xref: /dragonfly/crypto/libressl/ssl/ssl_tlsext.c (revision 961e30ea7dc61d1112b778ea4981eac68129fb86)
1 /* $OpenBSD: ssl_tlsext.c,v 1.129 2022/08/15 10:46:53 tb Exp $ */
2 /*
3  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5  * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include <sys/socket.h>
21 
22 #include <arpa/inet.h>
23 #include <netinet/in.h>
24 
25 #include <ctype.h>
26 
27 #include <openssl/ocsp.h>
28 #include <openssl/opensslconf.h>
29 
30 #include "bytestring.h"
31 #include "ssl_locl.h"
32 #include "ssl_sigalgs.h"
33 #include "ssl_tlsext.h"
34 
35 /*
36  * Supported Application-Layer Protocol Negotiation - RFC 7301
37  */
38 
39 static int
tlsext_alpn_client_needs(SSL * s,uint16_t msg_type)40 tlsext_alpn_client_needs(SSL *s, uint16_t msg_type)
41 {
42           /* ALPN protos have been specified and this is the initial handshake */
43           return s->internal->alpn_client_proto_list != NULL &&
44               s->s3->hs.finished_len == 0;
45 }
46 
47 static int
tlsext_alpn_client_build(SSL * s,uint16_t msg_type,CBB * cbb)48 tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
49 {
50           CBB protolist;
51 
52           if (!CBB_add_u16_length_prefixed(cbb, &protolist))
53                     return 0;
54 
55           if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list,
56               s->internal->alpn_client_proto_list_len))
57                     return 0;
58 
59           if (!CBB_flush(cbb))
60                     return 0;
61 
62           return 1;
63 }
64 
65 int
tlsext_alpn_check_format(CBS * cbs)66 tlsext_alpn_check_format(CBS *cbs)
67 {
68           CBS proto_name_list;
69 
70           if (CBS_len(cbs) == 0)
71                     return 0;
72 
73           CBS_dup(cbs, &proto_name_list);
74           while (CBS_len(&proto_name_list) > 0) {
75                     CBS proto_name;
76 
77                     if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
78                               return 0;
79                     if (CBS_len(&proto_name) == 0)
80                               return 0;
81           }
82 
83           return 1;
84 }
85 
86 static int
tlsext_alpn_server_parse(SSL * s,uint16_t msg_types,CBS * cbs,int * alert)87 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
88 {
89           CBS alpn, selected_cbs;
90           const unsigned char *selected;
91           unsigned char selected_len;
92           int r;
93 
94           if (!CBS_get_u16_length_prefixed(cbs, &alpn))
95                     return 0;
96 
97           if (!tlsext_alpn_check_format(&alpn))
98                     return 0;
99 
100           if (s->ctx->internal->alpn_select_cb == NULL)
101                     return 1;
102 
103           /*
104            * XXX - A few things should be considered here:
105            * 1. Ensure that the same protocol is selected on session resumption.
106            * 2. Should the callback be called even if no ALPN extension was sent?
107            * 3. TLSv1.2 and earlier: ensure that SNI has already been processed.
108            */
109           r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
110               CBS_data(&alpn), CBS_len(&alpn),
111               s->ctx->internal->alpn_select_cb_arg);
112 
113           if (r == SSL_TLSEXT_ERR_OK) {
114                     CBS_init(&selected_cbs, selected, selected_len);
115 
116                     if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected,
117                         &s->s3->alpn_selected_len)) {
118                               *alert = SSL_AD_INTERNAL_ERROR;
119                               return 0;
120                     }
121 
122                     return 1;
123           }
124 
125           /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */
126           if (r == SSL_TLSEXT_ERR_NOACK)
127                     return 1;
128 
129           *alert = SSL_AD_NO_APPLICATION_PROTOCOL;
130           SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL);
131 
132           return 0;
133 }
134 
135 static int
tlsext_alpn_server_needs(SSL * s,uint16_t msg_type)136 tlsext_alpn_server_needs(SSL *s, uint16_t msg_type)
137 {
138           return s->s3->alpn_selected != NULL;
139 }
140 
141 static int
tlsext_alpn_server_build(SSL * s,uint16_t msg_type,CBB * cbb)142 tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
143 {
144           CBB list, selected;
145 
146           if (!CBB_add_u16_length_prefixed(cbb, &list))
147                     return 0;
148 
149           if (!CBB_add_u8_length_prefixed(&list, &selected))
150                     return 0;
151 
152           if (!CBB_add_bytes(&selected, s->s3->alpn_selected,
153               s->s3->alpn_selected_len))
154                     return 0;
155 
156           if (!CBB_flush(cbb))
157                     return 0;
158 
159           return 1;
160 }
161 
162 static int
tlsext_alpn_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)163 tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
164 {
165           CBS list, proto;
166 
167           if (s->internal->alpn_client_proto_list == NULL) {
168                     *alert = SSL_AD_UNSUPPORTED_EXTENSION;
169                     return 0;
170           }
171 
172           if (!CBS_get_u16_length_prefixed(cbs, &list))
173                     return 0;
174 
175           if (!CBS_get_u8_length_prefixed(&list, &proto))
176                     return 0;
177 
178           if (CBS_len(&list) != 0)
179                     return 0;
180           if (CBS_len(&proto) == 0)
181                     return 0;
182 
183           if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len))
184                     return 0;
185 
186           return 1;
187 }
188 
189 /*
190  * Supported Groups - RFC 7919 section 2
191  */
192 static int
tlsext_supportedgroups_client_needs(SSL * s,uint16_t msg_type)193 tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type)
194 {
195           return ssl_has_ecc_ciphers(s) ||
196               (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
197 }
198 
199 static int
tlsext_supportedgroups_client_build(SSL * s,uint16_t msg_type,CBB * cbb)200 tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
201 {
202           const uint16_t *groups;
203           size_t groups_len;
204           CBB grouplist;
205           int i;
206 
207           tls1_get_group_list(s, 0, &groups, &groups_len);
208           if (groups_len == 0) {
209                     SSLerror(s, ERR_R_INTERNAL_ERROR);
210                     return 0;
211           }
212 
213           if (!CBB_add_u16_length_prefixed(cbb, &grouplist))
214                     return 0;
215 
216           for (i = 0; i < groups_len; i++) {
217                     if (!ssl_security_supported_group(s, groups[i]))
218                               continue;
219                     if (!CBB_add_u16(&grouplist, groups[i]))
220                               return 0;
221           }
222 
223           if (!CBB_flush(cbb))
224                     return 0;
225 
226           return 1;
227 }
228 
229 static int
tlsext_supportedgroups_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)230 tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
231     int *alert)
232 {
233           CBS grouplist;
234           uint16_t *groups;
235           size_t groups_len;
236           int i;
237 
238           if (!CBS_get_u16_length_prefixed(cbs, &grouplist))
239                     return 0;
240 
241           groups_len = CBS_len(&grouplist);
242           if (groups_len == 0 || groups_len % 2 != 0)
243                     return 0;
244           groups_len /= 2;
245 
246           if (s->internal->hit)
247                     return 1;
248 
249           if (s->s3->hs.tls13.hrr) {
250                     if (s->session->tlsext_supportedgroups == NULL) {
251                               *alert = SSL_AD_HANDSHAKE_FAILURE;
252                               return 0;
253                     }
254 
255                     /*
256                      * The ClientHello extension hashing ensures that the client
257                      * did not change its list of supported groups.
258                      */
259 
260                     return 1;
261           }
262 
263           if (s->session->tlsext_supportedgroups != NULL)
264                     return 0; /* XXX internal error? */
265 
266           if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) {
267                     *alert = SSL_AD_INTERNAL_ERROR;
268                     return 0;
269           }
270 
271           for (i = 0; i < groups_len; i++) {
272                     if (!CBS_get_u16(&grouplist, &groups[i])) {
273                               free(groups);
274                               return 0;
275                     }
276           }
277 
278           if (CBS_len(&grouplist) != 0) {
279                     free(groups);
280                     return 0;
281           }
282 
283           s->session->tlsext_supportedgroups = groups;
284           s->session->tlsext_supportedgroups_length = groups_len;
285 
286           return 1;
287 }
288 
289 /* This extension is never used by the server. */
290 static int
tlsext_supportedgroups_server_needs(SSL * s,uint16_t msg_type)291 tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type)
292 {
293           return 0;
294 }
295 
296 static int
tlsext_supportedgroups_server_build(SSL * s,uint16_t msg_type,CBB * cbb)297 tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
298 {
299           return 0;
300 }
301 
302 static int
tlsext_supportedgroups_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)303 tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
304     int *alert)
305 {
306           /*
307            * Servers should not send this extension per the RFC.
308            *
309            * However, certain F5 BIG-IP systems incorrectly send it. This bug is
310            * from at least 2014 but as of 2017, there are still large sites with
311            * this unpatched in production. As a result, we need to currently skip
312            * over the extension and ignore its content:
313            *
314            *  https://support.f5.com/csp/article/K37345003
315            */
316           if (!CBS_skip(cbs, CBS_len(cbs))) {
317                     *alert = SSL_AD_INTERNAL_ERROR;
318                     return 0;
319           }
320 
321           return 1;
322 }
323 
324 /*
325  * Supported Point Formats Extension - RFC 4492 section 5.1.2
326  */
327 static int
tlsext_ecpf_build(SSL * s,uint16_t msg_type,CBB * cbb)328 tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb)
329 {
330           CBB ecpf;
331           size_t formats_len;
332           const uint8_t *formats;
333 
334           tls1_get_formatlist(s, 0, &formats, &formats_len);
335 
336           if (formats_len == 0) {
337                     SSLerror(s, ERR_R_INTERNAL_ERROR);
338                     return 0;
339           }
340 
341           if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
342                     return 0;
343           if (!CBB_add_bytes(&ecpf, formats, formats_len))
344                     return 0;
345           if (!CBB_flush(cbb))
346                     return 0;
347 
348           return 1;
349 }
350 
351 static int
tlsext_ecpf_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)352 tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
353 {
354           CBS ecpf;
355 
356           if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
357                     return 0;
358           if (CBS_len(&ecpf) == 0)
359                     return 0;
360 
361           /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
362           if (!CBS_contains_zero_byte(&ecpf)) {
363                     SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
364                     *alert = SSL_AD_ILLEGAL_PARAMETER;
365                     return 0;
366           }
367 
368           if (!s->internal->hit) {
369                     if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist),
370                         &(s->session->tlsext_ecpointformatlist_length))) {
371                               *alert = SSL_AD_INTERNAL_ERROR;
372                               return 0;
373                     }
374           }
375 
376           return 1;
377 }
378 
379 static int
tlsext_ecpf_client_needs(SSL * s,uint16_t msg_type)380 tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type)
381 {
382           return ssl_has_ecc_ciphers(s);
383 }
384 
385 static int
tlsext_ecpf_client_build(SSL * s,uint16_t msg_type,CBB * cbb)386 tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
387 {
388           return tlsext_ecpf_build(s, msg_type, cbb);
389 }
390 
391 static int
tlsext_ecpf_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)392 tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
393 {
394           return tlsext_ecpf_parse(s, msg_type, cbs, alert);
395 }
396 
397 static int
tlsext_ecpf_server_needs(SSL * s,uint16_t msg_type)398 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type)
399 {
400           return ssl_using_ecc_cipher(s);
401 }
402 
403 static int
tlsext_ecpf_server_build(SSL * s,uint16_t msg_type,CBB * cbb)404 tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
405 {
406           return tlsext_ecpf_build(s, msg_type, cbb);
407 }
408 
409 static int
tlsext_ecpf_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)410 tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
411 {
412           return tlsext_ecpf_parse(s, msg_type, cbs, alert);
413 }
414 
415 /*
416  * Renegotiation Indication - RFC 5746.
417  */
418 static int
tlsext_ri_client_needs(SSL * s,uint16_t msg_type)419 tlsext_ri_client_needs(SSL *s, uint16_t msg_type)
420 {
421           return (s->internal->renegotiate);
422 }
423 
424 static int
tlsext_ri_client_build(SSL * s,uint16_t msg_type,CBB * cbb)425 tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
426 {
427           CBB reneg;
428 
429           if (!CBB_add_u8_length_prefixed(cbb, &reneg))
430                     return 0;
431           if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
432               s->s3->previous_client_finished_len))
433                     return 0;
434           if (!CBB_flush(cbb))
435                     return 0;
436 
437           return 1;
438 }
439 
440 static int
tlsext_ri_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)441 tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
442 {
443           CBS reneg;
444 
445           if (!CBS_get_u8_length_prefixed(cbs, &reneg)) {
446                     SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
447                     return 0;
448           }
449 
450           if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished,
451               s->s3->previous_client_finished_len)) {
452                     SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
453                     *alert = SSL_AD_HANDSHAKE_FAILURE;
454                     return 0;
455           }
456 
457           s->s3->renegotiate_seen = 1;
458           s->s3->send_connection_binding = 1;
459 
460           return 1;
461 }
462 
463 static int
tlsext_ri_server_needs(SSL * s,uint16_t msg_type)464 tlsext_ri_server_needs(SSL *s, uint16_t msg_type)
465 {
466           return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
467               s->s3->send_connection_binding);
468 }
469 
470 static int
tlsext_ri_server_build(SSL * s,uint16_t msg_type,CBB * cbb)471 tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
472 {
473           CBB reneg;
474 
475           if (!CBB_add_u8_length_prefixed(cbb, &reneg))
476                     return 0;
477           if (!CBB_add_bytes(&reneg, s->s3->previous_client_finished,
478               s->s3->previous_client_finished_len))
479                     return 0;
480           if (!CBB_add_bytes(&reneg, s->s3->previous_server_finished,
481               s->s3->previous_server_finished_len))
482                     return 0;
483           if (!CBB_flush(cbb))
484                     return 0;
485 
486           return 1;
487 }
488 
489 static int
tlsext_ri_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)490 tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
491 {
492           CBS reneg, prev_client, prev_server;
493 
494           /*
495            * Ensure that the previous client and server values are both not
496            * present, or that they are both present.
497            */
498           if ((s->s3->previous_client_finished_len == 0 &&
499               s->s3->previous_server_finished_len != 0) ||
500               (s->s3->previous_client_finished_len != 0 &&
501               s->s3->previous_server_finished_len == 0)) {
502                     *alert = SSL_AD_INTERNAL_ERROR;
503                     return 0;
504           }
505 
506           if (!CBS_get_u8_length_prefixed(cbs, &reneg)) {
507                     SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
508                     return 0;
509           }
510           if (!CBS_get_bytes(&reneg, &prev_client,
511               s->s3->previous_client_finished_len)) {
512                     SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
513                     return 0;
514           }
515           if (!CBS_get_bytes(&reneg, &prev_server,
516               s->s3->previous_server_finished_len)) {
517                     SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
518                     return 0;
519           }
520           if (CBS_len(&reneg) != 0) {
521                     SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
522                     return 0;
523           }
524 
525           if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished,
526               s->s3->previous_client_finished_len)) {
527                     SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
528                     *alert = SSL_AD_HANDSHAKE_FAILURE;
529                     return 0;
530           }
531           if (!CBS_mem_equal(&prev_server, s->s3->previous_server_finished,
532               s->s3->previous_server_finished_len)) {
533                     SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
534                     *alert = SSL_AD_HANDSHAKE_FAILURE;
535                     return 0;
536           }
537 
538           s->s3->renegotiate_seen = 1;
539           s->s3->send_connection_binding = 1;
540 
541           return 1;
542 }
543 
544 /*
545  * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
546  */
547 static int
tlsext_sigalgs_client_needs(SSL * s,uint16_t msg_type)548 tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
549 {
550           return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION);
551 }
552 
553 static int
tlsext_sigalgs_client_build(SSL * s,uint16_t msg_type,CBB * cbb)554 tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
555 {
556           uint16_t tls_version = s->s3->hs.negotiated_tls_version;
557           CBB sigalgs;
558 
559           if (msg_type == SSL_TLSEXT_MSG_CH)
560                     tls_version = s->s3->hs.our_min_tls_version;
561 
562           if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
563                     return 0;
564           if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s)))
565                     return 0;
566           if (!CBB_flush(cbb))
567                     return 0;
568 
569           return 1;
570 }
571 
572 static int
tlsext_sigalgs_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)573 tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
574 {
575           CBS sigalgs;
576 
577           if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
578                     return 0;
579           if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
580                     return 0;
581           if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
582                     return 0;
583 
584           return 1;
585 }
586 
587 static int
tlsext_sigalgs_server_needs(SSL * s,uint16_t msg_type)588 tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
589 {
590           return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
591 }
592 
593 static int
tlsext_sigalgs_server_build(SSL * s,uint16_t msg_type,CBB * cbb)594 tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
595 {
596           CBB sigalgs;
597 
598           if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
599                     return 0;
600           if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs,
601               SSL_get_security_level(s)))
602                     return 0;
603           if (!CBB_flush(cbb))
604                     return 0;
605 
606           return 1;
607 }
608 
609 static int
tlsext_sigalgs_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)610 tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
611 {
612           CBS sigalgs;
613 
614           if (ssl_effective_tls_version(s) < TLS1_3_VERSION)
615                     return 0;
616 
617           if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
618                     return 0;
619           if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
620                     return 0;
621           if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, &s->s3->hs.sigalgs_len))
622                     return 0;
623 
624           return 1;
625 }
626 
627 /*
628  * Server Name Indication - RFC 6066, section 3.
629  */
630 static int
tlsext_sni_client_needs(SSL * s,uint16_t msg_type)631 tlsext_sni_client_needs(SSL *s, uint16_t msg_type)
632 {
633           return (s->tlsext_hostname != NULL);
634 }
635 
636 static int
tlsext_sni_client_build(SSL * s,uint16_t msg_type,CBB * cbb)637 tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
638 {
639           CBB server_name_list, host_name;
640 
641           if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
642                     return 0;
643           if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name))
644                     return 0;
645           if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
646                     return 0;
647           if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
648               strlen(s->tlsext_hostname)))
649                     return 0;
650           if (!CBB_flush(cbb))
651                     return 0;
652 
653           return 1;
654 }
655 
656 static int
tlsext_sni_is_ip_literal(CBS * cbs,int * is_ip)657 tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip)
658 {
659           union {
660                     struct in_addr ip4;
661                     struct in6_addr ip6;
662           } addrbuf;
663           char *hostname = NULL;
664 
665           *is_ip = 0;
666 
667           if (!CBS_strdup(cbs, &hostname))
668                     return 0;
669 
670           if (inet_pton(AF_INET, hostname, &addrbuf) == 1 ||
671               inet_pton(AF_INET6, hostname, &addrbuf) == 1)
672                     *is_ip = 1;
673 
674           free(hostname);
675 
676           return 1;
677 }
678 
679 /*
680  * Validate that the CBS contains only a hostname consisting of RFC 5890
681  * compliant A-labels (see RFC 6066 section 3). Not a complete check
682  * since we don't parse punycode to verify its validity but limits to
683  * correct structure and character set.
684  */
685 int
tlsext_sni_is_valid_hostname(CBS * cbs,int * is_ip)686 tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip)
687 {
688           uint8_t prev, c = 0;
689           int component = 0;
690           CBS hostname;
691 
692           *is_ip = 0;
693 
694           CBS_dup(cbs, &hostname);
695 
696           if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name)
697                     return 0;
698 
699           /* An IP literal is invalid as a host name (RFC 6066 section 3). */
700           if (!tlsext_sni_is_ip_literal(&hostname, is_ip))
701                     return 0;
702           if (*is_ip)
703                     return 0;
704 
705           while (CBS_len(&hostname) > 0) {
706                     prev = c;
707                     if (!CBS_get_u8(&hostname, &c))
708                               return 0;
709                     /* Everything has to be ASCII, with no NUL byte. */
710                     if (!isascii(c) || c == '\0')
711                               return 0;
712                     /* It must be alphanumeric, a '-', or a '.' */
713                     if (!isalnum(c) && c != '-' && c != '.')
714                               return 0;
715                     /* '-' and '.' must not start a component or be at the end. */
716                     if (component == 0 || CBS_len(&hostname) == 0) {
717                               if (c == '-' || c == '.')
718                                         return 0;
719                     }
720                     if (c == '.') {
721                               /* Components can not end with a dash. */
722                               if (prev == '-')
723                                         return 0;
724                               /* Start new component */
725                               component = 0;
726                               continue;
727                     }
728                     /* Components must be 63 chars or less. */
729                     if (++component > 63)
730                               return 0;
731           }
732 
733           return 1;
734 }
735 
736 static int
tlsext_sni_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)737 tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
738 {
739           CBS server_name_list, host_name;
740           uint8_t name_type;
741           int is_ip;
742 
743           if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
744                     goto err;
745 
746           if (!CBS_get_u8(&server_name_list, &name_type))
747                     goto err;
748 
749           /*
750            * RFC 6066 section 3, only one type (host_name) is specified.
751            * We do not tolerate unknown types, neither does BoringSSL.
752            * other implementations appear more tolerant.
753            */
754           if (name_type != TLSEXT_NAMETYPE_host_name) {
755                     *alert = SSL_AD_ILLEGAL_PARAMETER;
756                     goto err;
757           }
758 
759           /*
760            * RFC 6066 section 3 specifies a host name must be at least 1 byte
761            * so 0 length is a decode error.
762            */
763           if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
764                     goto err;
765           if (CBS_len(&host_name) < 1)
766                     goto err;
767 
768           if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) {
769                     /*
770                      * Various pieces of software have been known to set the SNI
771                      * host name to an IP address, even though that violates the
772                      * RFC. If this is the case, pretend the SNI extension does
773                      * not exist.
774                      */
775                     if (is_ip)
776                               goto done;
777 
778                     *alert = SSL_AD_ILLEGAL_PARAMETER;
779                     goto err;
780           }
781 
782           if (s->internal->hit || s->s3->hs.tls13.hrr) {
783                     if (s->session->tlsext_hostname == NULL) {
784                               *alert = SSL_AD_UNRECOGNIZED_NAME;
785                               goto err;
786                     }
787                     if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
788                         strlen(s->session->tlsext_hostname))) {
789                               *alert = SSL_AD_UNRECOGNIZED_NAME;
790                               goto err;
791                     }
792           } else {
793                     if (s->session->tlsext_hostname != NULL)
794                               goto err;
795                     if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
796                               *alert = SSL_AD_INTERNAL_ERROR;
797                               goto err;
798                     }
799           }
800 
801  done:
802           /*
803            * RFC 6066 section 3 forbids multiple host names with the same type,
804            * therefore we allow only one entry.
805            */
806           if (CBS_len(&server_name_list) != 0) {
807                     *alert = SSL_AD_ILLEGAL_PARAMETER;
808                     goto err;
809           }
810 
811           return 1;
812 
813  err:
814           return 0;
815 }
816 
817 static int
tlsext_sni_server_needs(SSL * s,uint16_t msg_type)818 tlsext_sni_server_needs(SSL *s, uint16_t msg_type)
819 {
820           if (s->internal->hit)
821                     return 0;
822 
823           return (s->session->tlsext_hostname != NULL);
824 }
825 
826 static int
tlsext_sni_server_build(SSL * s,uint16_t msg_type,CBB * cbb)827 tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
828 {
829           return 1;
830 }
831 
832 static int
tlsext_sni_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)833 tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
834 {
835           if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
836                     *alert = SSL_AD_UNRECOGNIZED_NAME;
837                     return 0;
838           }
839 
840           if (s->internal->hit) {
841                     if (s->session->tlsext_hostname == NULL) {
842                               *alert = SSL_AD_UNRECOGNIZED_NAME;
843                               return 0;
844                     }
845                     if (strcmp(s->tlsext_hostname,
846                         s->session->tlsext_hostname) != 0) {
847                               *alert = SSL_AD_UNRECOGNIZED_NAME;
848                               return 0;
849                     }
850           } else {
851                     if (s->session->tlsext_hostname != NULL)
852                               return 0;
853                     if ((s->session->tlsext_hostname =
854                         strdup(s->tlsext_hostname)) == NULL) {
855                               *alert = SSL_AD_INTERNAL_ERROR;
856                               return 0;
857                     }
858           }
859 
860           return 1;
861 }
862 
863 /*
864  * Certificate Status Request - RFC 6066 section 8.
865  */
866 
867 static int
tlsext_ocsp_client_needs(SSL * s,uint16_t msg_type)868 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
869 {
870           if (msg_type != SSL_TLSEXT_MSG_CH)
871                     return 0;
872 
873           return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp);
874 }
875 
876 static int
tlsext_ocsp_client_build(SSL * s,uint16_t msg_type,CBB * cbb)877 tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
878 {
879           CBB respid_list, respid, exts;
880           unsigned char *ext_data;
881           size_t ext_len;
882           int i;
883 
884           if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
885                     return 0;
886           if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
887                     return 0;
888           for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
889                     unsigned char *respid_data;
890                     OCSP_RESPID *id;
891                     size_t id_len;
892 
893                     if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,
894                         i)) ==  NULL)
895                               return 0;
896                     if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
897                               return 0;
898                     if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
899                               return 0;
900                     if (!CBB_add_space(&respid, &respid_data, id_len))
901                               return 0;
902                     if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
903                               return 0;
904           }
905           if (!CBB_add_u16_length_prefixed(cbb, &exts))
906                     return 0;
907           if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
908               NULL)) == -1)
909                     return 0;
910           if (!CBB_add_space(&exts, &ext_data, ext_len))
911                     return 0;
912           if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
913               ext_len))
914                     return 0;
915           if (!CBB_flush(cbb))
916                     return 0;
917           return 1;
918 }
919 
920 static int
tlsext_ocsp_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)921 tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
922 {
923           int alert_desc = SSL_AD_DECODE_ERROR;
924           CBS respid_list, respid, exts;
925           const unsigned char *p;
926           uint8_t status_type;
927           int ret = 0;
928 
929           if (msg_type != SSL_TLSEXT_MSG_CH)
930                     goto err;
931 
932           if (!CBS_get_u8(cbs, &status_type))
933                     goto err;
934           if (status_type != TLSEXT_STATUSTYPE_ocsp) {
935                     /* ignore unknown status types */
936                     s->tlsext_status_type = -1;
937 
938                     if (!CBS_skip(cbs, CBS_len(cbs))) {
939                               *alert = SSL_AD_INTERNAL_ERROR;
940                               return 0;
941                     }
942                     return 1;
943           }
944           s->tlsext_status_type = status_type;
945           if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
946                     goto err;
947 
948           /* XXX */
949           sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
950           s->internal->tlsext_ocsp_ids = NULL;
951           if (CBS_len(&respid_list) > 0) {
952                     s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
953                     if (s->internal->tlsext_ocsp_ids == NULL) {
954                               alert_desc = SSL_AD_INTERNAL_ERROR;
955                               goto err;
956                     }
957           }
958 
959           while (CBS_len(&respid_list) > 0) {
960                     OCSP_RESPID *id;
961 
962                     if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
963                               goto err;
964                     p = CBS_data(&respid);
965                     if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL)
966                               goto err;
967                     if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) {
968                               alert_desc = SSL_AD_INTERNAL_ERROR;
969                               OCSP_RESPID_free(id);
970                               goto err;
971                     }
972           }
973 
974           /* Read in request_extensions */
975           if (!CBS_get_u16_length_prefixed(cbs, &exts))
976                     goto err;
977           if (CBS_len(&exts) > 0) {
978                     sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
979                         X509_EXTENSION_free);
980                     p = CBS_data(&exts);
981                     if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
982                         &p, CBS_len(&exts))) == NULL)
983                               goto err;
984           }
985 
986           ret = 1;
987  err:
988           if (ret == 0)
989                     *alert = alert_desc;
990           return ret;
991 }
992 
993 static int
tlsext_ocsp_server_needs(SSL * s,uint16_t msg_type)994 tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type)
995 {
996           if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
997               s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
998               s->ctx->internal->tlsext_status_cb != NULL) {
999                     s->internal->tlsext_status_expected = 0;
1000                     if (s->ctx->internal->tlsext_status_cb(s,
1001                         s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
1002                         s->internal->tlsext_ocsp_resp_len > 0)
1003                               s->internal->tlsext_status_expected = 1;
1004           }
1005           return s->internal->tlsext_status_expected;
1006 }
1007 
1008 static int
tlsext_ocsp_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1009 tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1010 {
1011           CBB ocsp_response;
1012 
1013           if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) {
1014                     if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
1015                               return 0;
1016                     if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
1017                               return 0;
1018                     if (!CBB_add_bytes(&ocsp_response,
1019                         s->internal->tlsext_ocsp_resp,
1020                         s->internal->tlsext_ocsp_resp_len))
1021                               return 0;
1022                     if (!CBB_flush(cbb))
1023                               return 0;
1024           }
1025           return 1;
1026 }
1027 
1028 static int
tlsext_ocsp_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1029 tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1030 {
1031           uint8_t status_type;
1032           CBS response;
1033 
1034           if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) {
1035                     if (msg_type == SSL_TLSEXT_MSG_CR) {
1036                               /*
1037                                * RFC 8446, 4.4.2.1 - the server may request an OCSP
1038                                * response with an empty status_request.
1039                                */
1040                               if (CBS_len(cbs) == 0)
1041                                         return 1;
1042 
1043                               SSLerror(s, SSL_R_LENGTH_MISMATCH);
1044                               return 0;
1045                     }
1046                     if (!CBS_get_u8(cbs, &status_type)) {
1047                               SSLerror(s, SSL_R_LENGTH_MISMATCH);
1048                               return 0;
1049                     }
1050                     if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1051                               SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
1052                               return 0;
1053                     }
1054                     if (!CBS_get_u24_length_prefixed(cbs, &response)) {
1055                               SSLerror(s, SSL_R_LENGTH_MISMATCH);
1056                               return 0;
1057                     }
1058                     if (CBS_len(&response) > 65536) {
1059                               SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1060                               return 0;
1061                     }
1062                     if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
1063                         &s->internal->tlsext_ocsp_resp_len)) {
1064                               *alert = SSL_AD_INTERNAL_ERROR;
1065                               return 0;
1066                     }
1067           } else {
1068                     if (s->tlsext_status_type == -1) {
1069                               *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1070                               return 0;
1071                     }
1072                     /* Set flag to expect CertificateStatus message */
1073                     s->internal->tlsext_status_expected = 1;
1074           }
1075           return 1;
1076 }
1077 
1078 /*
1079  * SessionTicket extension - RFC 5077 section 3.2
1080  */
1081 static int
tlsext_sessionticket_client_needs(SSL * s,uint16_t msg_type)1082 tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
1083 {
1084           /*
1085            * Send session ticket extension when enabled and not overridden.
1086            *
1087            * When renegotiating, send an empty session ticket to indicate support.
1088            */
1089           if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
1090                     return 0;
1091 
1092           if (!ssl_security_tickets(s))
1093                     return 0;
1094 
1095           if (s->internal->new_session)
1096                     return 1;
1097 
1098           if (s->internal->tlsext_session_ticket != NULL &&
1099               s->internal->tlsext_session_ticket->data == NULL)
1100                     return 0;
1101 
1102           return 1;
1103 }
1104 
1105 static int
tlsext_sessionticket_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1106 tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1107 {
1108           /*
1109            * Signal that we support session tickets by sending an empty
1110            * extension when renegotiating or no session found.
1111            */
1112           if (s->internal->new_session || s->session == NULL)
1113                     return 1;
1114 
1115           if (s->session->tlsext_tick != NULL) {
1116                     /* Attempt to resume with an existing session ticket */
1117                     if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1118                         s->session->tlsext_ticklen))
1119                               return 0;
1120 
1121           } else if (s->internal->tlsext_session_ticket != NULL) {
1122                     /*
1123                      * Attempt to resume with a custom provided session ticket set
1124                      * by SSL_set_session_ticket_ext().
1125                      */
1126                     if (s->internal->tlsext_session_ticket->length > 0) {
1127                               size_t ticklen = s->internal->tlsext_session_ticket->length;
1128 
1129                               if ((s->session->tlsext_tick = malloc(ticklen)) == NULL)
1130                                         return 0;
1131                               memcpy(s->session->tlsext_tick,
1132                                   s->internal->tlsext_session_ticket->data,
1133                                   ticklen);
1134                               s->session->tlsext_ticklen = ticklen;
1135 
1136                               if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1137                                   s->session->tlsext_ticklen))
1138                                         return 0;
1139                     }
1140           }
1141 
1142           if (!CBB_flush(cbb))
1143                     return 0;
1144 
1145           return 1;
1146 }
1147 
1148 static int
tlsext_sessionticket_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1149 tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1150     int *alert)
1151 {
1152           if (s->internal->tls_session_ticket_ext_cb) {
1153                     if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1154                         (int)CBS_len(cbs),
1155                         s->internal->tls_session_ticket_ext_cb_arg)) {
1156                               *alert = SSL_AD_INTERNAL_ERROR;
1157                               return 0;
1158                     }
1159           }
1160 
1161           /* We need to signal that this was processed fully */
1162           if (!CBS_skip(cbs, CBS_len(cbs))) {
1163                     *alert = SSL_AD_INTERNAL_ERROR;
1164                     return 0;
1165           }
1166 
1167           return 1;
1168 }
1169 
1170 static int
tlsext_sessionticket_server_needs(SSL * s,uint16_t msg_type)1171 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
1172 {
1173           return (s->internal->tlsext_ticket_expected &&
1174               !(SSL_get_options(s) & SSL_OP_NO_TICKET) &&
1175               ssl_security_tickets(s));
1176 }
1177 
1178 static int
tlsext_sessionticket_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1179 tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1180 {
1181           /* Empty ticket */
1182           return 1;
1183 }
1184 
1185 static int
tlsext_sessionticket_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1186 tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1187     int *alert)
1188 {
1189           if (s->internal->tls_session_ticket_ext_cb) {
1190                     if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1191                         (int)CBS_len(cbs),
1192                         s->internal->tls_session_ticket_ext_cb_arg)) {
1193                               *alert = SSL_AD_INTERNAL_ERROR;
1194                               return 0;
1195                     }
1196           }
1197 
1198           if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
1199                     *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1200                     return 0;
1201           }
1202 
1203           s->internal->tlsext_ticket_expected = 1;
1204 
1205           return 1;
1206 }
1207 
1208 /*
1209  * DTLS extension for SRTP key establishment - RFC 5764
1210  */
1211 
1212 #ifndef OPENSSL_NO_SRTP
1213 
1214 static int
tlsext_srtp_client_needs(SSL * s,uint16_t msg_type)1215 tlsext_srtp_client_needs(SSL *s, uint16_t msg_type)
1216 {
1217           return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL;
1218 }
1219 
1220 static int
tlsext_srtp_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1221 tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1222 {
1223           CBB profiles, mki;
1224           int ct, i;
1225           STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL;
1226           const SRTP_PROTECTION_PROFILE *prof;
1227 
1228           if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1229                     SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1230                     return 0;
1231           }
1232 
1233           if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) {
1234                     SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1235                     return 0;
1236           }
1237 
1238           if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1239                     return 0;
1240 
1241           for (i = 0; i < ct; i++) {
1242                     if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL)
1243                               return 0;
1244                     if (!CBB_add_u16(&profiles, prof->id))
1245                               return 0;
1246           }
1247 
1248           if (!CBB_add_u8_length_prefixed(cbb, &mki))
1249                     return 0;
1250 
1251           if (!CBB_flush(cbb))
1252                     return 0;
1253 
1254           return 1;
1255 }
1256 
1257 static int
tlsext_srtp_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1258 tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1259 {
1260           const SRTP_PROTECTION_PROFILE *cprof, *sprof;
1261           STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
1262           int i, j;
1263           int ret;
1264           uint16_t id;
1265           CBS profiles, mki;
1266 
1267           ret = 0;
1268 
1269           if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1270                     goto err;
1271           if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1272                     goto err;
1273 
1274           if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL)
1275                     goto err;
1276 
1277           while (CBS_len(&profiles) > 0) {
1278                     if (!CBS_get_u16(&profiles, &id))
1279                               goto err;
1280 
1281                     if (!srtp_find_profile_by_num(id, &cprof)) {
1282                               if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof))
1283                                         goto err;
1284                     }
1285           }
1286 
1287           if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1288                     SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1289                     goto done;
1290           }
1291 
1292           /*
1293            * Per RFC 5764 section 4.1.1
1294            *
1295            * Find the server preferred profile using the client's list.
1296            *
1297            * The server MUST send a profile if it sends the use_srtp
1298            * extension.  If one is not found, it should fall back to the
1299            * negotiated DTLS cipher suite or return a DTLS alert.
1300            */
1301           if ((srvr = SSL_get_srtp_profiles(s)) == NULL)
1302                     goto err;
1303           for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
1304                     if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL)
1305                               goto err;
1306 
1307                     for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
1308                               if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j))
1309                                   == NULL)
1310                                         goto err;
1311 
1312                               if (cprof->id == sprof->id) {
1313                                         s->internal->srtp_profile = sprof;
1314                                         ret = 1;
1315                                         goto done;
1316                               }
1317                     }
1318           }
1319 
1320           /* If we didn't find anything, fall back to the negotiated */
1321           ret = 1;
1322           goto done;
1323 
1324  err:
1325           SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1326 
1327  done:
1328           sk_SRTP_PROTECTION_PROFILE_free(clnt);
1329           return ret;
1330 }
1331 
1332 static int
tlsext_srtp_server_needs(SSL * s,uint16_t msg_type)1333 tlsext_srtp_server_needs(SSL *s, uint16_t msg_type)
1334 {
1335           return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL;
1336 }
1337 
1338 static int
tlsext_srtp_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1339 tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1340 {
1341           SRTP_PROTECTION_PROFILE *profile;
1342           CBB srtp, mki;
1343 
1344           if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1345                     return 0;
1346 
1347           if ((profile = SSL_get_selected_srtp_profile(s)) == NULL)
1348                     return 0;
1349 
1350           if (!CBB_add_u16(&srtp, profile->id))
1351                     return 0;
1352 
1353           if (!CBB_add_u8_length_prefixed(cbb, &mki))
1354                     return 0;
1355 
1356           if (!CBB_flush(cbb))
1357                     return 0;
1358 
1359           return 1;
1360 }
1361 
1362 static int
tlsext_srtp_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1363 tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1364 {
1365           STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1366           const SRTP_PROTECTION_PROFILE *prof;
1367           int i;
1368           uint16_t id;
1369           CBS profile_ids, mki;
1370 
1371           if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1372                     SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1373                     return 0;
1374           }
1375 
1376           if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1377                     SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1378                     return 0;
1379           }
1380 
1381           if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1382                     SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1383                     *alert = SSL_AD_ILLEGAL_PARAMETER;
1384                     return 0;
1385           }
1386 
1387           if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1388                     SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1389                     return 0;
1390           }
1391 
1392           for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1393                     if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i))
1394                         == NULL) {
1395                               SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1396                               return 0;
1397                     }
1398 
1399                     if (prof->id == id) {
1400                               s->internal->srtp_profile = prof;
1401                               return 1;
1402                     }
1403           }
1404 
1405           SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1406 
1407           return 0;
1408 }
1409 
1410 #endif /* OPENSSL_NO_SRTP */
1411 
1412 /*
1413  * TLSv1.3 Key Share - RFC 8446 section 4.2.8.
1414  */
1415 static int
tlsext_keyshare_client_needs(SSL * s,uint16_t msg_type)1416 tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1417 {
1418           return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1419 }
1420 
1421 static int
tlsext_keyshare_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1422 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1423 {
1424           CBB client_shares, key_exchange;
1425 
1426           if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
1427                     return 0;
1428 
1429           if (!CBB_add_u16(&client_shares,
1430               tls_key_share_group(s->s3->hs.key_share)))
1431                     return 0;
1432           if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
1433                     return 0;
1434           if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1435                     return 0;
1436 
1437           if (!CBB_flush(cbb))
1438                     return 0;
1439 
1440           return 1;
1441 }
1442 
1443 static int
tlsext_keyshare_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1444 tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1445 {
1446           CBS client_shares, key_exchange;
1447           int decode_error;
1448           uint16_t group;
1449 
1450           if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1451                     return 0;
1452 
1453           while (CBS_len(&client_shares) > 0) {
1454 
1455                     /* Unpack client share. */
1456                     if (!CBS_get_u16(&client_shares, &group))
1457                               return 0;
1458                     if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1459                               return 0;
1460 
1461                     /*
1462                      * XXX - check key exchange against supported groups from client.
1463                      * XXX - check that groups only appear once.
1464                      */
1465 
1466                     /*
1467                      * Ignore this client share if we're using earlier than TLSv1.3
1468                      * or we've already selected a key share.
1469                      */
1470                     if (s->s3->hs.our_max_tls_version < TLS1_3_VERSION)
1471                               continue;
1472                     if (s->s3->hs.key_share != NULL)
1473                               continue;
1474 
1475                     /* XXX - consider implementing server preference. */
1476                     if (!tls1_check_group(s, group))
1477                               continue;
1478 
1479                     /* Decode and store the selected key share. */
1480                     if ((s->s3->hs.key_share = tls_key_share_new(group)) == NULL) {
1481                               *alert = SSL_AD_INTERNAL_ERROR;
1482                               return 0;
1483                     }
1484                     if (!tls_key_share_peer_public(s->s3->hs.key_share,
1485                         &key_exchange, &decode_error, NULL)) {
1486                               if (!decode_error)
1487                                         *alert = SSL_AD_INTERNAL_ERROR;
1488                               return 0;
1489                     }
1490           }
1491 
1492           return 1;
1493 }
1494 
1495 static int
tlsext_keyshare_server_needs(SSL * s,uint16_t msg_type)1496 tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
1497 {
1498           return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1499               tlsext_extension_seen(s, TLSEXT_TYPE_key_share));
1500 }
1501 
1502 static int
tlsext_keyshare_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1503 tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1504 {
1505           CBB key_exchange;
1506 
1507           /* In the case of a HRR, we only send the server selected group. */
1508           if (s->s3->hs.tls13.hrr) {
1509                     if (s->s3->hs.tls13.server_group == 0)
1510                               return 0;
1511                     return CBB_add_u16(cbb, s->s3->hs.tls13.server_group);
1512           }
1513 
1514           if (s->s3->hs.key_share == NULL)
1515                     return 0;
1516 
1517           if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)))
1518                     return 0;
1519           if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
1520                     return 0;
1521           if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
1522                     return 0;
1523 
1524           if (!CBB_flush(cbb))
1525                     return 0;
1526 
1527           return 1;
1528 }
1529 
1530 static int
tlsext_keyshare_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1531 tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1532 {
1533           CBS key_exchange;
1534           int decode_error;
1535           uint16_t group;
1536 
1537           /* Unpack server share. */
1538           if (!CBS_get_u16(cbs, &group))
1539                     return 0;
1540 
1541           if (CBS_len(cbs) == 0) {
1542                     /* HRR does not include an actual key share, only the group. */
1543                     if (msg_type != SSL_TLSEXT_MSG_HRR)
1544                               return 0;
1545 
1546                     s->s3->hs.tls13.server_group = group;
1547                     return 1;
1548           }
1549 
1550           if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1551                     return 0;
1552 
1553           if (s->s3->hs.key_share == NULL) {
1554                     *alert = SSL_AD_INTERNAL_ERROR;
1555                     return 0;
1556           }
1557           if (tls_key_share_group(s->s3->hs.key_share) != group) {
1558                     *alert = SSL_AD_INTERNAL_ERROR;
1559                     return 0;
1560           }
1561           if (!tls_key_share_peer_public(s->s3->hs.key_share,
1562               &key_exchange, &decode_error, NULL)) {
1563                     if (!decode_error)
1564                               *alert = SSL_AD_INTERNAL_ERROR;
1565                     return 0;
1566           }
1567 
1568           return 1;
1569 }
1570 
1571 /*
1572  * Supported Versions - RFC 8446 section 4.2.1.
1573  */
1574 static int
tlsext_versions_client_needs(SSL * s,uint16_t msg_type)1575 tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
1576 {
1577           return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1578 }
1579 
1580 static int
tlsext_versions_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1581 tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1582 {
1583           uint16_t max, min;
1584           uint16_t version;
1585           CBB versions;
1586 
1587           max = s->s3->hs.our_max_tls_version;
1588           min = s->s3->hs.our_min_tls_version;
1589 
1590           if (!CBB_add_u8_length_prefixed(cbb, &versions))
1591                     return 0;
1592 
1593           /* XXX - fix, but contiguous for now... */
1594           for (version = max; version >= min; version--) {
1595                     if (!CBB_add_u16(&versions, version))
1596                               return 0;
1597           }
1598 
1599           if (!CBB_flush(cbb))
1600                     return 0;
1601 
1602           return 1;
1603 }
1604 
1605 static int
tlsext_versions_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1606 tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1607 {
1608           CBS versions;
1609           uint16_t version;
1610           uint16_t max, min;
1611           uint16_t matched_version = 0;
1612 
1613           max = s->s3->hs.our_max_tls_version;
1614           min = s->s3->hs.our_min_tls_version;
1615 
1616           if (!CBS_get_u8_length_prefixed(cbs, &versions))
1617                     return 0;
1618 
1619           while (CBS_len(&versions) > 0) {
1620                     if (!CBS_get_u16(&versions, &version))
1621                               return 0;
1622                     /*
1623                      * XXX What is below implements client preference, and
1624                      * ignores any server preference entirely.
1625                      */
1626                     if (matched_version == 0 && version >= min && version <= max)
1627                               matched_version = version;
1628           }
1629 
1630           if (matched_version > 0)  {
1631                     /* XXX - this should be stored for later processing. */
1632                     s->version = matched_version;
1633                     return 1;
1634           }
1635 
1636           *alert = SSL_AD_PROTOCOL_VERSION;
1637           return 0;
1638 }
1639 
1640 static int
tlsext_versions_server_needs(SSL * s,uint16_t msg_type)1641 tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
1642 {
1643           return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION);
1644 }
1645 
1646 static int
tlsext_versions_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1647 tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1648 {
1649           return CBB_add_u16(cbb, TLS1_3_VERSION);
1650 }
1651 
1652 static int
tlsext_versions_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1653 tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1654 {
1655           uint16_t selected_version;
1656 
1657           if (!CBS_get_u16(cbs, &selected_version))
1658                     return 0;
1659 
1660           /* XXX - need to fix for DTLS 1.3 */
1661           if (selected_version < TLS1_3_VERSION) {
1662                     *alert = SSL_AD_ILLEGAL_PARAMETER;
1663                     return 0;
1664           }
1665 
1666           /* XXX test between min and max once initialization code goes in */
1667           s->s3->hs.tls13.server_version = selected_version;
1668 
1669           return 1;
1670 }
1671 
1672 
1673 /*
1674  * Cookie - RFC 8446 section 4.2.2.
1675  */
1676 
1677 static int
tlsext_cookie_client_needs(SSL * s,uint16_t msg_type)1678 tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
1679 {
1680           return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1681               s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1682 }
1683 
1684 static int
tlsext_cookie_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1685 tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1686 {
1687           CBB cookie;
1688 
1689           if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1690                     return 0;
1691 
1692           if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1693               s->s3->hs.tls13.cookie_len))
1694                     return 0;
1695 
1696           if (!CBB_flush(cbb))
1697                     return 0;
1698 
1699           return 1;
1700 }
1701 
1702 static int
tlsext_cookie_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1703 tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1704 {
1705           CBS cookie;
1706 
1707           if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1708                     return 0;
1709 
1710           if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len)
1711                     return 0;
1712 
1713           /*
1714            * Check provided cookie value against what server previously
1715            * sent - client *MUST* send the same cookie with new CR after
1716            * a cookie is sent by the server with an HRR.
1717            */
1718           if (!CBS_mem_equal(&cookie, s->s3->hs.tls13.cookie,
1719               s->s3->hs.tls13.cookie_len)) {
1720                     /* XXX special cookie mismatch alert? */
1721                     *alert = SSL_AD_ILLEGAL_PARAMETER;
1722                     return 0;
1723           }
1724 
1725           return 1;
1726 }
1727 
1728 static int
tlsext_cookie_server_needs(SSL * s,uint16_t msg_type)1729 tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
1730 {
1731           /*
1732            * Server needs to set cookie value in tls13 handshake
1733            * in order to send one, should only be sent with HRR.
1734            */
1735           return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION &&
1736               s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL);
1737 }
1738 
1739 static int
tlsext_cookie_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1740 tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1741 {
1742           CBB cookie;
1743 
1744           /* XXX deduplicate with client code */
1745 
1746           if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1747                     return 0;
1748 
1749           if (!CBB_add_bytes(&cookie, s->s3->hs.tls13.cookie,
1750               s->s3->hs.tls13.cookie_len))
1751                     return 0;
1752 
1753           if (!CBB_flush(cbb))
1754                     return 0;
1755 
1756           return 1;
1757 }
1758 
1759 static int
tlsext_cookie_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1760 tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1761 {
1762           CBS cookie;
1763 
1764           /*
1765            * XXX This currently assumes we will not get a second
1766            * HRR from a server with a cookie to process after accepting
1767            * one from the server in the same handshake
1768            */
1769           if (s->s3->hs.tls13.cookie != NULL ||
1770               s->s3->hs.tls13.cookie_len != 0) {
1771                     *alert = SSL_AD_ILLEGAL_PARAMETER;
1772                     return 0;
1773           }
1774 
1775           if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1776                     return 0;
1777 
1778           if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie,
1779               &s->s3->hs.tls13.cookie_len))
1780                     return 0;
1781 
1782           return 1;
1783 }
1784 
1785 /*
1786  * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9.
1787  */
1788 
1789 static int
tlsext_psk_kex_modes_client_needs(SSL * s,uint16_t msg_type)1790 tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type)
1791 {
1792           return (s->s3->hs.tls13.use_psk_dhe_ke &&
1793               s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
1794 }
1795 
1796 static int
tlsext_psk_kex_modes_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1797 tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1798 {
1799           CBB ke_modes;
1800 
1801           if (!CBB_add_u8_length_prefixed(cbb, &ke_modes))
1802                     return 0;
1803 
1804           /* Only indicate support for PSK with DHE key establishment. */
1805           if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE))
1806                     return 0;
1807 
1808           if (!CBB_flush(cbb))
1809                     return 0;
1810 
1811           return 1;
1812 }
1813 
1814 static int
tlsext_psk_kex_modes_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1815 tlsext_psk_kex_modes_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1816     int *alert)
1817 {
1818           CBS ke_modes;
1819           uint8_t ke_mode;
1820 
1821           if (!CBS_get_u8_length_prefixed(cbs, &ke_modes))
1822                     return 0;
1823 
1824           while (CBS_len(&ke_modes) > 0) {
1825                     if (!CBS_get_u8(&ke_modes, &ke_mode))
1826                               return 0;
1827 
1828                     if (ke_mode == TLS13_PSK_DHE_KE)
1829                               s->s3->hs.tls13.use_psk_dhe_ke = 1;
1830           }
1831 
1832           return 1;
1833 }
1834 
1835 static int
tlsext_psk_kex_modes_server_needs(SSL * s,uint16_t msg_type)1836 tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type)
1837 {
1838           /* Servers MUST NOT send this extension. */
1839           return 0;
1840 }
1841 
1842 static int
tlsext_psk_kex_modes_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1843 tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1844 {
1845           return 0;
1846 }
1847 
1848 static int
tlsext_psk_kex_modes_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1849 tlsext_psk_kex_modes_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1850     int *alert)
1851 {
1852           return 0;
1853 }
1854 
1855 /*
1856  * Pre-Shared Key Extension - RFC 8446, 4.2.11
1857  */
1858 
1859 static int
tlsext_psk_client_needs(SSL * s,uint16_t msg_type)1860 tlsext_psk_client_needs(SSL *s, uint16_t msg_type)
1861 {
1862           return 0;
1863 }
1864 
1865 static int
tlsext_psk_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1866 tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1867 {
1868           return 0;
1869 }
1870 
1871 static int
tlsext_psk_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1872 tlsext_psk_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1873 {
1874           return CBS_skip(cbs, CBS_len(cbs));
1875 }
1876 
1877 static int
tlsext_psk_server_needs(SSL * s,uint16_t msg_type)1878 tlsext_psk_server_needs(SSL *s, uint16_t msg_type)
1879 {
1880           return 0;
1881 }
1882 
1883 static int
tlsext_psk_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1884 tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1885 {
1886           return 0;
1887 }
1888 
1889 static int
tlsext_psk_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1890 tlsext_psk_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1891 {
1892           return CBS_skip(cbs, CBS_len(cbs));
1893 }
1894 
1895 /*
1896  * QUIC transport parameters extension - RFC 9001 section 8.2.
1897  */
1898 
1899 static int
tlsext_quic_transport_parameters_client_needs(SSL * s,uint16_t msg_type)1900 tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type)
1901 {
1902           return SSL_is_quic(s) && s->internal->quic_transport_params_len > 0;
1903 }
1904 
1905 static int
tlsext_quic_transport_parameters_client_build(SSL * s,uint16_t msg_type,CBB * cbb)1906 tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type,
1907     CBB *cbb)
1908 {
1909           if (!CBB_add_bytes(cbb, s->internal->quic_transport_params,
1910               s->internal->quic_transport_params_len))
1911                     return 0;
1912 
1913           return 1;
1914 }
1915 
1916 static int
tlsext_quic_transport_parameters_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1917 tlsext_quic_transport_parameters_client_parse(SSL *s, uint16_t msg_type,
1918     CBS *cbs, int *alert)
1919 {
1920           if (!SSL_is_quic(s)) {
1921                     *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1922                     return 0;
1923           }
1924 
1925           if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params,
1926               &s->s3->peer_quic_transport_params_len))
1927                     return 0;
1928           if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len))
1929                     return 0;
1930 
1931           return 1;
1932 }
1933 
1934 static int
tlsext_quic_transport_parameters_server_needs(SSL * s,uint16_t msg_type)1935 tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type)
1936 {
1937           return SSL_is_quic(s) && s->internal->quic_transport_params_len > 0;
1938 }
1939 
1940 static int
tlsext_quic_transport_parameters_server_build(SSL * s,uint16_t msg_type,CBB * cbb)1941 tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type,
1942     CBB *cbb)
1943 {
1944           if (!CBB_add_bytes(cbb, s->internal->quic_transport_params,
1945               s->internal->quic_transport_params_len))
1946                     return 0;
1947 
1948           return 1;
1949 }
1950 
1951 static int
tlsext_quic_transport_parameters_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)1952 tlsext_quic_transport_parameters_server_parse(SSL *s, uint16_t msg_type,
1953     CBS *cbs, int *alert)
1954 {
1955           if (!SSL_is_quic(s)) {
1956                     *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1957                     return 0;
1958           }
1959 
1960           if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params,
1961               &s->s3->peer_quic_transport_params_len))
1962                     return 0;
1963           if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len))
1964                     return 0;
1965 
1966           return 1;
1967 }
1968 
1969 struct tls_extension_funcs {
1970           int (*needs)(SSL *s, uint16_t msg_type);
1971           int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
1972           int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
1973 };
1974 
1975 struct tls_extension {
1976           uint16_t type;
1977           uint16_t messages;
1978           struct tls_extension_funcs client;
1979           struct tls_extension_funcs server;
1980 };
1981 
1982 static const struct tls_extension tls_extensions[] = {
1983           {
1984                     .type = TLSEXT_TYPE_supported_versions,
1985                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
1986                         SSL_TLSEXT_MSG_HRR,
1987                     .client = {
1988                               .needs = tlsext_versions_client_needs,
1989                               .build = tlsext_versions_client_build,
1990                               .parse = tlsext_versions_client_parse,
1991                     },
1992                     .server = {
1993                               .needs = tlsext_versions_server_needs,
1994                               .build = tlsext_versions_server_build,
1995                               .parse = tlsext_versions_server_parse,
1996                     },
1997           },
1998           {
1999                     .type = TLSEXT_TYPE_key_share,
2000                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
2001                         SSL_TLSEXT_MSG_HRR,
2002                     .client = {
2003                               .needs = tlsext_keyshare_client_needs,
2004                               .build = tlsext_keyshare_client_build,
2005                               .parse = tlsext_keyshare_client_parse,
2006                     },
2007                     .server = {
2008                               .needs = tlsext_keyshare_server_needs,
2009                               .build = tlsext_keyshare_server_build,
2010                               .parse = tlsext_keyshare_server_parse,
2011                     },
2012           },
2013           {
2014                     .type = TLSEXT_TYPE_server_name,
2015                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2016                     .client = {
2017                               .needs = tlsext_sni_client_needs,
2018                               .build = tlsext_sni_client_build,
2019                               .parse = tlsext_sni_client_parse,
2020                     },
2021                     .server = {
2022                               .needs = tlsext_sni_server_needs,
2023                               .build = tlsext_sni_server_build,
2024                               .parse = tlsext_sni_server_parse,
2025                     },
2026           },
2027           {
2028                     .type = TLSEXT_TYPE_renegotiate,
2029                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2030                     .client = {
2031                               .needs = tlsext_ri_client_needs,
2032                               .build = tlsext_ri_client_build,
2033                               .parse = tlsext_ri_client_parse,
2034                     },
2035                     .server = {
2036                               .needs = tlsext_ri_server_needs,
2037                               .build = tlsext_ri_server_build,
2038                               .parse = tlsext_ri_server_parse,
2039                     },
2040           },
2041           {
2042                     .type = TLSEXT_TYPE_status_request,
2043                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR |
2044                         SSL_TLSEXT_MSG_CT,
2045                     .client = {
2046                               .needs = tlsext_ocsp_client_needs,
2047                               .build = tlsext_ocsp_client_build,
2048                               .parse = tlsext_ocsp_client_parse,
2049                     },
2050                     .server = {
2051                               .needs = tlsext_ocsp_server_needs,
2052                               .build = tlsext_ocsp_server_build,
2053                               .parse = tlsext_ocsp_server_parse,
2054                     },
2055           },
2056           {
2057                     .type = TLSEXT_TYPE_ec_point_formats,
2058                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2059                     .client = {
2060                               .needs = tlsext_ecpf_client_needs,
2061                               .build = tlsext_ecpf_client_build,
2062                               .parse = tlsext_ecpf_client_parse,
2063                     },
2064                     .server = {
2065                               .needs = tlsext_ecpf_server_needs,
2066                               .build = tlsext_ecpf_server_build,
2067                               .parse = tlsext_ecpf_server_parse,
2068                     },
2069           },
2070           {
2071                     .type = TLSEXT_TYPE_supported_groups,
2072                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2073                     .client = {
2074                               .needs = tlsext_supportedgroups_client_needs,
2075                               .build = tlsext_supportedgroups_client_build,
2076                               .parse = tlsext_supportedgroups_client_parse,
2077                     },
2078                     .server = {
2079                               .needs = tlsext_supportedgroups_server_needs,
2080                               .build = tlsext_supportedgroups_server_build,
2081                               .parse = tlsext_supportedgroups_server_parse,
2082                     },
2083           },
2084           {
2085                     .type = TLSEXT_TYPE_session_ticket,
2086                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2087                     .client = {
2088                               .needs = tlsext_sessionticket_client_needs,
2089                               .build = tlsext_sessionticket_client_build,
2090                               .parse = tlsext_sessionticket_client_parse,
2091                     },
2092                     .server = {
2093                               .needs = tlsext_sessionticket_server_needs,
2094                               .build = tlsext_sessionticket_server_build,
2095                               .parse = tlsext_sessionticket_server_parse,
2096                     },
2097           },
2098           {
2099                     .type = TLSEXT_TYPE_signature_algorithms,
2100                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR,
2101                     .client = {
2102                               .needs = tlsext_sigalgs_client_needs,
2103                               .build = tlsext_sigalgs_client_build,
2104                               .parse = tlsext_sigalgs_client_parse,
2105                     },
2106                     .server = {
2107                               .needs = tlsext_sigalgs_server_needs,
2108                               .build = tlsext_sigalgs_server_build,
2109                               .parse = tlsext_sigalgs_server_parse,
2110                     },
2111           },
2112           {
2113                     .type = TLSEXT_TYPE_application_layer_protocol_negotiation,
2114                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2115                     .client = {
2116                               .needs = tlsext_alpn_client_needs,
2117                               .build = tlsext_alpn_client_build,
2118                               .parse = tlsext_alpn_client_parse,
2119                     },
2120                     .server = {
2121                               .needs = tlsext_alpn_server_needs,
2122                               .build = tlsext_alpn_server_build,
2123                               .parse = tlsext_alpn_server_parse,
2124                     },
2125           },
2126           {
2127                     .type = TLSEXT_TYPE_cookie,
2128                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
2129                     .client = {
2130                               .needs = tlsext_cookie_client_needs,
2131                               .build = tlsext_cookie_client_build,
2132                               .parse = tlsext_cookie_client_parse,
2133                     },
2134                     .server = {
2135                               .needs = tlsext_cookie_server_needs,
2136                               .build = tlsext_cookie_server_build,
2137                               .parse = tlsext_cookie_server_parse,
2138                     },
2139           },
2140 #ifndef OPENSSL_NO_SRTP
2141           {
2142                     .type = TLSEXT_TYPE_use_srtp,
2143                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ |
2144                         SSL_TLSEXT_MSG_EE,
2145                     .client = {
2146                               .needs = tlsext_srtp_client_needs,
2147                               .build = tlsext_srtp_client_build,
2148                               .parse = tlsext_srtp_client_parse,
2149                     },
2150                     .server = {
2151                               .needs = tlsext_srtp_server_needs,
2152                               .build = tlsext_srtp_server_build,
2153                               .parse = tlsext_srtp_server_parse,
2154                     },
2155           },
2156 #endif /* OPENSSL_NO_SRTP */
2157           {
2158                     .type = TLSEXT_TYPE_quic_transport_parameters,
2159                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
2160                     .client = {
2161                               .needs = tlsext_quic_transport_parameters_client_needs,
2162                               .build = tlsext_quic_transport_parameters_client_build,
2163                               .parse = tlsext_quic_transport_parameters_client_parse,
2164                     },
2165                     .server = {
2166                               .needs = tlsext_quic_transport_parameters_server_needs,
2167                               .build = tlsext_quic_transport_parameters_server_build,
2168                               .parse = tlsext_quic_transport_parameters_server_parse,
2169                     },
2170           },
2171           {
2172                     .type = TLSEXT_TYPE_psk_key_exchange_modes,
2173                     .messages = SSL_TLSEXT_MSG_CH,
2174                     .client = {
2175                               .needs = tlsext_psk_kex_modes_client_needs,
2176                               .build = tlsext_psk_kex_modes_client_build,
2177                               .parse = tlsext_psk_kex_modes_client_parse,
2178                     },
2179                     .server = {
2180                               .needs = tlsext_psk_kex_modes_server_needs,
2181                               .build = tlsext_psk_kex_modes_server_build,
2182                               .parse = tlsext_psk_kex_modes_server_parse,
2183                     },
2184           },
2185           {
2186                     /* MUST be last extension in CH per RFC 8446 section 4.2. */
2187 
2188                     .type = TLSEXT_TYPE_pre_shared_key,
2189                     .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
2190                     .client = {
2191                               .needs = tlsext_psk_client_needs,
2192                               .build = tlsext_psk_client_build,
2193                               .parse = tlsext_psk_client_parse,
2194                     },
2195                     .server = {
2196                               .needs = tlsext_psk_server_needs,
2197                               .build = tlsext_psk_server_build,
2198                               .parse = tlsext_psk_server_parse,
2199                     },
2200           },
2201 };
2202 
2203 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
2204 
2205 /* Ensure that extensions fit in a uint32_t bitmask. */
2206 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
2207 
2208 const struct tls_extension *
tls_extension_find(uint16_t type,size_t * tls_extensions_idx)2209 tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
2210 {
2211           size_t i;
2212 
2213           for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2214                     if (tls_extensions[i].type == type) {
2215                               *tls_extensions_idx = i;
2216                               return &tls_extensions[i];
2217                     }
2218           }
2219 
2220           return NULL;
2221 }
2222 
2223 int
tlsext_extension_seen(SSL * s,uint16_t type)2224 tlsext_extension_seen(SSL *s, uint16_t type)
2225 {
2226           size_t idx;
2227 
2228           if (tls_extension_find(type, &idx) == NULL)
2229                     return 0;
2230           return ((s->s3->hs.extensions_seen & (1 << idx)) != 0);
2231 }
2232 
2233 const struct tls_extension_funcs *
tlsext_funcs(const struct tls_extension * tlsext,int is_server)2234 tlsext_funcs(const struct tls_extension *tlsext, int is_server)
2235 {
2236           if (is_server)
2237                     return &tlsext->server;
2238 
2239           return &tlsext->client;
2240 }
2241 
2242 static int
tlsext_build(SSL * s,int is_server,uint16_t msg_type,CBB * cbb)2243 tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
2244 {
2245           const struct tls_extension_funcs *ext;
2246           const struct tls_extension *tlsext;
2247           CBB extensions, extension_data;
2248           int extensions_present = 0;
2249           uint16_t tls_version;
2250           size_t i;
2251 
2252           tls_version = ssl_effective_tls_version(s);
2253 
2254           if (!CBB_add_u16_length_prefixed(cbb, &extensions))
2255                     return 0;
2256 
2257           for (i = 0; i < N_TLS_EXTENSIONS; i++) {
2258                     tlsext = &tls_extensions[i];
2259                     ext = tlsext_funcs(tlsext, is_server);
2260 
2261                     /* RFC 8446 Section 4.2 */
2262                     if (tls_version >= TLS1_3_VERSION &&
2263                         !(tlsext->messages & msg_type))
2264                               continue;
2265 
2266                     if (!ext->needs(s, msg_type))
2267                               continue;
2268 
2269                     if (!CBB_add_u16(&extensions, tlsext->type))
2270                               return 0;
2271                     if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
2272                               return 0;
2273 
2274                     if (!ext->build(s, msg_type, &extension_data))
2275                               return 0;
2276 
2277                     extensions_present = 1;
2278           }
2279 
2280           if (!extensions_present &&
2281               (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0)
2282                     CBB_discard_child(cbb);
2283 
2284           if (!CBB_flush(cbb))
2285                     return 0;
2286 
2287           return 1;
2288 }
2289 
2290 int
tlsext_clienthello_hash_extension(SSL * s,uint16_t type,CBS * cbs)2291 tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs)
2292 {
2293           /*
2294            * RFC 8446 4.1.2. For subsequent CH, early data will be removed,
2295            * cookie may be added, padding may be removed.
2296            */
2297           struct tls13_ctx *ctx = s->internal->tls13;
2298 
2299           if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie ||
2300               type == TLSEXT_TYPE_padding)
2301                     return 1;
2302           if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
2303               sizeof(type)))
2304                     return 0;
2305           /*
2306            * key_share data may be changed, and pre_shared_key data may
2307            * be changed
2308            */
2309           if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share)
2310                     return 1;
2311           if (!tls13_clienthello_hash_update(ctx, cbs))
2312                     return 0;
2313 
2314           return 1;
2315 }
2316 
2317 static int
tlsext_parse(SSL * s,int is_server,uint16_t msg_type,CBS * cbs,int * alert)2318 tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2319 {
2320           const struct tls_extension_funcs *ext;
2321           const struct tls_extension *tlsext;
2322           CBS extensions, extension_data;
2323           uint16_t type;
2324           size_t idx;
2325           uint16_t tls_version;
2326           int alert_desc;
2327 
2328           tls_version = ssl_effective_tls_version(s);
2329 
2330           s->s3->hs.extensions_seen = 0;
2331 
2332           /* An empty extensions block is valid. */
2333           if (CBS_len(cbs) == 0)
2334                     return 1;
2335 
2336           alert_desc = SSL_AD_DECODE_ERROR;
2337 
2338           if (!CBS_get_u16_length_prefixed(cbs, &extensions))
2339                     goto err;
2340 
2341           while (CBS_len(&extensions) > 0) {
2342                     if (!CBS_get_u16(&extensions, &type))
2343                               goto err;
2344                     if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
2345                               goto err;
2346 
2347                     if (s->internal->tlsext_debug_cb != NULL)
2348                               s->internal->tlsext_debug_cb(s, !is_server, type,
2349                                   (unsigned char *)CBS_data(&extension_data),
2350                                   CBS_len(&extension_data),
2351                                   s->internal->tlsext_debug_arg);
2352 
2353                     /* Unknown extensions are ignored. */
2354                     if ((tlsext = tls_extension_find(type, &idx)) == NULL)
2355                               continue;
2356 
2357                     if (tls_version >= TLS1_3_VERSION && is_server &&
2358                         msg_type == SSL_TLSEXT_MSG_CH) {
2359                               if (!tlsext_clienthello_hash_extension(s, type,
2360                                   &extension_data))
2361                                         goto err;
2362                     }
2363 
2364                     /* RFC 8446 Section 4.2 */
2365                     if (tls_version >= TLS1_3_VERSION &&
2366                         !(tlsext->messages & msg_type)) {
2367                               alert_desc = SSL_AD_ILLEGAL_PARAMETER;
2368                               goto err;
2369                     }
2370 
2371                     /* Check for duplicate known extensions. */
2372                     if ((s->s3->hs.extensions_seen & (1 << idx)) != 0)
2373                               goto err;
2374                     s->s3->hs.extensions_seen |= (1 << idx);
2375 
2376                     ext = tlsext_funcs(tlsext, is_server);
2377                     if (!ext->parse(s, msg_type, &extension_data, &alert_desc))
2378                               goto err;
2379 
2380                     if (CBS_len(&extension_data) != 0)
2381                               goto err;
2382           }
2383 
2384           return 1;
2385 
2386  err:
2387           *alert = alert_desc;
2388 
2389           return 0;
2390 }
2391 
2392 static void
tlsext_server_reset_state(SSL * s)2393 tlsext_server_reset_state(SSL *s)
2394 {
2395           s->tlsext_status_type = -1;
2396           s->s3->renegotiate_seen = 0;
2397           free(s->s3->alpn_selected);
2398           s->s3->alpn_selected = NULL;
2399           s->s3->alpn_selected_len = 0;
2400           s->internal->srtp_profile = NULL;
2401 }
2402 
2403 int
tlsext_server_build(SSL * s,uint16_t msg_type,CBB * cbb)2404 tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
2405 {
2406           return tlsext_build(s, 1, msg_type, cbb);
2407 }
2408 
2409 int
tlsext_server_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)2410 tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2411 {
2412           /* XXX - this should be done by the caller... */
2413           if (msg_type == SSL_TLSEXT_MSG_CH)
2414                     tlsext_server_reset_state(s);
2415 
2416           return tlsext_parse(s, 1, msg_type, cbs, alert);
2417 }
2418 
2419 static void
tlsext_client_reset_state(SSL * s)2420 tlsext_client_reset_state(SSL *s)
2421 {
2422           s->s3->renegotiate_seen = 0;
2423           free(s->s3->alpn_selected);
2424           s->s3->alpn_selected = NULL;
2425           s->s3->alpn_selected_len = 0;
2426 }
2427 
2428 int
tlsext_client_build(SSL * s,uint16_t msg_type,CBB * cbb)2429 tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
2430 {
2431           return tlsext_build(s, 0, msg_type, cbb);
2432 }
2433 
2434 int
tlsext_client_parse(SSL * s,uint16_t msg_type,CBS * cbs,int * alert)2435 tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2436 {
2437           /* XXX - this should be done by the caller... */
2438           if (msg_type == SSL_TLSEXT_MSG_SH)
2439                     tlsext_client_reset_state(s);
2440 
2441           return tlsext_parse(s, 0, msg_type, cbs, alert);
2442 }
2443