summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/Makefile4
-rw-r--r--src/lib/libssl/tls13_tlsext.c1497
-rw-r--r--src/lib/libssl/tls13_tlsext.h97
3 files changed, 1596 insertions, 2 deletions
diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile
index 17f73a8c4f..8923c05bd4 100644
--- a/src/lib/libssl/Makefile
+++ b/src/lib/libssl/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.43 2018/11/09 00:34:55 beck Exp $ 1# $OpenBSD: Makefile,v 1.44 2019/01/17 00:56:57 beck Exp $
2 2
3.include <bsd.own.mk> 3.include <bsd.own.mk>
4.ifndef NOMAN 4.ifndef NOMAN
@@ -34,7 +34,7 @@ SRCS= \
34 ssl_asn1.c ssl_txt.c ssl_algs.c \ 34 ssl_asn1.c ssl_txt.c ssl_algs.c \
35 bio_ssl.c ssl_err.c ssl_methods.c \ 35 bio_ssl.c ssl_err.c ssl_methods.c \
36 ssl_packet.c ssl_tlsext.c ssl_versions.c pqueue.c ssl_init.c \ 36 ssl_packet.c ssl_tlsext.c ssl_versions.c pqueue.c ssl_init.c \
37 tls13_handshake.c tls13_key_schedule.c ssl_sigalgs.c 37 tls13_handshake.c tls13_key_schedule.c tls13_tlsext.c ssl_sigalgs.c
38SRCS+= s3_cbc.c 38SRCS+= s3_cbc.c
39SRCS+= bs_ber.c bs_cbb.c bs_cbs.c 39SRCS+= bs_ber.c bs_cbb.c bs_cbs.c
40 40
diff --git a/src/lib/libssl/tls13_tlsext.c b/src/lib/libssl/tls13_tlsext.c
new file mode 100644
index 0000000000..4d44301bca
--- /dev/null
+++ b/src/lib/libssl/tls13_tlsext.c
@@ -0,0 +1,1497 @@
1/* $OpenBSD: tls13_tlsext.c,v 1.1 2019/01/17 00:56:57 beck Exp $ */
2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19#include <openssl/ocsp.h>
20
21#include "ssl_locl.h"
22
23#include "bytestring.h"
24#include "ssl_tlsext.h"
25#include "ssl_sigalgs.h"
26
27/*
28 * Supported Application-Layer Protocol Negotiation - RFC 7301
29 */
30
31int
32tls13_tlsext_alpn_clienthello_needs(SSL *s)
33{
34 /* ALPN protos have been specified and this is the initial handshake */
35 return s->internal->alpn_client_proto_list != NULL &&
36 S3I(s)->tmp.finish_md_len == 0;
37}
38
39int
40tls13_tlsext_alpn_clienthello_build(SSL *s, CBB *cbb)
41{
42 CBB protolist;
43
44 if (!CBB_add_u16_length_prefixed(cbb, &protolist))
45 return 0;
46
47 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list,
48 s->internal->alpn_client_proto_list_len))
49 return 0;
50
51 if (!CBB_flush(cbb))
52 return 0;
53
54 return 1;
55}
56
57int
58tls13_tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert)
59{
60 CBS proto_name_list, alpn;
61 const unsigned char *selected;
62 unsigned char selected_len;
63 int r;
64
65 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
66 goto err;
67 if (CBS_len(&alpn) < 2)
68 goto err;
69 if (CBS_len(cbs) != 0)
70 goto err;
71
72 CBS_dup(&alpn, &proto_name_list);
73 while (CBS_len(&proto_name_list) > 0) {
74 CBS proto_name;
75
76 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
77 goto err;
78 if (CBS_len(&proto_name) == 0)
79 goto err;
80 }
81
82 if (s->ctx->internal->alpn_select_cb == NULL)
83 return 1;
84
85 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
86 CBS_data(&alpn), CBS_len(&alpn),
87 s->ctx->internal->alpn_select_cb_arg);
88 if (r == SSL_TLSEXT_ERR_OK) {
89 free(S3I(s)->alpn_selected);
90 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) {
91 *alert = SSL_AD_INTERNAL_ERROR;
92 return 0;
93 }
94 memcpy(S3I(s)->alpn_selected, selected, selected_len);
95 S3I(s)->alpn_selected_len = selected_len;
96 }
97
98 return 1;
99
100 err:
101 *alert = SSL_AD_DECODE_ERROR;
102 return 0;
103}
104
105int
106tls13_tlsext_alpn_serverhello_needs(SSL *s)
107{
108 return S3I(s)->alpn_selected != NULL;
109}
110
111int
112tls13_tlsext_alpn_serverhello_build(SSL *s, CBB *cbb)
113{
114 CBB list, selected;
115
116 if (!CBB_add_u16_length_prefixed(cbb, &list))
117 return 0;
118
119 if (!CBB_add_u8_length_prefixed(&list, &selected))
120 return 0;
121
122 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected,
123 S3I(s)->alpn_selected_len))
124 return 0;
125
126 if (!CBB_flush(cbb))
127 return 0;
128
129 return 1;
130}
131
132int
133tls13_tlsext_alpn_serverhello_parse(SSL *s, CBS *cbs, int *alert)
134{
135 CBS list, proto;
136
137 if (s->internal->alpn_client_proto_list == NULL) {
138 *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
139 return 0;
140 }
141
142 if (!CBS_get_u16_length_prefixed(cbs, &list))
143 goto err;
144 if (CBS_len(cbs) != 0)
145 goto err;
146
147 if (!CBS_get_u8_length_prefixed(&list, &proto))
148 goto err;
149
150 if (CBS_len(&list) != 0)
151 goto err;
152 if (CBS_len(&proto) == 0)
153 goto err;
154
155 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected),
156 &(S3I(s)->alpn_selected_len)))
157 goto err;
158
159 return 1;
160
161 err:
162 *alert = TLS1_AD_DECODE_ERROR;
163 return 0;
164}
165
166/*
167 * Supported Groups - RFC 7919 section 2
168 */
169int
170tls13_tlsext_supportedgroups_clienthello_needs(SSL *s)
171{
172 return ssl_has_ecc_ciphers(s);
173}
174
175int
176tls13_tlsext_supportedgroups_clienthello_build(SSL *s, CBB *cbb)
177{
178 const uint16_t *groups;
179 size_t groups_len;
180 CBB grouplist;
181 int i;
182
183 tls1_get_group_list(s, 0, &groups, &groups_len);
184 if (groups_len == 0) {
185 SSLerror(s, ERR_R_INTERNAL_ERROR);
186 return 0;
187 }
188
189 if (!CBB_add_u16_length_prefixed(cbb, &grouplist))
190 return 0;
191
192 for (i = 0; i < groups_len; i++) {
193 if (!CBB_add_u16(&grouplist, groups[i]))
194 return 0;
195 }
196
197 if (!CBB_flush(cbb))
198 return 0;
199
200 return 1;
201}
202
203int
204tls13_tlsext_supportedgroups_clienthello_parse(SSL *s, CBS *cbs, int *alert)
205{
206 CBS grouplist;
207 size_t groups_len;
208
209 if (!CBS_get_u16_length_prefixed(cbs, &grouplist))
210 goto err;
211 if (CBS_len(cbs) != 0)
212 goto err;
213
214 groups_len = CBS_len(&grouplist);
215 if (groups_len == 0 || groups_len % 2 != 0)
216 goto err;
217 groups_len /= 2;
218
219 if (!s->internal->hit) {
220 uint16_t *groups;
221 int i;
222
223 if (SSI(s)->tlsext_supportedgroups != NULL)
224 goto err;
225
226 if ((groups = reallocarray(NULL, groups_len,
227 sizeof(uint16_t))) == NULL) {
228 *alert = TLS1_AD_INTERNAL_ERROR;
229 return 0;
230 }
231
232 for (i = 0; i < groups_len; i++) {
233 if (!CBS_get_u16(&grouplist, &groups[i])) {
234 free(groups);
235 goto err;
236 }
237 }
238
239 if (CBS_len(&grouplist) != 0) {
240 free(groups);
241 goto err;
242 }
243
244 SSI(s)->tlsext_supportedgroups = groups;
245 SSI(s)->tlsext_supportedgroups_length = groups_len;
246 }
247
248 return 1;
249
250 err:
251 *alert = TLS1_AD_DECODE_ERROR;
252 return 0;
253}
254
255/* This extension is never used by the server. */
256int
257tls13_tlsext_supportedgroups_serverhello_needs(SSL *s)
258{
259 return 0;
260}
261
262int
263tls13_tlsext_supportedgroups_serverhello_build(SSL *s, CBB *cbb)
264{
265 return 0;
266}
267
268int
269tls13_tlsext_supportedgroups_serverhello_parse(SSL *s, CBS *cbs, int *alert)
270{
271 /*
272 * Servers should not send this extension per the RFC.
273 *
274 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
275 * from at least 2014 but as of 2017, there are still large sites with
276 * this unpatched in production. As a result, we need to currently skip
277 * over the extension and ignore its content:
278 *
279 * https://support.f5.com/csp/article/K37345003
280 */
281 if (!CBS_skip(cbs, CBS_len(cbs))) {
282 *alert = TLS1_AD_INTERNAL_ERROR;
283 return 0;
284 }
285
286 return 1;
287}
288
289/*
290 * Supported Point Formats Extension - RFC 4492 section 5.1.2
291 */
292static int
293tls13_tlsext_ecpf_build(SSL *s, CBB *cbb)
294{
295 CBB ecpf;
296 size_t formats_len;
297 const uint8_t *formats;
298
299 tls1_get_formatlist(s, 0, &formats, &formats_len);
300
301 if (formats_len == 0) {
302 SSLerror(s, ERR_R_INTERNAL_ERROR);
303 return 0;
304 }
305
306 if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
307 return 0;
308 if (!CBB_add_bytes(&ecpf, formats, formats_len))
309 return 0;
310 if (!CBB_flush(cbb))
311 return 0;
312
313 return 1;
314}
315
316static int
317tls13_tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert)
318{
319 CBS ecpf;
320
321 if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
322 goto err;
323 if (CBS_len(&ecpf) == 0)
324 goto err;
325 if (CBS_len(cbs) != 0)
326 goto err;
327
328 /* Must contain uncompressed (0) */
329 if (!CBS_contains_zero_byte(&ecpf)) {
330 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
331 goto err;
332 }
333
334 if (!s->internal->hit) {
335 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
336 &(SSI(s)->tlsext_ecpointformatlist_length))) {
337 *alert = TLS1_AD_INTERNAL_ERROR;
338 return 0;
339 }
340 }
341
342 return 1;
343
344 err:
345 *alert = SSL_AD_DECODE_ERROR;
346 return 0;
347}
348
349int
350tls13_tlsext_ecpf_clienthello_needs(SSL *s)
351{
352 return ssl_has_ecc_ciphers(s);
353}
354
355int
356tls13_tlsext_ecpf_clienthello_build(SSL *s, CBB *cbb)
357{
358 return tls13_tlsext_ecpf_build(s, cbb);
359}
360
361int
362tls13_tlsext_ecpf_clienthello_parse(SSL *s, CBS *cbs, int *alert)
363{
364 return tls13_tlsext_ecpf_parse(s, cbs, alert);
365}
366
367int
368tls13_tlsext_ecpf_serverhello_needs(SSL *s)
369{
370 if (s->version == DTLS1_VERSION)
371 return 0;
372
373 return ssl_using_ecc_cipher(s);
374}
375
376int
377tls13_tlsext_ecpf_serverhello_build(SSL *s, CBB *cbb)
378{
379 return tls13_tlsext_ecpf_build(s, cbb);
380}
381
382int
383tls13_tlsext_ecpf_serverhello_parse(SSL *s, CBS *cbs, int *alert)
384{
385 return tls13_tlsext_ecpf_parse(s, cbs, alert);
386}
387
388/*
389 * Renegotiation Indication - RFC 5746.
390 */
391int
392tls13_tlsext_ri_clienthello_needs(SSL *s)
393{
394 return (s->internal->renegotiate);
395}
396
397int
398tls13_tlsext_ri_clienthello_build(SSL *s, CBB *cbb)
399{
400 CBB reneg;
401
402 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
403 return 0;
404 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished,
405 S3I(s)->previous_client_finished_len))
406 return 0;
407 if (!CBB_flush(cbb))
408 return 0;
409
410 return 1;
411}
412
413int
414tls13_tlsext_ri_clienthello_parse(SSL *s, CBS *cbs, int *alert)
415{
416 CBS reneg;
417
418 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
419 goto err;
420 if (CBS_len(cbs) != 0)
421 goto err;
422
423 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished,
424 S3I(s)->previous_client_finished_len)) {
425 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
426 *alert = SSL_AD_HANDSHAKE_FAILURE;
427 return 0;
428 }
429
430 S3I(s)->renegotiate_seen = 1;
431 S3I(s)->send_connection_binding = 1;
432
433 return 1;
434
435 err:
436 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
437 *alert = SSL_AD_DECODE_ERROR;
438 return 0;
439}
440
441int
442tls13_tlsext_ri_serverhello_needs(SSL *s)
443{
444 return (S3I(s)->send_connection_binding);
445}
446
447int
448tls13_tlsext_ri_serverhello_build(SSL *s, CBB *cbb)
449{
450 CBB reneg;
451
452 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
453 return 0;
454 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished,
455 S3I(s)->previous_client_finished_len))
456 return 0;
457 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished,
458 S3I(s)->previous_server_finished_len))
459 return 0;
460 if (!CBB_flush(cbb))
461 return 0;
462
463 return 1;
464}
465
466int
467tls13_tlsext_ri_serverhello_parse(SSL *s, CBS *cbs, int *alert)
468{
469 CBS reneg, prev_client, prev_server;
470
471 /*
472 * Ensure that the previous client and server values are both not
473 * present, or that they are both present.
474 */
475 if ((S3I(s)->previous_client_finished_len == 0 &&
476 S3I(s)->previous_server_finished_len != 0) ||
477 (S3I(s)->previous_client_finished_len != 0 &&
478 S3I(s)->previous_server_finished_len == 0)) {
479 *alert = TLS1_AD_INTERNAL_ERROR;
480 return 0;
481 }
482
483 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
484 goto err;
485 if (!CBS_get_bytes(&reneg, &prev_client,
486 S3I(s)->previous_client_finished_len))
487 goto err;
488 if (!CBS_get_bytes(&reneg, &prev_server,
489 S3I(s)->previous_server_finished_len))
490 goto err;
491 if (CBS_len(&reneg) != 0)
492 goto err;
493 if (CBS_len(cbs) != 0)
494 goto err;
495
496 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished,
497 S3I(s)->previous_client_finished_len)) {
498 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
499 *alert = SSL_AD_HANDSHAKE_FAILURE;
500 return 0;
501 }
502 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished,
503 S3I(s)->previous_server_finished_len)) {
504 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
505 *alert = SSL_AD_HANDSHAKE_FAILURE;
506 return 0;
507 }
508
509 S3I(s)->renegotiate_seen = 1;
510 S3I(s)->send_connection_binding = 1;
511
512 return 1;
513
514 err:
515 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
516 *alert = SSL_AD_DECODE_ERROR;
517 return 0;
518}
519
520/*
521 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
522 */
523int
524tls13_tlsext_sigalgs_clienthello_needs(SSL *s)
525{
526 return (TLS1_get_client_version(s) >= TLS1_2_VERSION);
527}
528
529int
530tls13_tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb)
531{
532 CBB sigalgs;
533
534 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
535 return 0;
536
537 if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
538 return 0;
539
540 if (!CBB_flush(cbb))
541 return 0;
542
543 return 1;
544}
545
546int
547tls13_tlsext_sigalgs_clienthello_parse(SSL *s, CBS *cbs, int *alert)
548{
549 CBS sigalgs;
550
551 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
552 return 0;
553
554 return tls1_process_sigalgs(s, &sigalgs);
555}
556
557int
558tls13_tlsext_sigalgs_serverhello_needs(SSL *s)
559{
560 return 0;
561}
562
563int
564tls13_tlsext_sigalgs_serverhello_build(SSL *s, CBB *cbb)
565{
566 return 0;
567}
568
569int
570tls13_tlsext_sigalgs_serverhello_parse(SSL *s, CBS *cbs, int *alert)
571{
572 /* As per the RFC, servers must not send this extension. */
573 return 0;
574}
575
576/*
577 * Server Name Indication - RFC 6066, section 3.
578 */
579int
580tls13_tlsext_sni_clienthello_needs(SSL *s)
581{
582 return (s->tlsext_hostname != NULL);
583}
584
585int
586tls13_tlsext_sni_clienthello_build(SSL *s, CBB *cbb)
587{
588 CBB server_name_list, host_name;
589
590 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
591 return 0;
592 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name))
593 return 0;
594 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
595 return 0;
596 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
597 strlen(s->tlsext_hostname)))
598 return 0;
599 if (!CBB_flush(cbb))
600 return 0;
601
602 return 1;
603}
604
605int
606tls13_tlsext_sni_clienthello_parse(SSL *s, CBS *cbs, int *alert)
607{
608 CBS server_name_list, host_name;
609 uint8_t name_type;
610
611 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
612 goto err;
613
614 /*
615 * RFC 6066 section 3 forbids multiple host names with the same type.
616 * Additionally, only one type (host_name) is specified.
617 */
618 if (!CBS_get_u8(&server_name_list, &name_type))
619 goto err;
620 if (name_type != TLSEXT_NAMETYPE_host_name)
621 goto err;
622
623 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
624 goto err;
625 if (CBS_len(&host_name) == 0 ||
626 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
627 CBS_contains_zero_byte(&host_name)) {
628 *alert = TLS1_AD_UNRECOGNIZED_NAME;
629 return 0;
630 }
631
632 if (s->internal->hit) {
633 if (s->session->tlsext_hostname == NULL) {
634 *alert = TLS1_AD_UNRECOGNIZED_NAME;
635 return 0;
636 }
637 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
638 strlen(s->session->tlsext_hostname))) {
639 *alert = TLS1_AD_UNRECOGNIZED_NAME;
640 return 0;
641 }
642 } else {
643 if (s->session->tlsext_hostname != NULL)
644 goto err;
645 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
646 *alert = TLS1_AD_INTERNAL_ERROR;
647 return 0;
648 }
649 }
650
651 if (CBS_len(&server_name_list) != 0)
652 goto err;
653 if (CBS_len(cbs) != 0)
654 goto err;
655
656 return 1;
657
658 err:
659 *alert = SSL_AD_DECODE_ERROR;
660 return 0;
661}
662
663int
664tls13_tlsext_sni_serverhello_needs(SSL *s)
665{
666 return (s->session->tlsext_hostname != NULL);
667}
668
669int
670tls13_tlsext_sni_serverhello_build(SSL *s, CBB *cbb)
671{
672 return 1;
673}
674
675int
676tls13_tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert)
677{
678 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
679 *alert = TLS1_AD_UNRECOGNIZED_NAME;
680 return 0;
681 }
682
683 if (s->internal->hit) {
684 if (s->session->tlsext_hostname == NULL) {
685 *alert = TLS1_AD_UNRECOGNIZED_NAME;
686 return 0;
687 }
688 if (strcmp(s->tlsext_hostname,
689 s->session->tlsext_hostname) != 0) {
690 *alert = TLS1_AD_UNRECOGNIZED_NAME;
691 return 0;
692 }
693 } else {
694 if (s->session->tlsext_hostname != NULL) {
695 *alert = SSL_AD_DECODE_ERROR;
696 return 0;
697 }
698 if ((s->session->tlsext_hostname =
699 strdup(s->tlsext_hostname)) == NULL) {
700 *alert = TLS1_AD_INTERNAL_ERROR;
701 return 0;
702 }
703 }
704
705 return 1;
706}
707
708
709/*
710 *Certificate Status Request - RFC 6066 section 8.
711 */
712
713int
714tls13_tlsext_ocsp_clienthello_needs(SSL *s)
715{
716 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
717 s->version != DTLS1_VERSION);
718}
719
720int
721tls13_tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb)
722{
723 CBB respid_list, respid, exts;
724 unsigned char *ext_data;
725 size_t ext_len;
726 int i;
727
728 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
729 return 0;
730 if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
731 return 0;
732 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
733 unsigned char *respid_data;
734 OCSP_RESPID *id;
735 size_t id_len;
736
737 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,
738 i)) == NULL)
739 return 0;
740 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
741 return 0;
742 if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
743 return 0;
744 if (!CBB_add_space(&respid, &respid_data, id_len))
745 return 0;
746 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
747 return 0;
748 }
749 if (!CBB_add_u16_length_prefixed(cbb, &exts))
750 return 0;
751 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
752 NULL)) == -1)
753 return 0;
754 if (!CBB_add_space(&exts, &ext_data, ext_len))
755 return 0;
756 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
757 ext_len))
758 return 0;
759 if (!CBB_flush(cbb))
760 return 0;
761 return 1;
762}
763
764int
765tls13_tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
766{
767 int failure = SSL_AD_DECODE_ERROR;
768 CBS respid_list, respid, exts;
769 const unsigned char *p;
770 uint8_t status_type;
771 int ret = 0;
772
773 if (!CBS_get_u8(cbs, &status_type))
774 goto err;
775 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
776 /* ignore unknown status types */
777 s->tlsext_status_type = -1;
778
779 if (!CBS_skip(cbs, CBS_len(cbs))) {
780 *alert = TLS1_AD_INTERNAL_ERROR;
781 return 0;
782 }
783 return 1;
784 }
785 s->tlsext_status_type = status_type;
786 if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
787 goto err;
788
789 /* XXX */
790 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
791 s->internal->tlsext_ocsp_ids = NULL;
792 if (CBS_len(&respid_list) > 0) {
793 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
794 if (s->internal->tlsext_ocsp_ids == NULL) {
795 failure = SSL_AD_INTERNAL_ERROR;
796 goto err;
797 }
798 }
799
800 while (CBS_len(&respid_list) > 0) {
801 OCSP_RESPID *id;
802
803 if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
804 goto err;
805 p = CBS_data(&respid);
806 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL)
807 goto err;
808 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) {
809 failure = SSL_AD_INTERNAL_ERROR;
810 OCSP_RESPID_free(id);
811 goto err;
812 }
813 }
814
815 /* Read in request_extensions */
816 if (!CBS_get_u16_length_prefixed(cbs, &exts))
817 goto err;
818 if (CBS_len(&exts) > 0) {
819 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
820 X509_EXTENSION_free);
821 p = CBS_data(&exts);
822 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
823 &p, CBS_len(&exts))) == NULL)
824 goto err;
825 }
826
827 /* should be nothing left */
828 if (CBS_len(cbs) > 0)
829 goto err;
830
831 ret = 1;
832 err:
833 if (ret == 0)
834 *alert = failure;
835 return ret;
836}
837
838int
839tls13_tlsext_ocsp_serverhello_needs(SSL *s)
840{
841 return s->internal->tlsext_status_expected;
842}
843
844int
845tls13_tlsext_ocsp_serverhello_build(SSL *s, CBB *cbb)
846{
847 return 1;
848}
849
850int
851tls13_tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert)
852{
853 if (s->tlsext_status_type == -1) {
854 *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
855 return 0;
856 }
857 /* Set flag to expect CertificateStatus message */
858 s->internal->tlsext_status_expected = 1;
859 return 1;
860}
861
862/*
863 * SessionTicket extension - RFC 5077 section 3.2
864 */
865int
866tls13_tlsext_sessionticket_clienthello_needs(SSL *s)
867{
868 /*
869 * Send session ticket extension when enabled and not overridden.
870 *
871 * When renegotiating, send an empty session ticket to indicate support.
872 */
873 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
874 return 0;
875
876 if (s->internal->new_session)
877 return 1;
878
879 if (s->internal->tlsext_session_ticket != NULL &&
880 s->internal->tlsext_session_ticket->data == NULL)
881 return 0;
882
883 return 1;
884}
885
886int
887tls13_tlsext_sessionticket_clienthello_build(SSL *s, CBB *cbb)
888{
889 /*
890 * Signal that we support session tickets by sending an empty
891 * extension when renegotiating or no session found.
892 */
893 if (s->internal->new_session || s->session == NULL)
894 return 1;
895
896 if (s->session->tlsext_tick != NULL) {
897 /* Attempt to resume with an existing session ticket */
898 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
899 s->session->tlsext_ticklen))
900 return 0;
901
902 } else if (s->internal->tlsext_session_ticket != NULL) {
903 /*
904 * Attempt to resume with a custom provided session ticket set
905 * by SSL_set_session_ticket_ext().
906 */
907 if (s->internal->tlsext_session_ticket->length > 0) {
908 size_t ticklen = s->internal->tlsext_session_ticket->length;
909
910 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL)
911 return 0;
912 memcpy(s->session->tlsext_tick,
913 s->internal->tlsext_session_ticket->data,
914 ticklen);
915 s->session->tlsext_ticklen = ticklen;
916
917 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
918 s->session->tlsext_ticklen))
919 return 0;
920 }
921 }
922
923 if (!CBB_flush(cbb))
924 return 0;
925
926 return 1;
927}
928
929int
930tls13_tlsext_sessionticket_clienthello_parse(SSL *s, CBS *cbs, int *alert)
931{
932 if (s->internal->tls_session_ticket_ext_cb) {
933 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
934 (int)CBS_len(cbs),
935 s->internal->tls_session_ticket_ext_cb_arg)) {
936 *alert = TLS1_AD_INTERNAL_ERROR;
937 return 0;
938 }
939 }
940
941 /* We need to signal that this was processed fully */
942 if (!CBS_skip(cbs, CBS_len(cbs))) {
943 *alert = TLS1_AD_INTERNAL_ERROR;
944 return 0;
945 }
946
947 return 1;
948}
949
950int
951tls13_tlsext_sessionticket_serverhello_needs(SSL *s)
952{
953 return (s->internal->tlsext_ticket_expected &&
954 !(SSL_get_options(s) & SSL_OP_NO_TICKET));
955}
956
957int
958tls13_tlsext_sessionticket_serverhello_build(SSL *s, CBB *cbb)
959{
960 /* Empty ticket */
961
962 return 1;
963}
964
965int
966tls13_tlsext_sessionticket_serverhello_parse(SSL *s, CBS *cbs, int *alert)
967{
968 if (s->internal->tls_session_ticket_ext_cb) {
969 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
970 (int)CBS_len(cbs),
971 s->internal->tls_session_ticket_ext_cb_arg)) {
972 *alert = TLS1_AD_INTERNAL_ERROR;
973 return 0;
974 }
975 }
976
977 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
978 *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
979 return 0;
980 }
981
982 s->internal->tlsext_ticket_expected = 1;
983
984 return 1;
985}
986
987/*
988 * DTLS extension for SRTP key establishment - RFC 5764
989 */
990
991#ifndef OPENSSL_NO_SRTP
992
993int
994tls13_tlsext_srtp_clienthello_needs(SSL *s)
995{
996 return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL;
997}
998
999int
1000tls13_tlsext_srtp_clienthello_build(SSL *s, CBB *cbb)
1001{
1002 CBB profiles, mki;
1003 int ct, i;
1004 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL;
1005 SRTP_PROTECTION_PROFILE *prof;
1006
1007 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1008 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1009 return 0;
1010 }
1011
1012 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) {
1013 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1014 return 0;
1015 }
1016
1017 if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1018 return 0;
1019
1020 for (i = 0; i < ct; i++) {
1021 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL)
1022 return 0;
1023 if (!CBB_add_u16(&profiles, prof->id))
1024 return 0;
1025 }
1026
1027 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1028 return 0;
1029
1030 if (!CBB_flush(cbb))
1031 return 0;
1032
1033 return 1;
1034}
1035
1036int
1037tls13_tlsext_srtp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
1038{
1039 SRTP_PROTECTION_PROFILE *cprof, *sprof;
1040 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
1041 int i, j;
1042 int ret;
1043 uint16_t id;
1044 CBS profiles, mki;
1045
1046 ret = 0;
1047
1048 if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1049 goto err;
1050 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1051 goto err;
1052
1053 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL)
1054 goto err;
1055
1056 while (CBS_len(&profiles) > 0) {
1057 if (!CBS_get_u16(&profiles, &id))
1058 goto err;
1059
1060 if (!srtp_find_profile_by_num(id, &cprof)) {
1061 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof))
1062 goto err;
1063 }
1064 }
1065
1066 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1067 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1068 *alert = SSL_AD_DECODE_ERROR;
1069 goto done;
1070 }
1071 if (CBS_len(cbs) != 0)
1072 goto err;
1073
1074 /*
1075 * Per RFC 5764 section 4.1.1
1076 *
1077 * Find the server preferred profile using the client's list.
1078 *
1079 * The server MUST send a profile if it sends the use_srtp
1080 * extension. If one is not found, it should fall back to the
1081 * negotiated DTLS cipher suite or return a DTLS alert.
1082 */
1083 if ((srvr = SSL_get_srtp_profiles(s)) == NULL)
1084 goto err;
1085 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
1086 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i))
1087 == NULL)
1088 goto err;
1089
1090 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
1091 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j))
1092 == NULL)
1093 goto err;
1094
1095 if (cprof->id == sprof->id) {
1096 s->internal->srtp_profile = sprof;
1097 ret = 1;
1098 goto done;
1099 }
1100 }
1101 }
1102
1103 /* If we didn't find anything, fall back to the negotiated */
1104 ret = 1;
1105 goto done;
1106
1107 err:
1108 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1109 *alert = SSL_AD_DECODE_ERROR;
1110
1111 done:
1112 sk_SRTP_PROTECTION_PROFILE_free(clnt);
1113 return ret;
1114}
1115
1116int
1117tls13_tlsext_srtp_serverhello_needs(SSL *s)
1118{
1119 return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL;
1120}
1121
1122int
1123tls13_tlsext_srtp_serverhello_build(SSL *s, CBB *cbb)
1124{
1125 SRTP_PROTECTION_PROFILE *profile;
1126 CBB srtp, mki;
1127
1128 if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1129 return 0;
1130
1131 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL)
1132 return 0;
1133
1134 if (!CBB_add_u16(&srtp, profile->id))
1135 return 0;
1136
1137 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1138 return 0;
1139
1140 if (!CBB_flush(cbb))
1141 return 0;
1142
1143 return 1;
1144}
1145
1146int
1147tls13_tlsext_srtp_serverhello_parse(SSL *s, CBS *cbs, int *alert)
1148{
1149 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1150 SRTP_PROTECTION_PROFILE *prof;
1151 int i;
1152 uint16_t id;
1153 CBS profile_ids, mki;
1154
1155 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1156 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1157 goto err;
1158 }
1159
1160 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1161 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1162 goto err;
1163 }
1164
1165 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1166 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1167 *alert = SSL_AD_ILLEGAL_PARAMETER;
1168 return 0;
1169 }
1170
1171 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1172 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1173 goto err;
1174 }
1175
1176 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1177 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i))
1178 == NULL) {
1179 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1180 goto err;
1181 }
1182
1183 if (prof->id == id) {
1184 s->internal->srtp_profile = prof;
1185 return 1;
1186 }
1187 }
1188
1189 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1190 err:
1191 *alert = SSL_AD_DECODE_ERROR;
1192 return 0;
1193}
1194
1195#endif /* OPENSSL_NO_SRTP */
1196
1197struct tls_extension_funcs {
1198 int (*needs)(SSL *s);
1199 int (*build)(SSL *s, CBB *cbb);
1200 int (*parse)(SSL *s, CBS *cbs, int *alert);
1201};
1202
1203struct tls_extension {
1204 uint16_t type;
1205 struct tls_extension_funcs clienthello;
1206 struct tls_extension_funcs serverhello;
1207};
1208
1209static struct tls_extension tls_extensions[] = {
1210 {
1211 .type = TLSEXT_TYPE_server_name,
1212 .clienthello = {
1213 .needs = tls13_tlsext_sni_clienthello_needs,
1214 .build = tls13_tlsext_sni_clienthello_build,
1215 .parse = tls13_tlsext_sni_clienthello_parse,
1216 },
1217 .serverhello = {
1218 .needs = tls13_tlsext_sni_serverhello_needs,
1219 .build = tls13_tlsext_sni_serverhello_build,
1220 .parse = tls13_tlsext_sni_serverhello_parse,
1221 },
1222 },
1223 {
1224 .type = TLSEXT_TYPE_renegotiate,
1225 .clienthello = {
1226 .needs = tls13_tlsext_ri_clienthello_needs,
1227 .build = tls13_tlsext_ri_clienthello_build,
1228 .parse = tls13_tlsext_ri_clienthello_parse,
1229 },
1230 .serverhello = {
1231 .needs = tls13_tlsext_ri_serverhello_needs,
1232 .build = tls13_tlsext_ri_serverhello_build,
1233 .parse = tls13_tlsext_ri_serverhello_parse,
1234 },
1235 },
1236 {
1237 .type = TLSEXT_TYPE_status_request,
1238 .clienthello = {
1239 .needs = tls13_tlsext_ocsp_clienthello_needs,
1240 .build = tls13_tlsext_ocsp_clienthello_build,
1241 .parse = tls13_tlsext_ocsp_clienthello_parse,
1242 },
1243 .serverhello = {
1244 .needs = tls13_tlsext_ocsp_serverhello_needs,
1245 .build = tls13_tlsext_ocsp_serverhello_build,
1246 .parse = tls13_tlsext_ocsp_serverhello_parse,
1247 },
1248 },
1249 {
1250 .type = TLSEXT_TYPE_ec_point_formats,
1251 .clienthello = {
1252 .needs = tls13_tlsext_ecpf_clienthello_needs,
1253 .build = tls13_tlsext_ecpf_clienthello_build,
1254 .parse = tls13_tlsext_ecpf_clienthello_parse,
1255 },
1256 .serverhello = {
1257 .needs = tls13_tlsext_ecpf_serverhello_needs,
1258 .build = tls13_tlsext_ecpf_serverhello_build,
1259 .parse = tls13_tlsext_ecpf_serverhello_parse,
1260 },
1261 },
1262 {
1263 .type = TLSEXT_TYPE_supported_groups,
1264 .clienthello = {
1265 .needs = tls13_tlsext_supportedgroups_clienthello_needs,
1266 .build = tls13_tlsext_supportedgroups_clienthello_build,
1267 .parse = tls13_tlsext_supportedgroups_clienthello_parse,
1268 },
1269 .serverhello = {
1270 .needs = tls13_tlsext_supportedgroups_serverhello_needs,
1271 .build = tls13_tlsext_supportedgroups_serverhello_build,
1272 .parse = tls13_tlsext_supportedgroups_serverhello_parse,
1273 },
1274 },
1275 {
1276 .type = TLSEXT_TYPE_session_ticket,
1277 .clienthello = {
1278 .needs = tls13_tlsext_sessionticket_clienthello_needs,
1279 .build = tls13_tlsext_sessionticket_clienthello_build,
1280 .parse = tls13_tlsext_sessionticket_clienthello_parse,
1281 },
1282 .serverhello = {
1283 .needs = tls13_tlsext_sessionticket_serverhello_needs,
1284 .build = tls13_tlsext_sessionticket_serverhello_build,
1285 .parse = tls13_tlsext_sessionticket_serverhello_parse,
1286 },
1287 },
1288 {
1289 .type = TLSEXT_TYPE_signature_algorithms,
1290 .clienthello = {
1291 .needs = tls13_tlsext_sigalgs_clienthello_needs,
1292 .build = tls13_tlsext_sigalgs_clienthello_build,
1293 .parse = tls13_tlsext_sigalgs_clienthello_parse,
1294 },
1295 .serverhello = {
1296 .needs = tls13_tlsext_sigalgs_serverhello_needs,
1297 .build = tls13_tlsext_sigalgs_serverhello_build,
1298 .parse = tls13_tlsext_sigalgs_serverhello_parse,
1299 },
1300 },
1301 {
1302 .type = TLSEXT_TYPE_application_layer_protocol_negotiation,
1303 .clienthello = {
1304 .needs = tls13_tlsext_alpn_clienthello_needs,
1305 .build = tls13_tlsext_alpn_clienthello_build,
1306 .parse = tls13_tlsext_alpn_clienthello_parse,
1307 },
1308 .serverhello = {
1309 .needs = tls13_tlsext_alpn_serverhello_needs,
1310 .build = tls13_tlsext_alpn_serverhello_build,
1311 .parse = tls13_tlsext_alpn_serverhello_parse,
1312 },
1313 },
1314#ifndef OPENSSL_NO_SRTP
1315 {
1316 .type = TLSEXT_TYPE_use_srtp,
1317 .clienthello = {
1318 .needs = tls13_tlsext_srtp_clienthello_needs,
1319 .build = tls13_tlsext_srtp_clienthello_build,
1320 .parse = tls13_tlsext_srtp_clienthello_parse,
1321 },
1322 .serverhello = {
1323 .needs = tls13_tlsext_srtp_serverhello_needs,
1324 .build = tls13_tlsext_srtp_serverhello_build,
1325 .parse = tls13_tlsext_srtp_serverhello_parse,
1326 },
1327 }
1328#endif /* OPENSSL_NO_SRTP */
1329};
1330
1331#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
1332
1333/* Ensure that extensions fit in a uint32_t bitmask. */
1334CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
1335
1336static struct tls_extension *
1337tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
1338{
1339 size_t i;
1340
1341 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1342 if (tls_extensions[i].type == type) {
1343 *tls_extensions_idx = i;
1344 return &tls_extensions[i];
1345 }
1346 }
1347
1348 return NULL;
1349}
1350
1351static struct tls_extension_funcs *
1352tls13_tlsext_funcs(struct tls_extension *tlsext, int is_serverhello)
1353{
1354 if (is_serverhello)
1355 return &tlsext->serverhello;
1356
1357 return &tlsext->clienthello;
1358}
1359
1360static int
1361tls13_tlsext_build(SSL *s, CBB *cbb, int is_serverhello)
1362{
1363 struct tls_extension_funcs *ext;
1364 struct tls_extension *tlsext;
1365 CBB extensions, extension_data;
1366 int extensions_present = 0;
1367 size_t i;
1368
1369 if (!CBB_add_u16_length_prefixed(cbb, &extensions))
1370 return 0;
1371
1372 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1373 tlsext = &tls_extensions[i];
1374 ext = tls13_tlsext_funcs(tlsext, is_serverhello);
1375
1376 if (!ext->needs(s))
1377 continue;
1378
1379 if (!CBB_add_u16(&extensions, tlsext->type))
1380 return 0;
1381 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
1382 return 0;
1383
1384 if (!ext->build(s, &extension_data))
1385 return 0;
1386
1387 extensions_present = 1;
1388 }
1389
1390 if (!extensions_present)
1391 CBB_discard_child(cbb);
1392
1393 if (!CBB_flush(cbb))
1394 return 0;
1395
1396 return 1;
1397}
1398
1399static int
1400tls13_tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_serverhello)
1401{
1402 struct tls_extension_funcs *ext;
1403 struct tls_extension *tlsext;
1404 CBS extensions, extension_data;
1405 uint32_t extensions_seen = 0;
1406 uint16_t type;
1407 size_t idx;
1408
1409 /* An empty extensions block is valid. */
1410 if (CBS_len(cbs) == 0)
1411 return 1;
1412
1413 *alert = SSL_AD_DECODE_ERROR;
1414
1415 if (!CBS_get_u16_length_prefixed(cbs, &extensions))
1416 return 0;
1417
1418 while (CBS_len(&extensions) > 0) {
1419 if (!CBS_get_u16(&extensions, &type))
1420 return 0;
1421 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
1422 return 0;
1423
1424 if (s->internal->tlsext_debug_cb != NULL)
1425 s->internal->tlsext_debug_cb(s, is_serverhello, type,
1426 (unsigned char *)CBS_data(&extension_data),
1427 CBS_len(&extension_data),
1428 s->internal->tlsext_debug_arg);
1429
1430 /* Unknown extensions are ignored. */
1431 if ((tlsext = tls_extension_find(type, &idx)) == NULL)
1432 continue;
1433
1434 /* Check for duplicate known extensions. */
1435 if ((extensions_seen & (1 << idx)) != 0)
1436 return 0;
1437 extensions_seen |= (1 << idx);
1438
1439 ext = tls13_tlsext_funcs(tlsext, is_serverhello);
1440 if (!ext->parse(s, &extension_data, alert))
1441 return 0;
1442
1443 if (CBS_len(&extension_data) != 0)
1444 return 0;
1445 }
1446
1447 return 1;
1448}
1449
1450static void
1451tls13_tlsext_clienthello_reset_state(SSL *s)
1452{
1453 s->internal->servername_done = 0;
1454 s->tlsext_status_type = -1;
1455 S3I(s)->renegotiate_seen = 0;
1456 free(S3I(s)->alpn_selected);
1457 S3I(s)->alpn_selected = NULL;
1458 s->internal->srtp_profile = NULL;
1459}
1460
1461int
1462tls13_tlsext_clienthello_build(SSL *s, CBB *cbb)
1463{
1464 return tls13_tlsext_build(s, cbb, 0);
1465}
1466
1467int
1468tls13_tlsext_clienthello_parse(SSL *s, CBS *cbs, int *alert)
1469{
1470 /* XXX - this possibly should be done by the caller... */
1471 tls13_tlsext_clienthello_reset_state(s);
1472
1473 return tls13_tlsext_parse(s, cbs, alert, 0);
1474}
1475
1476static void
1477tls13_tlsext_serverhello_reset_state(SSL *s)
1478{
1479 S3I(s)->renegotiate_seen = 0;
1480 free(S3I(s)->alpn_selected);
1481 S3I(s)->alpn_selected = NULL;
1482}
1483
1484int
1485tls13_tlsext_serverhello_build(SSL *s, CBB *cbb)
1486{
1487 return tls13_tlsext_build(s, cbb, 1);
1488}
1489
1490int
1491tls13_tlsext_serverhello_parse(SSL *s, CBS *cbs, int *alert)
1492{
1493 /* XXX - this possibly should be done by the caller... */
1494 tls13_tlsext_serverhello_reset_state(s);
1495
1496 return tls13_tlsext_parse(s, cbs, alert, 1);
1497}
diff --git a/src/lib/libssl/tls13_tlsext.h b/src/lib/libssl/tls13_tlsext.h
new file mode 100644
index 0000000000..f7b45629c8
--- /dev/null
+++ b/src/lib/libssl/tls13_tlsext.h
@@ -0,0 +1,97 @@
1/* $OpenBSD: tls13_tlsext.h,v 1.1 2019/01/17 00:56:57 beck Exp $ */
2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#ifndef HEADER_SSL_TLS13_TLSEXT_H
20#define HEADER_SSL_TLS13_TLSEXT_H
21
22__BEGIN_HIDDEN_DECLS
23
24int tls13_tlsext_alpn_clienthello_needs(SSL *s);
25int tls13_tlsext_alpn_clienthello_build(SSL *s, CBB *cbb);
26int tls13_tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert);
27int tls13_tlsext_alpn_serverhello_needs(SSL *s);
28int tls13_tlsext_alpn_serverhello_build(SSL *s, CBB *cbb);
29int tls13_tlsext_alpn_serverhello_parse(SSL *s, CBS *cbs, int *alert);
30
31int tls13_tlsext_ri_clienthello_needs(SSL *s);
32int tls13_tlsext_ri_clienthello_build(SSL *s, CBB *cbb);
33int tls13_tlsext_ri_clienthello_parse(SSL *s, CBS *cbs, int *alert);
34int tls13_tlsext_ri_serverhello_needs(SSL *s);
35int tls13_tlsext_ri_serverhello_build(SSL *s, CBB *cbb);
36int tls13_tlsext_ri_serverhello_parse(SSL *s, CBS *cbs, int *alert);
37
38int tls13_tlsext_sigalgs_clienthello_needs(SSL *s);
39int tls13_tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb);
40int tls13_tlsext_sigalgs_clienthello_parse(SSL *s, CBS *cbs, int *alert);
41int tls13_tlsext_sigalgs_serverhello_needs(SSL *s);
42int tls13_tlsext_sigalgs_serverhello_build(SSL *s, CBB *cbb);
43int tls13_tlsext_sigalgs_serverhello_parse(SSL *s, CBS *cbs, int *alert);
44
45int tls13_tlsext_sni_clienthello_needs(SSL *s);
46int tls13_tlsext_sni_clienthello_build(SSL *s, CBB *cbb);
47int tls13_tlsext_sni_clienthello_parse(SSL *s, CBS *cbs, int *alert);
48int tls13_tlsext_sni_serverhello_needs(SSL *s);
49int tls13_tlsext_sni_serverhello_build(SSL *s, CBB *cbb);
50int tls13_tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert);
51
52int tls13_tlsext_supportedgroups_clienthello_needs(SSL *s);
53int tls13_tlsext_supportedgroups_clienthello_build(SSL *s, CBB *cbb);
54int tls13_tlsext_supportedgroups_clienthello_parse(SSL *s, CBS *cbs, int *alert);
55int tls13_tlsext_supportedgroups_serverhello_needs(SSL *s);
56int tls13_tlsext_supportedgroups_serverhello_build(SSL *s, CBB *cbb);
57int tls13_tlsext_supportedgroups_serverhello_parse(SSL *s, CBS *cbs, int *alert);
58
59int tls13_tlsext_ecpf_clienthello_needs(SSL *s);
60int tls13_tlsext_ecpf_clienthello_build(SSL *s, CBB *cbb);
61int tls13_tlsext_ecpf_clienthello_parse(SSL *s, CBS *cbs, int *alert);
62int tls13_tlsext_ecpf_serverhello_needs(SSL *s);
63int tls13_tlsext_ecpf_serverhello_build(SSL *s, CBB *cbb);
64int tls13_tlsext_ecpf_serverhello_parse(SSL *s, CBS *cbs, int *alert);
65
66int tls13_tlsext_ocsp_clienthello_needs(SSL *s);
67int tls13_tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb);
68int tls13_tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert);
69int tls13_tlsext_ocsp_serverhello_needs(SSL *s);
70int tls13_tlsext_ocsp_serverhello_build(SSL *s, CBB *cbb);
71int tls13_tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert);
72
73int tls13_tlsext_sessionticket_clienthello_needs(SSL *s);
74int tls13_tlsext_sessionticket_clienthello_build(SSL *s, CBB *cbb);
75int tls13_tlsext_sessionticket_clienthello_parse(SSL *s, CBS *cbs, int *alert);
76int tls13_tlsext_sessionticket_serverhello_needs(SSL *s);
77int tls13_tlsext_sessionticket_serverhello_build(SSL *s, CBB *cbb);
78int tls13_tlsext_sessionticket_serverhello_parse(SSL *s, CBS *cbs, int *alert);
79
80#ifndef OPENSSL_NO_SRTP
81int tls13_tlsext_srtp_clienthello_needs(SSL *s);
82int tls13_tlsext_srtp_clienthello_build(SSL *s, CBB *cbb);
83int tls13_tlsext_srtp_clienthello_parse(SSL *s, CBS *cbs, int *alert);
84int tls13_tlsext_srtp_serverhello_needs(SSL *s);
85int tls13_tlsext_srtp_serverhello_build(SSL *s, CBB *cbb);
86int tls13_tlsext_srtp_serverhello_parse(SSL *s, CBS *cbs, int *alert);
87#endif
88
89int tls13_tlsext_clienthello_build(SSL *s, CBB *cbb);
90int tls13_tlsext_clienthello_parse(SSL *s, CBS *cbs, int *alert);
91
92int tls13_tlsext_serverhello_build(SSL *s, CBB *cbb);
93int tls13_tlsext_serverhello_parse(SSL *s, CBS *cbs, int *alert);
94
95__END_HIDDEN_DECLS
96
97#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-08 19:08:32 +0000