summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_tlsext.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/ssl_tlsext.c')
-rw-r--r--src/lib/libssl/ssl_tlsext.c2519
1 files changed, 0 insertions, 2519 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
deleted file mode 100644
index 5dd4b69dc5..0000000000
--- a/src/lib/libssl/ssl_tlsext.c
+++ /dev/null
@@ -1,2519 +0,0 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.137 2023/04/28 18:14:59 tb Exp $ */
2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <sys/socket.h>
21
22#include <arpa/inet.h>
23#include <netinet/in.h>
24
25#include <ctype.h>
26
27#include <openssl/ocsp.h>
28#include <openssl/opensslconf.h>
29
30#include "bytestring.h"
31#include "ssl_local.h"
32#include "ssl_sigalgs.h"
33#include "ssl_tlsext.h"
34
35#define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation
36
37/*
38 * Supported Application-Layer Protocol Negotiation - RFC 7301
39 */
40
41static int
42tlsext_alpn_client_needs(SSL *s, uint16_t msg_type)
43{
44 /* ALPN protos have been specified and this is the initial handshake */
45 return s->alpn_client_proto_list != NULL &&
46 s->s3->hs.finished_len == 0;
47}
48
49static int
50tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
51{
52 CBB protolist;
53
54 if (!CBB_add_u16_length_prefixed(cbb, &protolist))
55 return 0;
56
57 if (!CBB_add_bytes(&protolist, s->alpn_client_proto_list,
58 s->alpn_client_proto_list_len))
59 return 0;
60
61 if (!CBB_flush(cbb))
62 return 0;
63
64 return 1;
65}
66
67int
68tlsext_alpn_check_format(CBS *cbs)
69{
70 CBS proto_name_list;
71
72 if (CBS_len(cbs) == 0)
73 return 0;
74
75 CBS_dup(cbs, &proto_name_list);
76 while (CBS_len(&proto_name_list) > 0) {
77 CBS proto_name;
78
79 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
80 return 0;
81 if (CBS_len(&proto_name) == 0)
82 return 0;
83 }
84
85 return 1;
86}
87
88static int
89tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
90{
91 CBS alpn, selected_cbs;
92 const unsigned char *selected;
93 unsigned char selected_len;
94 int r;
95
96 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
97 return 0;
98
99 if (!tlsext_alpn_check_format(&alpn))
100 return 0;
101
102 if (s->ctx->alpn_select_cb == NULL)
103 return 1;
104
105 /*
106 * XXX - A few things should be considered here:
107 * 1. Ensure that the same protocol is selected on session resumption.
108 * 2. Should the callback be called even if no ALPN extension was sent?
109 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed.
110 */
111 r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
112 CBS_data(&alpn), CBS_len(&alpn),
113 s->ctx->alpn_select_cb_arg);
114
115 if (r == SSL_TLSEXT_ERR_OK) {
116 CBS_init(&selected_cbs, selected, selected_len);
117
118 if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected,
119 &s->s3->alpn_selected_len)) {
120 *alert = SSL_AD_INTERNAL_ERROR;
121 return 0;
122 }
123
124 return 1;
125 }
126
127 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */
128 if (r == SSL_TLSEXT_ERR_NOACK)
129 return 1;
130
131 *alert = SSL_AD_NO_APPLICATION_PROTOCOL;
132 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL);
133
134 return 0;
135}
136
137static int
138tlsext_alpn_server_needs(SSL *s, uint16_t msg_type)
139{
140 return s->s3->alpn_selected != NULL;
141}
142
143static int
144tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
145{
146 CBB list, selected;
147
148 if (!CBB_add_u16_length_prefixed(cbb, &list))
149 return 0;
150
151 if (!CBB_add_u8_length_prefixed(&list, &selected))
152 return 0;
153
154 if (!CBB_add_bytes(&selected, s->s3->alpn_selected,
155 s->s3->alpn_selected_len))
156 return 0;
157
158 if (!CBB_flush(cbb))
159 return 0;
160
161 return 1;
162}
163
164static int
165tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
166{
167 CBS list, proto;
168
169 if (s->alpn_client_proto_list == NULL) {
170 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
171 return 0;
172 }
173
174 if (!CBS_get_u16_length_prefixed(cbs, &list))
175 return 0;
176
177 if (!CBS_get_u8_length_prefixed(&list, &proto))
178 return 0;
179
180 if (CBS_len(&list) != 0)
181 return 0;
182 if (CBS_len(&proto) == 0)
183 return 0;
184
185 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len))
186 return 0;
187
188 return 1;
189}
190
191/*
192 * Supported Groups - RFC 7919 section 2
193 */
194static int
195tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type)
196{
197 return ssl_has_ecc_ciphers(s) ||
198 (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
199}
200
201static int
202tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
203{
204 const uint16_t *groups;
205 size_t groups_len;
206 CBB grouplist;
207 int i;
208
209 tls1_get_group_list(s, 0, &groups, &groups_len);
210 if (groups_len == 0) {
211 SSLerror(s, ERR_R_INTERNAL_ERROR);
212 return 0;
213 }
214
215 if (!CBB_add_u16_length_prefixed(cbb, &grouplist))
216 return 0;
217
218 for (i = 0; i < groups_len; i++) {
219 if (!ssl_security_supported_group(s, groups[i]))
220 continue;
221 if (!CBB_add_u16(&grouplist, groups[i]))
222 return 0;
223 }
224
225 if (!CBB_flush(cbb))
226 return 0;
227
228 return 1;
229}
230
231static int
232tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
233 int *alert)
234{
235 CBS grouplist;
236 uint16_t *groups;
237 size_t groups_len;
238 int i;
239
240 if (!CBS_get_u16_length_prefixed(cbs, &grouplist))
241 return 0;
242
243 groups_len = CBS_len(&grouplist);
244 if (groups_len == 0 || groups_len % 2 != 0)
245 return 0;
246 groups_len /= 2;
247
248 if (s->hit)
249 return 1;
250
251 if (s->s3->hs.tls13.hrr) {
252 if (s->session->tlsext_supportedgroups == NULL) {
253 *alert = SSL_AD_HANDSHAKE_FAILURE;
254 return 0;
255 }
256
257 /*
258 * The ClientHello extension hashing ensures that the client
259 * did not change its list of supported groups.
260 */
261
262 return 1;
263 }
264
265 if (s->session->tlsext_supportedgroups != NULL)
266 return 0; /* XXX internal error? */
267
268 if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) {
269 *alert = SSL_AD_INTERNAL_ERROR;
270 return 0;
271 }
272
273 for (i = 0; i < groups_len; i++) {
274 if (!CBS_get_u16(&grouplist, &groups[i])) {
275 free(groups);
276 return 0;
277 }
278 }
279
280 if (CBS_len(&grouplist) != 0) {
281 free(groups);
282 return 0;
283 }
284
285 s->session->tlsext_supportedgroups = groups;
286 s->session->tlsext_supportedgroups_length = groups_len;
287
288 return 1;
289}
290
291/* This extension is never used by the server. */
292static int
293tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type)
294{
295 return 0;
296}
297
298static int
299tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
300{
301 return 0;
302}
303
304static int
305tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
306 int *alert)
307{
308 /*
309 * Servers should not send this extension per the RFC.
310 *
311 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
312 * from at least 2014 but as of 2017, there are still large sites with
313 * this unpatched in production. As a result, we need to currently skip
314 * over the extension and ignore its content:
315 *
316 * https://support.f5.com/csp/article/K37345003
317 */
318 if (!CBS_skip(cbs, CBS_len(cbs))) {
319 *alert = SSL_AD_INTERNAL_ERROR;
320 return 0;
321 }
322
323 return 1;
324}
325
326/*
327 * Supported Point Formats Extension - RFC 4492 section 5.1.2
328 */
329static int
330tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb)
331{
332 CBB ecpf;
333 size_t formats_len;
334 const uint8_t *formats;
335
336 tls1_get_formatlist(s, 0, &formats, &formats_len);
337
338 if (formats_len == 0) {
339 SSLerror(s, ERR_R_INTERNAL_ERROR);
340 return 0;
341 }
342
343 if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
344 return 0;
345 if (!CBB_add_bytes(&ecpf, formats, formats_len))
346 return 0;
347 if (!CBB_flush(cbb))
348 return 0;
349
350 return 1;
351}
352
353static int
354tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
355{
356 CBS ecpf;
357
358 if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
359 return 0;
360 if (CBS_len(&ecpf) == 0)
361 return 0;
362
363 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
364 if (!CBS_contains_zero_byte(&ecpf)) {
365 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
366 *alert = SSL_AD_ILLEGAL_PARAMETER;
367 return 0;
368 }
369
370 if (!s->hit) {
371 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist),
372 &(s->session->tlsext_ecpointformatlist_length))) {
373 *alert = SSL_AD_INTERNAL_ERROR;
374 return 0;
375 }
376 }
377
378 return 1;
379}
380
381static int
382tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type)
383{
384 return ssl_has_ecc_ciphers(s);
385}
386
387static int
388tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
389{
390 return tlsext_ecpf_build(s, msg_type, cbb);
391}
392
393static int
394tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
395{
396 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
397}
398
399static int
400tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type)
401{
402 return ssl_using_ecc_cipher(s);
403}
404
405static int
406tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
407{
408 return tlsext_ecpf_build(s, msg_type, cbb);
409}
410
411static int
412tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
413{
414 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
415}
416
417/*
418 * Renegotiation Indication - RFC 5746.
419 */
420static int
421tlsext_ri_client_needs(SSL *s, uint16_t msg_type)
422{
423 return (s->renegotiate);
424}
425
426static int
427tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
428{
429 CBB reneg;
430
431 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
432 return 0;
433 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
434 s->s3->previous_client_finished_len))
435 return 0;
436 if (!CBB_flush(cbb))
437 return 0;
438
439 return 1;
440}
441
442static int
443tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
444{
445 CBS reneg;
446
447 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) {
448 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
449 return 0;
450 }
451
452 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished,
453 s->s3->previous_client_finished_len)) {
454 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
455 *alert = SSL_AD_HANDSHAKE_FAILURE;
456 return 0;
457 }
458
459 s->s3->renegotiate_seen = 1;
460 s->s3->send_connection_binding = 1;
461
462 return 1;
463}
464
465static int
466tlsext_ri_server_needs(SSL *s, uint16_t msg_type)
467{
468 return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
469 s->s3->send_connection_binding);
470}
471
472static int
473tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
474{
475 CBB reneg;
476
477 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
478 return 0;
479 if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
480 s->s3->previous_client_finished_len))
481 return 0;
482 if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished,
483 s->s3->previous_server_finished_len))
484 return 0;
485 if (!CBB_flush(cbb))
486 return 0;
487
488 return 1;
489}
490
491static int
492tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
493{
494 CBS reneg, prev_client, prev_server;
495
496 /*
497 * Ensure that the previous client and server values are both not
498 * present, or that they are both present.
499 */
500 if ((s->s3->previous_client_finished_len == 0 &&
501 s->s3->previous_server_finished_len != 0) ||
502 (s->s3->previous_client_finished_len != 0 &&
503 s->s3->previous_server_finished_len == 0)) {
504 *alert = SSL_AD_INTERNAL_ERROR;
505 return 0;
506 }
507
508 if (!CBS_get_u8_length_prefixed(cbs, &reneg)) {
509 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
510 return 0;
511 }
512 if (!CBS_get_bytes(&reneg, &prev_client,
513 s->s3->previous_client_finished_len)) {
514 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
515 return 0;
516 }
517 if (!CBS_get_bytes(&reneg, &prev_server,
518 s->s3->previous_server_finished_len)) {
519 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
520 return 0;
521 }
522 if (CBS_len(&reneg) != 0) {
523 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
524 return 0;
525 }
526
527 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished,
528 s->s3->previous_client_finished_len)) {
529 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
530 *alert = SSL_AD_HANDSHAKE_FAILURE;
531 return 0;
532 }
533 if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished,
534 s->s3->previous_server_finished_len)) {
535 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
536 *alert = SSL_AD_HANDSHAKE_FAILURE;
537 return 0;
538 }
539
540 s->s3->renegotiate_seen = 1;
541 s->s3->send_connection_binding = 1;
542
543 return 1;
544}
545
546/*
547 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
548 */
549static int
550tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
551{
552 return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION);
553}
554
555static int
556tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
557{
558 uint16_t tls_version = s->s3->hs.negotiated_tls_version;
559 CBB sigalgs;
560
561 if (msg_type == SSL_TLSEXT_MSG_CH)
562 tls_version = s->s3->hs.our_min_tls_version;
563
564 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
565 return 0;
566 if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s)))
567 return 0;
568 if (!CBB_flush(cbb))
569 return 0;
570
571 return 1;
572}
573
574static int
575tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
576{
577 CBS sigalgs;
578
579 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
580 return 0;
581 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
582 return 0;
583 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
584 return 0;
585
586 return 1;
587}
588
589static int
590tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
591{
592 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
593}
594
595static int
596tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
597{
598 CBB sigalgs;
599
600 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
601 return 0;
602 if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs,
603 SSL_get_security_level(s)))
604 return 0;
605 if (!CBB_flush(cbb))
606 return 0;
607
608 return 1;
609}
610
611static int
612tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
613{
614 CBS sigalgs;
615
616 if (ssl_effective_tls_version(s) < TLS1_3_VERSION)
617 return 0;
618
619 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
620 return 0;
621 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
622 return 0;
623 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
624 return 0;
625
626 return 1;
627}
628
629/*
630 * Server Name Indication - RFC 6066, section 3.
631 */
632static int
633tlsext_sni_client_needs(SSL *s, uint16_t msg_type)
634{
635 return (s->tlsext_hostname != NULL);
636}
637
638static int
639tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
640{
641 CBB server_name_list, host_name;
642
643 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
644 return 0;
645 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name))
646 return 0;
647 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
648 return 0;
649 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
650 strlen(s->tlsext_hostname)))
651 return 0;
652 if (!CBB_flush(cbb))
653 return 0;
654
655 return 1;
656}
657
658static int
659tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip)
660{
661 union {
662 struct in_addr ip4;
663 struct in6_addr ip6;
664 } addrbuf;
665 char *hostname = NULL;
666
667 *is_ip = 0;
668
669 if (!CBS_strdup(cbs, &hostname))
670 return 0;
671
672 if (inet_pton(AF_INET, hostname, &addrbuf) == 1 ||
673 inet_pton(AF_INET6, hostname, &addrbuf) == 1)
674 *is_ip = 1;
675
676 free(hostname);
677
678 return 1;
679}
680
681/*
682 * Validate that the CBS contains only a hostname consisting of RFC 5890
683 * compliant A-labels (see RFC 6066 section 3). Not a complete check
684 * since we don't parse punycode to verify its validity but limits to
685 * correct structure and character set.
686 */
687int
688tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip)
689{
690 uint8_t prev, c = 0;
691 int component = 0;
692 CBS hostname;
693
694 *is_ip = 0;
695
696 CBS_dup(cbs, &hostname);
697
698 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name)
699 return 0;
700
701 /* An IP literal is invalid as a host name (RFC 6066 section 3). */
702 if (!tlsext_sni_is_ip_literal(&hostname, is_ip))
703 return 0;
704 if (*is_ip)
705 return 0;
706
707 while (CBS_len(&hostname) > 0) {
708 prev = c;
709 if (!CBS_get_u8(&hostname, &c))
710 return 0;
711 /* Everything has to be ASCII, with no NUL byte. */
712 if (!isascii(c) || c == '\0')
713 return 0;
714 /* It must be alphanumeric, a '-', or a '.' */
715 if (!isalnum(c) && c != '-' && c != '.')
716 return 0;
717 /* '-' and '.' must not start a component or be at the end. */
718 if (component == 0 || CBS_len(&hostname) == 0) {
719 if (c == '-' || c == '.')
720 return 0;
721 }
722 if (c == '.') {
723 /* Components can not end with a dash. */
724 if (prev == '-')
725 return 0;
726 /* Start new component */
727 component = 0;
728 continue;
729 }
730 /* Components must be 63 chars or less. */
731 if (++component > 63)
732 return 0;
733 }
734
735 return 1;
736}
737
738static int
739tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
740{
741 CBS server_name_list, host_name;
742 uint8_t name_type;
743 int is_ip;
744
745 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
746 goto err;
747
748 if (!CBS_get_u8(&server_name_list, &name_type))
749 goto err;
750
751 /*
752 * RFC 6066 section 3, only one type (host_name) is specified.
753 * We do not tolerate unknown types, neither does BoringSSL.
754 * other implementations appear more tolerant.
755 */
756 if (name_type != TLSEXT_NAMETYPE_host_name) {
757 *alert = SSL_AD_ILLEGAL_PARAMETER;
758 goto err;
759 }
760
761 /*
762 * RFC 6066 section 3 specifies a host name must be at least 1 byte
763 * so 0 length is a decode error.
764 */
765 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
766 goto err;
767 if (CBS_len(&host_name) < 1)
768 goto err;
769
770 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) {
771 /*
772 * Various pieces of software have been known to set the SNI
773 * host name to an IP address, even though that violates the
774 * RFC. If this is the case, pretend the SNI extension does
775 * not exist.
776 */
777 if (is_ip)
778 goto done;
779
780 *alert = SSL_AD_ILLEGAL_PARAMETER;
781 goto err;
782 }
783
784 if (s->hit || s->s3->hs.tls13.hrr) {
785 if (s->session->tlsext_hostname == NULL) {
786 *alert = SSL_AD_UNRECOGNIZED_NAME;
787 goto err;
788 }
789 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
790 strlen(s->session->tlsext_hostname))) {
791 *alert = SSL_AD_UNRECOGNIZED_NAME;
792 goto err;
793 }
794 } else {
795 if (s->session->tlsext_hostname != NULL)
796 goto err;
797 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
798 *alert = SSL_AD_INTERNAL_ERROR;
799 goto err;
800 }
801 }
802
803 done:
804 /*
805 * RFC 6066 section 3 forbids multiple host names with the same type,
806 * therefore we allow only one entry.
807 */
808 if (CBS_len(&server_name_list) != 0) {
809 *alert = SSL_AD_ILLEGAL_PARAMETER;
810 goto err;
811 }
812
813 return 1;
814
815 err:
816 return 0;
817}
818
819static int
820tlsext_sni_server_needs(SSL *s, uint16_t msg_type)
821{
822 if (s->hit)
823 return 0;
824
825 return (s->session->tlsext_hostname != NULL);
826}
827
828static int
829tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
830{
831 return 1;
832}
833
834static int
835tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
836{
837 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
838 *alert = SSL_AD_UNRECOGNIZED_NAME;
839 return 0;
840 }
841
842 if (s->hit) {
843 if (s->session->tlsext_hostname == NULL) {
844 *alert = SSL_AD_UNRECOGNIZED_NAME;
845 return 0;
846 }
847 if (strcmp(s->tlsext_hostname,
848 s->session->tlsext_hostname) != 0) {
849 *alert = SSL_AD_UNRECOGNIZED_NAME;
850 return 0;
851 }
852 } else {
853 if (s->session->tlsext_hostname != NULL)
854 return 0;
855 if ((s->session->tlsext_hostname =
856 strdup(s->tlsext_hostname)) == NULL) {
857 *alert = SSL_AD_INTERNAL_ERROR;
858 return 0;
859 }
860 }
861
862 return 1;
863}
864
865/*
866 * Certificate Status Request - RFC 6066 section 8.
867 */
868
869static int
870tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
871{
872 if (msg_type != SSL_TLSEXT_MSG_CH)
873 return 0;
874
875 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp);
876}
877
878static int
879tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
880{
881 CBB respid_list, respid, exts;
882 unsigned char *ext_data;
883 size_t ext_len;
884 int i;
885
886 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
887 return 0;
888 if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
889 return 0;
890 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
891 unsigned char *respid_data;
892 OCSP_RESPID *id;
893 size_t id_len;
894
895 if ((id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids,
896 i)) == NULL)
897 return 0;
898 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
899 return 0;
900 if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
901 return 0;
902 if (!CBB_add_space(&respid, &respid_data, id_len))
903 return 0;
904 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
905 return 0;
906 }
907 if (!CBB_add_u16_length_prefixed(cbb, &exts))
908 return 0;
909 if ((ext_len = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts,
910 NULL)) == -1)
911 return 0;
912 if (!CBB_add_space(&exts, &ext_data, ext_len))
913 return 0;
914 if ((i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ext_data) !=
915 ext_len))
916 return 0;
917 if (!CBB_flush(cbb))
918 return 0;
919 return 1;
920}
921
922static int
923tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
924{
925 int alert_desc = SSL_AD_DECODE_ERROR;
926 CBS respid_list, respid, exts;
927 const unsigned char *p;
928 uint8_t status_type;
929 int ret = 0;
930
931 if (msg_type != SSL_TLSEXT_MSG_CH)
932 goto err;
933
934 if (!CBS_get_u8(cbs, &status_type))
935 goto err;
936 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
937 /* ignore unknown status types */
938 s->tlsext_status_type = -1;
939
940 if (!CBS_skip(cbs, CBS_len(cbs))) {
941 *alert = SSL_AD_INTERNAL_ERROR;
942 return 0;
943 }
944 return 1;
945 }
946 s->tlsext_status_type = status_type;
947 if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
948 goto err;
949
950 /* XXX */
951 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
952 s->tlsext_ocsp_ids = NULL;
953 if (CBS_len(&respid_list) > 0) {
954 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
955 if (s->tlsext_ocsp_ids == NULL) {
956 alert_desc = SSL_AD_INTERNAL_ERROR;
957 goto err;
958 }
959 }
960
961 while (CBS_len(&respid_list) > 0) {
962 OCSP_RESPID *id;
963
964 if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
965 goto err;
966 p = CBS_data(&respid);
967 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL)
968 goto err;
969 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
970 alert_desc = SSL_AD_INTERNAL_ERROR;
971 OCSP_RESPID_free(id);
972 goto err;
973 }
974 }
975
976 /* Read in request_extensions */
977 if (!CBS_get_u16_length_prefixed(cbs, &exts))
978 goto err;
979 if (CBS_len(&exts) > 0) {
980 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
981 X509_EXTENSION_free);
982 p = CBS_data(&exts);
983 if ((s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
984 &p, CBS_len(&exts))) == NULL)
985 goto err;
986 }
987
988 ret = 1;
989 err:
990 if (ret == 0)
991 *alert = alert_desc;
992 return ret;
993}
994
995static int
996tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type)
997{
998 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
999 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
1000 s->ctx->tlsext_status_cb != NULL) {
1001 s->tlsext_status_expected = 0;
1002 if (s->ctx->tlsext_status_cb(s,
1003 s->ctx->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
1004 s->tlsext_ocsp_resp_len > 0)
1005 s->tlsext_status_expected = 1;
1006 }
1007 return s->tlsext_status_expected;
1008}
1009
1010static int
1011tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1012{
1013 CBB ocsp_response;
1014
1015 if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) {
1016 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
1017 return 0;
1018 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
1019 return 0;
1020 if (!CBB_add_bytes(&ocsp_response,
1021 s->tlsext_ocsp_resp,
1022 s->tlsext_ocsp_resp_len))
1023 return 0;
1024 if (!CBB_flush(cbb))
1025 return 0;
1026 }
1027 return 1;
1028}
1029
1030static int
1031tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1032{
1033 uint8_t status_type;
1034 CBS response;
1035
1036 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) {
1037 if (msg_type == SSL_TLSEXT_MSG_CR) {
1038 /*
1039 * RFC 8446, 4.4.2.1 - the server may request an OCSP
1040 * response with an empty status_request.
1041 */
1042 if (CBS_len(cbs) == 0)
1043 return 1;
1044
1045 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1046 return 0;
1047 }
1048 if (!CBS_get_u8(cbs, &status_type)) {
1049 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1050 return 0;
1051 }
1052 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1053 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
1054 return 0;
1055 }
1056 if (!CBS_get_u24_length_prefixed(cbs, &response)) {
1057 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1058 return 0;
1059 }
1060 if (CBS_len(&response) > 65536) {
1061 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1062 return 0;
1063 }
1064 if (!CBS_stow(&response, &s->tlsext_ocsp_resp,
1065 &s->tlsext_ocsp_resp_len)) {
1066 *alert = SSL_AD_INTERNAL_ERROR;
1067 return 0;
1068 }
1069 } else {
1070 if (s->tlsext_status_type == -1) {
1071 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1072 return 0;
1073 }
1074 /* Set flag to expect CertificateStatus message */
1075 s->tlsext_status_expected = 1;
1076 }
1077 return 1;
1078}
1079
1080/*
1081 * SessionTicket extension - RFC 5077 section 3.2
1082 */
1083static int
1084tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
1085{
1086 /*
1087 * Send session ticket extension when enabled and not overridden.
1088 *
1089 * When renegotiating, send an empty session ticket to indicate support.
1090 */
1091 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
1092 return 0;
1093
1094 if (!ssl_security_tickets(s))
1095 return 0;
1096
1097 if (s->new_session)
1098 return 1;
1099
1100 if (s->tlsext_session_ticket != NULL &&
1101 s->tlsext_session_ticket->data == NULL)
1102 return 0;
1103
1104 return 1;
1105}
1106
1107static int
1108tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1109{
1110 /*
1111 * Signal that we support session tickets by sending an empty
1112 * extension when renegotiating or no session found.
1113 */
1114 if (s->new_session || s->session == NULL)
1115 return 1;
1116
1117 if (s->session->tlsext_tick != NULL) {
1118 /* Attempt to resume with an existing session ticket */
1119 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1120 s->session->tlsext_ticklen))
1121 return 0;
1122
1123 } else if (s->tlsext_session_ticket != NULL) {
1124 /*
1125 * Attempt to resume with a custom provided session ticket set
1126 * by SSL_set_session_ticket_ext().
1127 */
1128 if (s->tlsext_session_ticket->length > 0) {
1129 size_t ticklen = s->tlsext_session_ticket->length;
1130
1131 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL)
1132 return 0;
1133 memcpy(s->session->tlsext_tick,
1134 s->tlsext_session_ticket->data,
1135 ticklen);
1136 s->session->tlsext_ticklen = ticklen;
1137
1138 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1139 s->session->tlsext_ticklen))
1140 return 0;
1141 }
1142 }
1143
1144 if (!CBB_flush(cbb))
1145 return 0;
1146
1147 return 1;
1148}
1149
1150static int
1151tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1152 int *alert)
1153{
1154 if (s->tls_session_ticket_ext_cb) {
1155 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1156 (int)CBS_len(cbs),
1157 s->tls_session_ticket_ext_cb_arg)) {
1158 *alert = SSL_AD_INTERNAL_ERROR;
1159 return 0;
1160 }
1161 }
1162
1163 /* We need to signal that this was processed fully */
1164 if (!CBS_skip(cbs, CBS_len(cbs))) {
1165 *alert = SSL_AD_INTERNAL_ERROR;
1166 return 0;
1167 }
1168
1169 return 1;
1170}
1171
1172static int
1173tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
1174{
1175 return (s->tlsext_ticket_expected &&
1176 !(SSL_get_options(s) & SSL_OP_NO_TICKET) &&
1177 ssl_security_tickets(s));
1178}
1179
1180static int
1181tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1182{
1183 /* Empty ticket */
1184 return 1;
1185}
1186
1187static int
1188tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1189 int *alert)
1190{
1191 if (s->tls_session_ticket_ext_cb) {
1192 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1193 (int)CBS_len(cbs),
1194 s->tls_session_ticket_ext_cb_arg)) {
1195 *alert = SSL_AD_INTERNAL_ERROR;
1196 return 0;
1197 }
1198 }
1199
1200 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
1201 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1202 return 0;
1203 }
1204
1205 s->tlsext_ticket_expected = 1;
1206
1207 return 1;
1208}
1209
1210/*
1211 * DTLS extension for SRTP key establishment - RFC 5764
1212 */
1213
1214#ifndef OPENSSL_NO_SRTP
1215
1216static int
1217tlsext_srtp_client_needs(SSL *s, uint16_t msg_type)
1218{
1219 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL;
1220}
1221
1222static int
1223tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1224{
1225 CBB profiles, mki;
1226 int ct, i;
1227 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL;
1228 const SRTP_PROTECTION_PROFILE *prof;
1229
1230 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1231 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1232 return 0;
1233 }
1234
1235 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) {
1236 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1237 return 0;
1238 }
1239
1240 if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1241 return 0;
1242
1243 for (i = 0; i < ct; i++) {
1244 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL)
1245 return 0;
1246 if (!CBB_add_u16(&profiles, prof->id))
1247 return 0;
1248 }
1249
1250 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1251 return 0;
1252
1253 if (!CBB_flush(cbb))
1254 return 0;
1255
1256 return 1;
1257}
1258
1259static int
1260tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1261{
1262 const SRTP_PROTECTION_PROFILE *cprof, *sprof;
1263 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
1264 int i, j;
1265 int ret;
1266 uint16_t id;
1267 CBS profiles, mki;
1268
1269 ret = 0;
1270
1271 if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1272 goto err;
1273 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1274 goto err;
1275
1276 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL)
1277 goto err;
1278
1279 while (CBS_len(&profiles) > 0) {
1280 if (!CBS_get_u16(&profiles, &id))
1281 goto err;
1282
1283 if (!srtp_find_profile_by_num(id, &cprof)) {
1284 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof))
1285 goto err;
1286 }
1287 }
1288
1289 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1290 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1291 goto done;
1292 }
1293
1294 /*
1295 * Per RFC 5764 section 4.1.1
1296 *
1297 * Find the server preferred profile using the client's list.
1298 *
1299 * The server MUST send a profile if it sends the use_srtp
1300 * extension. If one is not found, it should fall back to the
1301 * negotiated DTLS cipher suite or return a DTLS alert.
1302 */
1303 if ((srvr = SSL_get_srtp_profiles(s)) == NULL)
1304 goto err;
1305 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
1306 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL)
1307 goto err;
1308
1309 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
1310 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j))
1311 == NULL)
1312 goto err;
1313
1314 if (cprof->id == sprof->id) {
1315 s->srtp_profile = sprof;
1316 ret = 1;
1317 goto done;
1318 }
1319 }
1320 }
1321
1322 /* If we didn't find anything, fall back to the negotiated */
1323 ret = 1;
1324 goto done;
1325
1326 err:
1327 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1328
1329 done:
1330 sk_SRTP_PROTECTION_PROFILE_free(clnt);
1331 return ret;
1332}
1333
1334static int
1335tlsext_srtp_server_needs(SSL *s, uint16_t msg_type)
1336{
1337 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL;
1338}
1339
1340static int
1341tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1342{
1343 SRTP_PROTECTION_PROFILE *profile;
1344 CBB srtp, mki;
1345
1346 if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1347 return 0;
1348
1349 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL)
1350 return 0;
1351
1352 if (!CBB_add_u16(&srtp, profile->id))
1353 return 0;
1354
1355 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1356 return 0;
1357
1358 if (!CBB_flush(cbb))
1359 return 0;
1360
1361 return 1;
1362}
1363
1364static int
1365tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1366{
1367 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1368 const SRTP_PROTECTION_PROFILE *prof;
1369 int i;
1370 uint16_t id;
1371 CBS profile_ids, mki;
1372
1373 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1374 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1375 return 0;
1376 }
1377
1378 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1379 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1380 return 0;
1381 }
1382
1383 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1384 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1385 *alert = SSL_AD_ILLEGAL_PARAMETER;
1386 return 0;
1387 }
1388
1389 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1390 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1391 return 0;
1392 }
1393
1394 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1395 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i))
1396 == NULL) {
1397 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1398 return 0;
1399 }
1400
1401 if (prof->id == id) {
1402 s->srtp_profile = prof;
1403 return 1;
1404 }
1405 }
1406
1407 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1408
1409 return 0;
1410}
1411
1412#endif /* OPENSSL_NO_SRTP */
1413
1414/*
1415 * TLSv1.3 Key Share - RFC 8446 section 4.2.8.
1416 */
1417static int
1418tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1419{
1420 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1421}
1422
1423static int
1424tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1425{
1426 CBB client_shares, key_exchange;
1427
1428 if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
1429 return 0;
1430
1431 if (!CBB_add_u16(&client_shares,
1432 tls_key_share_group(s->s3->hs.key_share)))
1433 return 0;
1434 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
1435 return 0;
1436 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1437 return 0;
1438
1439 if (!CBB_flush(cbb))
1440 return 0;
1441
1442 return 1;
1443}
1444
1445static int
1446tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1447{
1448 CBS client_shares, key_exchange;
1449 int decode_error;
1450 uint16_t group;
1451
1452 if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1453 return 0;
1454
1455 while (CBS_len(&client_shares) > 0) {
1456
1457 /* Unpack client share. */
1458 if (!CBS_get_u16(&client_shares, &group))
1459 return 0;
1460 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1461 return 0;
1462
1463 /*
1464 * XXX - check key exchange against supported groups from client.
1465 * XXX - check that groups only appear once.
1466 */
1467
1468 /*
1469 * Ignore this client share if we're using earlier than TLSv1.3
1470 * or we've already selected a key share.
1471 */
1472 if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION)
1473 continue;
1474 if (s->s3->hs.key_share != NULL)
1475 continue;
1476
1477 /* XXX - consider implementing server preference. */
1478 if (!tls1_check_group(s, group))
1479 continue;
1480
1481 /* Decode and store the selected key share. */
1482 if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) {
1483 *alert = SSL_AD_INTERNAL_ERROR;
1484 return 0;
1485 }
1486 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1487 &key_exchange, &decode_error, NULL)) {
1488 if (!decode_error)
1489 *alert = SSL_AD_INTERNAL_ERROR;
1490 return 0;
1491 }
1492 }
1493
1494 return 1;
1495}
1496
1497static int
1498tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
1499{
1500 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1501 tlsext_extension_seen(s, TLSEXT_TYPE_key_share));
1502}
1503
1504static int
1505tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1506{
1507 CBB key_exchange;
1508
1509 /* In the case of a HRR, we only send the server selected group. */
1510 if (s->s3->hs.tls13.hrr) {
1511 if (s->s3->hs.tls13.server_group == 0)
1512 return 0;
1513 return CBB_add_u16(cbb, s->s3->hs.tls13.server_group);
1514 }
1515
1516 if (s->s3->hs.key_share == NULL)
1517 return 0;
1518
1519 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)))
1520 return 0;
1521 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
1522 return 0;
1523 if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1524 return 0;
1525
1526 if (!CBB_flush(cbb))
1527 return 0;
1528
1529 return 1;
1530}
1531
1532static int
1533tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1534{
1535 CBS key_exchange;
1536 int decode_error;
1537 uint16_t group;
1538
1539 /* Unpack server share. */
1540 if (!CBS_get_u16(cbs, &group))
1541 return 0;
1542
1543 if (CBS_len(cbs) == 0) {
1544 /* HRR does not include an actual key share, only the group. */
1545 if (msg_type != SSL_TLSEXT_MSG_HRR)
1546 return 0;
1547
1548 s->s3->hs.tls13.server_group = group;
1549 return 1;
1550 }
1551
1552 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1553 return 0;
1554
1555 if (s->s3->hs.key_share == NULL) {
1556 *alert = SSL_AD_INTERNAL_ERROR;
1557 return 0;
1558 }
1559 if (tls_key_share_group(s->s3->hs.key_share) != group) {
1560 *alert = SSL_AD_INTERNAL_ERROR;
1561 return 0;
1562 }
1563 if (!tls_key_share_peer_public(s->s3->hs.key_share,
1564 &key_exchange, &decode_error, NULL)) {
1565 if (!decode_error)
1566 *alert = SSL_AD_INTERNAL_ERROR;
1567 return 0;
1568 }
1569
1570 return 1;
1571}
1572
1573/*
1574 * Supported Versions - RFC 8446 section 4.2.1.
1575 */
1576static int
1577tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
1578{
1579 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1580}
1581
1582static int
1583tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1584{
1585 uint16_t max, min;
1586 uint16_t version;
1587 CBB versions;
1588
1589 max = s->s3->hs.our_max_tls_version;
1590 min = s->s3->hs.our_min_tls_version;
1591
1592 if (!CBB_add_u8_length_prefixed(cbb, &versions))
1593 return 0;
1594
1595 /* XXX - fix, but contiguous for now... */
1596 for (version = max; version >= min; version--) {
1597 if (!CBB_add_u16(&versions, version))
1598 return 0;
1599 }
1600
1601 if (!CBB_flush(cbb))
1602 return 0;
1603
1604 return 1;
1605}
1606
1607static int
1608tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1609{
1610 CBS versions;
1611 uint16_t version;
1612 uint16_t max, min;
1613 uint16_t matched_version = 0;
1614
1615 max = s->s3->hs.our_max_tls_version;
1616 min = s->s3->hs.our_min_tls_version;
1617
1618 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1619 return 0;
1620
1621 while (CBS_len(&versions) > 0) {
1622 if (!CBS_get_u16(&versions, &version))
1623 return 0;
1624 /*
1625 * XXX What is below implements client preference, and
1626 * ignores any server preference entirely.
1627 */
1628 if (matched_version == 0 && version >= min && version <= max)
1629 matched_version = version;
1630 }
1631
1632 if (matched_version > 0) {
1633 /* XXX - this should be stored for later processing. */
1634 s->version = matched_version;
1635 return 1;
1636 }
1637
1638 *alert = SSL_AD_PROTOCOL_VERSION;
1639 return 0;
1640}
1641
1642static int
1643tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
1644{
1645 return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
1646}
1647
1648static int
1649tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1650{
1651 return CBB_add_u16(cbb, TLS1_3_VERSION);
1652}
1653
1654static int
1655tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1656{
1657 uint16_t selected_version;
1658
1659 if (!CBS_get_u16(cbs, &selected_version))
1660 return 0;
1661
1662 /* XXX - need to fix for DTLS 1.3 */
1663 if (selected_version < TLS1_3_VERSION) {
1664 *alert = SSL_AD_ILLEGAL_PARAMETER;
1665 return 0;
1666 }
1667
1668 /* XXX test between min and max once initialization code goes in */
1669 s->s3->hs.tls13.server_version = selected_version;
1670
1671 return 1;
1672}
1673
1674
1675/*
1676 * Cookie - RFC 8446 section 4.2.2.
1677 */
1678
1679static int
1680tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
1681{
1682 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1683 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1684}
1685
1686static int
1687tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1688{
1689 CBB cookie;
1690
1691 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1692 return 0;
1693
1694 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1695 s->s3->hs.tls13.cookie_len))
1696 return 0;
1697
1698 if (!CBB_flush(cbb))
1699 return 0;
1700
1701 return 1;
1702}
1703
1704static int
1705tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1706{
1707 CBS cookie;
1708
1709 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1710 return 0;
1711
1712 if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len)
1713 return 0;
1714
1715 /*
1716 * Check provided cookie value against what server previously
1717 * sent - client *MUST* send the same cookie with new CR after
1718 * a cookie is sent by the server with an HRR.
1719 */
1720 if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie,
1721 s->s3->hs.tls13.cookie_len)) {
1722 /* XXX special cookie mismatch alert? */
1723 *alert = SSL_AD_ILLEGAL_PARAMETER;
1724 return 0;
1725 }
1726
1727 return 1;
1728}
1729
1730static int
1731tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
1732{
1733 /*
1734 * Server needs to set cookie value in tls13 handshake
1735 * in order to send one, should only be sent with HRR.
1736 */
1737 return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1738 s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1739}
1740
1741static int
1742tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1743{
1744 CBB cookie;
1745
1746 /* XXX deduplicate with client code */
1747
1748 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1749 return 0;
1750
1751 if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1752 s->s3->hs.tls13.cookie_len))
1753 return 0;
1754
1755 if (!CBB_flush(cbb))
1756 return 0;
1757
1758 return 1;
1759}
1760
1761static int
1762tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1763{
1764 CBS cookie;
1765
1766 /*
1767 * XXX This currently assumes we will not get a second
1768 * HRR from a server with a cookie to process after accepting
1769 * one from the server in the same handshake
1770 */
1771 if (s->s3->hs.tls13.cookie != NULL ||
1772 s->s3->hs.tls13.cookie_len != 0) {
1773 *alert = SSL_AD_ILLEGAL_PARAMETER;
1774 return 0;
1775 }
1776
1777 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1778 return 0;
1779
1780 if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie,
1781 &s->s3->hs.tls13.cookie_len))
1782 return 0;
1783
1784 return 1;
1785}
1786
1787/*
1788 * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9.
1789 */
1790
1791static int
1792tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type)
1793{
1794 return (s->s3->hs.tls13.use_psk_dhe_ke &&
1795 s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1796}
1797
1798static int
1799tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1800{
1801 CBB ke_modes;
1802
1803 if (!CBB_add_u8_length_prefixed(cbb, &ke_modes))
1804 return 0;
1805
1806 /* Only indicate support for PSK with DHE key establishment. */
1807 if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE))
1808 return 0;
1809
1810 if (!CBB_flush(cbb))
1811 return 0;
1812
1813 return 1;
1814}
1815
1816static int
1817tlsext_psk_kex_modes_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1818 int *alert)
1819{
1820 CBS ke_modes;
1821 uint8_t ke_mode;
1822
1823 if (!CBS_get_u8_length_prefixed(cbs, &ke_modes))
1824 return 0;
1825
1826 while (CBS_len(&ke_modes) > 0) {
1827 if (!CBS_get_u8(&ke_modes, &ke_mode))
1828 return 0;
1829
1830 if (ke_mode == TLS13_PSK_DHE_KE)
1831 s->s3->hs.tls13.use_psk_dhe_ke = 1;
1832 }
1833
1834 return 1;
1835}
1836
1837static int
1838tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type)
1839{
1840 /* Servers MUST NOT send this extension. */
1841 return 0;
1842}
1843
1844static int
1845tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1846{
1847 return 0;
1848}
1849
1850static int
1851tlsext_psk_kex_modes_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1852 int *alert)
1853{
1854 return 0;
1855}
1856
1857/*
1858 * Pre-Shared Key Extension - RFC 8446, 4.2.11
1859 */
1860
1861static int
1862tlsext_psk_client_needs(SSL *s, uint16_t msg_type)
1863{
1864 return 0;
1865}
1866
1867static int
1868tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1869{
1870 return 0;
1871}
1872
1873static int
1874tlsext_psk_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1875{
1876 return CBS_skip(cbs, CBS_len(cbs));
1877}
1878
1879static int
1880tlsext_psk_server_needs(SSL *s, uint16_t msg_type)
1881{
1882 return 0;
1883}
1884
1885static int
1886tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1887{
1888 return 0;
1889}
1890
1891static int
1892tlsext_psk_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1893{
1894 return CBS_skip(cbs, CBS_len(cbs));
1895}
1896
1897/*
1898 * QUIC transport parameters extension - RFC 9001 section 8.2.
1899 */
1900
1901static int
1902tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type)
1903{
1904 return SSL_is_quic(s) && s->quic_transport_params_len > 0;
1905}
1906
1907static int
1908tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type,
1909 CBB *cbb)
1910{
1911 if (!CBB_add_bytes(cbb, s->quic_transport_params,
1912 s->quic_transport_params_len))
1913 return 0;
1914
1915 return 1;
1916}
1917
1918static int
1919tlsext_quic_transport_parameters_client_parse(SSL *s, uint16_t msg_type,
1920 CBS *cbs, int *alert)
1921{
1922 if (!SSL_is_quic(s)) {
1923 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1924 return 0;
1925 }
1926
1927 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params,
1928 &s->s3->peer_quic_transport_params_len))
1929 return 0;
1930 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len))
1931 return 0;
1932
1933 return 1;
1934}
1935
1936static int
1937tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type)
1938{
1939 return SSL_is_quic(s) && s->quic_transport_params_len > 0;
1940}
1941
1942static int
1943tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type,
1944 CBB *cbb)
1945{
1946 if (!CBB_add_bytes(cbb, s->quic_transport_params,
1947 s->quic_transport_params_len))
1948 return 0;
1949
1950 return 1;
1951}
1952
1953static int
1954tlsext_quic_transport_parameters_server_parse(SSL *s, uint16_t msg_type,
1955 CBS *cbs, int *alert)
1956{
1957 if (!SSL_is_quic(s)) {
1958 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1959 return 0;
1960 }
1961
1962 if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params,
1963 &s->s3->peer_quic_transport_params_len))
1964 return 0;
1965 if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len))
1966 return 0;
1967
1968 return 1;
1969}
1970
1971struct tls_extension_funcs {
1972 int (*needs)(SSL *s, uint16_t msg_type);
1973 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
1974 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
1975};
1976
1977struct tls_extension {
1978 uint16_t type;
1979 uint16_t messages;
1980 struct tls_extension_funcs client;
1981 struct tls_extension_funcs server;
1982};
1983
1984static const struct tls_extension tls_extensions[] = {
1985 {
1986 .type = TLSEXT_TYPE_supported_versions,
1987 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
1988 SSL_TLSEXT_MSG_HRR,
1989 .client = {
1990 .needs = tlsext_versions_client_needs,
1991 .build = tlsext_versions_client_build,
1992 .parse = tlsext_versions_client_parse,
1993 },
1994 .server = {
1995 .needs = tlsext_versions_server_needs,
1996 .build = tlsext_versions_server_build,
1997 .parse = tlsext_versions_server_parse,
1998 },
1999 },
2000 {
2001 .type = TLSEXT_TYPE_key_share,
2002 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
2003 SSL_TLSEXT_MSG_HRR,
2004 .client = {
2005 .needs = tlsext_keyshare_client_needs,
2006 .build = tlsext_keyshare_client_build,
2007 .parse = tlsext_keyshare_client_parse,
2008 },
2009 .server = {
2010 .needs = tlsext_keyshare_server_needs,
2011 .build = tlsext_keyshare_server_build,
2012 .parse = tlsext_keyshare_server_parse,
2013 },
2014 },
2015 {
2016 .type = TLSEXT_TYPE_server_name,
2017 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2018 .client = {
2019 .needs = tlsext_sni_client_needs,
2020 .build = tlsext_sni_client_build,
2021 .parse = tlsext_sni_client_parse,
2022 },
2023 .server = {
2024 .needs = tlsext_sni_server_needs,
2025 .build = tlsext_sni_server_build,
2026 .parse = tlsext_sni_server_parse,
2027 },
2028 },
2029 {
2030 .type = TLSEXT_TYPE_renegotiate,
2031 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2032 .client = {
2033 .needs = tlsext_ri_client_needs,
2034 .build = tlsext_ri_client_build,
2035 .parse = tlsext_ri_client_parse,
2036 },
2037 .server = {
2038 .needs = tlsext_ri_server_needs,
2039 .build = tlsext_ri_server_build,
2040 .parse = tlsext_ri_server_parse,
2041 },
2042 },
2043 {
2044 .type = TLSEXT_TYPE_status_request,
2045 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR |
2046 SSL_TLSEXT_MSG_CT,
2047 .client = {
2048 .needs = tlsext_ocsp_client_needs,
2049 .build = tlsext_ocsp_client_build,
2050 .parse = tlsext_ocsp_client_parse,
2051 },
2052 .server = {
2053 .needs = tlsext_ocsp_server_needs,
2054 .build = tlsext_ocsp_server_build,
2055 .parse = tlsext_ocsp_server_parse,
2056 },
2057 },
2058 {
2059 .type = TLSEXT_TYPE_ec_point_formats,
2060 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2061 .client = {
2062 .needs = tlsext_ecpf_client_needs,
2063 .build = tlsext_ecpf_client_build,
2064 .parse = tlsext_ecpf_client_parse,
2065 },
2066 .server = {
2067 .needs = tlsext_ecpf_server_needs,
2068 .build = tlsext_ecpf_server_build,
2069 .parse = tlsext_ecpf_server_parse,
2070 },
2071 },
2072 {
2073 .type = TLSEXT_TYPE_supported_groups,
2074 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2075 .client = {
2076 .needs = tlsext_supportedgroups_client_needs,
2077 .build = tlsext_supportedgroups_client_build,
2078 .parse = tlsext_supportedgroups_client_parse,
2079 },
2080 .server = {
2081 .needs = tlsext_supportedgroups_server_needs,
2082 .build = tlsext_supportedgroups_server_build,
2083 .parse = tlsext_supportedgroups_server_parse,
2084 },
2085 },
2086 {
2087 .type = TLSEXT_TYPE_session_ticket,
2088 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2089 .client = {
2090 .needs = tlsext_sessionticket_client_needs,
2091 .build = tlsext_sessionticket_client_build,
2092 .parse = tlsext_sessionticket_client_parse,
2093 },
2094 .server = {
2095 .needs = tlsext_sessionticket_server_needs,
2096 .build = tlsext_sessionticket_server_build,
2097 .parse = tlsext_sessionticket_server_parse,
2098 },
2099 },
2100 {
2101 .type = TLSEXT_TYPE_signature_algorithms,
2102 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR,
2103 .client = {
2104 .needs = tlsext_sigalgs_client_needs,
2105 .build = tlsext_sigalgs_client_build,
2106 .parse = tlsext_sigalgs_client_parse,
2107 },
2108 .server = {
2109 .needs = tlsext_sigalgs_server_needs,
2110 .build = tlsext_sigalgs_server_build,
2111 .parse = tlsext_sigalgs_server_parse,
2112 },
2113 },
2114 {
2115 .type = TLSEXT_TYPE_alpn,
2116 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2117 .client = {
2118 .needs = tlsext_alpn_client_needs,
2119 .build = tlsext_alpn_client_build,
2120 .parse = tlsext_alpn_client_parse,
2121 },
2122 .server = {
2123 .needs = tlsext_alpn_server_needs,
2124 .build = tlsext_alpn_server_build,
2125 .parse = tlsext_alpn_server_parse,
2126 },
2127 },
2128 {
2129 .type = TLSEXT_TYPE_cookie,
2130 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
2131 .client = {
2132 .needs = tlsext_cookie_client_needs,
2133 .build = tlsext_cookie_client_build,
2134 .parse = tlsext_cookie_client_parse,
2135 },
2136 .server = {
2137 .needs = tlsext_cookie_server_needs,
2138 .build = tlsext_cookie_server_build,
2139 .parse = tlsext_cookie_server_parse,
2140 },
2141 },
2142#ifndef OPENSSL_NO_SRTP
2143 {
2144 .type = TLSEXT_TYPE_use_srtp,
2145 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ |
2146 SSL_TLSEXT_MSG_EE,
2147 .client = {
2148 .needs = tlsext_srtp_client_needs,
2149 .build = tlsext_srtp_client_build,
2150 .parse = tlsext_srtp_client_parse,
2151 },
2152 .server = {
2153 .needs = tlsext_srtp_server_needs,
2154 .build = tlsext_srtp_server_build,
2155 .parse = tlsext_srtp_server_parse,
2156 },
2157 },
2158#endif /* OPENSSL_NO_SRTP */
2159 {
2160 .type = TLSEXT_TYPE_quic_transport_parameters,
2161 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2162 .client = {
2163 .needs = tlsext_quic_transport_parameters_client_needs,
2164 .build = tlsext_quic_transport_parameters_client_build,
2165 .parse = tlsext_quic_transport_parameters_client_parse,
2166 },
2167 .server = {
2168 .needs = tlsext_quic_transport_parameters_server_needs,
2169 .build = tlsext_quic_transport_parameters_server_build,
2170 .parse = tlsext_quic_transport_parameters_server_parse,
2171 },
2172 },
2173 {
2174 .type = TLSEXT_TYPE_psk_key_exchange_modes,
2175 .messages = SSL_TLSEXT_MSG_CH,
2176 .client = {
2177 .needs = tlsext_psk_kex_modes_client_needs,
2178 .build = tlsext_psk_kex_modes_client_build,
2179 .parse = tlsext_psk_kex_modes_client_parse,
2180 },
2181 .server = {
2182 .needs = tlsext_psk_kex_modes_server_needs,
2183 .build = tlsext_psk_kex_modes_server_build,
2184 .parse = tlsext_psk_kex_modes_server_parse,
2185 },
2186 },
2187 {
2188 /* MUST be last extension in CH per RFC 8446 section 4.2. */
2189
2190 .type = TLSEXT_TYPE_pre_shared_key,
2191 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2192 .client = {
2193 .needs = tlsext_psk_client_needs,
2194 .build = tlsext_psk_client_build,
2195 .parse = tlsext_psk_client_parse,
2196 },
2197 .server = {
2198 .needs = tlsext_psk_server_needs,
2199 .build = tlsext_psk_server_build,
2200 .parse = tlsext_psk_server_parse,
2201 },
2202 },
2203};
2204
2205#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
2206
2207/* Ensure that extensions fit in a uint32_t bitmask. */
2208CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
2209
2210uint16_t
2211tls_extension_type(const struct tls_extension *extension)
2212{
2213 return extension->type;
2214}
2215
2216const struct tls_extension *
2217tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
2218{
2219 size_t i;
2220
2221 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2222 if (tls_extensions[i].type == type) {
2223 *tls_extensions_idx = i;
2224 return &tls_extensions[i];
2225 }
2226 }
2227
2228 return NULL;
2229}
2230
2231int
2232tlsext_extension_seen(SSL *s, uint16_t type)
2233{
2234 size_t idx;
2235
2236 if (tls_extension_find(type, &idx) == NULL)
2237 return 0;
2238 return ((s->s3->hs.extensions_seen & (1 << idx)) != 0);
2239}
2240
2241const struct tls_extension_funcs *
2242tlsext_funcs(const struct tls_extension *tlsext, int is_server)
2243{
2244 if (is_server)
2245 return &tlsext->server;
2246
2247 return &tlsext->client;
2248}
2249
2250int
2251tlsext_randomize_build_order(SSL *s)
2252{
2253 size_t idx, new_idx, psk_idx;
2254 size_t alpn_idx = 0, sni_idx = 0;
2255
2256 free(s->tlsext_build_order);
2257 s->tlsext_build_order_len = 0;
2258
2259 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
2260 N_TLS_EXTENSIONS)) == NULL)
2261 return 0;
2262 s->tlsext_build_order_len = N_TLS_EXTENSIONS;
2263
2264 /* RFC 8446, section 4.2: PSK must be the last extension in the CH. */
2265 psk_idx = N_TLS_EXTENSIONS - 1;
2266 s->tlsext_build_order[psk_idx] = &tls_extensions[psk_idx];
2267
2268 /* Fisher-Yates shuffle with PSK fixed. */
2269 for (idx = 0; idx < psk_idx; idx++) {
2270 new_idx = arc4random_uniform(idx + 1);
2271 s->tlsext_build_order[idx] = s->tlsext_build_order[new_idx];
2272 s->tlsext_build_order[new_idx] = &tls_extensions[idx];
2273 }
2274
2275 /*
2276 * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN
2277 * for clients so that virtual host setups work correctly.
2278 */
2279
2280 if (s->server)
2281 return 1;
2282
2283 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) {
2284 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn)
2285 alpn_idx = idx;
2286 if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name)
2287 sni_idx = idx;
2288 }
2289 if (alpn_idx < sni_idx) {
2290 const struct tls_extension *tmp;
2291
2292 tmp = s->tlsext_build_order[alpn_idx];
2293 s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx];
2294 s->tlsext_build_order[sni_idx] = tmp;
2295 }
2296
2297 return 1;
2298}
2299
2300int
2301tlsext_linearize_build_order(SSL *s)
2302{
2303 size_t idx;
2304
2305 free(s->tlsext_build_order);
2306 s->tlsext_build_order_len = 0;
2307
2308 if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
2309 N_TLS_EXTENSIONS)) == NULL)
2310 return 0;
2311 s->tlsext_build_order_len = N_TLS_EXTENSIONS;
2312
2313 for (idx = 0; idx < N_TLS_EXTENSIONS; idx++)
2314 s->tlsext_build_order[idx] = &tls_extensions[idx];
2315
2316 return 1;
2317}
2318
2319static int
2320tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
2321{
2322 const struct tls_extension_funcs *ext;
2323 const struct tls_extension *tlsext;
2324 CBB extensions, extension_data;
2325 int extensions_present = 0;
2326 uint16_t tls_version;
2327 size_t i;
2328
2329 tls_version = ssl_effective_tls_version(s);
2330
2331 if (!CBB_add_u16_length_prefixed(cbb, &extensions))
2332 return 0;
2333
2334 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2335 tlsext = s->tlsext_build_order[i];
2336 ext = tlsext_funcs(tlsext, is_server);
2337
2338 /* RFC 8446 Section 4.2 */
2339 if (tls_version >= TLS1_3_VERSION &&
2340 !(tlsext->messages & msg_type))
2341 continue;
2342
2343 if (!ext->needs(s, msg_type))
2344 continue;
2345
2346 if (!CBB_add_u16(&extensions, tlsext->type))
2347 return 0;
2348 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
2349 return 0;
2350
2351 if (!ext->build(s, msg_type, &extension_data))
2352 return 0;
2353
2354 extensions_present = 1;
2355 }
2356
2357 if (!extensions_present &&
2358 (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0)
2359 CBB_discard_child(cbb);
2360
2361 if (!CBB_flush(cbb))
2362 return 0;
2363
2364 return 1;
2365}
2366
2367int
2368tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs)
2369{
2370 /*
2371 * RFC 8446 4.1.2. For subsequent CH, early data will be removed,
2372 * cookie may be added, padding may be removed.
2373 */
2374 struct tls13_ctx *ctx = s->tls13;
2375
2376 if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie ||
2377 type == TLSEXT_TYPE_padding)
2378 return 1;
2379 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
2380 sizeof(type)))
2381 return 0;
2382 /*
2383 * key_share data may be changed, and pre_shared_key data may
2384 * be changed
2385 */
2386 if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share)
2387 return 1;
2388 if (!tls13_clienthello_hash_update(ctx, cbs))
2389 return 0;
2390
2391 return 1;
2392}
2393
2394static int
2395tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2396{
2397 const struct tls_extension_funcs *ext;
2398 const struct tls_extension *tlsext;
2399 CBS extensions, extension_data;
2400 uint16_t type;
2401 size_t idx;
2402 uint16_t tls_version;
2403 int alert_desc;
2404
2405 tls_version = ssl_effective_tls_version(s);
2406
2407 s->s3->hs.extensions_seen = 0;
2408
2409 /* An empty extensions block is valid. */
2410 if (CBS_len(cbs) == 0)
2411 return 1;
2412
2413 alert_desc = SSL_AD_DECODE_ERROR;
2414
2415 if (!CBS_get_u16_length_prefixed(cbs, &extensions))
2416 goto err;
2417
2418 while (CBS_len(&extensions) > 0) {
2419 if (!CBS_get_u16(&extensions, &type))
2420 goto err;
2421 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
2422 goto err;
2423
2424 if (s->tlsext_debug_cb != NULL)
2425 s->tlsext_debug_cb(s, !is_server, type,
2426 (unsigned char *)CBS_data(&extension_data),
2427 CBS_len(&extension_data),
2428 s->tlsext_debug_arg);
2429
2430 /* Unknown extensions are ignored. */
2431 if ((tlsext = tls_extension_find(type, &idx)) == NULL)
2432 continue;
2433
2434 if (tls_version >= TLS1_3_VERSION && is_server &&
2435 msg_type == SSL_TLSEXT_MSG_CH) {
2436 if (!tlsext_clienthello_hash_extension(s, type,
2437 &extension_data))
2438 goto err;
2439 }
2440
2441 /* RFC 8446 Section 4.2 */
2442 if (tls_version >= TLS1_3_VERSION &&
2443 !(tlsext->messages & msg_type)) {
2444 alert_desc = SSL_AD_ILLEGAL_PARAMETER;
2445 goto err;
2446 }
2447
2448 /* Check for duplicate known extensions. */
2449 if ((s->s3->hs.extensions_seen & (1 << idx)) != 0)
2450 goto err;
2451 s->s3->hs.extensions_seen |= (1 << idx);
2452
2453 ext = tlsext_funcs(tlsext, is_server);
2454 if (!ext->parse(s, msg_type, &extension_data, &alert_desc))
2455 goto err;
2456
2457 if (CBS_len(&extension_data) != 0)
2458 goto err;
2459 }
2460
2461 return 1;
2462
2463 err:
2464 *alert = alert_desc;
2465
2466 return 0;
2467}
2468
2469static void
2470tlsext_server_reset_state(SSL *s)
2471{
2472 s->tlsext_status_type = -1;
2473 s->s3->renegotiate_seen = 0;
2474 free(s->s3->alpn_selected);
2475 s->s3->alpn_selected = NULL;
2476 s->s3->alpn_selected_len = 0;
2477 s->srtp_profile = NULL;
2478}
2479
2480int
2481tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
2482{
2483 return tlsext_build(s, 1, msg_type, cbb);
2484}
2485
2486int
2487tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2488{
2489 /* XXX - this should be done by the caller... */
2490 if (msg_type == SSL_TLSEXT_MSG_CH)
2491 tlsext_server_reset_state(s);
2492
2493 return tlsext_parse(s, 1, msg_type, cbs, alert);
2494}
2495
2496static void
2497tlsext_client_reset_state(SSL *s)
2498{
2499 s->s3->renegotiate_seen = 0;
2500 free(s->s3->alpn_selected);
2501 s->s3->alpn_selected = NULL;
2502 s->s3->alpn_selected_len = 0;
2503}
2504
2505int
2506tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
2507{
2508 return tlsext_build(s, 0, msg_type, cbb);
2509}
2510
2511int
2512tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2513{
2514 /* XXX - this should be done by the caller... */
2515 if (msg_type == SSL_TLSEXT_MSG_SH)
2516 tlsext_client_reset_state(s);
2517
2518 return tlsext_parse(s, 0, msg_type, cbs, alert);
2519}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-12 22:30:58 +0000