summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_tlsext.c
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2022-05-04 18:02:08 +0000
committercvs2svn <admin@example.com>2022-05-04 18:02:08 +0000
commit3c94dc45dfb15483d76c47a128ec352cc0b655ac (patch)
treea7cfb4512c784e9518f1b1c2f4009295b8766ef4 /src/lib/libssl/ssl_tlsext.c
parentf32cca700e59c0fd1ddd8f1fd4b35a5401be28fe (diff)
downloadopenbsd-tb_20220504.tar.gz
openbsd-tb_20220504.tar.bz2
openbsd-tb_20220504.zip
This commit was manufactured by cvs2git to create tag 'tb_20220504'.tb_20220504
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl_tlsext.c2264
1 files changed, 0 insertions, 2264 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
deleted file mode 100644
index f93f44ceba..0000000000
--- a/src/lib/libssl/ssl_tlsext.c
+++ /dev/null
@@ -1,2264 +0,0 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.110 2022/02/05 14:54:10 jsing Exp $ */
2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <sys/socket.h>
21
22#include <arpa/inet.h>
23#include <netinet/in.h>
24
25#include <ctype.h>
26
27#include <openssl/ocsp.h>
28#include <openssl/opensslconf.h>
29
30#include "bytestring.h"
31#include "ssl_locl.h"
32#include "ssl_sigalgs.h"
33#include "ssl_tlsext.h"
34
35/*
36 * Supported Application-Layer Protocol Negotiation - RFC 7301
37 */
38
39int
40tlsext_alpn_client_needs(SSL *s, uint16_t msg_type)
41{
42 /* ALPN protos have been specified and this is the initial handshake */
43 return s->internal->alpn_client_proto_list != NULL &&
44 s->s3->hs.finished_len == 0;
45}
46
47int
48tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
49{
50 CBB protolist;
51
52 if (!CBB_add_u16_length_prefixed(cbb, &protolist))
53 return 0;
54
55 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list,
56 s->internal->alpn_client_proto_list_len))
57 return 0;
58
59 if (!CBB_flush(cbb))
60 return 0;
61
62 return 1;
63}
64
65int
66tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
67{
68 CBS proto_name_list, alpn;
69 const unsigned char *selected;
70 unsigned char selected_len;
71 int r;
72
73 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
74 goto err;
75 if (CBS_len(&alpn) < 2)
76 goto err;
77 if (CBS_len(cbs) != 0)
78 goto err;
79
80 CBS_dup(&alpn, &proto_name_list);
81 while (CBS_len(&proto_name_list) > 0) {
82 CBS proto_name;
83
84 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
85 goto err;
86 if (CBS_len(&proto_name) == 0)
87 goto err;
88 }
89
90 if (s->ctx->internal->alpn_select_cb == NULL)
91 return 1;
92
93 /*
94 * XXX - A few things should be considered here:
95 * 1. Ensure that the same protocol is selected on session resumption.
96 * 2. Should the callback be called even if no ALPN extension was sent?
97 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed.
98 */
99 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
100 CBS_data(&alpn), CBS_len(&alpn),
101 s->ctx->internal->alpn_select_cb_arg);
102
103 if (r == SSL_TLSEXT_ERR_OK) {
104 free(s->s3->alpn_selected);
105 if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) {
106 s->s3->alpn_selected_len = 0;
107 *alert = SSL_AD_INTERNAL_ERROR;
108 return 0;
109 }
110 memcpy(s->s3->alpn_selected, selected, selected_len);
111 s->s3->alpn_selected_len = selected_len;
112
113 return 1;
114 }
115
116 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */
117 if (r == SSL_TLSEXT_ERR_NOACK)
118 return 1;
119
120 *alert = SSL_AD_NO_APPLICATION_PROTOCOL;
121 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL);
122
123 return 0;
124
125 err:
126 *alert = SSL_AD_DECODE_ERROR;
127 return 0;
128}
129
130int
131tlsext_alpn_server_needs(SSL *s, uint16_t msg_type)
132{
133 return s->s3->alpn_selected != NULL;
134}
135
136int
137tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
138{
139 CBB list, selected;
140
141 if (!CBB_add_u16_length_prefixed(cbb, &list))
142 return 0;
143
144 if (!CBB_add_u8_length_prefixed(&list, &selected))
145 return 0;
146
147 if (!CBB_add_bytes(&selected, s->s3->alpn_selected,
148 s->s3->alpn_selected_len))
149 return 0;
150
151 if (!CBB_flush(cbb))
152 return 0;
153
154 return 1;
155}
156
157int
158tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
159{
160 CBS list, proto;
161
162 if (s->internal->alpn_client_proto_list == NULL) {
163 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
164 return 0;
165 }
166
167 if (!CBS_get_u16_length_prefixed(cbs, &list))
168 goto err;
169 if (CBS_len(cbs) != 0)
170 goto err;
171
172 if (!CBS_get_u8_length_prefixed(&list, &proto))
173 goto err;
174
175 if (CBS_len(&list) != 0)
176 goto err;
177 if (CBS_len(&proto) == 0)
178 goto err;
179
180 if (!CBS_stow(&proto, &(s->s3->alpn_selected),
181 &(s->s3->alpn_selected_len)))
182 goto err;
183
184 return 1;
185
186 err:
187 *alert = SSL_AD_DECODE_ERROR;
188 return 0;
189}
190
191/*
192 * Supported Groups - RFC 7919 section 2
193 */
194int
195tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type)
196{
197 return ssl_has_ecc_ciphers(s) ||
198 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
199}
200
201int
202tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
203{
204 const uint16_t *groups;
205 size_t groups_len;
206 CBB grouplist;
207 int i;
208
209 tls1_get_group_list(s, 0, &groups, &groups_len);
210 if (groups_len == 0) {
211 SSLerror(s, ERR_R_INTERNAL_ERROR);
212 return 0;
213 }
214
215 if (!CBB_add_u16_length_prefixed(cbb, &grouplist))
216 return 0;
217
218 for (i = 0; i < groups_len; i++) {
219 if (!CBB_add_u16(&grouplist, groups[i]))
220 return 0;
221 }
222
223 if (!CBB_flush(cbb))
224 return 0;
225
226 return 1;
227}
228
229int
230tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
231 int *alert)
232{
233 CBS grouplist;
234 size_t groups_len;
235
236 if (!CBS_get_u16_length_prefixed(cbs, &grouplist))
237 goto err;
238 if (CBS_len(cbs) != 0)
239 goto err;
240
241 groups_len = CBS_len(&grouplist);
242 if (groups_len == 0 || groups_len % 2 != 0)
243 goto err;
244 groups_len /= 2;
245
246 if (!s->internal->hit) {
247 uint16_t *groups;
248 int i;
249
250 if (s->s3->hs.tls13.hrr) {
251 if (s->session->tlsext_supportedgroups == NULL) {
252 *alert = SSL_AD_HANDSHAKE_FAILURE;
253 return 0;
254 }
255 /*
256 * In the case of TLSv1.3 the client cannot change
257 * the supported groups.
258 */
259 if (groups_len != s->session->tlsext_supportedgroups_length) {
260 *alert = SSL_AD_ILLEGAL_PARAMETER;
261 return 0;
262 }
263 for (i = 0; i < groups_len; i++) {
264 uint16_t group;
265
266 if (!CBS_get_u16(&grouplist, &group))
267 goto err;
268 if (s->session->tlsext_supportedgroups[i] != group) {
269 *alert = SSL_AD_ILLEGAL_PARAMETER;
270 return 0;
271 }
272 }
273
274 return 1;
275 }
276
277 if (s->session->tlsext_supportedgroups != NULL)
278 goto err;
279
280 if ((groups = reallocarray(NULL, groups_len,
281 sizeof(uint16_t))) == NULL) {
282 *alert = SSL_AD_INTERNAL_ERROR;
283 return 0;
284 }
285
286 for (i = 0; i < groups_len; i++) {
287 if (!CBS_get_u16(&grouplist, &groups[i])) {
288 free(groups);
289 goto err;
290 }
291 }
292
293 if (CBS_len(&grouplist) != 0) {
294 free(groups);
295 goto err;
296 }
297
298 s->session->tlsext_supportedgroups = groups;
299 s->session->tlsext_supportedgroups_length = groups_len;
300 }
301
302 return 1;
303
304 err:
305 *alert = SSL_AD_DECODE_ERROR;
306 return 0;
307}
308
309/* This extension is never used by the server. */
310int
311tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type)
312{
313 return 0;
314}
315
316int
317tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
318{
319 return 0;
320}
321
322int
323tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
324 int *alert)
325{
326 /*
327 * Servers should not send this extension per the RFC.
328 *
329 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
330 * from at least 2014 but as of 2017, there are still large sites with
331 * this unpatched in production. As a result, we need to currently skip
332 * over the extension and ignore its content:
333 *
334 * https://support.f5.com/csp/article/K37345003
335 */
336 if (!CBS_skip(cbs, CBS_len(cbs))) {
337 *alert = SSL_AD_INTERNAL_ERROR;
338 return 0;
339 }
340
341 return 1;
342}
343
344/*
345 * Supported Point Formats Extension - RFC 4492 section 5.1.2
346 */
347static int
348tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb)
349{
350 CBB ecpf;
351 size_t formats_len;
352 const uint8_t *formats;
353
354 tls1_get_formatlist(s, 0, &formats, &formats_len);
355
356 if (formats_len == 0) {
357 SSLerror(s, ERR_R_INTERNAL_ERROR);
358 return 0;
359 }
360
361 if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
362 return 0;
363 if (!CBB_add_bytes(&ecpf, formats, formats_len))
364 return 0;
365 if (!CBB_flush(cbb))
366 return 0;
367
368 return 1;
369}
370
371static int
372tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
373{
374 CBS ecpf;
375
376 if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
377 return 0;
378 if (CBS_len(&ecpf) == 0)
379 return 0;
380 if (CBS_len(cbs) != 0)
381 return 0;
382
383 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
384 if (!CBS_contains_zero_byte(&ecpf)) {
385 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
386 *alert = SSL_AD_ILLEGAL_PARAMETER;
387 return 0;
388 }
389
390 if (!s->internal->hit) {
391 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist),
392 &(s->session->tlsext_ecpointformatlist_length))) {
393 *alert = SSL_AD_INTERNAL_ERROR;
394 return 0;
395 }
396 }
397
398 return 1;
399}
400
401int
402tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type)
403{
404 return ssl_has_ecc_ciphers(s);
405}
406
407int
408tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
409{
410 return tlsext_ecpf_build(s, msg_type, cbb);
411}
412
413int
414tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
415{
416 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
417}
418
419int
420tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type)
421{
422 return ssl_using_ecc_cipher(s);
423}
424
425int
426tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
427{
428 return tlsext_ecpf_build(s, msg_type, cbb);
429}
430
431int
432tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
433{
434 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
435}
436
437/*
438 * Renegotiation Indication - RFC 5746.
439 */
440int
441tlsext_ri_client_needs(SSL *s, uint16_t msg_type)
442{
443 return (s->internal->renegotiate);
444}
445
446int
447tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
448{
449 CBB reneg;
450
451 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
452 return 0;
453 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
454 s->s3->previous_client_finished_len))
455 return 0;
456 if (!CBB_flush(cbb))
457 return 0;
458
459 return 1;
460}
461
462int
463tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
464{
465 CBS reneg;
466
467 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
468 goto err;
469 if (CBS_len(cbs) != 0)
470 goto err;
471
472 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished,
473 s->s3->previous_client_finished_len)) {
474 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
475 *alert = SSL_AD_HANDSHAKE_FAILURE;
476 return 0;
477 }
478
479 s->s3->renegotiate_seen = 1;
480 s->s3->send_connection_binding = 1;
481
482 return 1;
483
484 err:
485 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
486 *alert = SSL_AD_DECODE_ERROR;
487 return 0;
488}
489
490int
491tlsext_ri_server_needs(SSL *s, uint16_t msg_type)
492{
493 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
494 s->s3->send_connection_binding);
495}
496
497int
498tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
499{
500 CBB reneg;
501
502 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
503 return 0;
504 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
505 s->s3->previous_client_finished_len))
506 return 0;
507 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished,
508 s->s3->previous_server_finished_len))
509 return 0;
510 if (!CBB_flush(cbb))
511 return 0;
512
513 return 1;
514}
515
516int
517tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
518{
519 CBS reneg, prev_client, prev_server;
520
521 /*
522 * Ensure that the previous client and server values are both not
523 * present, or that they are both present.
524 */
525 if ((s->s3->previous_client_finished_len == 0 &&
526 s->s3->previous_server_finished_len != 0) ||
527 (s->s3->previous_client_finished_len != 0 &&
528 s->s3->previous_server_finished_len == 0)) {
529 *alert = SSL_AD_INTERNAL_ERROR;
530 return 0;
531 }
532
533 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
534 goto err;
535 if (!CBS_get_bytes(&reneg, &prev_client,
536 s->s3->previous_client_finished_len))
537 goto err;
538 if (!CBS_get_bytes(&reneg, &prev_server,
539 s->s3->previous_server_finished_len))
540 goto err;
541 if (CBS_len(&reneg) != 0)
542 goto err;
543 if (CBS_len(cbs) != 0)
544 goto err;
545
546 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished,
547 s->s3->previous_client_finished_len)) {
548 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
549 *alert = SSL_AD_HANDSHAKE_FAILURE;
550 return 0;
551 }
552 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished,
553 s->s3->previous_server_finished_len)) {
554 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
555 *alert = SSL_AD_HANDSHAKE_FAILURE;
556 return 0;
557 }
558
559 s->s3->renegotiate_seen = 1;
560 s->s3->send_connection_binding = 1;
561
562 return 1;
563
564 err:
565 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
566 *alert = SSL_AD_DECODE_ERROR;
567 return 0;
568}
569
570/*
571 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
572 */
573int
574tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
575{
576 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION);
577}
578
579int
580tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
581{
582 uint16_t tls_version = s->s3->hs.negotiated_tls_version;
583 CBB sigalgs;
584
585 if (msg_type == SSL_TLSEXT_MSG_CH)
586 tls_version = s->s3->hs.our_min_tls_version;
587
588 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
589 return 0;
590 if (!ssl_sigalgs_build(tls_version, &sigalgs))
591 return 0;
592 if (!CBB_flush(cbb))
593 return 0;
594
595 return 1;
596}
597
598int
599tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
600{
601 CBS sigalgs;
602
603 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
604 return 0;
605 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
606 return 0;
607 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
608 return 0;
609
610 return 1;
611}
612
613int
614tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
615{
616 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
617}
618
619int
620tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
621{
622 CBB sigalgs;
623
624 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
625 return 0;
626 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs))
627 return 0;
628 if (!CBB_flush(cbb))
629 return 0;
630
631 return 1;
632}
633
634int
635tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
636{
637 CBS sigalgs;
638
639 if (ssl_effective_tls_version(s) < TLS1_3_VERSION)
640 return 0;
641
642 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
643 return 0;
644 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
645 return 0;
646 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
647 return 0;
648
649 return 1;
650}
651
652/*
653 * Server Name Indication - RFC 6066, section 3.
654 */
655int
656tlsext_sni_client_needs(SSL *s, uint16_t msg_type)
657{
658 return (s->tlsext_hostname != NULL);
659}
660
661int
662tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
663{
664 CBB server_name_list, host_name;
665
666 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
667 return 0;
668 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name))
669 return 0;
670 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
671 return 0;
672 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
673 strlen(s->tlsext_hostname)))
674 return 0;
675 if (!CBB_flush(cbb))
676 return 0;
677
678 return 1;
679}
680
681static int
682tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip)
683{
684 union {
685 struct in_addr ip4;
686 struct in6_addr ip6;
687 } addrbuf;
688 char *hostname = NULL;
689
690 *is_ip = 0;
691
692 if (!CBS_strdup(cbs, &hostname))
693 return 0;
694
695 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 ||
696 inet_pton(AF_INET6, hostname, &addrbuf) == 1)
697 *is_ip = 1;
698
699 free(hostname);
700
701 return 1;
702}
703
704/*
705 * Validate that the CBS contains only a hostname consisting of RFC 5890
706 * compliant A-labels (see RFC 6066 section 3). Not a complete check
707 * since we don't parse punycode to verify its validity but limits to
708 * correct structure and character set.
709 */
710int
711tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip)
712{
713 uint8_t prev, c = 0;
714 int component = 0;
715 CBS hostname;
716
717 *is_ip = 0;
718
719 CBS_dup(cbs, &hostname);
720
721 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name)
722 return 0;
723
724 /* An IP literal is invalid as a host name (RFC 6066 section 3). */
725 if (!tlsext_sni_is_ip_literal(&hostname, is_ip))
726 return 0;
727 if (*is_ip)
728 return 0;
729
730 while (CBS_len(&hostname) > 0) {
731 prev = c;
732 if (!CBS_get_u8(&hostname, &c))
733 return 0;
734 /* Everything has to be ASCII, with no NUL byte. */
735 if (!isascii(c) || c == '\0')
736 return 0;
737 /* It must be alphanumeric, a '-', or a '.' */
738 if (!isalnum(c) && c != '-' && c != '.')
739 return 0;
740 /* '-' and '.' must not start a component or be at the end. */
741 if (component == 0 || CBS_len(&hostname) == 0) {
742 if (c == '-' || c == '.')
743 return 0;
744 }
745 if (c == '.') {
746 /* Components can not end with a dash. */
747 if (prev == '-')
748 return 0;
749 /* Start new component */
750 component = 0;
751 continue;
752 }
753 /* Components must be 63 chars or less. */
754 if (++component > 63)
755 return 0;
756 }
757
758 return 1;
759}
760
761int
762tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
763{
764 CBS server_name_list, host_name;
765 uint8_t name_type;
766 int is_ip;
767
768 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
769 goto err;
770
771 if (!CBS_get_u8(&server_name_list, &name_type))
772 goto err;
773
774 /*
775 * RFC 6066 section 3, only one type (host_name) is specified.
776 * We do not tolerate unknown types, neither does BoringSSL.
777 * other implementations appear more tolerant.
778 */
779 if (name_type != TLSEXT_NAMETYPE_host_name) {
780 *alert = SSL_AD_ILLEGAL_PARAMETER;
781 goto err;
782 }
783
784 /*
785 * RFC 6066 section 3 specifies a host name must be at least 1 byte
786 * so 0 length is a decode error.
787 */
788 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
789 goto err;
790 if (CBS_len(&host_name) < 1)
791 goto err;
792
793 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) {
794 /*
795 * Various pieces of software have been known to set the SNI
796 * host name to an IP address, even though that violates the
797 * RFC. If this is the case, pretend the SNI extension does
798 * not exist.
799 */
800 if (is_ip)
801 goto done;
802
803 *alert = SSL_AD_ILLEGAL_PARAMETER;
804 goto err;
805 }
806
807 if (s->internal->hit || s->s3->hs.tls13.hrr) {
808 if (s->session->tlsext_hostname == NULL) {
809 *alert = SSL_AD_UNRECOGNIZED_NAME;
810 goto err;
811 }
812 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
813 strlen(s->session->tlsext_hostname))) {
814 *alert = SSL_AD_UNRECOGNIZED_NAME;
815 goto err;
816 }
817 } else {
818 if (s->session->tlsext_hostname != NULL)
819 goto err;
820 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
821 *alert = SSL_AD_INTERNAL_ERROR;
822 goto err;
823 }
824 }
825
826 done:
827 /*
828 * RFC 6066 section 3 forbids multiple host names with the same type,
829 * therefore we allow only one entry.
830 */
831 if (CBS_len(&server_name_list) != 0) {
832 *alert = SSL_AD_ILLEGAL_PARAMETER;
833 goto err;
834 }
835 if (CBS_len(cbs) != 0)
836 goto err;
837
838 return 1;
839
840 err:
841 return 0;
842}
843
844int
845tlsext_sni_server_needs(SSL *s, uint16_t msg_type)
846{
847 if (s->internal->hit)
848 return 0;
849
850 return (s->session->tlsext_hostname != NULL);
851}
852
853int
854tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
855{
856 return 1;
857}
858
859int
860tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
861{
862 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
863 *alert = SSL_AD_UNRECOGNIZED_NAME;
864 return 0;
865 }
866
867 if (s->internal->hit) {
868 if (s->session->tlsext_hostname == NULL) {
869 *alert = SSL_AD_UNRECOGNIZED_NAME;
870 return 0;
871 }
872 if (strcmp(s->tlsext_hostname,
873 s->session->tlsext_hostname) != 0) {
874 *alert = SSL_AD_UNRECOGNIZED_NAME;
875 return 0;
876 }
877 } else {
878 if (s->session->tlsext_hostname != NULL) {
879 *alert = SSL_AD_DECODE_ERROR;
880 return 0;
881 }
882 if ((s->session->tlsext_hostname =
883 strdup(s->tlsext_hostname)) == NULL) {
884 *alert = SSL_AD_INTERNAL_ERROR;
885 return 0;
886 }
887 }
888
889 return 1;
890}
891
892
893/*
894 * Certificate Status Request - RFC 6066 section 8.
895 */
896
897int
898tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
899{
900 if (msg_type != SSL_TLSEXT_MSG_CH)
901 return 0;
902
903 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp);
904}
905
906int
907tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
908{
909 CBB respid_list, respid, exts;
910 unsigned char *ext_data;
911 size_t ext_len;
912 int i;
913
914 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
915 return 0;
916 if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
917 return 0;
918 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
919 unsigned char *respid_data;
920 OCSP_RESPID *id;
921 size_t id_len;
922
923 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,
924 i)) == NULL)
925 return 0;
926 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
927 return 0;
928 if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
929 return 0;
930 if (!CBB_add_space(&respid, &respid_data, id_len))
931 return 0;
932 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
933 return 0;
934 }
935 if (!CBB_add_u16_length_prefixed(cbb, &exts))
936 return 0;
937 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
938 NULL)) == -1)
939 return 0;
940 if (!CBB_add_space(&exts, &ext_data, ext_len))
941 return 0;
942 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
943 ext_len))
944 return 0;
945 if (!CBB_flush(cbb))
946 return 0;
947 return 1;
948}
949
950int
951tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
952{
953 int alert_desc = SSL_AD_DECODE_ERROR;
954 CBS respid_list, respid, exts;
955 const unsigned char *p;
956 uint8_t status_type;
957 int ret = 0;
958
959 if (msg_type != SSL_TLSEXT_MSG_CH)
960 goto err;
961
962 if (!CBS_get_u8(cbs, &status_type))
963 goto err;
964 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
965 /* ignore unknown status types */
966 s->tlsext_status_type = -1;
967
968 if (!CBS_skip(cbs, CBS_len(cbs))) {
969 *alert = SSL_AD_INTERNAL_ERROR;
970 return 0;
971 }
972 return 1;
973 }
974 s->tlsext_status_type = status_type;
975 if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
976 goto err;
977
978 /* XXX */
979 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
980 s->internal->tlsext_ocsp_ids = NULL;
981 if (CBS_len(&respid_list) > 0) {
982 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
983 if (s->internal->tlsext_ocsp_ids == NULL) {
984 alert_desc = SSL_AD_INTERNAL_ERROR;
985 goto err;
986 }
987 }
988
989 while (CBS_len(&respid_list) > 0) {
990 OCSP_RESPID *id;
991
992 if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
993 goto err;
994 p = CBS_data(&respid);
995 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL)
996 goto err;
997 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) {
998 alert_desc = SSL_AD_INTERNAL_ERROR;
999 OCSP_RESPID_free(id);
1000 goto err;
1001 }
1002 }
1003
1004 /* Read in request_extensions */
1005 if (!CBS_get_u16_length_prefixed(cbs, &exts))
1006 goto err;
1007 if (CBS_len(&exts) > 0) {
1008 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
1009 X509_EXTENSION_free);
1010 p = CBS_data(&exts);
1011 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
1012 &p, CBS_len(&exts))) == NULL)
1013 goto err;
1014 }
1015
1016 /* should be nothing left */
1017 if (CBS_len(cbs) > 0)
1018 goto err;
1019
1020 ret = 1;
1021 err:
1022 if (ret == 0)
1023 *alert = alert_desc;
1024 return ret;
1025}
1026
1027int
1028tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type)
1029{
1030 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1031 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
1032 s->ctx->internal->tlsext_status_cb != NULL) {
1033 s->internal->tlsext_status_expected = 0;
1034 if (s->ctx->internal->tlsext_status_cb(s,
1035 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
1036 s->internal->tlsext_ocsp_resp_len > 0)
1037 s->internal->tlsext_status_expected = 1;
1038 }
1039 return s->internal->tlsext_status_expected;
1040}
1041
1042int
1043tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1044{
1045 CBB ocsp_response;
1046
1047 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) {
1048 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
1049 return 0;
1050 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
1051 return 0;
1052 if (!CBB_add_bytes(&ocsp_response,
1053 s->internal->tlsext_ocsp_resp,
1054 s->internal->tlsext_ocsp_resp_len))
1055 return 0;
1056 if (!CBB_flush(cbb))
1057 return 0;
1058 }
1059 return 1;
1060}
1061
1062int
1063tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1064{
1065 uint8_t status_type;
1066 CBS response;
1067
1068 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) {
1069 if (msg_type == SSL_TLSEXT_MSG_CR) {
1070 /*
1071 * RFC 8446, 4.4.2.1 - the server may request an OCSP
1072 * response with an empty status_request.
1073 */
1074 if (CBS_len(cbs) == 0)
1075 return 1;
1076
1077 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1078 return 0;
1079 }
1080 if (!CBS_get_u8(cbs, &status_type)) {
1081 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1082 return 0;
1083 }
1084 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1085 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
1086 return 0;
1087 }
1088 if (!CBS_get_u24_length_prefixed(cbs, &response)) {
1089 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1090 return 0;
1091 }
1092 if (CBS_len(&response) > 65536) {
1093 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1094 return 0;
1095 }
1096 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
1097 &s->internal->tlsext_ocsp_resp_len)) {
1098 *alert = SSL_AD_INTERNAL_ERROR;
1099 return 0;
1100 }
1101 } else {
1102 if (s->tlsext_status_type == -1) {
1103 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1104 return 0;
1105 }
1106 /* Set flag to expect CertificateStatus message */
1107 s->internal->tlsext_status_expected = 1;
1108 }
1109 return 1;
1110}
1111
1112/*
1113 * SessionTicket extension - RFC 5077 section 3.2
1114 */
1115int
1116tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
1117{
1118 /*
1119 * Send session ticket extension when enabled and not overridden.
1120 *
1121 * When renegotiating, send an empty session ticket to indicate support.
1122 */
1123 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
1124 return 0;
1125
1126 if (s->internal->new_session)
1127 return 1;
1128
1129 if (s->internal->tlsext_session_ticket != NULL &&
1130 s->internal->tlsext_session_ticket->data == NULL)
1131 return 0;
1132
1133 return 1;
1134}
1135
1136int
1137tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1138{
1139 /*
1140 * Signal that we support session tickets by sending an empty
1141 * extension when renegotiating or no session found.
1142 */
1143 if (s->internal->new_session || s->session == NULL)
1144 return 1;
1145
1146 if (s->session->tlsext_tick != NULL) {
1147 /* Attempt to resume with an existing session ticket */
1148 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1149 s->session->tlsext_ticklen))
1150 return 0;
1151
1152 } else if (s->internal->tlsext_session_ticket != NULL) {
1153 /*
1154 * Attempt to resume with a custom provided session ticket set
1155 * by SSL_set_session_ticket_ext().
1156 */
1157 if (s->internal->tlsext_session_ticket->length > 0) {
1158 size_t ticklen = s->internal->tlsext_session_ticket->length;
1159
1160 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL)
1161 return 0;
1162 memcpy(s->session->tlsext_tick,
1163 s->internal->tlsext_session_ticket->data,
1164 ticklen);
1165 s->session->tlsext_ticklen = ticklen;
1166
1167 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1168 s->session->tlsext_ticklen))
1169 return 0;
1170 }
1171 }
1172
1173 if (!CBB_flush(cbb))
1174 return 0;
1175
1176 return 1;
1177}
1178
1179int
1180tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1181 int *alert)
1182{
1183 if (s->internal->tls_session_ticket_ext_cb) {
1184 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1185 (int)CBS_len(cbs),
1186 s->internal->tls_session_ticket_ext_cb_arg)) {
1187 *alert = SSL_AD_INTERNAL_ERROR;
1188 return 0;
1189 }
1190 }
1191
1192 /* We need to signal that this was processed fully */
1193 if (!CBS_skip(cbs, CBS_len(cbs))) {
1194 *alert = SSL_AD_INTERNAL_ERROR;
1195 return 0;
1196 }
1197
1198 return 1;
1199}
1200
1201int
1202tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
1203{
1204 return (s->internal->tlsext_ticket_expected &&
1205 !(SSL_get_options(s) & SSL_OP_NO_TICKET));
1206}
1207
1208int
1209tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1210{
1211 /* Empty ticket */
1212 return 1;
1213}
1214
1215int
1216tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1217 int *alert)
1218{
1219 if (s->internal->tls_session_ticket_ext_cb) {
1220 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1221 (int)CBS_len(cbs),
1222 s->internal->tls_session_ticket_ext_cb_arg)) {
1223 *alert = SSL_AD_INTERNAL_ERROR;
1224 return 0;
1225 }
1226 }
1227
1228 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
1229 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1230 return 0;
1231 }
1232
1233 s->internal->tlsext_ticket_expected = 1;
1234
1235 return 1;
1236}
1237
1238/*
1239 * DTLS extension for SRTP key establishment - RFC 5764
1240 */
1241
1242#ifndef OPENSSL_NO_SRTP
1243
1244int
1245tlsext_srtp_client_needs(SSL *s, uint16_t msg_type)
1246{
1247 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL;
1248}
1249
1250int
1251tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1252{
1253 CBB profiles, mki;
1254 int ct, i;
1255 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL;
1256 const SRTP_PROTECTION_PROFILE *prof;
1257
1258 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1259 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1260 return 0;
1261 }
1262
1263 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) {
1264 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1265 return 0;
1266 }
1267
1268 if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1269 return 0;
1270
1271 for (i = 0; i < ct; i++) {
1272 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL)
1273 return 0;
1274 if (!CBB_add_u16(&profiles, prof->id))
1275 return 0;
1276 }
1277
1278 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1279 return 0;
1280
1281 if (!CBB_flush(cbb))
1282 return 0;
1283
1284 return 1;
1285}
1286
1287int
1288tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1289{
1290 const SRTP_PROTECTION_PROFILE *cprof, *sprof;
1291 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
1292 int i, j;
1293 int ret;
1294 uint16_t id;
1295 CBS profiles, mki;
1296
1297 ret = 0;
1298
1299 if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1300 goto err;
1301 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1302 goto err;
1303
1304 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL)
1305 goto err;
1306
1307 while (CBS_len(&profiles) > 0) {
1308 if (!CBS_get_u16(&profiles, &id))
1309 goto err;
1310
1311 if (!srtp_find_profile_by_num(id, &cprof)) {
1312 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof))
1313 goto err;
1314 }
1315 }
1316
1317 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1318 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1319 *alert = SSL_AD_DECODE_ERROR;
1320 goto done;
1321 }
1322 if (CBS_len(cbs) != 0)
1323 goto err;
1324
1325 /*
1326 * Per RFC 5764 section 4.1.1
1327 *
1328 * Find the server preferred profile using the client's list.
1329 *
1330 * The server MUST send a profile if it sends the use_srtp
1331 * extension. If one is not found, it should fall back to the
1332 * negotiated DTLS cipher suite or return a DTLS alert.
1333 */
1334 if ((srvr = SSL_get_srtp_profiles(s)) == NULL)
1335 goto err;
1336 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
1337 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i))
1338 == NULL)
1339 goto err;
1340
1341 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
1342 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j))
1343 == NULL)
1344 goto err;
1345
1346 if (cprof->id == sprof->id) {
1347 s->internal->srtp_profile = sprof;
1348 ret = 1;
1349 goto done;
1350 }
1351 }
1352 }
1353
1354 /* If we didn't find anything, fall back to the negotiated */
1355 ret = 1;
1356 goto done;
1357
1358 err:
1359 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1360 *alert = SSL_AD_DECODE_ERROR;
1361
1362 done:
1363 sk_SRTP_PROTECTION_PROFILE_free(clnt);
1364 return ret;
1365}
1366
1367int
1368tlsext_srtp_server_needs(SSL *s, uint16_t msg_type)
1369{
1370 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL;
1371}
1372
1373int
1374tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1375{
1376 SRTP_PROTECTION_PROFILE *profile;
1377 CBB srtp, mki;
1378
1379 if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1380 return 0;
1381
1382 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL)
1383 return 0;
1384
1385 if (!CBB_add_u16(&srtp, profile->id))
1386 return 0;
1387
1388 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1389 return 0;
1390
1391 if (!CBB_flush(cbb))
1392 return 0;
1393
1394 return 1;
1395}
1396
1397int
1398tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1399{
1400 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1401 const SRTP_PROTECTION_PROFILE *prof;
1402 int i;
1403 uint16_t id;
1404 CBS profile_ids, mki;
1405
1406 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1407 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1408 goto err;
1409 }
1410
1411 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1412 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1413 goto err;
1414 }
1415
1416 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1417 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1418 *alert = SSL_AD_ILLEGAL_PARAMETER;
1419 return 0;
1420 }
1421
1422 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1423 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1424 goto err;
1425 }
1426
1427 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1428 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i))
1429 == NULL) {
1430 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1431 goto err;
1432 }
1433
1434 if (prof->id == id) {
1435 s->internal->srtp_profile = prof;
1436 return 1;
1437 }
1438 }
1439
1440 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1441 err:
1442 *alert = SSL_AD_DECODE_ERROR;
1443 return 0;
1444}
1445
1446#endif /* OPENSSL_NO_SRTP */
1447
1448/*
1449 * TLSv1.3 Key Share - RFC 8446 section 4.2.8.
1450 */
1451int
1452tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1453{
1454 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1455}
1456
1457int
1458tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1459{
1460 CBB client_shares, key_exchange;
1461
1462 if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
1463 return 0;
1464
1465 if (!CBB_add_u16(&client_shares,
1466 tls_key_share_group(s->s3->hs.key_share)))
1467 return 0;
1468 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
1469 return 0;
1470 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1471 return 0;
1472
1473 if (!CBB_flush(cbb))
1474 return 0;
1475
1476 return 1;
1477}
1478
1479int
1480tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1481{
1482 CBS client_shares, key_exchange;
1483 int decode_error;
1484 uint16_t group;
1485
1486 if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1487 return 0;
1488
1489 while (CBS_len(&client_shares) > 0) {
1490
1491 /* Unpack client share. */
1492 if (!CBS_get_u16(&client_shares, &group))
1493 return 0;
1494 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1495 return 0;
1496
1497 /*
1498 * XXX - check key exchange against supported groups from client.
1499 * XXX - check that groups only appear once.
1500 */
1501
1502 /*
1503 * Ignore this client share if we're using earlier than TLSv1.3
1504 * or we've already selected a key share.
1505 */
1506 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION)
1507 continue;
1508 if (s->s3->hs.key_share != NULL)
1509 continue;
1510
1511 /* XXX - consider implementing server preference. */
1512 if (!tls1_check_curve(s, group))
1513 continue;
1514
1515 /* Decode and store the selected key share. */
1516 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) {
1517 *alert = SSL_AD_INTERNAL_ERROR;
1518 return 0;
1519 }
1520 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1521 &key_exchange, &decode_error, NULL)) {
1522 if (!decode_error)
1523 *alert = SSL_AD_INTERNAL_ERROR;
1524 return 0;
1525 }
1526 }
1527
1528 return 1;
1529}
1530
1531int
1532tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
1533{
1534 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1535 tlsext_extension_seen(s, TLSEXT_TYPE_key_share));
1536}
1537
1538int
1539tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1540{
1541 CBB key_exchange;
1542
1543 /* In the case of a HRR, we only send the server selected group. */
1544 if (s->s3->hs.tls13.hrr) {
1545 if (s->s3->hs.tls13.server_group == 0)
1546 return 0;
1547 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group);
1548 }
1549
1550 if (s->s3->hs.key_share == NULL)
1551 return 0;
1552
1553 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)))
1554 return 0;
1555 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
1556 return 0;
1557 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1558 return 0;
1559
1560 if (!CBB_flush(cbb))
1561 return 0;
1562
1563 return 1;
1564}
1565
1566int
1567tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1568{
1569 CBS key_exchange;
1570 int decode_error;
1571 uint16_t group;
1572
1573 /* Unpack server share. */
1574 if (!CBS_get_u16(cbs, &group))
1575 return 0;
1576
1577 if (CBS_len(cbs) == 0) {
1578 /* HRR does not include an actual key share, only the group. */
1579 if (msg_type != SSL_TLSEXT_MSG_HRR)
1580 return 0;
1581
1582 s->s3->hs.tls13.server_group = group;
1583 return 1;
1584 }
1585
1586 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1587 return 0;
1588
1589 if (s->s3->hs.key_share == NULL) {
1590 *alert = SSL_AD_INTERNAL_ERROR;
1591 return 0;
1592 }
1593 if (tls_key_share_group(s->s3->hs.key_share) != group) {
1594 *alert = SSL_AD_INTERNAL_ERROR;
1595 return 0;
1596 }
1597 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1598 &key_exchange, &decode_error, NULL)) {
1599 if (!decode_error)
1600 *alert = SSL_AD_INTERNAL_ERROR;
1601 return 0;
1602 }
1603
1604 return 1;
1605}
1606
1607/*
1608 * Supported Versions - RFC 8446 section 4.2.1.
1609 */
1610int
1611tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
1612{
1613 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1614}
1615
1616int
1617tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1618{
1619 uint16_t max, min;
1620 uint16_t version;
1621 CBB versions;
1622
1623 max = s->s3->hs.our_max_tls_version;
1624 min = s->s3->hs.our_min_tls_version;
1625
1626 if (!CBB_add_u8_length_prefixed(cbb, &versions))
1627 return 0;
1628
1629 /* XXX - fix, but contiguous for now... */
1630 for (version = max; version >= min; version--) {
1631 if (!CBB_add_u16(&versions, version))
1632 return 0;
1633 }
1634
1635 if (!CBB_flush(cbb))
1636 return 0;
1637
1638 return 1;
1639}
1640
1641int
1642tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1643{
1644 CBS versions;
1645 uint16_t version;
1646 uint16_t max, min;
1647 uint16_t matched_version = 0;
1648
1649 max = s->s3->hs.our_max_tls_version;
1650 min = s->s3->hs.our_min_tls_version;
1651
1652 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1653 goto err;
1654
1655 while (CBS_len(&versions) > 0) {
1656 if (!CBS_get_u16(&versions, &version))
1657 goto err;
1658 /*
1659 * XXX What is below implements client preference, and
1660 * ignores any server preference entirely.
1661 */
1662 if (matched_version == 0 && version >= min && version <= max)
1663 matched_version = version;
1664 }
1665
1666 if (matched_version > 0) {
1667 /* XXX - this should be stored for later processing. */
1668 s->version = matched_version;
1669 return 1;
1670 }
1671
1672 *alert = SSL_AD_PROTOCOL_VERSION;
1673 return 0;
1674
1675 err:
1676 *alert = SSL_AD_DECODE_ERROR;
1677 return 0;
1678}
1679
1680int
1681tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
1682{
1683 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
1684}
1685
1686int
1687tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1688{
1689 return CBB_add_u16(cbb, TLS1_3_VERSION);
1690}
1691
1692int
1693tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1694{
1695 uint16_t selected_version;
1696
1697 if (!CBS_get_u16(cbs, &selected_version)) {
1698 *alert = SSL_AD_DECODE_ERROR;
1699 return 0;
1700 }
1701
1702 /* XXX - need to fix for DTLS 1.3 */
1703 if (selected_version < TLS1_3_VERSION) {
1704 *alert = SSL_AD_ILLEGAL_PARAMETER;
1705 return 0;
1706 }
1707
1708 /* XXX test between min and max once initialization code goes in */
1709 s->s3->hs.tls13.server_version = selected_version;
1710
1711 return 1;
1712}
1713
1714
1715/*
1716 * Cookie - RFC 8446 section 4.2.2.
1717 */
1718
1719int
1720tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
1721{
1722 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1723 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1724}
1725
1726int
1727tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1728{
1729 CBB cookie;
1730
1731 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1732 return 0;
1733
1734 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1735 s->s3->hs.tls13.cookie_len))
1736 return 0;
1737
1738 if (!CBB_flush(cbb))
1739 return 0;
1740
1741 return 1;
1742}
1743
1744int
1745tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1746{
1747 CBS cookie;
1748
1749 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1750 goto err;
1751
1752 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len)
1753 goto err;
1754
1755 /*
1756 * Check provided cookie value against what server previously
1757 * sent - client *MUST* send the same cookie with new CR after
1758 * a cookie is sent by the server with an HRR.
1759 */
1760 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie,
1761 s->s3->hs.tls13.cookie_len)) {
1762 /* XXX special cookie mismatch alert? */
1763 *alert = SSL_AD_ILLEGAL_PARAMETER;
1764 return 0;
1765 }
1766
1767 return 1;
1768
1769 err:
1770 *alert = SSL_AD_DECODE_ERROR;
1771 return 0;
1772}
1773
1774int
1775tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
1776{
1777 /*
1778 * Server needs to set cookie value in tls13 handshake
1779 * in order to send one, should only be sent with HRR.
1780 */
1781 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1782 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1783}
1784
1785int
1786tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1787{
1788 CBB cookie;
1789
1790 /* XXX deduplicate with client code */
1791
1792 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1793 return 0;
1794
1795 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1796 s->s3->hs.tls13.cookie_len))
1797 return 0;
1798
1799 if (!CBB_flush(cbb))
1800 return 0;
1801
1802 return 1;
1803}
1804
1805int
1806tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1807{
1808 CBS cookie;
1809
1810 /*
1811 * XXX This currently assumes we will not get a second
1812 * HRR from a server with a cookie to process after accepting
1813 * one from the server in the same handshake
1814 */
1815 if (s->s3->hs.tls13.cookie != NULL ||
1816 s->s3->hs.tls13.cookie_len != 0) {
1817 *alert = SSL_AD_ILLEGAL_PARAMETER;
1818 return 0;
1819 }
1820
1821 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1822 goto err;
1823
1824 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie,
1825 &s->s3->hs.tls13.cookie_len))
1826 goto err;
1827
1828 return 1;
1829
1830 err:
1831 *alert = SSL_AD_DECODE_ERROR;
1832 return 0;
1833}
1834
1835struct tls_extension_funcs {
1836 int (*needs)(SSL *s, uint16_t msg_type);
1837 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
1838 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
1839};
1840
1841struct tls_extension {
1842 uint16_t type;
1843 uint16_t messages;
1844 struct tls_extension_funcs client;
1845 struct tls_extension_funcs server;
1846};
1847
1848static const struct tls_extension tls_extensions[] = {
1849 {
1850 .type = TLSEXT_TYPE_supported_versions,
1851 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
1852 SSL_TLSEXT_MSG_HRR,
1853 .client = {
1854 .needs = tlsext_versions_client_needs,
1855 .build = tlsext_versions_client_build,
1856 .parse = tlsext_versions_client_parse,
1857 },
1858 .server = {
1859 .needs = tlsext_versions_server_needs,
1860 .build = tlsext_versions_server_build,
1861 .parse = tlsext_versions_server_parse,
1862 },
1863 },
1864 {
1865 .type = TLSEXT_TYPE_key_share,
1866 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
1867 SSL_TLSEXT_MSG_HRR,
1868 .client = {
1869 .needs = tlsext_keyshare_client_needs,
1870 .build = tlsext_keyshare_client_build,
1871 .parse = tlsext_keyshare_client_parse,
1872 },
1873 .server = {
1874 .needs = tlsext_keyshare_server_needs,
1875 .build = tlsext_keyshare_server_build,
1876 .parse = tlsext_keyshare_server_parse,
1877 },
1878 },
1879 {
1880 .type = TLSEXT_TYPE_server_name,
1881 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
1882 .client = {
1883 .needs = tlsext_sni_client_needs,
1884 .build = tlsext_sni_client_build,
1885 .parse = tlsext_sni_client_parse,
1886 },
1887 .server = {
1888 .needs = tlsext_sni_server_needs,
1889 .build = tlsext_sni_server_build,
1890 .parse = tlsext_sni_server_parse,
1891 },
1892 },
1893 {
1894 .type = TLSEXT_TYPE_renegotiate,
1895 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
1896 .client = {
1897 .needs = tlsext_ri_client_needs,
1898 .build = tlsext_ri_client_build,
1899 .parse = tlsext_ri_client_parse,
1900 },
1901 .server = {
1902 .needs = tlsext_ri_server_needs,
1903 .build = tlsext_ri_server_build,
1904 .parse = tlsext_ri_server_parse,
1905 },
1906 },
1907 {
1908 .type = TLSEXT_TYPE_status_request,
1909 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR |
1910 SSL_TLSEXT_MSG_CT,
1911 .client = {
1912 .needs = tlsext_ocsp_client_needs,
1913 .build = tlsext_ocsp_client_build,
1914 .parse = tlsext_ocsp_client_parse,
1915 },
1916 .server = {
1917 .needs = tlsext_ocsp_server_needs,
1918 .build = tlsext_ocsp_server_build,
1919 .parse = tlsext_ocsp_server_parse,
1920 },
1921 },
1922 {
1923 .type = TLSEXT_TYPE_ec_point_formats,
1924 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
1925 .client = {
1926 .needs = tlsext_ecpf_client_needs,
1927 .build = tlsext_ecpf_client_build,
1928 .parse = tlsext_ecpf_client_parse,
1929 },
1930 .server = {
1931 .needs = tlsext_ecpf_server_needs,
1932 .build = tlsext_ecpf_server_build,
1933 .parse = tlsext_ecpf_server_parse,
1934 },
1935 },
1936 {
1937 .type = TLSEXT_TYPE_supported_groups,
1938 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
1939 .client = {
1940 .needs = tlsext_supportedgroups_client_needs,
1941 .build = tlsext_supportedgroups_client_build,
1942 .parse = tlsext_supportedgroups_client_parse,
1943 },
1944 .server = {
1945 .needs = tlsext_supportedgroups_server_needs,
1946 .build = tlsext_supportedgroups_server_build,
1947 .parse = tlsext_supportedgroups_server_parse,
1948 },
1949 },
1950 {
1951 .type = TLSEXT_TYPE_session_ticket,
1952 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
1953 .client = {
1954 .needs = tlsext_sessionticket_client_needs,
1955 .build = tlsext_sessionticket_client_build,
1956 .parse = tlsext_sessionticket_client_parse,
1957 },
1958 .server = {
1959 .needs = tlsext_sessionticket_server_needs,
1960 .build = tlsext_sessionticket_server_build,
1961 .parse = tlsext_sessionticket_server_parse,
1962 },
1963 },
1964 {
1965 .type = TLSEXT_TYPE_signature_algorithms,
1966 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR,
1967 .client = {
1968 .needs = tlsext_sigalgs_client_needs,
1969 .build = tlsext_sigalgs_client_build,
1970 .parse = tlsext_sigalgs_client_parse,
1971 },
1972 .server = {
1973 .needs = tlsext_sigalgs_server_needs,
1974 .build = tlsext_sigalgs_server_build,
1975 .parse = tlsext_sigalgs_server_parse,
1976 },
1977 },
1978 {
1979 .type = TLSEXT_TYPE_application_layer_protocol_negotiation,
1980 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
1981 .client = {
1982 .needs = tlsext_alpn_client_needs,
1983 .build = tlsext_alpn_client_build,
1984 .parse = tlsext_alpn_client_parse,
1985 },
1986 .server = {
1987 .needs = tlsext_alpn_server_needs,
1988 .build = tlsext_alpn_server_build,
1989 .parse = tlsext_alpn_server_parse,
1990 },
1991 },
1992 {
1993 .type = TLSEXT_TYPE_cookie,
1994 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
1995 .client = {
1996 .needs = tlsext_cookie_client_needs,
1997 .build = tlsext_cookie_client_build,
1998 .parse = tlsext_cookie_client_parse,
1999 },
2000 .server = {
2001 .needs = tlsext_cookie_server_needs,
2002 .build = tlsext_cookie_server_build,
2003 .parse = tlsext_cookie_server_parse,
2004 },
2005 },
2006#ifndef OPENSSL_NO_SRTP
2007 {
2008 .type = TLSEXT_TYPE_use_srtp,
2009 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ |
2010 SSL_TLSEXT_MSG_EE,
2011 .client = {
2012 .needs = tlsext_srtp_client_needs,
2013 .build = tlsext_srtp_client_build,
2014 .parse = tlsext_srtp_client_parse,
2015 },
2016 .server = {
2017 .needs = tlsext_srtp_server_needs,
2018 .build = tlsext_srtp_server_build,
2019 .parse = tlsext_srtp_server_parse,
2020 },
2021 }
2022#endif /* OPENSSL_NO_SRTP */
2023};
2024
2025#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
2026
2027/* Ensure that extensions fit in a uint32_t bitmask. */
2028CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
2029
2030const struct tls_extension *
2031tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
2032{
2033 size_t i;
2034
2035 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2036 if (tls_extensions[i].type == type) {
2037 *tls_extensions_idx = i;
2038 return &tls_extensions[i];
2039 }
2040 }
2041
2042 return NULL;
2043}
2044
2045int
2046tlsext_extension_seen(SSL *s, uint16_t type)
2047{
2048 size_t idx;
2049
2050 if (tls_extension_find(type, &idx) == NULL)
2051 return 0;
2052 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0);
2053}
2054
2055static const struct tls_extension_funcs *
2056tlsext_funcs(const struct tls_extension *tlsext, int is_server)
2057{
2058 if (is_server)
2059 return &tlsext->server;
2060
2061 return &tlsext->client;
2062}
2063
2064static int
2065tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
2066{
2067 const struct tls_extension_funcs *ext;
2068 const struct tls_extension *tlsext;
2069 CBB extensions, extension_data;
2070 int extensions_present = 0;
2071 uint16_t tls_version;
2072 size_t i;
2073
2074 tls_version = ssl_effective_tls_version(s);
2075
2076 if (!CBB_add_u16_length_prefixed(cbb, &extensions))
2077 return 0;
2078
2079 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2080 tlsext = &tls_extensions[i];
2081 ext = tlsext_funcs(tlsext, is_server);
2082
2083 /* RFC 8446 Section 4.2 */
2084 if (tls_version >= TLS1_3_VERSION &&
2085 !(tlsext->messages & msg_type))
2086 continue;
2087
2088 if (!ext->needs(s, msg_type))
2089 continue;
2090
2091 if (!CBB_add_u16(&extensions, tlsext->type))
2092 return 0;
2093 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
2094 return 0;
2095
2096 if (!ext->build(s, msg_type, &extension_data))
2097 return 0;
2098
2099 extensions_present = 1;
2100 }
2101
2102 if (!extensions_present &&
2103 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0)
2104 CBB_discard_child(cbb);
2105
2106 if (!CBB_flush(cbb))
2107 return 0;
2108
2109 return 1;
2110}
2111
2112int
2113tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs)
2114{
2115 /*
2116 * RFC 8446 4.1.2. For subsequent CH, early data will be removed,
2117 * cookie may be added, padding may be removed.
2118 */
2119 struct tls13_ctx *ctx = s->internal->tls13;
2120
2121 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie ||
2122 type == TLSEXT_TYPE_padding)
2123 return 1;
2124 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
2125 sizeof(type)))
2126 return 0;
2127 /*
2128 * key_share data may be changed, and pre_shared_key data may
2129 * be changed
2130 */
2131 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share)
2132 return 1;
2133 if (!tls13_clienthello_hash_update(ctx, cbs))
2134 return 0;
2135
2136 return 1;
2137}
2138
2139static int
2140tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2141{
2142 const struct tls_extension_funcs *ext;
2143 const struct tls_extension *tlsext;
2144 CBS extensions, extension_data;
2145 uint16_t type;
2146 size_t idx;
2147 uint16_t tls_version;
2148 int alert_desc;
2149
2150 tls_version = ssl_effective_tls_version(s);
2151
2152 s->s3->hs.extensions_seen = 0;
2153
2154 /* An empty extensions block is valid. */
2155 if (CBS_len(cbs) == 0)
2156 return 1;
2157
2158 alert_desc = SSL_AD_DECODE_ERROR;
2159
2160 if (!CBS_get_u16_length_prefixed(cbs, &extensions))
2161 goto err;
2162
2163 while (CBS_len(&extensions) > 0) {
2164 if (!CBS_get_u16(&extensions, &type))
2165 goto err;
2166 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
2167 goto err;
2168
2169 if (s->internal->tlsext_debug_cb != NULL)
2170 s->internal->tlsext_debug_cb(s, !is_server, type,
2171 (unsigned char *)CBS_data(&extension_data),
2172 CBS_len(&extension_data),
2173 s->internal->tlsext_debug_arg);
2174
2175 /* Unknown extensions are ignored. */
2176 if ((tlsext = tls_extension_find(type, &idx)) == NULL)
2177 continue;
2178
2179 if (tls_version >= TLS1_3_VERSION && is_server &&
2180 msg_type == SSL_TLSEXT_MSG_CH) {
2181 if (!tlsext_clienthello_hash_extension(s, type,
2182 &extension_data))
2183 goto err;
2184 }
2185
2186 /* RFC 8446 Section 4.2 */
2187 if (tls_version >= TLS1_3_VERSION &&
2188 !(tlsext->messages & msg_type)) {
2189 alert_desc = SSL_AD_ILLEGAL_PARAMETER;
2190 goto err;
2191 }
2192
2193 /* Check for duplicate known extensions. */
2194 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0)
2195 goto err;
2196 s->s3->hs.extensions_seen |= (1 << idx);
2197
2198 ext = tlsext_funcs(tlsext, is_server);
2199 if (!ext->parse(s, msg_type, &extension_data, &alert_desc))
2200 goto err;
2201
2202 if (CBS_len(&extension_data) != 0)
2203 goto err;
2204 }
2205
2206 return 1;
2207
2208 err:
2209 *alert = alert_desc;
2210
2211 return 0;
2212}
2213
2214static void
2215tlsext_server_reset_state(SSL *s)
2216{
2217 s->tlsext_status_type = -1;
2218 s->s3->renegotiate_seen = 0;
2219 free(s->s3->alpn_selected);
2220 s->s3->alpn_selected = NULL;
2221 s->s3->alpn_selected_len = 0;
2222 s->internal->srtp_profile = NULL;
2223}
2224
2225int
2226tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
2227{
2228 return tlsext_build(s, 1, msg_type, cbb);
2229}
2230
2231int
2232tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2233{
2234 /* XXX - this should be done by the caller... */
2235 if (msg_type == SSL_TLSEXT_MSG_CH)
2236 tlsext_server_reset_state(s);
2237
2238 return tlsext_parse(s, 1, msg_type, cbs, alert);
2239}
2240
2241static void
2242tlsext_client_reset_state(SSL *s)
2243{
2244 s->s3->renegotiate_seen = 0;
2245 free(s->s3->alpn_selected);
2246 s->s3->alpn_selected = NULL;
2247 s->s3->alpn_selected_len = 0;
2248}
2249
2250int
2251tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
2252{
2253 return tlsext_build(s, 0, msg_type, cbb);
2254}
2255
2256int
2257tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2258{
2259 /* XXX - this should be done by the caller... */
2260 if (msg_type == SSL_TLSEXT_MSG_SH)
2261 tlsext_client_reset_state(s);
2262
2263 return tlsext_parse(s, 0, msg_type, cbs, alert);
2264}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-14 06:01:05 +0000