1754 1755 if (!CBB_flush(cbb)) 1756 return 0; 1757 1758 return 1; 1759 } 1760 1761 static int 1762 tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1763 { 1764 CBS cookie; 1765 1766 /* 1767 * XXX This currently assumes we will not get a second 1768 * HRR from a server with a cookie to process after accepting 1769 * one from the server in the same handshake 1770 */ 1771 if (s->s3->hs.tls13.cookie != NULL || 1772 s->s3->hs.tls13.cookie_len != 0) { 1773 *alert = SSL_AD_ILLEGAL_PARAMETER; 1774 return 0; 1775 } 1776 1777 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1778 return 0; 1779 1780 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie, 1781 &s->s3->hs.tls13.cookie_len)) 1782 return 0; 1783 1784 return 1; 1785 } 1786 1787 /* 1788 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9. 1789 */ 1790 1791 static int 1792 tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type) 1793 { 1794 return (s->s3->hs.tls13.use_psk_dhe_ke && 1795 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); 1796 } 1797 1798 static int 1799 tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1800 { 1801 CBB ke_modes; 1802 1803 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes)) 1804 return 0; 1805 1806 /* Only indicate support for PSK with DHE key establishment. */ 1807 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE)) 1808 return 0; 1809 1810 if (!CBB_flush(cbb)) 1811 return 0; 1812 1813 return 1; 1814 } 1815 1816 static int 1817 tlsext_psk_kex_modes_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1818 int *alert) 1819 { 1820 CBS ke_modes; 1821 uint8_t ke_mode; 1822 1823 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes)) 1824 return 0; 1825 1826 while (CBS_len(&ke_modes) > 0) { 1827 if (!CBS_get_u8(&ke_modes, &ke_mode)) 1828 return 0; 1829 1830 if (ke_mode == TLS13_PSK_DHE_KE) 1831 s->s3->hs.tls13.use_psk_dhe_ke = 1; 1832 } 1833 1834 return 1; 1835 } 1836 1837 static int 1838 tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type) 1839 { 1840 /* Servers MUST NOT send this extension. */ 1841 return 0; 1842 } 1843 1844 static int 1845 tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1846 { 1847 return 0; 1848 } 1849 1850 static int 1851 tlsext_psk_kex_modes_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1852 int *alert) 1853 { 1854 return 0; 1855 } 1856 1857 /* 1858 * Pre-Shared Key Extension - RFC 8446, 4.2.11 1859 */ 1860 1861 static int 1862 tlsext_psk_client_needs(SSL *s, uint16_t msg_type) 1863 { 1864 return 0; 1865 } 1866 1867 static int 1868 tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1869 { 1870 return 0; 1871 } 1872 1873 static int 1874 tlsext_psk_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1875 { 1876 return CBS_skip(cbs, CBS_len(cbs)); 1877 } 1878 1879 static int 1880 tlsext_psk_server_needs(SSL *s, uint16_t msg_type) 1881 { 1882 return 0; 1883 } 1884 1885 static int 1886 tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1887 { 1888 return 0; 1889 } 1890 1891 static int 1892 tlsext_psk_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1893 { 1894 return CBS_skip(cbs, CBS_len(cbs)); 1895 } 1896 1897 /* 1898 * QUIC transport parameters extension - RFC 9001 section 8.2. 1899 */ 1900 1901 static int 1902 tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type) 1903 { 1904 return SSL_is_quic(s) && s->quic_transport_params_len > 0; 1905 } 1906 1907 static int 1908 tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type, 1909 CBB *cbb) 1910 { 1911 if (!CBB_add_bytes(cbb, s->quic_transport_params, 1912 s->quic_transport_params_len)) 1913 return 0; 1914 1915 return 1; 1916 } 1917 1918 static int 1919 tlsext_quic_transport_parameters_client_parse(SSL *s, uint16_t msg_type, 1920 CBS *cbs, int *alert) 1921 { 1922 if (!SSL_is_quic(s)) { 1923 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1924 return 0; 1925 } 1926 1927 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 1928 &s->s3->peer_quic_transport_params_len)) 1929 return 0; 1930 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 1931 return 0; 1932 1933 return 1; 1934 } 1935 1936 static int 1937 tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type) 1938 { 1939 return SSL_is_quic(s) && s->quic_transport_params_len > 0; 1940 } 1941 1942 static int 1943 tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type, 1944 CBB *cbb) 1945 { 1946 if (!CBB_add_bytes(cbb, s->quic_transport_params, 1947 s->quic_transport_params_len)) 1948 return 0; 1949 1950 return 1; 1951 } 1952 1953 static int 1954 tlsext_quic_transport_parameters_server_parse(SSL *s, uint16_t msg_type, 1955 CBS *cbs, int *alert) 1956 { 1957 if (!SSL_is_quic(s)) { 1958 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1959 return 0; 1960 } 1961 1962 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, 1963 &s->s3->peer_quic_transport_params_len)) 1964 return 0; 1965 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) 1966 return 0; 1967 1968 return 1; 1969 } 1970 1971 struct tls_extension_funcs { 1972 int (*needs)(SSL *s, uint16_t msg_type); 1973 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 1974 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 1975 }; 1976 1977 struct tls_extension { 1978 uint16_t type; 1979 uint16_t messages; 1980 struct tls_extension_funcs client; 1981 struct tls_extension_funcs server; 1982 }; 1983 1984 static const struct tls_extension tls_extensions[] = { 1985 { 1986 .type = TLSEXT_TYPE_supported_versions, 1987 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1988 SSL_TLSEXT_MSG_HRR, 1989 .client = { 1990 .needs = tlsext_versions_client_needs, 1991 .build = tlsext_versions_client_build, 1992 .parse = tlsext_versions_client_parse, 1993 }, 1994 .server = { 1995 .needs = tlsext_versions_server_needs, 1996 .build = tlsext_versions_server_build, 1997 .parse = tlsext_versions_server_parse, 1998 }, 1999 }, 2000 { 2001 .type = TLSEXT_TYPE_key_share, 2002 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 2003 SSL_TLSEXT_MSG_HRR, 2004 .client = { 2005 .needs = tlsext_keyshare_client_needs, 2006 .build = tlsext_keyshare_client_build, 2007 .parse = tlsext_keyshare_client_parse, 2008 }, 2009 .server = { 2010 .needs = tlsext_keyshare_server_needs, 2011 .build = tlsext_keyshare_server_build, 2012 .parse = tlsext_keyshare_server_parse, 2013 }, 2014 }, 2015 { 2016 .type = TLSEXT_TYPE_server_name, 2017 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2018 .client = { 2019 .needs = tlsext_sni_client_needs, 2020 .build = tlsext_sni_client_build, 2021 .parse = tlsext_sni_client_parse, 2022 }, 2023 .server = { 2024 .needs = tlsext_sni_server_needs, 2025 .build = tlsext_sni_server_build, 2026 .parse = tlsext_sni_server_parse, 2027 }, 2028 }, 2029 { 2030 .type = TLSEXT_TYPE_renegotiate, 2031 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2032 .client = { 2033 .needs = tlsext_ri_client_needs, 2034 .build = tlsext_ri_client_build, 2035 .parse = tlsext_ri_client_parse, 2036 }, 2037 .server = { 2038 .needs = tlsext_ri_server_needs, 2039 .build = tlsext_ri_server_build, 2040 .parse = tlsext_ri_server_parse, 2041 }, 2042 }, 2043 { 2044 .type = TLSEXT_TYPE_status_request, 2045 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 2046 SSL_TLSEXT_MSG_CT, 2047 .client = { 2048 .needs = tlsext_ocsp_client_needs, 2049 .build = tlsext_ocsp_client_build, 2050 .parse = tlsext_ocsp_client_parse, 2051 }, 2052 .server = { 2053 .needs = tlsext_ocsp_server_needs, 2054 .build = tlsext_ocsp_server_build, 2055 .parse = tlsext_ocsp_server_parse, 2056 }, 2057 }, 2058 { 2059 .type = TLSEXT_TYPE_ec_point_formats, 2060 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2061 .client = { 2062 .needs = tlsext_ecpf_client_needs, 2063 .build = tlsext_ecpf_client_build, 2064 .parse = tlsext_ecpf_client_parse, 2065 }, 2066 .server = { 2067 .needs = tlsext_ecpf_server_needs, 2068 .build = tlsext_ecpf_server_build, 2069 .parse = tlsext_ecpf_server_parse, 2070 }, 2071 }, 2072 { 2073 .type = TLSEXT_TYPE_supported_groups, 2074 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2075 .client = { 2076 .needs = tlsext_supportedgroups_client_needs, 2077 .build = tlsext_supportedgroups_client_build, 2078 .parse = tlsext_supportedgroups_client_parse, 2079 }, 2080 .server = { 2081 .needs = tlsext_supportedgroups_server_needs, 2082 .build = tlsext_supportedgroups_server_build, 2083 .parse = tlsext_supportedgroups_server_parse, 2084 }, 2085 }, 2086 { 2087 .type = TLSEXT_TYPE_session_ticket, 2088 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2089 .client = { 2090 .needs = tlsext_sessionticket_client_needs, 2091 .build = tlsext_sessionticket_client_build, 2092 .parse = tlsext_sessionticket_client_parse, 2093 }, 2094 .server = { 2095 .needs = tlsext_sessionticket_server_needs, 2096 .build = tlsext_sessionticket_server_build, 2097 .parse = tlsext_sessionticket_server_parse, 2098 }, 2099 }, 2100 { 2101 .type = TLSEXT_TYPE_signature_algorithms, 2102 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 2103 .client = { 2104 .needs = tlsext_sigalgs_client_needs, 2105 .build = tlsext_sigalgs_client_build, 2106 .parse = tlsext_sigalgs_client_parse, 2107 }, 2108 .server = { 2109 .needs = tlsext_sigalgs_server_needs, 2110 .build = tlsext_sigalgs_server_build, 2111 .parse = tlsext_sigalgs_server_parse, 2112 }, 2113 }, 2114 { 2115 .type = TLSEXT_TYPE_alpn, 2116 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2117 .client = { 2118 .needs = tlsext_alpn_client_needs, 2119 .build = tlsext_alpn_client_build, 2120 .parse = tlsext_alpn_client_parse, 2121 }, 2122 .server = { 2123 .needs = tlsext_alpn_server_needs, 2124 .build = tlsext_alpn_server_build, 2125 .parse = tlsext_alpn_server_parse, 2126 }, 2127 }, 2128 { 2129 .type = TLSEXT_TYPE_cookie, 2130 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 2131 .client = { 2132 .needs = tlsext_cookie_client_needs, 2133 .build = tlsext_cookie_client_build, 2134 .parse = tlsext_cookie_client_parse, 2135 }, 2136 .server = { 2137 .needs = tlsext_cookie_server_needs, 2138 .build = tlsext_cookie_server_build, 2139 .parse = tlsext_cookie_server_parse, 2140 }, 2141 }, 2142 #ifndef OPENSSL_NO_SRTP 2143 { 2144 .type = TLSEXT_TYPE_use_srtp, 2145 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 2146 SSL_TLSEXT_MSG_EE, 2147 .client = { 2148 .needs = tlsext_srtp_client_needs, 2149 .build = tlsext_srtp_client_build, 2150 .parse = tlsext_srtp_client_parse, 2151 }, 2152 .server = { 2153 .needs = tlsext_srtp_server_needs, 2154 .build = tlsext_srtp_server_build, 2155 .parse = tlsext_srtp_server_parse, 2156 }, 2157 }, 2158 #endif /* OPENSSL_NO_SRTP */ 2159 { 2160 .type = TLSEXT_TYPE_quic_transport_parameters, 2161 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 2162 .client = { 2163 .needs = tlsext_quic_transport_parameters_client_needs, 2164 .build = tlsext_quic_transport_parameters_client_build, 2165 .parse = tlsext_quic_transport_parameters_client_parse, 2166 }, 2167 .server = { 2168 .needs = tlsext_quic_transport_parameters_server_needs, 2169 .build = tlsext_quic_transport_parameters_server_build, 2170 .parse = tlsext_quic_transport_parameters_server_parse, 2171 }, 2172 }, 2173 { 2174 .type = TLSEXT_TYPE_psk_key_exchange_modes, 2175 .messages = SSL_TLSEXT_MSG_CH, 2176 .client = { 2177 .needs = tlsext_psk_kex_modes_client_needs, 2178 .build = tlsext_psk_kex_modes_client_build, 2179 .parse = tlsext_psk_kex_modes_client_parse, 2180 }, 2181 .server = { 2182 .needs = tlsext_psk_kex_modes_server_needs, 2183 .build = tlsext_psk_kex_modes_server_build, 2184 .parse = tlsext_psk_kex_modes_server_parse, 2185 }, 2186 }, 2187 { 2188 /* MUST be last extension in CH per RFC 8446 section 4.2. */ 2189 2190 .type = TLSEXT_TYPE_pre_shared_key, 2191 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 2192 .client = { 2193 .needs = tlsext_psk_client_needs, 2194 .build = tlsext_psk_client_build, 2195 .parse = tlsext_psk_client_parse, 2196 }, 2197 .server = { 2198 .needs = tlsext_psk_server_needs, 2199 .build = tlsext_psk_server_build, 2200 .parse = tlsext_psk_server_parse, 2201 }, 2202 }, 2203 }; 2204 2205 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 2206 2207 /* Ensure that extensions fit in a uint32_t bitmask. */ 2208 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2209 2210 uint16_t 2211 tls_extension_type(const struct tls_extension *extension) 2212 { 2213 return extension->type; 2214 } 2215 2216 const struct tls_extension * 2217 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 2218 { 2219 size_t i; 2220 2221 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2222 if (tls_extensions[i].type == type) { 2223 *tls_extensions_idx = i; 2224 return &tls_extensions[i]; 2225 } 2226 } 2227 2228 return NULL; 2229 } 2230 2231 int 2232 tlsext_extension_seen(SSL *s, uint16_t type) 2233 { 2234 size_t idx; 2235 2236 if (tls_extension_find(type, &idx) == NULL) 2237 return 0; 2238 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0); 2239 } 2240 2241 const struct tls_extension_funcs * 2242 tlsext_funcs(const struct tls_extension *tlsext, int is_server) 2243 { 2244 if (is_server) 2245 return &tlsext->server; 2246 2247 return &tlsext->client; 2248 } 2249 2250 int 2251 tlsext_randomize_build_order(SSL *s) 2252 { 2253 size_t idx, new_idx, psk_idx; 2254 size_t alpn_idx = 0, sni_idx = 0; 2255 2256 free(s->tlsext_build_order); 2257 s->tlsext_build_order_len = 0; 2258 2259 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), 2260 N_TLS_EXTENSIONS)) == NULL) 2261 return 0; 2262 s->tlsext_build_order_len = N_TLS_EXTENSIONS; 2263 2264 /* RFC 8446, section 4.2: PSK must be the last extension in the CH. */ 2265 psk_idx = N_TLS_EXTENSIONS - 1; 2266 s->tlsext_build_order[psk_idx] = &tls_extensions[psk_idx]; 2267 2268 /* Fisher-Yates shuffle with PSK fixed. */ 2269 for (idx = 0; idx < psk_idx; idx++) { 2270 new_idx = arc4random_uniform(idx + 1); 2271 s->tlsext_build_order[idx] = s->tlsext_build_order[new_idx]; 2272 s->tlsext_build_order[new_idx] = &tls_extensions[idx]; 2273 } 2274 2275 /* 2276 * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN 2277 * for clients so that virtual host setups work correctly. 2278 */ 2279 2280 if (s->server) 2281 return 1; 2282 2283 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { 2284 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn) 2285 alpn_idx = idx; 2286 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name) 2287 sni_idx = idx; 2288 } 2289 if (alpn_idx < sni_idx) { 2290 const struct tls_extension *tmp; 2291 2292 tmp = s->tlsext_build_order[alpn_idx]; 2293 s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx]; 2294 s->tlsext_build_order[sni_idx] = tmp; 2295 } 2296 2297 return 1; 2298 } 2299 2300 int 2301 tlsext_linearize_build_order(SSL *s) 2302 { 2303 size_t idx; 2304 2305 free(s->tlsext_build_order); 2306 s->tlsext_build_order_len = 0; 2307 2308 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), 2309 N_TLS_EXTENSIONS)) == NULL) 2310 return 0; 2311 s->tlsext_build_order_len = N_TLS_EXTENSIONS; 2312 2313 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) 2314 s->tlsext_build_order[idx] = &tls_extensions[idx]; 2315 2316 return 1; 2317 } 2318 2319 static int 2320 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 2321 { 2322 const struct tls_extension_funcs *ext; 2323 const struct tls_extension *tlsext; 2324 CBB extensions, extension_data; 2325 int extensions_present = 0; 2326 uint16_t tls_version; 2327 size_t i; 2328 2329 tls_version = ssl_effective_tls_version(s); 2330 2331 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2332 return 0; 2333 2334 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 2335 tlsext = s->tlsext_build_order[i]; 2336 ext = tlsext_funcs(tlsext, is_server); 2337 2338 /* RFC 8446 Section 4.2 */ 2339 if (tls_version >= TLS1_3_VERSION && 2340 !(tlsext->messages & msg_type)) 2341 continue; 2342 2343 if (!ext->needs(s, msg_type)) 2344 continue; 2345 2346 if (!CBB_add_u16(&extensions, tlsext->type)) 2347 return 0; 2348 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2349 return 0; 2350 2351 if (!ext->build(s, msg_type, &extension_data)) 2352 return 0; 2353 2354 extensions_present = 1; 2355 } 2356 2357 if (!extensions_present && 2358 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2359 CBB_discard_child(cbb); 2360 2361 if (!CBB_flush(cbb)) 2362 return 0; 2363 2364 return 1; 2365 } 2366 2367 int 2368 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2369 { 2370 /* 2371 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2372 * cookie may be added, padding may be removed. 2373 */ 2374 struct tls13_ctx *ctx = s->tls13; 2375 2376 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2377 type == TLSEXT_TYPE_padding) 2378 return 1; 2379 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2380 sizeof(type))) 2381 return 0; 2382 /* 2383 * key_share data may be changed, and pre_shared_key data may 2384 * be changed 2385 */ 2386 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2387 return 1; 2388 if (!tls13_clienthello_hash_update(ctx, cbs)) 2389 return 0; 2390 2391 return 1; 2392 } 2393 2394 static int 2395 tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2396 { 2397 const struct tls_extension_funcs *ext; 2398 const struct tls_extension *tlsext; 2399 CBS extensions, extension_data; 2400 uint16_t type; 2401 size_t idx; 2402 uint16_t tls_version; 2403 int alert_desc; 2404 2405 tls_version = ssl_effective_tls_version(s); 2406 2407 s->s3->hs.extensions_seen = 0; 2408 2409 /* An empty extensions block is valid. */ 2410 if (CBS_len(cbs) == 0) 2411 return 1; 2412 2413 alert_desc = SSL_AD_DECODE_ERROR; 2414 2415 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2416 goto err; 2417 2418 while (CBS_len(&extensions) > 0) { 2419 if (!CBS_get_u16(&extensions, &type)) 2420 goto err; 2421 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2422 goto err; 2423 2424 if (s->tlsext_debug_cb != NULL) 2425 s->tlsext_debug_cb(s, !is_server, type, 2426 (unsigned char *)CBS_data(&extension_data), 2427 CBS_len(&extension_data), 2428 s->tlsext_debug_arg); 2429 2430 /* Unknown extensions are ignored. */ 2431 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2432 continue; 2433 2434 if (tls_version >= TLS1_3_VERSION && is_server && 2435 msg_type == SSL_TLSEXT_MSG_CH) { 2436 if (!tlsext_clienthello_hash_extension(s, type, 2437 &extension_data)) 2438 goto err; 2439 } 2440 2441 /* RFC 8446 Section 4.2 */ 2442 if (tls_version >= TLS1_3_VERSION && 2443 !(tlsext->messages & msg_type)) { 2444 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2445 goto err; 2446 } 2447 2448 /* Check for duplicate known extensions. */ 2449 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0) 2450 goto err; 2451 s->s3->hs.extensions_seen |= (1 << idx); 2452 2453 ext = tlsext_funcs(tlsext, is_server); 2454 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2455 goto err; 2456 2457 if (CBS_len(&extension_data) != 0) 2458 goto err; 2459 } 2460 2461 return 1; 2462 2463 err: 2464 *alert = alert_desc; 2465 2466 return 0; 2467 } 2468 2469 static void 2470 tlsext_server_reset_state(SSL *s) 2471 { 2472 s->tlsext_status_type = -1; 2473 s->s3->renegotiate_seen = 0; 2474 free(s->s3->alpn_selected); 2475 s->s3->alpn_selected = NULL; 2476 s->s3->alpn_selected_len = 0; 2477 s->srtp_profile = NULL; 2478 } 2479 2480 int 2481 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2482 { 2483 return tlsext_build(s, 1, msg_type, cbb); 2484 } 2485 2486 int 2487 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2488 { 2489 /* XXX - this should be done by the caller... */ 2490 if (msg_type == SSL_TLSEXT_MSG_CH) 2491 tlsext_server_reset_state(s); 2492 2493 return tlsext_parse(s, 1, msg_type, cbs, alert); 2494 } 2495 2496 static void 2497 tlsext_client_reset_state(SSL *s) 2498 { 2499 s->s3->renegotiate_seen = 0; 2500 free(s->s3->alpn_selected); 2501 s->s3->alpn_selected = NULL; 2502 s->s3->alpn_selected_len = 0; 2503 } 2504 2505 int 2506 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2507 { 2508 return tlsext_build(s, 0, msg_type, cbb); 2509 } 2510 2511 int 2512 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2513 { 2514 /* XXX - this should be done by the caller... */ 2515 if (msg_type == SSL_TLSEXT_MSG_SH) 2516 tlsext_client_reset_state(s); 2517 2518 return tlsext_parse(s, 0, msg_type, cbs, alert); 2519 } 2520