1 /* $OpenBSD: ssl_tlsext.c,v 1.98 2021/09/02 11:10:43 beck Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <ctype.h> 21 22 #include <openssl/ocsp.h> 23 #include <openssl/opensslconf.h> 24 25 #include "bytestring.h" 26 #include "ssl_locl.h" 27 #include "ssl_sigalgs.h" 28 #include "ssl_tlsext.h" 29 30 /* 31 * Supported Application-Layer Protocol Negotiation - RFC 7301 32 */ 33 34 int 35 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) 36 { 37 /* ALPN protos have been specified and this is the initial handshake */ 38 return s->internal->alpn_client_proto_list != NULL && 39 S3I(s)->hs.finished_len == 0; 40 } 41 42 int 43 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 44 { 45 CBB protolist; 46 47 if (!CBB_add_u16_length_prefixed(cbb, &protolist)) 48 return 0; 49 50 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, 51 s->internal->alpn_client_proto_list_len)) 52 return 0; 53 54 if (!CBB_flush(cbb)) 55 return 0; 56 57 return 1; 58 } 59 60 int 61 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) 62 { 63 CBS proto_name_list, alpn; 64 const unsigned char *selected; 65 unsigned char selected_len; 66 int r; 67 68 if (!CBS_get_u16_length_prefixed(cbs, &alpn)) 69 goto err; 70 if (CBS_len(&alpn) < 2) 71 goto err; 72 if (CBS_len(cbs) != 0) 73 goto err; 74 75 CBS_dup(&alpn, &proto_name_list); 76 while (CBS_len(&proto_name_list) > 0) { 77 CBS proto_name; 78 79 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) 80 goto err; 81 if (CBS_len(&proto_name) == 0) 82 goto err; 83 } 84 85 if (s->ctx->internal->alpn_select_cb == NULL) 86 return 1; 87 88 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, 89 CBS_data(&alpn), CBS_len(&alpn), 90 s->ctx->internal->alpn_select_cb_arg); 91 if (r == SSL_TLSEXT_ERR_OK) { 92 free(S3I(s)->alpn_selected); 93 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { 94 S3I(s)->alpn_selected_len = 0; 95 *alert = SSL_AD_INTERNAL_ERROR; 96 return 0; 97 } 98 memcpy(S3I(s)->alpn_selected, selected, selected_len); 99 S3I(s)->alpn_selected_len = selected_len; 100 } 101 102 return 1; 103 104 err: 105 *alert = SSL_AD_DECODE_ERROR; 106 return 0; 107 } 108 109 int 110 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) 111 { 112 return S3I(s)->alpn_selected != NULL; 113 } 114 115 int 116 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 117 { 118 CBB list, selected; 119 120 if (!CBB_add_u16_length_prefixed(cbb, &list)) 121 return 0; 122 123 if (!CBB_add_u8_length_prefixed(&list, &selected)) 124 return 0; 125 126 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected, 127 S3I(s)->alpn_selected_len)) 128 return 0; 129 130 if (!CBB_flush(cbb)) 131 return 0; 132 133 return 1; 134 } 135 136 int 137 tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 138 { 139 CBS list, proto; 140 141 if (s->internal->alpn_client_proto_list == NULL) { 142 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 143 return 0; 144 } 145 146 if (!CBS_get_u16_length_prefixed(cbs, &list)) 147 goto err; 148 if (CBS_len(cbs) != 0) 149 goto err; 150 151 if (!CBS_get_u8_length_prefixed(&list, &proto)) 152 goto err; 153 154 if (CBS_len(&list) != 0) 155 goto err; 156 if (CBS_len(&proto) == 0) 157 goto err; 158 159 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected), 160 &(S3I(s)->alpn_selected_len))) 161 goto err; 162 163 return 1; 164 165 err: 166 *alert = SSL_AD_DECODE_ERROR; 167 return 0; 168 } 169 170 /* 171 * Supported Groups - RFC 7919 section 2 172 */ 173 int 174 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 175 { 176 return ssl_has_ecc_ciphers(s) || 177 (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); 178 } 179 180 int 181 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 182 { 183 const uint16_t *groups; 184 size_t groups_len; 185 CBB grouplist; 186 int i; 187 188 tls1_get_group_list(s, 0, &groups, &groups_len); 189 if (groups_len == 0) { 190 SSLerror(s, ERR_R_INTERNAL_ERROR); 191 return 0; 192 } 193 194 if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) 195 return 0; 196 197 for (i = 0; i < groups_len; i++) { 198 if (!CBB_add_u16(&grouplist, groups[i])) 199 return 0; 200 } 201 202 if (!CBB_flush(cbb)) 203 return 0; 204 205 return 1; 206 } 207 208 int 209 tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 210 int *alert) 211 { 212 CBS grouplist; 213 size_t groups_len; 214 215 if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) 216 goto err; 217 if (CBS_len(cbs) != 0) 218 goto err; 219 220 groups_len = CBS_len(&grouplist); 221 if (groups_len == 0 || groups_len % 2 != 0) 222 goto err; 223 groups_len /= 2; 224 225 if (!s->internal->hit) { 226 uint16_t *groups; 227 int i; 228 229 if (S3I(s)->hs.tls13.hrr) { 230 if (SSI(s)->tlsext_supportedgroups == NULL) { 231 *alert = SSL_AD_HANDSHAKE_FAILURE; 232 return 0; 233 } 234 /* 235 * In the case of TLSv1.3 the client cannot change 236 * the supported groups. 237 */ 238 if (groups_len != SSI(s)->tlsext_supportedgroups_length) { 239 *alert = SSL_AD_ILLEGAL_PARAMETER; 240 return 0; 241 } 242 for (i = 0; i < groups_len; i++) { 243 uint16_t group; 244 245 if (!CBS_get_u16(&grouplist, &group)) 246 goto err; 247 if (SSI(s)->tlsext_supportedgroups[i] != group) { 248 *alert = SSL_AD_ILLEGAL_PARAMETER; 249 return 0; 250 } 251 } 252 253 return 1; 254 } 255 256 if (SSI(s)->tlsext_supportedgroups != NULL) 257 goto err; 258 259 if ((groups = reallocarray(NULL, groups_len, 260 sizeof(uint16_t))) == NULL) { 261 *alert = SSL_AD_INTERNAL_ERROR; 262 return 0; 263 } 264 265 for (i = 0; i < groups_len; i++) { 266 if (!CBS_get_u16(&grouplist, &groups[i])) { 267 free(groups); 268 goto err; 269 } 270 } 271 272 if (CBS_len(&grouplist) != 0) { 273 free(groups); 274 goto err; 275 } 276 277 SSI(s)->tlsext_supportedgroups = groups; 278 SSI(s)->tlsext_supportedgroups_length = groups_len; 279 } 280 281 return 1; 282 283 err: 284 *alert = SSL_AD_DECODE_ERROR; 285 return 0; 286 } 287 288 /* This extension is never used by the server. */ 289 int 290 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) 291 { 292 return 0; 293 } 294 295 int 296 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 297 { 298 return 0; 299 } 300 301 int 302 tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 303 int *alert) 304 { 305 /* 306 * Servers should not send this extension per the RFC. 307 * 308 * However, certain F5 BIG-IP systems incorrectly send it. This bug is 309 * from at least 2014 but as of 2017, there are still large sites with 310 * this unpatched in production. As a result, we need to currently skip 311 * over the extension and ignore its content: 312 * 313 * https://support.f5.com/csp/article/K37345003 314 */ 315 if (!CBS_skip(cbs, CBS_len(cbs))) { 316 *alert = SSL_AD_INTERNAL_ERROR; 317 return 0; 318 } 319 320 return 1; 321 } 322 323 /* 324 * Supported Point Formats Extension - RFC 4492 section 5.1.2 325 */ 326 static int 327 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) 328 { 329 CBB ecpf; 330 size_t formats_len; 331 const uint8_t *formats; 332 333 tls1_get_formatlist(s, 0, &formats, &formats_len); 334 335 if (formats_len == 0) { 336 SSLerror(s, ERR_R_INTERNAL_ERROR); 337 return 0; 338 } 339 340 if (!CBB_add_u8_length_prefixed(cbb, &ecpf)) 341 return 0; 342 if (!CBB_add_bytes(&ecpf, formats, formats_len)) 343 return 0; 344 if (!CBB_flush(cbb)) 345 return 0; 346 347 return 1; 348 } 349 350 static int 351 tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 352 { 353 CBS ecpf; 354 355 if (!CBS_get_u8_length_prefixed(cbs, &ecpf)) 356 return 0; 357 if (CBS_len(&ecpf) == 0) 358 return 0; 359 if (CBS_len(cbs) != 0) 360 return 0; 361 362 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 363 if (!CBS_contains_zero_byte(&ecpf)) { 364 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 365 *alert = SSL_AD_ILLEGAL_PARAMETER; 366 return 0; 367 } 368 369 if (!s->internal->hit) { 370 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 371 &(SSI(s)->tlsext_ecpointformatlist_length))) { 372 *alert = SSL_AD_INTERNAL_ERROR; 373 return 0; 374 } 375 } 376 377 return 1; 378 } 379 380 int 381 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) 382 { 383 return ssl_has_ecc_ciphers(s); 384 } 385 386 int 387 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 388 { 389 return tlsext_ecpf_build(s, msg_type, cbb); 390 } 391 392 int 393 tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 394 { 395 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 396 } 397 398 int 399 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) 400 { 401 return ssl_using_ecc_cipher(s); 402 } 403 404 int 405 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 406 { 407 return tlsext_ecpf_build(s, msg_type, cbb); 408 } 409 410 int 411 tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 412 { 413 return tlsext_ecpf_parse(s, msg_type, cbs, alert); 414 } 415 416 /* 417 * Renegotiation Indication - RFC 5746. 418 */ 419 int 420 tlsext_ri_client_needs(SSL *s, uint16_t msg_type) 421 { 422 return (s->internal->renegotiate); 423 } 424 425 int 426 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 427 { 428 CBB reneg; 429 430 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 431 return 0; 432 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 433 S3I(s)->previous_client_finished_len)) 434 return 0; 435 if (!CBB_flush(cbb)) 436 return 0; 437 438 return 1; 439 } 440 441 int 442 tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 443 { 444 CBS reneg; 445 446 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 447 goto err; 448 if (CBS_len(cbs) != 0) 449 goto err; 450 451 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, 452 S3I(s)->previous_client_finished_len)) { 453 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 454 *alert = SSL_AD_HANDSHAKE_FAILURE; 455 return 0; 456 } 457 458 S3I(s)->renegotiate_seen = 1; 459 S3I(s)->send_connection_binding = 1; 460 461 return 1; 462 463 err: 464 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 465 *alert = SSL_AD_DECODE_ERROR; 466 return 0; 467 } 468 469 int 470 tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 471 { 472 return (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION && 473 S3I(s)->send_connection_binding); 474 } 475 476 int 477 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 478 { 479 CBB reneg; 480 481 if (!CBB_add_u8_length_prefixed(cbb, &reneg)) 482 return 0; 483 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished, 484 S3I(s)->previous_client_finished_len)) 485 return 0; 486 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished, 487 S3I(s)->previous_server_finished_len)) 488 return 0; 489 if (!CBB_flush(cbb)) 490 return 0; 491 492 return 1; 493 } 494 495 int 496 tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 497 { 498 CBS reneg, prev_client, prev_server; 499 500 /* 501 * Ensure that the previous client and server values are both not 502 * present, or that they are both present. 503 */ 504 if ((S3I(s)->previous_client_finished_len == 0 && 505 S3I(s)->previous_server_finished_len != 0) || 506 (S3I(s)->previous_client_finished_len != 0 && 507 S3I(s)->previous_server_finished_len == 0)) { 508 *alert = SSL_AD_INTERNAL_ERROR; 509 return 0; 510 } 511 512 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) 513 goto err; 514 if (!CBS_get_bytes(&reneg, &prev_client, 515 S3I(s)->previous_client_finished_len)) 516 goto err; 517 if (!CBS_get_bytes(&reneg, &prev_server, 518 S3I(s)->previous_server_finished_len)) 519 goto err; 520 if (CBS_len(&reneg) != 0) 521 goto err; 522 if (CBS_len(cbs) != 0) 523 goto err; 524 525 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished, 526 S3I(s)->previous_client_finished_len)) { 527 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 528 *alert = SSL_AD_HANDSHAKE_FAILURE; 529 return 0; 530 } 531 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished, 532 S3I(s)->previous_server_finished_len)) { 533 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); 534 *alert = SSL_AD_HANDSHAKE_FAILURE; 535 return 0; 536 } 537 538 S3I(s)->renegotiate_seen = 1; 539 S3I(s)->send_connection_binding = 1; 540 541 return 1; 542 543 err: 544 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); 545 *alert = SSL_AD_DECODE_ERROR; 546 return 0; 547 } 548 549 /* 550 * Signature Algorithms - RFC 5246 section 7.4.1.4.1. 551 */ 552 int 553 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 554 { 555 return (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION); 556 } 557 558 int 559 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 560 { 561 uint16_t tls_version = S3I(s)->hs.negotiated_tls_version; 562 CBB sigalgs; 563 564 if (msg_type == SSL_TLSEXT_MSG_CH) 565 tls_version = S3I(s)->hs.our_min_tls_version; 566 567 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 568 return 0; 569 if (!ssl_sigalgs_build(tls_version, &sigalgs)) 570 return 0; 571 if (!CBB_flush(cbb)) 572 return 0; 573 574 return 1; 575 } 576 577 int 578 tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 579 { 580 CBS sigalgs; 581 582 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 583 return 0; 584 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 585 return 0; 586 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 587 return 0; 588 589 return 1; 590 } 591 592 int 593 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 594 { 595 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); 596 } 597 598 int 599 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 600 { 601 CBB sigalgs; 602 603 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 604 return 0; 605 if (!ssl_sigalgs_build(S3I(s)->hs.negotiated_tls_version, &sigalgs)) 606 return 0; 607 if (!CBB_flush(cbb)) 608 return 0; 609 610 return 1; 611 } 612 613 int 614 tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 615 { 616 CBS sigalgs; 617 618 if (ssl_effective_tls_version(s) < TLS1_3_VERSION) 619 return 0; 620 621 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 622 return 0; 623 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) 624 return 0; 625 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) 626 return 0; 627 628 return 1; 629 } 630 631 /* 632 * Server Name Indication - RFC 6066, section 3. 633 */ 634 int 635 tlsext_sni_client_needs(SSL *s, uint16_t msg_type) 636 { 637 return (s->tlsext_hostname != NULL); 638 } 639 640 int 641 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 642 { 643 CBB server_name_list, host_name; 644 645 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list)) 646 return 0; 647 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name)) 648 return 0; 649 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name)) 650 return 0; 651 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname, 652 strlen(s->tlsext_hostname))) 653 return 0; 654 if (!CBB_flush(cbb)) 655 return 0; 656 657 return 1; 658 } 659 660 /* 661 * Validate that the CBS contains only a hostname consisting of RFC 5890 662 * compliant A-labels (see RFC 6066 section 3). Not a complete check 663 * since we don't parse punycode to verify its validity but limits to 664 * correct structure and character set. 665 */ 666 int 667 tlsext_sni_is_valid_hostname(CBS *cbs) 668 { 669 uint8_t prev, c = 0; 670 int component = 0; 671 CBS hostname; 672 673 CBS_dup(cbs, &hostname); 674 675 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) 676 return 0; 677 678 while(CBS_len(&hostname) > 0) { 679 prev = c; 680 if (!CBS_get_u8(&hostname, &c)) 681 return 0; 682 /* Everything has to be ASCII, with no NUL byte. */ 683 if (!isascii(c) || c == '\0') 684 return 0; 685 /* It must be alphanumeric, a '-', or a '.' */ 686 if (!isalnum(c) && c != '-' && c != '.') 687 return 0; 688 /* '-' and '.' must not start a component or be at the end. */ 689 if (component == 0 || CBS_len(&hostname) == 0) { 690 if (c == '-' || c == '.') 691 return 0; 692 } 693 if (c == '.') { 694 /* Components can not end with a dash. */ 695 if (prev == '-') 696 return 0; 697 /* Start new component */ 698 component = 0; 699 continue; 700 } 701 /* Components must be 63 chars or less. */ 702 if (++component > 63) 703 return 0; 704 } 705 706 return 1; 707 } 708 709 int 710 tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 711 { 712 CBS server_name_list, host_name; 713 uint8_t name_type; 714 715 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) 716 goto err; 717 718 if (!CBS_get_u8(&server_name_list, &name_type)) 719 goto err; 720 /* 721 * RFC 6066 section 3, only one type (host_name) is specified. 722 * We do not tolerate unknown types, neither does BoringSSL. 723 * other implementations appear more tolerant. 724 */ 725 if (name_type != TLSEXT_NAMETYPE_host_name) { 726 *alert = SSL_AD_ILLEGAL_PARAMETER; 727 goto err; 728 } 729 730 731 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) 732 goto err; 733 /* 734 * RFC 6066 section 3 specifies a host name must be at least 1 byte 735 * so 0 length is a decode error. 736 */ 737 if (CBS_len(&host_name) < 1) 738 goto err; 739 740 if (!tlsext_sni_is_valid_hostname(&host_name)) { 741 *alert = SSL_AD_ILLEGAL_PARAMETER; 742 goto err; 743 } 744 745 if (s->internal->hit || S3I(s)->hs.tls13.hrr) { 746 if (s->session->tlsext_hostname == NULL) { 747 *alert = SSL_AD_UNRECOGNIZED_NAME; 748 goto err; 749 } 750 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 751 strlen(s->session->tlsext_hostname))) { 752 *alert = SSL_AD_UNRECOGNIZED_NAME; 753 goto err; 754 } 755 } else { 756 if (s->session->tlsext_hostname != NULL) 757 goto err; 758 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 759 *alert = SSL_AD_INTERNAL_ERROR; 760 goto err; 761 } 762 } 763 764 /* 765 * RFC 6066 section 3 forbids multiple host names with the same type, 766 * therefore we allow only one entry. 767 */ 768 if (CBS_len(&server_name_list) != 0) { 769 *alert = SSL_AD_ILLEGAL_PARAMETER; 770 goto err; 771 } 772 if (CBS_len(cbs) != 0) 773 goto err; 774 775 return 1; 776 777 err: 778 return 0; 779 } 780 781 int 782 tlsext_sni_server_needs(SSL *s, uint16_t msg_type) 783 { 784 if (s->internal->hit) 785 return 0; 786 787 return (s->session->tlsext_hostname != NULL); 788 } 789 790 int 791 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 792 { 793 return 1; 794 } 795 796 int 797 tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 798 { 799 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 800 *alert = SSL_AD_UNRECOGNIZED_NAME; 801 return 0; 802 } 803 804 if (s->internal->hit) { 805 if (s->session->tlsext_hostname == NULL) { 806 *alert = SSL_AD_UNRECOGNIZED_NAME; 807 return 0; 808 } 809 if (strcmp(s->tlsext_hostname, 810 s->session->tlsext_hostname) != 0) { 811 *alert = SSL_AD_UNRECOGNIZED_NAME; 812 return 0; 813 } 814 } else { 815 if (s->session->tlsext_hostname != NULL) { 816 *alert = SSL_AD_DECODE_ERROR; 817 return 0; 818 } 819 if ((s->session->tlsext_hostname = 820 strdup(s->tlsext_hostname)) == NULL) { 821 *alert = SSL_AD_INTERNAL_ERROR; 822 return 0; 823 } 824 } 825 826 return 1; 827 } 828 829 830 /* 831 * Certificate Status Request - RFC 6066 section 8. 832 */ 833 834 int 835 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 836 { 837 if (msg_type != SSL_TLSEXT_MSG_CH) 838 return 0; 839 840 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); 841 } 842 843 int 844 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 845 { 846 CBB respid_list, respid, exts; 847 unsigned char *ext_data; 848 size_t ext_len; 849 int i; 850 851 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 852 return 0; 853 if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) 854 return 0; 855 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { 856 unsigned char *respid_data; 857 OCSP_RESPID *id; 858 size_t id_len; 859 860 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, 861 i)) == NULL) 862 return 0; 863 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) 864 return 0; 865 if (!CBB_add_u16_length_prefixed(&respid_list, &respid)) 866 return 0; 867 if (!CBB_add_space(&respid, &respid_data, id_len)) 868 return 0; 869 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len) 870 return 0; 871 } 872 if (!CBB_add_u16_length_prefixed(cbb, &exts)) 873 return 0; 874 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, 875 NULL)) == -1) 876 return 0; 877 if (!CBB_add_space(&exts, &ext_data, ext_len)) 878 return 0; 879 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != 880 ext_len)) 881 return 0; 882 if (!CBB_flush(cbb)) 883 return 0; 884 return 1; 885 } 886 887 int 888 tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 889 { 890 int alert_desc = SSL_AD_DECODE_ERROR; 891 CBS respid_list, respid, exts; 892 const unsigned char *p; 893 uint8_t status_type; 894 int ret = 0; 895 896 if (msg_type != SSL_TLSEXT_MSG_CH) 897 goto err; 898 899 if (!CBS_get_u8(cbs, &status_type)) 900 goto err; 901 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 902 /* ignore unknown status types */ 903 s->tlsext_status_type = -1; 904 905 if (!CBS_skip(cbs, CBS_len(cbs))) { 906 *alert = SSL_AD_INTERNAL_ERROR; 907 return 0; 908 } 909 return 1; 910 } 911 s->tlsext_status_type = status_type; 912 if (!CBS_get_u16_length_prefixed(cbs, &respid_list)) 913 goto err; 914 915 /* XXX */ 916 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); 917 s->internal->tlsext_ocsp_ids = NULL; 918 if (CBS_len(&respid_list) > 0) { 919 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); 920 if (s->internal->tlsext_ocsp_ids == NULL) { 921 alert_desc = SSL_AD_INTERNAL_ERROR; 922 goto err; 923 } 924 } 925 926 while (CBS_len(&respid_list) > 0) { 927 OCSP_RESPID *id; 928 929 if (!CBS_get_u16_length_prefixed(&respid_list, &respid)) 930 goto err; 931 p = CBS_data(&respid); 932 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) 933 goto err; 934 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { 935 alert_desc = SSL_AD_INTERNAL_ERROR; 936 OCSP_RESPID_free(id); 937 goto err; 938 } 939 } 940 941 /* Read in request_extensions */ 942 if (!CBS_get_u16_length_prefixed(cbs, &exts)) 943 goto err; 944 if (CBS_len(&exts) > 0) { 945 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, 946 X509_EXTENSION_free); 947 p = CBS_data(&exts); 948 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, 949 &p, CBS_len(&exts))) == NULL) 950 goto err; 951 } 952 953 /* should be nothing left */ 954 if (CBS_len(cbs) > 0) 955 goto err; 956 957 ret = 1; 958 err: 959 if (ret == 0) 960 *alert = alert_desc; 961 return ret; 962 } 963 964 int 965 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 966 { 967 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && 968 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 969 s->ctx->internal->tlsext_status_cb != NULL) { 970 s->internal->tlsext_status_expected = 0; 971 if (s->ctx->internal->tlsext_status_cb(s, 972 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && 973 s->internal->tlsext_ocsp_resp_len > 0) 974 s->internal->tlsext_status_expected = 1; 975 } 976 return s->internal->tlsext_status_expected; 977 } 978 979 int 980 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 981 { 982 CBB ocsp_response; 983 984 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) { 985 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 986 return 0; 987 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 988 return 0; 989 if (!CBB_add_bytes(&ocsp_response, 990 s->internal->tlsext_ocsp_resp, 991 s->internal->tlsext_ocsp_resp_len)) 992 return 0; 993 if (!CBB_flush(cbb)) 994 return 0; 995 } 996 return 1; 997 } 998 999 int 1000 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1001 { 1002 uint8_t status_type; 1003 CBS response; 1004 1005 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { 1006 if (msg_type == SSL_TLSEXT_MSG_CR) { 1007 /* 1008 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1009 * response with an empty status_request. 1010 */ 1011 if (CBS_len(cbs) == 0) 1012 return 1; 1013 1014 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1015 return 0; 1016 } 1017 if (!CBS_get_u8(cbs, &status_type)) { 1018 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1019 return 0; 1020 } 1021 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1022 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1023 return 0; 1024 } 1025 if (!CBS_get_u24_length_prefixed(cbs, &response)) { 1026 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1027 return 0; 1028 } 1029 if (CBS_len(&response) > 65536) { 1030 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1031 return 0; 1032 } 1033 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 1034 &s->internal->tlsext_ocsp_resp_len)) { 1035 *alert = SSL_AD_INTERNAL_ERROR; 1036 return 0; 1037 } 1038 } else { 1039 if (s->tlsext_status_type == -1) { 1040 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1041 return 0; 1042 } 1043 /* Set flag to expect CertificateStatus message */ 1044 s->internal->tlsext_status_expected = 1; 1045 } 1046 return 1; 1047 } 1048 1049 /* 1050 * SessionTicket extension - RFC 5077 section 3.2 1051 */ 1052 int 1053 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) 1054 { 1055 /* 1056 * Send session ticket extension when enabled and not overridden. 1057 * 1058 * When renegotiating, send an empty session ticket to indicate support. 1059 */ 1060 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) 1061 return 0; 1062 1063 if (s->internal->new_session) 1064 return 1; 1065 1066 if (s->internal->tlsext_session_ticket != NULL && 1067 s->internal->tlsext_session_ticket->data == NULL) 1068 return 0; 1069 1070 return 1; 1071 } 1072 1073 int 1074 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1075 { 1076 /* 1077 * Signal that we support session tickets by sending an empty 1078 * extension when renegotiating or no session found. 1079 */ 1080 if (s->internal->new_session || s->session == NULL) 1081 return 1; 1082 1083 if (s->session->tlsext_tick != NULL) { 1084 /* Attempt to resume with an existing session ticket */ 1085 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1086 s->session->tlsext_ticklen)) 1087 return 0; 1088 1089 } else if (s->internal->tlsext_session_ticket != NULL) { 1090 /* 1091 * Attempt to resume with a custom provided session ticket set 1092 * by SSL_set_session_ticket_ext(). 1093 */ 1094 if (s->internal->tlsext_session_ticket->length > 0) { 1095 size_t ticklen = s->internal->tlsext_session_ticket->length; 1096 1097 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) 1098 return 0; 1099 memcpy(s->session->tlsext_tick, 1100 s->internal->tlsext_session_ticket->data, 1101 ticklen); 1102 s->session->tlsext_ticklen = ticklen; 1103 1104 if (!CBB_add_bytes(cbb, s->session->tlsext_tick, 1105 s->session->tlsext_ticklen)) 1106 return 0; 1107 } 1108 } 1109 1110 if (!CBB_flush(cbb)) 1111 return 0; 1112 1113 return 1; 1114 } 1115 1116 int 1117 tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1118 int *alert) 1119 { 1120 if (s->internal->tls_session_ticket_ext_cb) { 1121 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1122 (int)CBS_len(cbs), 1123 s->internal->tls_session_ticket_ext_cb_arg)) { 1124 *alert = SSL_AD_INTERNAL_ERROR; 1125 return 0; 1126 } 1127 } 1128 1129 /* We need to signal that this was processed fully */ 1130 if (!CBS_skip(cbs, CBS_len(cbs))) { 1131 *alert = SSL_AD_INTERNAL_ERROR; 1132 return 0; 1133 } 1134 1135 return 1; 1136 } 1137 1138 int 1139 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) 1140 { 1141 return (s->internal->tlsext_ticket_expected && 1142 !(SSL_get_options(s) & SSL_OP_NO_TICKET)); 1143 } 1144 1145 int 1146 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1147 { 1148 /* Empty ticket */ 1149 return 1; 1150 } 1151 1152 int 1153 tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, 1154 int *alert) 1155 { 1156 if (s->internal->tls_session_ticket_ext_cb) { 1157 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1158 (int)CBS_len(cbs), 1159 s->internal->tls_session_ticket_ext_cb_arg)) { 1160 *alert = SSL_AD_INTERNAL_ERROR; 1161 return 0; 1162 } 1163 } 1164 1165 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1166 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1167 return 0; 1168 } 1169 1170 s->internal->tlsext_ticket_expected = 1; 1171 1172 return 1; 1173 } 1174 1175 /* 1176 * DTLS extension for SRTP key establishment - RFC 5764 1177 */ 1178 1179 #ifndef OPENSSL_NO_SRTP 1180 1181 int 1182 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1183 { 1184 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; 1185 } 1186 1187 int 1188 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1189 { 1190 CBB profiles, mki; 1191 int ct, i; 1192 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL; 1193 const SRTP_PROTECTION_PROFILE *prof; 1194 1195 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1196 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1197 return 0; 1198 } 1199 1200 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) { 1201 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); 1202 return 0; 1203 } 1204 1205 if (!CBB_add_u16_length_prefixed(cbb, &profiles)) 1206 return 0; 1207 1208 for (i = 0; i < ct; i++) { 1209 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) 1210 return 0; 1211 if (!CBB_add_u16(&profiles, prof->id)) 1212 return 0; 1213 } 1214 1215 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1216 return 0; 1217 1218 if (!CBB_flush(cbb)) 1219 return 0; 1220 1221 return 1; 1222 } 1223 1224 int 1225 tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1226 { 1227 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1228 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1229 int i, j; 1230 int ret; 1231 uint16_t id; 1232 CBS profiles, mki; 1233 1234 ret = 0; 1235 1236 if (!CBS_get_u16_length_prefixed(cbs, &profiles)) 1237 goto err; 1238 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0) 1239 goto err; 1240 1241 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL) 1242 goto err; 1243 1244 while (CBS_len(&profiles) > 0) { 1245 if (!CBS_get_u16(&profiles, &id)) 1246 goto err; 1247 1248 if (!srtp_find_profile_by_num(id, &cprof)) { 1249 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)) 1250 goto err; 1251 } 1252 } 1253 1254 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1255 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1256 *alert = SSL_AD_DECODE_ERROR; 1257 goto done; 1258 } 1259 if (CBS_len(cbs) != 0) 1260 goto err; 1261 1262 /* 1263 * Per RFC 5764 section 4.1.1 1264 * 1265 * Find the server preferred profile using the client's list. 1266 * 1267 * The server MUST send a profile if it sends the use_srtp 1268 * extension. If one is not found, it should fall back to the 1269 * negotiated DTLS cipher suite or return a DTLS alert. 1270 */ 1271 if ((srvr = SSL_get_srtp_profiles(s)) == NULL) 1272 goto err; 1273 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { 1274 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) 1275 == NULL) 1276 goto err; 1277 1278 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { 1279 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)) 1280 == NULL) 1281 goto err; 1282 1283 if (cprof->id == sprof->id) { 1284 s->internal->srtp_profile = sprof; 1285 ret = 1; 1286 goto done; 1287 } 1288 } 1289 } 1290 1291 /* If we didn't find anything, fall back to the negotiated */ 1292 ret = 1; 1293 goto done; 1294 1295 err: 1296 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1297 *alert = SSL_AD_DECODE_ERROR; 1298 1299 done: 1300 sk_SRTP_PROTECTION_PROFILE_free(clnt); 1301 return ret; 1302 } 1303 1304 int 1305 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1306 { 1307 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; 1308 } 1309 1310 int 1311 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1312 { 1313 SRTP_PROTECTION_PROFILE *profile; 1314 CBB srtp, mki; 1315 1316 if (!CBB_add_u16_length_prefixed(cbb, &srtp)) 1317 return 0; 1318 1319 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL) 1320 return 0; 1321 1322 if (!CBB_add_u16(&srtp, profile->id)) 1323 return 0; 1324 1325 if (!CBB_add_u8_length_prefixed(cbb, &mki)) 1326 return 0; 1327 1328 if (!CBB_flush(cbb)) 1329 return 0; 1330 1331 return 1; 1332 } 1333 1334 int 1335 tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1336 { 1337 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1338 const SRTP_PROTECTION_PROFILE *prof; 1339 int i; 1340 uint16_t id; 1341 CBS profile_ids, mki; 1342 1343 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { 1344 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1345 goto err; 1346 } 1347 1348 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { 1349 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1350 goto err; 1351 } 1352 1353 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { 1354 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); 1355 *alert = SSL_AD_ILLEGAL_PARAMETER; 1356 return 0; 1357 } 1358 1359 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { 1360 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1361 goto err; 1362 } 1363 1364 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1365 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) 1366 == NULL) { 1367 SSLerror(s, SSL_R_NO_SRTP_PROFILES); 1368 goto err; 1369 } 1370 1371 if (prof->id == id) { 1372 s->internal->srtp_profile = prof; 1373 return 1; 1374 } 1375 } 1376 1377 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1378 err: 1379 *alert = SSL_AD_DECODE_ERROR; 1380 return 0; 1381 } 1382 1383 #endif /* OPENSSL_NO_SRTP */ 1384 1385 /* 1386 * TLSv1.3 Key Share - RFC 8446 section 4.2.8. 1387 */ 1388 int 1389 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1390 { 1391 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); 1392 } 1393 1394 int 1395 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1396 { 1397 CBB client_shares; 1398 1399 if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) 1400 return 0; 1401 1402 if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, 1403 &client_shares)) 1404 return 0; 1405 1406 if (!CBB_flush(cbb)) 1407 return 0; 1408 1409 return 1; 1410 } 1411 1412 int 1413 tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1414 { 1415 CBS client_shares, key_exchange; 1416 uint16_t group; 1417 1418 if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) 1419 goto err; 1420 1421 while (CBS_len(&client_shares) > 0) { 1422 1423 /* Unpack client share. */ 1424 if (!CBS_get_u16(&client_shares, &group)) 1425 goto err; 1426 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) 1427 return 0; 1428 1429 /* 1430 * XXX - check key exchange against supported groups from client. 1431 * XXX - check that groups only appear once. 1432 */ 1433 1434 /* 1435 * Ignore this client share if we're using earlier than TLSv1.3 1436 * or we've already selected a key share. 1437 */ 1438 if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION) 1439 continue; 1440 if (S3I(s)->hs.tls13.key_share != NULL) 1441 continue; 1442 1443 /* XXX - consider implementing server preference. */ 1444 if (!tls1_check_curve(s, group)) 1445 continue; 1446 1447 /* Decode and store the selected key share. */ 1448 S3I(s)->hs.tls13.key_share = tls13_key_share_new(group); 1449 if (S3I(s)->hs.tls13.key_share == NULL) 1450 goto err; 1451 if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share, 1452 group, &key_exchange)) 1453 goto err; 1454 } 1455 1456 return 1; 1457 1458 err: 1459 *alert = SSL_AD_DECODE_ERROR; 1460 return 0; 1461 } 1462 1463 int 1464 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1465 { 1466 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && 1467 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); 1468 } 1469 1470 int 1471 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1472 { 1473 /* In the case of a HRR, we only send the server selected group. */ 1474 if (S3I(s)->hs.tls13.hrr) { 1475 if (S3I(s)->hs.tls13.server_group == 0) 1476 return 0; 1477 return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group); 1478 } 1479 1480 if (S3I(s)->hs.tls13.key_share == NULL) 1481 return 0; 1482 1483 if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, cbb)) 1484 return 0; 1485 1486 return 1; 1487 } 1488 1489 int 1490 tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1491 { 1492 CBS key_exchange; 1493 uint16_t group; 1494 1495 /* Unpack server share. */ 1496 if (!CBS_get_u16(cbs, &group)) 1497 goto err; 1498 1499 if (CBS_len(cbs) == 0) { 1500 /* HRR does not include an actual key share. */ 1501 /* XXX - we should know that we are in a HRR... */ 1502 S3I(s)->hs.tls13.server_group = group; 1503 return 1; 1504 } 1505 1506 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1507 return 0; 1508 1509 if (S3I(s)->hs.tls13.key_share == NULL) 1510 return 0; 1511 1512 if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share, 1513 group, &key_exchange)) 1514 goto err; 1515 1516 return 1; 1517 1518 err: 1519 *alert = SSL_AD_DECODE_ERROR; 1520 return 0; 1521 } 1522 1523 /* 1524 * Supported Versions - RFC 8446 section 4.2.1. 1525 */ 1526 int 1527 tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1528 { 1529 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); 1530 } 1531 1532 int 1533 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1534 { 1535 uint16_t max, min; 1536 uint16_t version; 1537 CBB versions; 1538 1539 max = S3I(s)->hs.our_max_tls_version; 1540 min = S3I(s)->hs.our_min_tls_version; 1541 1542 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1543 return 0; 1544 1545 /* XXX - fix, but contiguous for now... */ 1546 for (version = max; version >= min; version--) { 1547 if (!CBB_add_u16(&versions, version)) 1548 return 0; 1549 } 1550 1551 if (!CBB_flush(cbb)) 1552 return 0; 1553 1554 return 1; 1555 } 1556 1557 int 1558 tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1559 { 1560 CBS versions; 1561 uint16_t version; 1562 uint16_t max, min; 1563 uint16_t matched_version = 0; 1564 1565 max = S3I(s)->hs.our_max_tls_version; 1566 min = S3I(s)->hs.our_min_tls_version; 1567 1568 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1569 goto err; 1570 1571 while (CBS_len(&versions) > 0) { 1572 if (!CBS_get_u16(&versions, &version)) 1573 goto err; 1574 /* 1575 * XXX What is below implements client preference, and 1576 * ignores any server preference entirely. 1577 */ 1578 if (matched_version == 0 && version >= min && version <= max) 1579 matched_version = version; 1580 } 1581 1582 if (matched_version > 0) { 1583 /* XXX - this should be stored for later processing. */ 1584 s->version = matched_version; 1585 return 1; 1586 } 1587 1588 *alert = SSL_AD_PROTOCOL_VERSION; 1589 return 0; 1590 1591 err: 1592 *alert = SSL_AD_DECODE_ERROR; 1593 return 0; 1594 } 1595 1596 int 1597 tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1598 { 1599 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); 1600 } 1601 1602 int 1603 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1604 { 1605 return CBB_add_u16(cbb, TLS1_3_VERSION); 1606 } 1607 1608 int 1609 tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1610 { 1611 uint16_t selected_version; 1612 1613 if (!CBS_get_u16(cbs, &selected_version)) { 1614 *alert = SSL_AD_DECODE_ERROR; 1615 return 0; 1616 } 1617 1618 /* XXX - need to fix for DTLS 1.3 */ 1619 if (selected_version < TLS1_3_VERSION) { 1620 *alert = SSL_AD_ILLEGAL_PARAMETER; 1621 return 0; 1622 } 1623 1624 /* XXX test between min and max once initialization code goes in */ 1625 S3I(s)->hs.tls13.server_version = selected_version; 1626 1627 return 1; 1628 } 1629 1630 1631 /* 1632 * Cookie - RFC 8446 section 4.2.2. 1633 */ 1634 1635 int 1636 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1637 { 1638 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && 1639 S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); 1640 } 1641 1642 int 1643 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 1644 { 1645 CBB cookie; 1646 1647 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1648 return 0; 1649 1650 if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, 1651 S3I(s)->hs.tls13.cookie_len)) 1652 return 0; 1653 1654 if (!CBB_flush(cbb)) 1655 return 0; 1656 1657 return 1; 1658 } 1659 1660 int 1661 tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1662 { 1663 CBS cookie; 1664 1665 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1666 goto err; 1667 1668 if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len) 1669 goto err; 1670 1671 /* 1672 * Check provided cookie value against what server previously 1673 * sent - client *MUST* send the same cookie with new CR after 1674 * a cookie is sent by the server with an HRR. 1675 */ 1676 if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie, 1677 S3I(s)->hs.tls13.cookie_len)) { 1678 /* XXX special cookie mismatch alert? */ 1679 *alert = SSL_AD_ILLEGAL_PARAMETER; 1680 return 0; 1681 } 1682 1683 return 1; 1684 1685 err: 1686 *alert = SSL_AD_DECODE_ERROR; 1687 return 0; 1688 } 1689 1690 int 1691 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1692 { 1693 /* 1694 * Server needs to set cookie value in tls13 handshake 1695 * in order to send one, should only be sent with HRR. 1696 */ 1697 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && 1698 S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); 1699 } 1700 1701 int 1702 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1703 { 1704 CBB cookie; 1705 1706 /* XXX deduplicate with client code */ 1707 1708 if (!CBB_add_u16_length_prefixed(cbb, &cookie)) 1709 return 0; 1710 1711 if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, 1712 S3I(s)->hs.tls13.cookie_len)) 1713 return 0; 1714 1715 if (!CBB_flush(cbb)) 1716 return 0; 1717 1718 return 1; 1719 } 1720 1721 int 1722 tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1723 { 1724 CBS cookie; 1725 1726 /* 1727 * XXX This currently assumes we will not get a second 1728 * HRR from a server with a cookie to process after accepting 1729 * one from the server in the same handshake 1730 */ 1731 if (S3I(s)->hs.tls13.cookie != NULL || 1732 S3I(s)->hs.tls13.cookie_len != 0) { 1733 *alert = SSL_AD_ILLEGAL_PARAMETER; 1734 return 0; 1735 } 1736 1737 if (!CBS_get_u16_length_prefixed(cbs, &cookie)) 1738 goto err; 1739 1740 if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie, 1741 &S3I(s)->hs.tls13.cookie_len)) 1742 goto err; 1743 1744 return 1; 1745 1746 err: 1747 *alert = SSL_AD_DECODE_ERROR; 1748 return 0; 1749 } 1750 1751 struct tls_extension_funcs { 1752 int (*needs)(SSL *s, uint16_t msg_type); 1753 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 1754 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); 1755 }; 1756 1757 struct tls_extension { 1758 uint16_t type; 1759 uint16_t messages; 1760 struct tls_extension_funcs client; 1761 struct tls_extension_funcs server; 1762 }; 1763 1764 static const struct tls_extension tls_extensions[] = { 1765 { 1766 .type = TLSEXT_TYPE_supported_versions, 1767 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1768 SSL_TLSEXT_MSG_HRR, 1769 .client = { 1770 .needs = tlsext_versions_client_needs, 1771 .build = tlsext_versions_client_build, 1772 .parse = tlsext_versions_client_parse, 1773 }, 1774 .server = { 1775 .needs = tlsext_versions_server_needs, 1776 .build = tlsext_versions_server_build, 1777 .parse = tlsext_versions_server_parse, 1778 }, 1779 }, 1780 { 1781 .type = TLSEXT_TYPE_key_share, 1782 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | 1783 SSL_TLSEXT_MSG_HRR, 1784 .client = { 1785 .needs = tlsext_keyshare_client_needs, 1786 .build = tlsext_keyshare_client_build, 1787 .parse = tlsext_keyshare_client_parse, 1788 }, 1789 .server = { 1790 .needs = tlsext_keyshare_server_needs, 1791 .build = tlsext_keyshare_server_build, 1792 .parse = tlsext_keyshare_server_parse, 1793 }, 1794 }, 1795 { 1796 .type = TLSEXT_TYPE_server_name, 1797 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1798 .client = { 1799 .needs = tlsext_sni_client_needs, 1800 .build = tlsext_sni_client_build, 1801 .parse = tlsext_sni_client_parse, 1802 }, 1803 .server = { 1804 .needs = tlsext_sni_server_needs, 1805 .build = tlsext_sni_server_build, 1806 .parse = tlsext_sni_server_parse, 1807 }, 1808 }, 1809 { 1810 .type = TLSEXT_TYPE_renegotiate, 1811 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1812 .client = { 1813 .needs = tlsext_ri_client_needs, 1814 .build = tlsext_ri_client_build, 1815 .parse = tlsext_ri_client_parse, 1816 }, 1817 .server = { 1818 .needs = tlsext_ri_server_needs, 1819 .build = tlsext_ri_server_build, 1820 .parse = tlsext_ri_server_parse, 1821 }, 1822 }, 1823 { 1824 .type = TLSEXT_TYPE_status_request, 1825 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | 1826 SSL_TLSEXT_MSG_CT, 1827 .client = { 1828 .needs = tlsext_ocsp_client_needs, 1829 .build = tlsext_ocsp_client_build, 1830 .parse = tlsext_ocsp_client_parse, 1831 }, 1832 .server = { 1833 .needs = tlsext_ocsp_server_needs, 1834 .build = tlsext_ocsp_server_build, 1835 .parse = tlsext_ocsp_server_parse, 1836 }, 1837 }, 1838 { 1839 .type = TLSEXT_TYPE_ec_point_formats, 1840 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1841 .client = { 1842 .needs = tlsext_ecpf_client_needs, 1843 .build = tlsext_ecpf_client_build, 1844 .parse = tlsext_ecpf_client_parse, 1845 }, 1846 .server = { 1847 .needs = tlsext_ecpf_server_needs, 1848 .build = tlsext_ecpf_server_build, 1849 .parse = tlsext_ecpf_server_parse, 1850 }, 1851 }, 1852 { 1853 .type = TLSEXT_TYPE_supported_groups, 1854 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1855 .client = { 1856 .needs = tlsext_supportedgroups_client_needs, 1857 .build = tlsext_supportedgroups_client_build, 1858 .parse = tlsext_supportedgroups_client_parse, 1859 }, 1860 .server = { 1861 .needs = tlsext_supportedgroups_server_needs, 1862 .build = tlsext_supportedgroups_server_build, 1863 .parse = tlsext_supportedgroups_server_parse, 1864 }, 1865 }, 1866 { 1867 .type = TLSEXT_TYPE_session_ticket, 1868 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, 1869 .client = { 1870 .needs = tlsext_sessionticket_client_needs, 1871 .build = tlsext_sessionticket_client_build, 1872 .parse = tlsext_sessionticket_client_parse, 1873 }, 1874 .server = { 1875 .needs = tlsext_sessionticket_server_needs, 1876 .build = tlsext_sessionticket_server_build, 1877 .parse = tlsext_sessionticket_server_parse, 1878 }, 1879 }, 1880 { 1881 .type = TLSEXT_TYPE_signature_algorithms, 1882 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, 1883 .client = { 1884 .needs = tlsext_sigalgs_client_needs, 1885 .build = tlsext_sigalgs_client_build, 1886 .parse = tlsext_sigalgs_client_parse, 1887 }, 1888 .server = { 1889 .needs = tlsext_sigalgs_server_needs, 1890 .build = tlsext_sigalgs_server_build, 1891 .parse = tlsext_sigalgs_server_parse, 1892 }, 1893 }, 1894 { 1895 .type = TLSEXT_TYPE_application_layer_protocol_negotiation, 1896 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, 1897 .client = { 1898 .needs = tlsext_alpn_client_needs, 1899 .build = tlsext_alpn_client_build, 1900 .parse = tlsext_alpn_client_parse, 1901 }, 1902 .server = { 1903 .needs = tlsext_alpn_server_needs, 1904 .build = tlsext_alpn_server_build, 1905 .parse = tlsext_alpn_server_parse, 1906 }, 1907 }, 1908 { 1909 .type = TLSEXT_TYPE_cookie, 1910 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, 1911 .client = { 1912 .needs = tlsext_cookie_client_needs, 1913 .build = tlsext_cookie_client_build, 1914 .parse = tlsext_cookie_client_parse, 1915 }, 1916 .server = { 1917 .needs = tlsext_cookie_server_needs, 1918 .build = tlsext_cookie_server_build, 1919 .parse = tlsext_cookie_server_parse, 1920 }, 1921 }, 1922 #ifndef OPENSSL_NO_SRTP 1923 { 1924 .type = TLSEXT_TYPE_use_srtp, 1925 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | 1926 SSL_TLSEXT_MSG_EE, 1927 .client = { 1928 .needs = tlsext_srtp_client_needs, 1929 .build = tlsext_srtp_client_build, 1930 .parse = tlsext_srtp_client_parse, 1931 }, 1932 .server = { 1933 .needs = tlsext_srtp_server_needs, 1934 .build = tlsext_srtp_server_build, 1935 .parse = tlsext_srtp_server_parse, 1936 }, 1937 } 1938 #endif /* OPENSSL_NO_SRTP */ 1939 }; 1940 1941 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) 1942 1943 /* Ensure that extensions fit in a uint32_t bitmask. */ 1944 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1945 1946 const struct tls_extension * 1947 tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 1948 { 1949 size_t i; 1950 1951 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1952 if (tls_extensions[i].type == type) { 1953 *tls_extensions_idx = i; 1954 return &tls_extensions[i]; 1955 } 1956 } 1957 1958 return NULL; 1959 } 1960 1961 int 1962 tlsext_extension_seen(SSL *s, uint16_t type) 1963 { 1964 size_t idx; 1965 1966 if (tls_extension_find(type, &idx) == NULL) 1967 return 0; 1968 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); 1969 } 1970 1971 static const struct tls_extension_funcs * 1972 tlsext_funcs(const struct tls_extension *tlsext, int is_server) 1973 { 1974 if (is_server) 1975 return &tlsext->server; 1976 1977 return &tlsext->client; 1978 } 1979 1980 static int 1981 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) 1982 { 1983 const struct tls_extension_funcs *ext; 1984 const struct tls_extension *tlsext; 1985 CBB extensions, extension_data; 1986 int extensions_present = 0; 1987 uint16_t tls_version; 1988 size_t i; 1989 1990 tls_version = ssl_effective_tls_version(s); 1991 1992 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 1993 return 0; 1994 1995 for (i = 0; i < N_TLS_EXTENSIONS; i++) { 1996 tlsext = &tls_extensions[i]; 1997 ext = tlsext_funcs(tlsext, is_server); 1998 1999 /* RFC 8446 Section 4.2 */ 2000 if (tls_version >= TLS1_3_VERSION && 2001 !(tlsext->messages & msg_type)) 2002 continue; 2003 2004 if (!ext->needs(s, msg_type)) 2005 continue; 2006 2007 if (!CBB_add_u16(&extensions, tlsext->type)) 2008 return 0; 2009 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) 2010 return 0; 2011 2012 if (!ext->build(s, msg_type, &extension_data)) 2013 return 0; 2014 2015 extensions_present = 1; 2016 } 2017 2018 if (!extensions_present && 2019 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) 2020 CBB_discard_child(cbb); 2021 2022 if (!CBB_flush(cbb)) 2023 return 0; 2024 2025 return 1; 2026 } 2027 2028 int 2029 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) 2030 { 2031 /* 2032 * RFC 8446 4.1.2. For subsequent CH, early data will be removed, 2033 * cookie may be added, padding may be removed. 2034 */ 2035 struct tls13_ctx *ctx = s->internal->tls13; 2036 2037 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || 2038 type == TLSEXT_TYPE_padding) 2039 return 1; 2040 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, 2041 sizeof(type))) 2042 return 0; 2043 /* 2044 * key_share data may be changed, and pre_shared_key data may 2045 * be changed 2046 */ 2047 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) 2048 return 1; 2049 if (!tls13_clienthello_hash_update(ctx, cbs)) 2050 return 0; 2051 2052 return 1; 2053 } 2054 2055 static int 2056 tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) 2057 { 2058 const struct tls_extension_funcs *ext; 2059 const struct tls_extension *tlsext; 2060 CBS extensions, extension_data; 2061 uint16_t type; 2062 size_t idx; 2063 uint16_t tls_version; 2064 int alert_desc; 2065 2066 tls_version = ssl_effective_tls_version(s); 2067 2068 S3I(s)->hs.extensions_seen = 0; 2069 2070 /* An empty extensions block is valid. */ 2071 if (CBS_len(cbs) == 0) 2072 return 1; 2073 2074 alert_desc = SSL_AD_DECODE_ERROR; 2075 2076 if (!CBS_get_u16_length_prefixed(cbs, &extensions)) 2077 goto err; 2078 2079 while (CBS_len(&extensions) > 0) { 2080 if (!CBS_get_u16(&extensions, &type)) 2081 goto err; 2082 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 2083 goto err; 2084 2085 if (s->internal->tlsext_debug_cb != NULL) 2086 s->internal->tlsext_debug_cb(s, !is_server, type, 2087 (unsigned char *)CBS_data(&extension_data), 2088 CBS_len(&extension_data), 2089 s->internal->tlsext_debug_arg); 2090 2091 /* Unknown extensions are ignored. */ 2092 if ((tlsext = tls_extension_find(type, &idx)) == NULL) 2093 continue; 2094 2095 if (tls_version >= TLS1_3_VERSION && is_server && 2096 msg_type == SSL_TLSEXT_MSG_CH) { 2097 if (!tlsext_clienthello_hash_extension(s, type, 2098 &extension_data)) 2099 goto err; 2100 } 2101 2102 /* RFC 8446 Section 4.2 */ 2103 if (tls_version >= TLS1_3_VERSION && 2104 !(tlsext->messages & msg_type)) { 2105 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2106 goto err; 2107 } 2108 2109 /* Check for duplicate known extensions. */ 2110 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 2111 goto err; 2112 S3I(s)->hs.extensions_seen |= (1 << idx); 2113 2114 ext = tlsext_funcs(tlsext, is_server); 2115 if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) 2116 goto err; 2117 2118 if (CBS_len(&extension_data) != 0) 2119 goto err; 2120 } 2121 2122 return 1; 2123 2124 err: 2125 *alert = alert_desc; 2126 2127 return 0; 2128 } 2129 2130 static void 2131 tlsext_server_reset_state(SSL *s) 2132 { 2133 s->tlsext_status_type = -1; 2134 S3I(s)->renegotiate_seen = 0; 2135 free(S3I(s)->alpn_selected); 2136 S3I(s)->alpn_selected = NULL; 2137 S3I(s)->alpn_selected_len = 0; 2138 s->internal->srtp_profile = NULL; 2139 } 2140 2141 int 2142 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 2143 { 2144 return tlsext_build(s, 1, msg_type, cbb); 2145 } 2146 2147 int 2148 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2149 { 2150 /* XXX - this should be done by the caller... */ 2151 if (msg_type == SSL_TLSEXT_MSG_CH) 2152 tlsext_server_reset_state(s); 2153 2154 return tlsext_parse(s, 1, msg_type, cbs, alert); 2155 } 2156 2157 static void 2158 tlsext_client_reset_state(SSL *s) 2159 { 2160 S3I(s)->renegotiate_seen = 0; 2161 free(S3I(s)->alpn_selected); 2162 S3I(s)->alpn_selected = NULL; 2163 S3I(s)->alpn_selected_len = 0; 2164 } 2165 2166 int 2167 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) 2168 { 2169 return tlsext_build(s, 0, msg_type, cbb); 2170 } 2171 2172 int 2173 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 2174 { 2175 /* XXX - this should be done by the caller... */ 2176 if (msg_type == SSL_TLSEXT_MSG_SH) 2177 tlsext_client_reset_state(s); 2178 2179 return tlsext_parse(s, 0, msg_type, cbs, alert); 2180 } 2181