summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_tlsext.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl_tlsext.c2180
1 files changed, 0 insertions, 2180 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
deleted file mode 100644
index 2eac4947e9..0000000000
--- a/src/lib/libssl/ssl_tlsext.c
+++ /dev/null
@@ -1,2180 +0,0 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.97 2021/06/29 19:31:16 jsing Exp $ */
2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <ctype.h>
21
22#include <openssl/ocsp.h>
23#include <openssl/opensslconf.h>
24
25#include "bytestring.h"
26#include "ssl_locl.h"
27#include "ssl_sigalgs.h"
28#include "ssl_tlsext.h"
29
30/*
31 * Supported Application-Layer Protocol Negotiation - RFC 7301
32 */
33
34int
35tlsext_alpn_client_needs(SSL *s, uint16_t msg_type)
36{
37 /* ALPN protos have been specified and this is the initial handshake */
38 return s->internal->alpn_client_proto_list != NULL &&
39 S3I(s)->hs.finished_len == 0;
40}
41
42int
43tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
44{
45 CBB protolist;
46
47 if (!CBB_add_u16_length_prefixed(cbb, &protolist))
48 return 0;
49
50 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list,
51 s->internal->alpn_client_proto_list_len))
52 return 0;
53
54 if (!CBB_flush(cbb))
55 return 0;
56
57 return 1;
58}
59
60int
61tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
62{
63 CBS proto_name_list, alpn;
64 const unsigned char *selected;
65 unsigned char selected_len;
66 int r;
67
68 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
69 goto err;
70 if (CBS_len(&alpn) < 2)
71 goto err;
72 if (CBS_len(cbs) != 0)
73 goto err;
74
75 CBS_dup(&alpn, &proto_name_list);
76 while (CBS_len(&proto_name_list) > 0) {
77 CBS proto_name;
78
79 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
80 goto err;
81 if (CBS_len(&proto_name) == 0)
82 goto err;
83 }
84
85 if (s->ctx->internal->alpn_select_cb == NULL)
86 return 1;
87
88 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
89 CBS_data(&alpn), CBS_len(&alpn),
90 s->ctx->internal->alpn_select_cb_arg);
91 if (r == SSL_TLSEXT_ERR_OK) {
92 free(S3I(s)->alpn_selected);
93 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) {
94 S3I(s)->alpn_selected_len = 0;
95 *alert = SSL_AD_INTERNAL_ERROR;
96 return 0;
97 }
98 memcpy(S3I(s)->alpn_selected, selected, selected_len);
99 S3I(s)->alpn_selected_len = selected_len;
100 }
101
102 return 1;
103
104 err:
105 *alert = SSL_AD_DECODE_ERROR;
106 return 0;
107}
108
109int
110tlsext_alpn_server_needs(SSL *s, uint16_t msg_type)
111{
112 return S3I(s)->alpn_selected != NULL;
113}
114
115int
116tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
117{
118 CBB list, selected;
119
120 if (!CBB_add_u16_length_prefixed(cbb, &list))
121 return 0;
122
123 if (!CBB_add_u8_length_prefixed(&list, &selected))
124 return 0;
125
126 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected,
127 S3I(s)->alpn_selected_len))
128 return 0;
129
130 if (!CBB_flush(cbb))
131 return 0;
132
133 return 1;
134}
135
136int
137tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
138{
139 CBS list, proto;
140
141 if (s->internal->alpn_client_proto_list == NULL) {
142 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
143 return 0;
144 }
145
146 if (!CBS_get_u16_length_prefixed(cbs, &list))
147 goto err;
148 if (CBS_len(cbs) != 0)
149 goto err;
150
151 if (!CBS_get_u8_length_prefixed(&list, &proto))
152 goto err;
153
154 if (CBS_len(&list) != 0)
155 goto err;
156 if (CBS_len(&proto) == 0)
157 goto err;
158
159 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected),
160 &(S3I(s)->alpn_selected_len)))
161 goto err;
162
163 return 1;
164
165 err:
166 *alert = SSL_AD_DECODE_ERROR;
167 return 0;
168}
169
170/*
171 * Supported Groups - RFC 7919 section 2
172 */
173int
174tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type)
175{
176 return ssl_has_ecc_ciphers(s) ||
177 (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION);
178}
179
180int
181tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
182{
183 const uint16_t *groups;
184 size_t groups_len;
185 CBB grouplist;
186 int i;
187
188 tls1_get_group_list(s, 0, &groups, &groups_len);
189 if (groups_len == 0) {
190 SSLerror(s, ERR_R_INTERNAL_ERROR);
191 return 0;
192 }
193
194 if (!CBB_add_u16_length_prefixed(cbb, &grouplist))
195 return 0;
196
197 for (i = 0; i < groups_len; i++) {
198 if (!CBB_add_u16(&grouplist, groups[i]))
199 return 0;
200 }
201
202 if (!CBB_flush(cbb))
203 return 0;
204
205 return 1;
206}
207
208int
209tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
210 int *alert)
211{
212 CBS grouplist;
213 size_t groups_len;
214
215 if (!CBS_get_u16_length_prefixed(cbs, &grouplist))
216 goto err;
217 if (CBS_len(cbs) != 0)
218 goto err;
219
220 groups_len = CBS_len(&grouplist);
221 if (groups_len == 0 || groups_len % 2 != 0)
222 goto err;
223 groups_len /= 2;
224
225 if (!s->internal->hit) {
226 uint16_t *groups;
227 int i;
228
229 if (S3I(s)->hs.tls13.hrr) {
230 if (SSI(s)->tlsext_supportedgroups == NULL) {
231 *alert = SSL_AD_HANDSHAKE_FAILURE;
232 return 0;
233 }
234 /*
235 * In the case of TLSv1.3 the client cannot change
236 * the supported groups.
237 */
238 if (groups_len != SSI(s)->tlsext_supportedgroups_length) {
239 *alert = SSL_AD_ILLEGAL_PARAMETER;
240 return 0;
241 }
242 for (i = 0; i < groups_len; i++) {
243 uint16_t group;
244
245 if (!CBS_get_u16(&grouplist, &group))
246 goto err;
247 if (SSI(s)->tlsext_supportedgroups[i] != group) {
248 *alert = SSL_AD_ILLEGAL_PARAMETER;
249 return 0;
250 }
251 }
252
253 return 1;
254 }
255
256 if (SSI(s)->tlsext_supportedgroups != NULL)
257 goto err;
258
259 if ((groups = reallocarray(NULL, groups_len,
260 sizeof(uint16_t))) == NULL) {
261 *alert = SSL_AD_INTERNAL_ERROR;
262 return 0;
263 }
264
265 for (i = 0; i < groups_len; i++) {
266 if (!CBS_get_u16(&grouplist, &groups[i])) {
267 free(groups);
268 goto err;
269 }
270 }
271
272 if (CBS_len(&grouplist) != 0) {
273 free(groups);
274 goto err;
275 }
276
277 SSI(s)->tlsext_supportedgroups = groups;
278 SSI(s)->tlsext_supportedgroups_length = groups_len;
279 }
280
281 return 1;
282
283 err:
284 *alert = SSL_AD_DECODE_ERROR;
285 return 0;
286}
287
288/* This extension is never used by the server. */
289int
290tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type)
291{
292 return 0;
293}
294
295int
296tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
297{
298 return 0;
299}
300
301int
302tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
303 int *alert)
304{
305 /*
306 * Servers should not send this extension per the RFC.
307 *
308 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
309 * from at least 2014 but as of 2017, there are still large sites with
310 * this unpatched in production. As a result, we need to currently skip
311 * over the extension and ignore its content:
312 *
313 * https://support.f5.com/csp/article/K37345003
314 */
315 if (!CBS_skip(cbs, CBS_len(cbs))) {
316 *alert = SSL_AD_INTERNAL_ERROR;
317 return 0;
318 }
319
320 return 1;
321}
322
323/*
324 * Supported Point Formats Extension - RFC 4492 section 5.1.2
325 */
326static int
327tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb)
328{
329 CBB ecpf;
330 size_t formats_len;
331 const uint8_t *formats;
332
333 tls1_get_formatlist(s, 0, &formats, &formats_len);
334
335 if (formats_len == 0) {
336 SSLerror(s, ERR_R_INTERNAL_ERROR);
337 return 0;
338 }
339
340 if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
341 return 0;
342 if (!CBB_add_bytes(&ecpf, formats, formats_len))
343 return 0;
344 if (!CBB_flush(cbb))
345 return 0;
346
347 return 1;
348}
349
350static int
351tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
352{
353 CBS ecpf;
354
355 if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
356 return 0;
357 if (CBS_len(&ecpf) == 0)
358 return 0;
359 if (CBS_len(cbs) != 0)
360 return 0;
361
362 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
363 if (!CBS_contains_zero_byte(&ecpf)) {
364 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
365 *alert = SSL_AD_ILLEGAL_PARAMETER;
366 return 0;
367 }
368
369 if (!s->internal->hit) {
370 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
371 &(SSI(s)->tlsext_ecpointformatlist_length))) {
372 *alert = SSL_AD_INTERNAL_ERROR;
373 return 0;
374 }
375 }
376
377 return 1;
378}
379
380int
381tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type)
382{
383 return ssl_has_ecc_ciphers(s);
384}
385
386int
387tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
388{
389 return tlsext_ecpf_build(s, msg_type, cbb);
390}
391
392int
393tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
394{
395 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
396}
397
398int
399tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type)
400{
401 return ssl_using_ecc_cipher(s);
402}
403
404int
405tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
406{
407 return tlsext_ecpf_build(s, msg_type, cbb);
408}
409
410int
411tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
412{
413 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
414}
415
416/*
417 * Renegotiation Indication - RFC 5746.
418 */
419int
420tlsext_ri_client_needs(SSL *s, uint16_t msg_type)
421{
422 return (s->internal->renegotiate);
423}
424
425int
426tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
427{
428 CBB reneg;
429
430 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
431 return 0;
432 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished,
433 S3I(s)->previous_client_finished_len))
434 return 0;
435 if (!CBB_flush(cbb))
436 return 0;
437
438 return 1;
439}
440
441int
442tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
443{
444 CBS reneg;
445
446 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
447 goto err;
448 if (CBS_len(cbs) != 0)
449 goto err;
450
451 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished,
452 S3I(s)->previous_client_finished_len)) {
453 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
454 *alert = SSL_AD_HANDSHAKE_FAILURE;
455 return 0;
456 }
457
458 S3I(s)->renegotiate_seen = 1;
459 S3I(s)->send_connection_binding = 1;
460
461 return 1;
462
463 err:
464 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
465 *alert = SSL_AD_DECODE_ERROR;
466 return 0;
467}
468
469int
470tlsext_ri_server_needs(SSL *s, uint16_t msg_type)
471{
472 return (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION &&
473 S3I(s)->send_connection_binding);
474}
475
476int
477tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
478{
479 CBB reneg;
480
481 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
482 return 0;
483 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished,
484 S3I(s)->previous_client_finished_len))
485 return 0;
486 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished,
487 S3I(s)->previous_server_finished_len))
488 return 0;
489 if (!CBB_flush(cbb))
490 return 0;
491
492 return 1;
493}
494
495int
496tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
497{
498 CBS reneg, prev_client, prev_server;
499
500 /*
501 * Ensure that the previous client and server values are both not
502 * present, or that they are both present.
503 */
504 if ((S3I(s)->previous_client_finished_len == 0 &&
505 S3I(s)->previous_server_finished_len != 0) ||
506 (S3I(s)->previous_client_finished_len != 0 &&
507 S3I(s)->previous_server_finished_len == 0)) {
508 *alert = SSL_AD_INTERNAL_ERROR;
509 return 0;
510 }
511
512 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
513 goto err;
514 if (!CBS_get_bytes(&reneg, &prev_client,
515 S3I(s)->previous_client_finished_len))
516 goto err;
517 if (!CBS_get_bytes(&reneg, &prev_server,
518 S3I(s)->previous_server_finished_len))
519 goto err;
520 if (CBS_len(&reneg) != 0)
521 goto err;
522 if (CBS_len(cbs) != 0)
523 goto err;
524
525 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished,
526 S3I(s)->previous_client_finished_len)) {
527 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
528 *alert = SSL_AD_HANDSHAKE_FAILURE;
529 return 0;
530 }
531 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished,
532 S3I(s)->previous_server_finished_len)) {
533 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
534 *alert = SSL_AD_HANDSHAKE_FAILURE;
535 return 0;
536 }
537
538 S3I(s)->renegotiate_seen = 1;
539 S3I(s)->send_connection_binding = 1;
540
541 return 1;
542
543 err:
544 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
545 *alert = SSL_AD_DECODE_ERROR;
546 return 0;
547}
548
549/*
550 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
551 */
552int
553tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
554{
555 return (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION);
556}
557
558int
559tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
560{
561 uint16_t tls_version = S3I(s)->hs.negotiated_tls_version;
562 CBB sigalgs;
563
564 if (msg_type == SSL_TLSEXT_MSG_CH)
565 tls_version = S3I(s)->hs.our_min_tls_version;
566
567 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
568 return 0;
569 if (!ssl_sigalgs_build(tls_version, &sigalgs))
570 return 0;
571 if (!CBB_flush(cbb))
572 return 0;
573
574 return 1;
575}
576
577int
578tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
579{
580 CBS sigalgs;
581
582 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
583 return 0;
584 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
585 return 0;
586 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len))
587 return 0;
588
589 return 1;
590}
591
592int
593tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
594{
595 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION);
596}
597
598int
599tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
600{
601 CBB sigalgs;
602
603 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
604 return 0;
605 if (!ssl_sigalgs_build(S3I(s)->hs.negotiated_tls_version, &sigalgs))
606 return 0;
607 if (!CBB_flush(cbb))
608 return 0;
609
610 return 1;
611}
612
613int
614tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
615{
616 CBS sigalgs;
617
618 if (ssl_effective_tls_version(s) < TLS1_3_VERSION)
619 return 0;
620
621 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
622 return 0;
623 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
624 return 0;
625 if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len))
626 return 0;
627
628 return 1;
629}
630
631/*
632 * Server Name Indication - RFC 6066, section 3.
633 */
634int
635tlsext_sni_client_needs(SSL *s, uint16_t msg_type)
636{
637 return (s->tlsext_hostname != NULL);
638}
639
640int
641tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
642{
643 CBB server_name_list, host_name;
644
645 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
646 return 0;
647 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name))
648 return 0;
649 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
650 return 0;
651 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
652 strlen(s->tlsext_hostname)))
653 return 0;
654 if (!CBB_flush(cbb))
655 return 0;
656
657 return 1;
658}
659
660/*
661 * Validate that the CBS contains only a hostname consisting of RFC 5890
662 * compliant A-labels (see RFC 6066 section 3). Not a complete check
663 * since we don't parse punycode to verify its validity but limits to
664 * correct structure and character set.
665 */
666int
667tlsext_sni_is_valid_hostname(CBS *cbs)
668{
669 uint8_t prev, c = 0;
670 int component = 0;
671 CBS hostname;
672
673 CBS_dup(cbs, &hostname);
674
675 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name)
676 return 0;
677
678 while(CBS_len(&hostname) > 0) {
679 prev = c;
680 if (!CBS_get_u8(&hostname, &c))
681 return 0;
682 /* Everything has to be ASCII, with no NUL byte. */
683 if (!isascii(c) || c == '\0')
684 return 0;
685 /* It must be alphanumeric, a '-', or a '.' */
686 if (!isalnum(c) && c != '-' && c != '.')
687 return 0;
688 /* '-' and '.' must not start a component or be at the end. */
689 if (component == 0 || CBS_len(&hostname) == 0) {
690 if (c == '-' || c == '.')
691 return 0;
692 }
693 if (c == '.') {
694 /* Components can not end with a dash. */
695 if (prev == '-')
696 return 0;
697 /* Start new component */
698 component = 0;
699 continue;
700 }
701 /* Components must be 63 chars or less. */
702 if (++component > 63)
703 return 0;
704 }
705
706 return 1;
707}
708
709int
710tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
711{
712 CBS server_name_list, host_name;
713 uint8_t name_type;
714
715 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
716 goto err;
717
718 if (!CBS_get_u8(&server_name_list, &name_type))
719 goto err;
720 /*
721 * RFC 6066 section 3, only one type (host_name) is specified.
722 * We do not tolerate unknown types, neither does BoringSSL.
723 * other implementations appear more tolerant.
724 */
725 if (name_type != TLSEXT_NAMETYPE_host_name) {
726 *alert = SSL_AD_ILLEGAL_PARAMETER;
727 goto err;
728 }
729
730
731 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
732 goto err;
733 /*
734 * RFC 6066 section 3 specifies a host name must be at least 1 byte
735 * so 0 length is a decode error.
736 */
737 if (CBS_len(&host_name) < 1)
738 goto err;
739
740 if (!tlsext_sni_is_valid_hostname(&host_name)) {
741 *alert = SSL_AD_ILLEGAL_PARAMETER;
742 goto err;
743 }
744
745 if (s->internal->hit || S3I(s)->hs.tls13.hrr) {
746 if (s->session->tlsext_hostname == NULL) {
747 *alert = SSL_AD_UNRECOGNIZED_NAME;
748 goto err;
749 }
750 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
751 strlen(s->session->tlsext_hostname))) {
752 *alert = SSL_AD_UNRECOGNIZED_NAME;
753 goto err;
754 }
755 } else {
756 if (s->session->tlsext_hostname != NULL)
757 goto err;
758 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
759 *alert = SSL_AD_INTERNAL_ERROR;
760 goto err;
761 }
762 }
763
764 /*
765 * RFC 6066 section 3 forbids multiple host names with the same type,
766 * therefore we allow only one entry.
767 */
768 if (CBS_len(&server_name_list) != 0) {
769 *alert = SSL_AD_ILLEGAL_PARAMETER;
770 goto err;
771 }
772 if (CBS_len(cbs) != 0)
773 goto err;
774
775 return 1;
776
777 err:
778 return 0;
779}
780
781int
782tlsext_sni_server_needs(SSL *s, uint16_t msg_type)
783{
784 if (s->internal->hit)
785 return 0;
786
787 return (s->session->tlsext_hostname != NULL);
788}
789
790int
791tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
792{
793 return 1;
794}
795
796int
797tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
798{
799 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
800 *alert = SSL_AD_UNRECOGNIZED_NAME;
801 return 0;
802 }
803
804 if (s->internal->hit) {
805 if (s->session->tlsext_hostname == NULL) {
806 *alert = SSL_AD_UNRECOGNIZED_NAME;
807 return 0;
808 }
809 if (strcmp(s->tlsext_hostname,
810 s->session->tlsext_hostname) != 0) {
811 *alert = SSL_AD_UNRECOGNIZED_NAME;
812 return 0;
813 }
814 } else {
815 if (s->session->tlsext_hostname != NULL) {
816 *alert = SSL_AD_DECODE_ERROR;
817 return 0;
818 }
819 if ((s->session->tlsext_hostname =
820 strdup(s->tlsext_hostname)) == NULL) {
821 *alert = SSL_AD_INTERNAL_ERROR;
822 return 0;
823 }
824 }
825
826 return 1;
827}
828
829
830/*
831 * Certificate Status Request - RFC 6066 section 8.
832 */
833
834int
835tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
836{
837 if (msg_type != SSL_TLSEXT_MSG_CH)
838 return 0;
839
840 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp);
841}
842
843int
844tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
845{
846 CBB respid_list, respid, exts;
847 unsigned char *ext_data;
848 size_t ext_len;
849 int i;
850
851 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
852 return 0;
853 if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
854 return 0;
855 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
856 unsigned char *respid_data;
857 OCSP_RESPID *id;
858 size_t id_len;
859
860 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,
861 i)) == NULL)
862 return 0;
863 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
864 return 0;
865 if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
866 return 0;
867 if (!CBB_add_space(&respid, &respid_data, id_len))
868 return 0;
869 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
870 return 0;
871 }
872 if (!CBB_add_u16_length_prefixed(cbb, &exts))
873 return 0;
874 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
875 NULL)) == -1)
876 return 0;
877 if (!CBB_add_space(&exts, &ext_data, ext_len))
878 return 0;
879 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
880 ext_len))
881 return 0;
882 if (!CBB_flush(cbb))
883 return 0;
884 return 1;
885}
886
887int
888tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
889{
890 int alert_desc = SSL_AD_DECODE_ERROR;
891 CBS respid_list, respid, exts;
892 const unsigned char *p;
893 uint8_t status_type;
894 int ret = 0;
895
896 if (msg_type != SSL_TLSEXT_MSG_CH)
897 goto err;
898
899 if (!CBS_get_u8(cbs, &status_type))
900 goto err;
901 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
902 /* ignore unknown status types */
903 s->tlsext_status_type = -1;
904
905 if (!CBS_skip(cbs, CBS_len(cbs))) {
906 *alert = SSL_AD_INTERNAL_ERROR;
907 return 0;
908 }
909 return 1;
910 }
911 s->tlsext_status_type = status_type;
912 if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
913 goto err;
914
915 /* XXX */
916 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
917 s->internal->tlsext_ocsp_ids = NULL;
918 if (CBS_len(&respid_list) > 0) {
919 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
920 if (s->internal->tlsext_ocsp_ids == NULL) {
921 alert_desc = SSL_AD_INTERNAL_ERROR;
922 goto err;
923 }
924 }
925
926 while (CBS_len(&respid_list) > 0) {
927 OCSP_RESPID *id;
928
929 if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
930 goto err;
931 p = CBS_data(&respid);
932 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL)
933 goto err;
934 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) {
935 alert_desc = SSL_AD_INTERNAL_ERROR;
936 OCSP_RESPID_free(id);
937 goto err;
938 }
939 }
940
941 /* Read in request_extensions */
942 if (!CBS_get_u16_length_prefixed(cbs, &exts))
943 goto err;
944 if (CBS_len(&exts) > 0) {
945 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
946 X509_EXTENSION_free);
947 p = CBS_data(&exts);
948 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
949 &p, CBS_len(&exts))) == NULL)
950 goto err;
951 }
952
953 /* should be nothing left */
954 if (CBS_len(cbs) > 0)
955 goto err;
956
957 ret = 1;
958 err:
959 if (ret == 0)
960 *alert = alert_desc;
961 return ret;
962}
963
964int
965tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type)
966{
967 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
968 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
969 s->ctx->internal->tlsext_status_cb != NULL) {
970 s->internal->tlsext_status_expected = 0;
971 if (s->ctx->internal->tlsext_status_cb(s,
972 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
973 s->internal->tlsext_ocsp_resp_len > 0)
974 s->internal->tlsext_status_expected = 1;
975 }
976 return s->internal->tlsext_status_expected;
977}
978
979int
980tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
981{
982 CBB ocsp_response;
983
984 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
985 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
986 return 0;
987 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
988 return 0;
989 if (!CBB_add_bytes(&ocsp_response,
990 s->internal->tlsext_ocsp_resp,
991 s->internal->tlsext_ocsp_resp_len))
992 return 0;
993 if (!CBB_flush(cbb))
994 return 0;
995 }
996 return 1;
997}
998
999int
1000tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1001{
1002 uint8_t status_type;
1003 CBS response;
1004
1005 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) {
1006 if (msg_type == SSL_TLSEXT_MSG_CR) {
1007 /*
1008 * RFC 8446, 4.4.2.1 - the server may request an OCSP
1009 * response with an empty status_request.
1010 */
1011 if (CBS_len(cbs) == 0)
1012 return 1;
1013
1014 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1015 return 0;
1016 }
1017 if (!CBS_get_u8(cbs, &status_type)) {
1018 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1019 return 0;
1020 }
1021 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1022 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
1023 return 0;
1024 }
1025 if (!CBS_get_u24_length_prefixed(cbs, &response)) {
1026 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1027 return 0;
1028 }
1029 if (CBS_len(&response) > 65536) {
1030 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1031 return 0;
1032 }
1033 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
1034 &s->internal->tlsext_ocsp_resp_len)) {
1035 *alert = SSL_AD_INTERNAL_ERROR;
1036 return 0;
1037 }
1038 } else {
1039 if (s->tlsext_status_type == -1) {
1040 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1041 return 0;
1042 }
1043 /* Set flag to expect CertificateStatus message */
1044 s->internal->tlsext_status_expected = 1;
1045 }
1046 return 1;
1047}
1048
1049/*
1050 * SessionTicket extension - RFC 5077 section 3.2
1051 */
1052int
1053tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
1054{
1055 /*
1056 * Send session ticket extension when enabled and not overridden.
1057 *
1058 * When renegotiating, send an empty session ticket to indicate support.
1059 */
1060 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
1061 return 0;
1062
1063 if (s->internal->new_session)
1064 return 1;
1065
1066 if (s->internal->tlsext_session_ticket != NULL &&
1067 s->internal->tlsext_session_ticket->data == NULL)
1068 return 0;
1069
1070 return 1;
1071}
1072
1073int
1074tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1075{
1076 /*
1077 * Signal that we support session tickets by sending an empty
1078 * extension when renegotiating or no session found.
1079 */
1080 if (s->internal->new_session || s->session == NULL)
1081 return 1;
1082
1083 if (s->session->tlsext_tick != NULL) {
1084 /* Attempt to resume with an existing session ticket */
1085 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1086 s->session->tlsext_ticklen))
1087 return 0;
1088
1089 } else if (s->internal->tlsext_session_ticket != NULL) {
1090 /*
1091 * Attempt to resume with a custom provided session ticket set
1092 * by SSL_set_session_ticket_ext().
1093 */
1094 if (s->internal->tlsext_session_ticket->length > 0) {
1095 size_t ticklen = s->internal->tlsext_session_ticket->length;
1096
1097 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL)
1098 return 0;
1099 memcpy(s->session->tlsext_tick,
1100 s->internal->tlsext_session_ticket->data,
1101 ticklen);
1102 s->session->tlsext_ticklen = ticklen;
1103
1104 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1105 s->session->tlsext_ticklen))
1106 return 0;
1107 }
1108 }
1109
1110 if (!CBB_flush(cbb))
1111 return 0;
1112
1113 return 1;
1114}
1115
1116int
1117tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1118 int *alert)
1119{
1120 if (s->internal->tls_session_ticket_ext_cb) {
1121 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1122 (int)CBS_len(cbs),
1123 s->internal->tls_session_ticket_ext_cb_arg)) {
1124 *alert = SSL_AD_INTERNAL_ERROR;
1125 return 0;
1126 }
1127 }
1128
1129 /* We need to signal that this was processed fully */
1130 if (!CBS_skip(cbs, CBS_len(cbs))) {
1131 *alert = SSL_AD_INTERNAL_ERROR;
1132 return 0;
1133 }
1134
1135 return 1;
1136}
1137
1138int
1139tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
1140{
1141 return (s->internal->tlsext_ticket_expected &&
1142 !(SSL_get_options(s) & SSL_OP_NO_TICKET));
1143}
1144
1145int
1146tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1147{
1148 /* Empty ticket */
1149 return 1;
1150}
1151
1152int
1153tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1154 int *alert)
1155{
1156 if (s->internal->tls_session_ticket_ext_cb) {
1157 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1158 (int)CBS_len(cbs),
1159 s->internal->tls_session_ticket_ext_cb_arg)) {
1160 *alert = SSL_AD_INTERNAL_ERROR;
1161 return 0;
1162 }
1163 }
1164
1165 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
1166 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1167 return 0;
1168 }
1169
1170 s->internal->tlsext_ticket_expected = 1;
1171
1172 return 1;
1173}
1174
1175/*
1176 * DTLS extension for SRTP key establishment - RFC 5764
1177 */
1178
1179#ifndef OPENSSL_NO_SRTP
1180
1181int
1182tlsext_srtp_client_needs(SSL *s, uint16_t msg_type)
1183{
1184 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL;
1185}
1186
1187int
1188tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1189{
1190 CBB profiles, mki;
1191 int ct, i;
1192 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL;
1193 const SRTP_PROTECTION_PROFILE *prof;
1194
1195 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1196 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1197 return 0;
1198 }
1199
1200 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) {
1201 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1202 return 0;
1203 }
1204
1205 if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1206 return 0;
1207
1208 for (i = 0; i < ct; i++) {
1209 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL)
1210 return 0;
1211 if (!CBB_add_u16(&profiles, prof->id))
1212 return 0;
1213 }
1214
1215 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1216 return 0;
1217
1218 if (!CBB_flush(cbb))
1219 return 0;
1220
1221 return 1;
1222}
1223
1224int
1225tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1226{
1227 const SRTP_PROTECTION_PROFILE *cprof, *sprof;
1228 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
1229 int i, j;
1230 int ret;
1231 uint16_t id;
1232 CBS profiles, mki;
1233
1234 ret = 0;
1235
1236 if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1237 goto err;
1238 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1239 goto err;
1240
1241 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL)
1242 goto err;
1243
1244 while (CBS_len(&profiles) > 0) {
1245 if (!CBS_get_u16(&profiles, &id))
1246 goto err;
1247
1248 if (!srtp_find_profile_by_num(id, &cprof)) {
1249 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof))
1250 goto err;
1251 }
1252 }
1253
1254 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1255 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1256 *alert = SSL_AD_DECODE_ERROR;
1257 goto done;
1258 }
1259 if (CBS_len(cbs) != 0)
1260 goto err;
1261
1262 /*
1263 * Per RFC 5764 section 4.1.1
1264 *
1265 * Find the server preferred profile using the client's list.
1266 *
1267 * The server MUST send a profile if it sends the use_srtp
1268 * extension. If one is not found, it should fall back to the
1269 * negotiated DTLS cipher suite or return a DTLS alert.
1270 */
1271 if ((srvr = SSL_get_srtp_profiles(s)) == NULL)
1272 goto err;
1273 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
1274 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i))
1275 == NULL)
1276 goto err;
1277
1278 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
1279 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j))
1280 == NULL)
1281 goto err;
1282
1283 if (cprof->id == sprof->id) {
1284 s->internal->srtp_profile = sprof;
1285 ret = 1;
1286 goto done;
1287 }
1288 }
1289 }
1290
1291 /* If we didn't find anything, fall back to the negotiated */
1292 ret = 1;
1293 goto done;
1294
1295 err:
1296 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1297 *alert = SSL_AD_DECODE_ERROR;
1298
1299 done:
1300 sk_SRTP_PROTECTION_PROFILE_free(clnt);
1301 return ret;
1302}
1303
1304int
1305tlsext_srtp_server_needs(SSL *s, uint16_t msg_type)
1306{
1307 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL;
1308}
1309
1310int
1311tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1312{
1313 SRTP_PROTECTION_PROFILE *profile;
1314 CBB srtp, mki;
1315
1316 if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1317 return 0;
1318
1319 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL)
1320 return 0;
1321
1322 if (!CBB_add_u16(&srtp, profile->id))
1323 return 0;
1324
1325 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1326 return 0;
1327
1328 if (!CBB_flush(cbb))
1329 return 0;
1330
1331 return 1;
1332}
1333
1334int
1335tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1336{
1337 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1338 const SRTP_PROTECTION_PROFILE *prof;
1339 int i;
1340 uint16_t id;
1341 CBS profile_ids, mki;
1342
1343 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1344 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1345 goto err;
1346 }
1347
1348 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1349 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1350 goto err;
1351 }
1352
1353 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1354 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1355 *alert = SSL_AD_ILLEGAL_PARAMETER;
1356 return 0;
1357 }
1358
1359 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1360 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1361 goto err;
1362 }
1363
1364 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1365 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i))
1366 == NULL) {
1367 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1368 goto err;
1369 }
1370
1371 if (prof->id == id) {
1372 s->internal->srtp_profile = prof;
1373 return 1;
1374 }
1375 }
1376
1377 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1378 err:
1379 *alert = SSL_AD_DECODE_ERROR;
1380 return 0;
1381}
1382
1383#endif /* OPENSSL_NO_SRTP */
1384
1385/*
1386 * TLSv1.3 Key Share - RFC 8446 section 4.2.8.
1387 */
1388int
1389tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1390{
1391 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION);
1392}
1393
1394int
1395tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1396{
1397 CBB client_shares;
1398
1399 if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
1400 return 0;
1401
1402 if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share,
1403 &client_shares))
1404 return 0;
1405
1406 if (!CBB_flush(cbb))
1407 return 0;
1408
1409 return 1;
1410}
1411
1412int
1413tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1414{
1415 CBS client_shares, key_exchange;
1416 uint16_t group;
1417
1418 if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1419 goto err;
1420
1421 while (CBS_len(&client_shares) > 0) {
1422
1423 /* Unpack client share. */
1424 if (!CBS_get_u16(&client_shares, &group))
1425 goto err;
1426 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1427 return 0;
1428
1429 /*
1430 * XXX - check key exchange against supported groups from client.
1431 * XXX - check that groups only appear once.
1432 */
1433
1434 /*
1435 * Ignore this client share if we're using earlier than TLSv1.3
1436 * or we've already selected a key share.
1437 */
1438 if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION)
1439 continue;
1440 if (S3I(s)->hs.tls13.key_share != NULL)
1441 continue;
1442
1443 /* XXX - consider implementing server preference. */
1444 if (!tls1_check_curve(s, group))
1445 continue;
1446
1447 /* Decode and store the selected key share. */
1448 S3I(s)->hs.tls13.key_share = tls13_key_share_new(group);
1449 if (S3I(s)->hs.tls13.key_share == NULL)
1450 goto err;
1451 if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share,
1452 group, &key_exchange))
1453 goto err;
1454 }
1455
1456 return 1;
1457
1458 err:
1459 *alert = SSL_AD_DECODE_ERROR;
1460 return 0;
1461}
1462
1463int
1464tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
1465{
1466 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1467 tlsext_extension_seen(s, TLSEXT_TYPE_key_share));
1468}
1469
1470int
1471tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1472{
1473 /* In the case of a HRR, we only send the server selected group. */
1474 if (S3I(s)->hs.tls13.hrr) {
1475 if (S3I(s)->hs.tls13.server_group == 0)
1476 return 0;
1477 return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group);
1478 }
1479
1480 if (S3I(s)->hs.tls13.key_share == NULL)
1481 return 0;
1482
1483 if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, cbb))
1484 return 0;
1485
1486 return 1;
1487}
1488
1489int
1490tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1491{
1492 CBS key_exchange;
1493 uint16_t group;
1494
1495 /* Unpack server share. */
1496 if (!CBS_get_u16(cbs, &group))
1497 goto err;
1498
1499 if (CBS_len(cbs) == 0) {
1500 /* HRR does not include an actual key share. */
1501 /* XXX - we should know that we are in a HRR... */
1502 S3I(s)->hs.tls13.server_group = group;
1503 return 1;
1504 }
1505
1506 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1507 return 0;
1508
1509 if (S3I(s)->hs.tls13.key_share == NULL)
1510 return 0;
1511
1512 if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share,
1513 group, &key_exchange))
1514 goto err;
1515
1516 return 1;
1517
1518 err:
1519 *alert = SSL_AD_DECODE_ERROR;
1520 return 0;
1521}
1522
1523/*
1524 * Supported Versions - RFC 8446 section 4.2.1.
1525 */
1526int
1527tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
1528{
1529 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION);
1530}
1531
1532int
1533tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1534{
1535 uint16_t max, min;
1536 uint16_t version;
1537 CBB versions;
1538
1539 max = S3I(s)->hs.our_max_tls_version;
1540 min = S3I(s)->hs.our_min_tls_version;
1541
1542 if (!CBB_add_u8_length_prefixed(cbb, &versions))
1543 return 0;
1544
1545 /* XXX - fix, but contiguous for now... */
1546 for (version = max; version >= min; version--) {
1547 if (!CBB_add_u16(&versions, version))
1548 return 0;
1549 }
1550
1551 if (!CBB_flush(cbb))
1552 return 0;
1553
1554 return 1;
1555}
1556
1557int
1558tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1559{
1560 CBS versions;
1561 uint16_t version;
1562 uint16_t max, min;
1563 uint16_t matched_version = 0;
1564
1565 max = S3I(s)->hs.our_max_tls_version;
1566 min = S3I(s)->hs.our_min_tls_version;
1567
1568 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1569 goto err;
1570
1571 while (CBS_len(&versions) > 0) {
1572 if (!CBS_get_u16(&versions, &version))
1573 goto err;
1574 /*
1575 * XXX What is below implements client preference, and
1576 * ignores any server preference entirely.
1577 */
1578 if (matched_version == 0 && version >= min && version <= max)
1579 matched_version = version;
1580 }
1581
1582 if (matched_version > 0) {
1583 /* XXX - this should be stored for later processing. */
1584 s->version = matched_version;
1585 return 1;
1586 }
1587
1588 *alert = SSL_AD_PROTOCOL_VERSION;
1589 return 0;
1590
1591 err:
1592 *alert = SSL_AD_DECODE_ERROR;
1593 return 0;
1594}
1595
1596int
1597tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
1598{
1599 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION);
1600}
1601
1602int
1603tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1604{
1605 return CBB_add_u16(cbb, TLS1_3_VERSION);
1606}
1607
1608int
1609tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1610{
1611 uint16_t selected_version;
1612
1613 if (!CBS_get_u16(cbs, &selected_version)) {
1614 *alert = SSL_AD_DECODE_ERROR;
1615 return 0;
1616 }
1617
1618 /* XXX - need to fix for DTLS 1.3 */
1619 if (selected_version < TLS1_3_VERSION) {
1620 *alert = SSL_AD_ILLEGAL_PARAMETER;
1621 return 0;
1622 }
1623
1624 /* XXX test between min and max once initialization code goes in */
1625 S3I(s)->hs.tls13.server_version = selected_version;
1626
1627 return 1;
1628}
1629
1630
1631/*
1632 * Cookie - RFC 8446 section 4.2.2.
1633 */
1634
1635int
1636tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
1637{
1638 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
1639 S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL);
1640}
1641
1642int
1643tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1644{
1645 CBB cookie;
1646
1647 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1648 return 0;
1649
1650 if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie,
1651 S3I(s)->hs.tls13.cookie_len))
1652 return 0;
1653
1654 if (!CBB_flush(cbb))
1655 return 0;
1656
1657 return 1;
1658}
1659
1660int
1661tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1662{
1663 CBS cookie;
1664
1665 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1666 goto err;
1667
1668 if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len)
1669 goto err;
1670
1671 /*
1672 * Check provided cookie value against what server previously
1673 * sent - client *MUST* send the same cookie with new CR after
1674 * a cookie is sent by the server with an HRR.
1675 */
1676 if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie,
1677 S3I(s)->hs.tls13.cookie_len)) {
1678 /* XXX special cookie mismatch alert? */
1679 *alert = SSL_AD_ILLEGAL_PARAMETER;
1680 return 0;
1681 }
1682
1683 return 1;
1684
1685 err:
1686 *alert = SSL_AD_DECODE_ERROR;
1687 return 0;
1688}
1689
1690int
1691tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
1692{
1693 /*
1694 * Server needs to set cookie value in tls13 handshake
1695 * in order to send one, should only be sent with HRR.
1696 */
1697 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
1698 S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL);
1699}
1700
1701int
1702tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1703{
1704 CBB cookie;
1705
1706 /* XXX deduplicate with client code */
1707
1708 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1709 return 0;
1710
1711 if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie,
1712 S3I(s)->hs.tls13.cookie_len))
1713 return 0;
1714
1715 if (!CBB_flush(cbb))
1716 return 0;
1717
1718 return 1;
1719}
1720
1721int
1722tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1723{
1724 CBS cookie;
1725
1726 /*
1727 * XXX This currently assumes we will not get a second
1728 * HRR from a server with a cookie to process after accepting
1729 * one from the server in the same handshake
1730 */
1731 if (S3I(s)->hs.tls13.cookie != NULL ||
1732 S3I(s)->hs.tls13.cookie_len != 0) {
1733 *alert = SSL_AD_ILLEGAL_PARAMETER;
1734 return 0;
1735 }
1736
1737 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1738 goto err;
1739
1740 if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie,
1741 &S3I(s)->hs.tls13.cookie_len))
1742 goto err;
1743
1744 return 1;
1745
1746 err:
1747 *alert = SSL_AD_DECODE_ERROR;
1748 return 0;
1749}
1750
1751struct tls_extension_funcs {
1752 int (*needs)(SSL *s, uint16_t msg_type);
1753 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
1754 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
1755};
1756
1757struct tls_extension {
1758 uint16_t type;
1759 uint16_t messages;
1760 struct tls_extension_funcs client;
1761 struct tls_extension_funcs server;
1762};
1763
1764static const struct tls_extension tls_extensions[] = {
1765 {
1766 .type = TLSEXT_TYPE_supported_versions,
1767 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
1768 SSL_TLSEXT_MSG_HRR,
1769 .client = {
1770 .needs = tlsext_versions_client_needs,
1771 .build = tlsext_versions_client_build,
1772 .parse = tlsext_versions_client_parse,
1773 },
1774 .server = {
1775 .needs = tlsext_versions_server_needs,
1776 .build = tlsext_versions_server_build,
1777 .parse = tlsext_versions_server_parse,
1778 },
1779 },
1780 {
1781 .type = TLSEXT_TYPE_key_share,
1782 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
1783 SSL_TLSEXT_MSG_HRR,
1784 .client = {
1785 .needs = tlsext_keyshare_client_needs,
1786 .build = tlsext_keyshare_client_build,
1787 .parse = tlsext_keyshare_client_parse,
1788 },
1789 .server = {
1790 .needs = tlsext_keyshare_server_needs,
1791 .build = tlsext_keyshare_server_build,
1792 .parse = tlsext_keyshare_server_parse,
1793 },
1794 },
1795 {
1796 .type = TLSEXT_TYPE_server_name,
1797 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
1798 .client = {
1799 .needs = tlsext_sni_client_needs,
1800 .build = tlsext_sni_client_build,
1801 .parse = tlsext_sni_client_parse,
1802 },
1803 .server = {
1804 .needs = tlsext_sni_server_needs,
1805 .build = tlsext_sni_server_build,
1806 .parse = tlsext_sni_server_parse,
1807 },
1808 },
1809 {
1810 .type = TLSEXT_TYPE_renegotiate,
1811 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
1812 .client = {
1813 .needs = tlsext_ri_client_needs,
1814 .build = tlsext_ri_client_build,
1815 .parse = tlsext_ri_client_parse,
1816 },
1817 .server = {
1818 .needs = tlsext_ri_server_needs,
1819 .build = tlsext_ri_server_build,
1820 .parse = tlsext_ri_server_parse,
1821 },
1822 },
1823 {
1824 .type = TLSEXT_TYPE_status_request,
1825 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR |
1826 SSL_TLSEXT_MSG_CT,
1827 .client = {
1828 .needs = tlsext_ocsp_client_needs,
1829 .build = tlsext_ocsp_client_build,
1830 .parse = tlsext_ocsp_client_parse,
1831 },
1832 .server = {
1833 .needs = tlsext_ocsp_server_needs,
1834 .build = tlsext_ocsp_server_build,
1835 .parse = tlsext_ocsp_server_parse,
1836 },
1837 },
1838 {
1839 .type = TLSEXT_TYPE_ec_point_formats,
1840 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
1841 .client = {
1842 .needs = tlsext_ecpf_client_needs,
1843 .build = tlsext_ecpf_client_build,
1844 .parse = tlsext_ecpf_client_parse,
1845 },
1846 .server = {
1847 .needs = tlsext_ecpf_server_needs,
1848 .build = tlsext_ecpf_server_build,
1849 .parse = tlsext_ecpf_server_parse,
1850 },
1851 },
1852 {
1853 .type = TLSEXT_TYPE_supported_groups,
1854 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
1855 .client = {
1856 .needs = tlsext_supportedgroups_client_needs,
1857 .build = tlsext_supportedgroups_client_build,
1858 .parse = tlsext_supportedgroups_client_parse,
1859 },
1860 .server = {
1861 .needs = tlsext_supportedgroups_server_needs,
1862 .build = tlsext_supportedgroups_server_build,
1863 .parse = tlsext_supportedgroups_server_parse,
1864 },
1865 },
1866 {
1867 .type = TLSEXT_TYPE_session_ticket,
1868 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
1869 .client = {
1870 .needs = tlsext_sessionticket_client_needs,
1871 .build = tlsext_sessionticket_client_build,
1872 .parse = tlsext_sessionticket_client_parse,
1873 },
1874 .server = {
1875 .needs = tlsext_sessionticket_server_needs,
1876 .build = tlsext_sessionticket_server_build,
1877 .parse = tlsext_sessionticket_server_parse,
1878 },
1879 },
1880 {
1881 .type = TLSEXT_TYPE_signature_algorithms,
1882 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR,
1883 .client = {
1884 .needs = tlsext_sigalgs_client_needs,
1885 .build = tlsext_sigalgs_client_build,
1886 .parse = tlsext_sigalgs_client_parse,
1887 },
1888 .server = {
1889 .needs = tlsext_sigalgs_server_needs,
1890 .build = tlsext_sigalgs_server_build,
1891 .parse = tlsext_sigalgs_server_parse,
1892 },
1893 },
1894 {
1895 .type = TLSEXT_TYPE_application_layer_protocol_negotiation,
1896 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
1897 .client = {
1898 .needs = tlsext_alpn_client_needs,
1899 .build = tlsext_alpn_client_build,
1900 .parse = tlsext_alpn_client_parse,
1901 },
1902 .server = {
1903 .needs = tlsext_alpn_server_needs,
1904 .build = tlsext_alpn_server_build,
1905 .parse = tlsext_alpn_server_parse,
1906 },
1907 },
1908 {
1909 .type = TLSEXT_TYPE_cookie,
1910 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
1911 .client = {
1912 .needs = tlsext_cookie_client_needs,
1913 .build = tlsext_cookie_client_build,
1914 .parse = tlsext_cookie_client_parse,
1915 },
1916 .server = {
1917 .needs = tlsext_cookie_server_needs,
1918 .build = tlsext_cookie_server_build,
1919 .parse = tlsext_cookie_server_parse,
1920 },
1921 },
1922#ifndef OPENSSL_NO_SRTP
1923 {
1924 .type = TLSEXT_TYPE_use_srtp,
1925 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ |
1926 SSL_TLSEXT_MSG_EE,
1927 .client = {
1928 .needs = tlsext_srtp_client_needs,
1929 .build = tlsext_srtp_client_build,
1930 .parse = tlsext_srtp_client_parse,
1931 },
1932 .server = {
1933 .needs = tlsext_srtp_server_needs,
1934 .build = tlsext_srtp_server_build,
1935 .parse = tlsext_srtp_server_parse,
1936 },
1937 }
1938#endif /* OPENSSL_NO_SRTP */
1939};
1940
1941#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
1942
1943/* Ensure that extensions fit in a uint32_t bitmask. */
1944CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
1945
1946const struct tls_extension *
1947tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
1948{
1949 size_t i;
1950
1951 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1952 if (tls_extensions[i].type == type) {
1953 *tls_extensions_idx = i;
1954 return &tls_extensions[i];
1955 }
1956 }
1957
1958 return NULL;
1959}
1960
1961int
1962tlsext_extension_seen(SSL *s, uint16_t type)
1963{
1964 size_t idx;
1965
1966 if (tls_extension_find(type, &idx) == NULL)
1967 return 0;
1968 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0);
1969}
1970
1971static const struct tls_extension_funcs *
1972tlsext_funcs(const struct tls_extension *tlsext, int is_server)
1973{
1974 if (is_server)
1975 return &tlsext->server;
1976
1977 return &tlsext->client;
1978}
1979
1980static int
1981tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
1982{
1983 const struct tls_extension_funcs *ext;
1984 const struct tls_extension *tlsext;
1985 CBB extensions, extension_data;
1986 int extensions_present = 0;
1987 uint16_t tls_version;
1988 size_t i;
1989
1990 tls_version = ssl_effective_tls_version(s);
1991
1992 if (!CBB_add_u16_length_prefixed(cbb, &extensions))
1993 return 0;
1994
1995 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1996 tlsext = &tls_extensions[i];
1997 ext = tlsext_funcs(tlsext, is_server);
1998
1999 /* RFC 8446 Section 4.2 */
2000 if (tls_version >= TLS1_3_VERSION &&
2001 !(tlsext->messages & msg_type))
2002 continue;
2003
2004 if (!ext->needs(s, msg_type))
2005 continue;
2006
2007 if (!CBB_add_u16(&extensions, tlsext->type))
2008 return 0;
2009 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
2010 return 0;
2011
2012 if (!ext->build(s, msg_type, &extension_data))
2013 return 0;
2014
2015 extensions_present = 1;
2016 }
2017
2018 if (!extensions_present &&
2019 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0)
2020 CBB_discard_child(cbb);
2021
2022 if (!CBB_flush(cbb))
2023 return 0;
2024
2025 return 1;
2026}
2027
2028int
2029tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs)
2030{
2031 /*
2032 * RFC 8446 4.1.2. For subsequent CH, early data will be removed,
2033 * cookie may be added, padding may be removed.
2034 */
2035 struct tls13_ctx *ctx = s->internal->tls13;
2036
2037 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie ||
2038 type == TLSEXT_TYPE_padding)
2039 return 1;
2040 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
2041 sizeof(type)))
2042 return 0;
2043 /*
2044 * key_share data may be changed, and pre_shared_key data may
2045 * be changed
2046 */
2047 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share)
2048 return 1;
2049 if (!tls13_clienthello_hash_update(ctx, cbs))
2050 return 0;
2051
2052 return 1;
2053}
2054
2055static int
2056tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2057{
2058 const struct tls_extension_funcs *ext;
2059 const struct tls_extension *tlsext;
2060 CBS extensions, extension_data;
2061 uint16_t type;
2062 size_t idx;
2063 uint16_t tls_version;
2064 int alert_desc;
2065
2066 tls_version = ssl_effective_tls_version(s);
2067
2068 S3I(s)->hs.extensions_seen = 0;
2069
2070 /* An empty extensions block is valid. */
2071 if (CBS_len(cbs) == 0)
2072 return 1;
2073
2074 alert_desc = SSL_AD_DECODE_ERROR;
2075
2076 if (!CBS_get_u16_length_prefixed(cbs, &extensions))
2077 goto err;
2078
2079 while (CBS_len(&extensions) > 0) {
2080 if (!CBS_get_u16(&extensions, &type))
2081 goto err;
2082 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
2083 goto err;
2084
2085 if (s->internal->tlsext_debug_cb != NULL)
2086 s->internal->tlsext_debug_cb(s, is_server, type,
2087 (unsigned char *)CBS_data(&extension_data),
2088 CBS_len(&extension_data),
2089 s->internal->tlsext_debug_arg);
2090
2091 /* Unknown extensions are ignored. */
2092 if ((tlsext = tls_extension_find(type, &idx)) == NULL)
2093 continue;
2094
2095 if (tls_version >= TLS1_3_VERSION && is_server &&
2096 msg_type == SSL_TLSEXT_MSG_CH) {
2097 if (!tlsext_clienthello_hash_extension(s, type,
2098 &extension_data))
2099 goto err;
2100 }
2101
2102 /* RFC 8446 Section 4.2 */
2103 if (tls_version >= TLS1_3_VERSION &&
2104 !(tlsext->messages & msg_type)) {
2105 alert_desc = SSL_AD_ILLEGAL_PARAMETER;
2106 goto err;
2107 }
2108
2109 /* Check for duplicate known extensions. */
2110 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0)
2111 goto err;
2112 S3I(s)->hs.extensions_seen |= (1 << idx);
2113
2114 ext = tlsext_funcs(tlsext, is_server);
2115 if (!ext->parse(s, msg_type, &extension_data, &alert_desc))
2116 goto err;
2117
2118 if (CBS_len(&extension_data) != 0)
2119 goto err;
2120 }
2121
2122 return 1;
2123
2124 err:
2125 *alert = alert_desc;
2126
2127 return 0;
2128}
2129
2130static void
2131tlsext_server_reset_state(SSL *s)
2132{
2133 s->tlsext_status_type = -1;
2134 S3I(s)->renegotiate_seen = 0;
2135 free(S3I(s)->alpn_selected);
2136 S3I(s)->alpn_selected = NULL;
2137 S3I(s)->alpn_selected_len = 0;
2138 s->internal->srtp_profile = NULL;
2139}
2140
2141int
2142tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
2143{
2144 return tlsext_build(s, 1, msg_type, cbb);
2145}
2146
2147int
2148tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2149{
2150 /* XXX - this should be done by the caller... */
2151 if (msg_type == SSL_TLSEXT_MSG_CH)
2152 tlsext_server_reset_state(s);
2153
2154 return tlsext_parse(s, 1, msg_type, cbs, alert);
2155}
2156
2157static void
2158tlsext_client_reset_state(SSL *s)
2159{
2160 S3I(s)->renegotiate_seen = 0;
2161 free(S3I(s)->alpn_selected);
2162 S3I(s)->alpn_selected = NULL;
2163 S3I(s)->alpn_selected_len = 0;
2164}
2165
2166int
2167tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
2168{
2169 return tlsext_build(s, 0, msg_type, cbb);
2170}
2171
2172int
2173tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2174{
2175 /* XXX - this should be done by the caller... */
2176 if (msg_type == SSL_TLSEXT_MSG_SH)
2177 tlsext_client_reset_state(s);
2178
2179 return tlsext_parse(s, 0, msg_type, cbs, alert);
2180}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-12 17:47:49 +0000