1 /* $OpenBSD: ssl_tlsext.c,v 1.22 2018/05/12 17:27:22 jsing Exp $ */
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #include <openssl/ocsp.h>
23 #include "bytestring.h"
24 #include "ssl_tlsext.h"
27 * Supported Application-Layer Protocol Negotiation - RFC 7301
31 tlsext_alpn_clienthello_needs(SSL
*s
)
33 /* ALPN protos have been specified and this is the initial handshake */
34 return s
->internal
->alpn_client_proto_list
!= NULL
&&
35 S3I(s
)->tmp
.finish_md_len
== 0;
39 tlsext_alpn_clienthello_build(SSL
*s
, CBB
*cbb
)
43 if (!CBB_add_u16_length_prefixed(cbb
, &protolist
))
46 if (!CBB_add_bytes(&protolist
, s
->internal
->alpn_client_proto_list
,
47 s
->internal
->alpn_client_proto_list_len
))
57 tlsext_alpn_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
59 CBS proto_name_list
, alpn
;
60 const unsigned char *selected
;
61 unsigned char selected_len
;
64 if (!CBS_get_u16_length_prefixed(cbs
, &alpn
))
66 if (CBS_len(&alpn
) < 2)
68 if (CBS_len(cbs
) != 0)
71 CBS_dup(&alpn
, &proto_name_list
);
72 while (CBS_len(&proto_name_list
) > 0) {
75 if (!CBS_get_u8_length_prefixed(&proto_name_list
, &proto_name
))
77 if (CBS_len(&proto_name
) == 0)
81 if (s
->ctx
->internal
->alpn_select_cb
== NULL
)
84 r
= s
->ctx
->internal
->alpn_select_cb(s
, &selected
, &selected_len
,
85 CBS_data(&alpn
), CBS_len(&alpn
),
86 s
->ctx
->internal
->alpn_select_cb_arg
);
87 if (r
== SSL_TLSEXT_ERR_OK
) {
88 free(S3I(s
)->alpn_selected
);
89 if ((S3I(s
)->alpn_selected
= malloc(selected_len
)) == NULL
) {
90 *alert
= SSL_AD_INTERNAL_ERROR
;
93 memcpy(S3I(s
)->alpn_selected
, selected
, selected_len
);
94 S3I(s
)->alpn_selected_len
= selected_len
;
100 *alert
= SSL_AD_DECODE_ERROR
;
105 tlsext_alpn_serverhello_needs(SSL
*s
)
107 return S3I(s
)->alpn_selected
!= NULL
;
111 tlsext_alpn_serverhello_build(SSL
*s
, CBB
*cbb
)
115 if (!CBB_add_u16_length_prefixed(cbb
, &list
))
118 if (!CBB_add_u8_length_prefixed(&list
, &selected
))
121 if (!CBB_add_bytes(&selected
, S3I(s
)->alpn_selected
,
122 S3I(s
)->alpn_selected_len
))
132 tlsext_alpn_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
136 if (s
->internal
->alpn_client_proto_list
== NULL
) {
137 *alert
= TLS1_AD_UNSUPPORTED_EXTENSION
;
141 if (!CBS_get_u16_length_prefixed(cbs
, &list
))
143 if (CBS_len(cbs
) != 0)
146 if (!CBS_get_u8_length_prefixed(&list
, &proto
))
149 if (CBS_len(&list
) != 0)
151 if (CBS_len(&proto
) == 0)
154 if (!CBS_stow(&proto
, &(S3I(s
)->alpn_selected
),
155 &(S3I(s
)->alpn_selected_len
)))
161 *alert
= TLS1_AD_DECODE_ERROR
;
166 * Supported Elliptic Curves - RFC 4492 section 5.1.1
169 tlsext_ec_clienthello_needs(SSL
*s
)
171 return ssl_has_ecc_ciphers(s
);
175 tlsext_ec_clienthello_build(SSL
*s
, CBB
*cbb
)
180 const uint16_t *curves
;
182 tls1_get_curvelist(s
, 0, &curves
, &curves_len
);
184 if (curves_len
== 0) {
185 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
189 if (!CBB_add_u16_length_prefixed(cbb
, &curvelist
))
192 for (i
= 0; i
< curves_len
; i
++) {
193 if (!CBB_add_u16(&curvelist
, curves
[i
]))
204 tlsext_ec_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
209 if (!CBS_get_u16_length_prefixed(cbs
, &curvelist
))
211 if (CBS_len(cbs
) != 0)
214 curves_len
= CBS_len(&curvelist
);
215 if (curves_len
== 0 || curves_len
% 2 != 0)
219 if (!s
->internal
->hit
) {
223 if (SSI(s
)->tlsext_supportedgroups
!= NULL
)
226 if ((curves
= reallocarray(NULL
, curves_len
,
227 sizeof(uint16_t))) == NULL
) {
228 *alert
= TLS1_AD_INTERNAL_ERROR
;
232 for (i
= 0; i
< curves_len
; i
++) {
233 if (!CBS_get_u16(&curvelist
, &curves
[i
])) {
239 if (CBS_len(&curvelist
) != 0) {
244 SSI(s
)->tlsext_supportedgroups
= curves
;
245 SSI(s
)->tlsext_supportedgroups_length
= curves_len
;
251 *alert
= TLS1_AD_DECODE_ERROR
;
255 /* This extension is never used by the server. */
257 tlsext_ec_serverhello_needs(SSL
*s
)
263 tlsext_ec_serverhello_build(SSL
*s
, CBB
*cbb
)
269 tlsext_ec_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
272 * Servers should not send this extension per the RFC.
274 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
275 * from at least 2014 but as of 2017, there are still large sites with
276 * this unpatched in production. As a result, we need to currently skip
277 * over the extension and ignore its content:
279 * https://support.f5.com/csp/article/K37345003
281 if (!CBS_skip(cbs
, CBS_len(cbs
))) {
282 *alert
= TLS1_AD_INTERNAL_ERROR
;
290 * Supported Point Formats Extension - RFC 4492 section 5.1.2
293 tlsext_ecpf_build(SSL
*s
, CBB
*cbb
)
297 const uint8_t *formats
;
299 tls1_get_formatlist(s
, 0, &formats
, &formats_len
);
301 if (formats_len
== 0) {
302 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
306 if (!CBB_add_u8_length_prefixed(cbb
, &ecpf
))
308 if (!CBB_add_bytes(&ecpf
, formats
, formats_len
))
317 tlsext_ecpf_parse(SSL
*s
, CBS
*cbs
, int *alert
)
321 if (!CBS_get_u8_length_prefixed(cbs
, &ecpf
))
323 if (CBS_len(&ecpf
) == 0)
325 if (CBS_len(cbs
) != 0)
328 /* Must contain uncompressed (0) */
329 if (!CBS_contains_zero_byte(&ecpf
)) {
330 SSLerror(s
, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST
);
334 if (!s
->internal
->hit
) {
335 if (!CBS_stow(&ecpf
, &(SSI(s
)->tlsext_ecpointformatlist
),
336 &(SSI(s
)->tlsext_ecpointformatlist_length
))) {
337 *alert
= TLS1_AD_INTERNAL_ERROR
;
345 *alert
= SSL_AD_DECODE_ERROR
;
350 tlsext_ecpf_clienthello_needs(SSL
*s
)
352 return ssl_has_ecc_ciphers(s
);
356 tlsext_ecpf_clienthello_build(SSL
*s
, CBB
*cbb
)
358 return tlsext_ecpf_build(s
, cbb
);
362 tlsext_ecpf_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
364 return tlsext_ecpf_parse(s
, cbs
, alert
);
368 tlsext_ecpf_serverhello_needs(SSL
*s
)
370 if (s
->version
== DTLS1_VERSION
)
373 return ssl_using_ecc_cipher(s
);
377 tlsext_ecpf_serverhello_build(SSL
*s
, CBB
*cbb
)
379 return tlsext_ecpf_build(s
, cbb
);
383 tlsext_ecpf_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
385 return tlsext_ecpf_parse(s
, cbs
, alert
);
389 * Renegotiation Indication - RFC 5746.
392 tlsext_ri_clienthello_needs(SSL
*s
)
394 return (s
->internal
->renegotiate
);
398 tlsext_ri_clienthello_build(SSL
*s
, CBB
*cbb
)
402 if (!CBB_add_u8_length_prefixed(cbb
, &reneg
))
404 if (!CBB_add_bytes(&reneg
, S3I(s
)->previous_client_finished
,
405 S3I(s
)->previous_client_finished_len
))
414 tlsext_ri_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
418 if (!CBS_get_u8_length_prefixed(cbs
, &reneg
))
420 if (CBS_len(cbs
) != 0)
423 if (!CBS_mem_equal(&reneg
, S3I(s
)->previous_client_finished
,
424 S3I(s
)->previous_client_finished_len
)) {
425 SSLerror(s
, SSL_R_RENEGOTIATION_MISMATCH
);
426 *alert
= SSL_AD_HANDSHAKE_FAILURE
;
430 S3I(s
)->renegotiate_seen
= 1;
431 S3I(s
)->send_connection_binding
= 1;
436 SSLerror(s
, SSL_R_RENEGOTIATION_ENCODING_ERR
);
437 *alert
= SSL_AD_DECODE_ERROR
;
442 tlsext_ri_serverhello_needs(SSL
*s
)
444 return (S3I(s
)->send_connection_binding
);
448 tlsext_ri_serverhello_build(SSL
*s
, CBB
*cbb
)
452 if (!CBB_add_u8_length_prefixed(cbb
, &reneg
))
454 if (!CBB_add_bytes(&reneg
, S3I(s
)->previous_client_finished
,
455 S3I(s
)->previous_client_finished_len
))
457 if (!CBB_add_bytes(&reneg
, S3I(s
)->previous_server_finished
,
458 S3I(s
)->previous_server_finished_len
))
467 tlsext_ri_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
469 CBS reneg
, prev_client
, prev_server
;
472 * Ensure that the previous client and server values are both not
473 * present, or that they are both present.
475 if ((S3I(s
)->previous_client_finished_len
== 0 &&
476 S3I(s
)->previous_server_finished_len
!= 0) ||
477 (S3I(s
)->previous_client_finished_len
!= 0 &&
478 S3I(s
)->previous_server_finished_len
== 0)) {
479 *alert
= TLS1_AD_INTERNAL_ERROR
;
483 if (!CBS_get_u8_length_prefixed(cbs
, &reneg
))
485 if (!CBS_get_bytes(&reneg
, &prev_client
,
486 S3I(s
)->previous_client_finished_len
))
488 if (!CBS_get_bytes(&reneg
, &prev_server
,
489 S3I(s
)->previous_server_finished_len
))
491 if (CBS_len(&reneg
) != 0)
493 if (CBS_len(cbs
) != 0)
496 if (!CBS_mem_equal(&prev_client
, S3I(s
)->previous_client_finished
,
497 S3I(s
)->previous_client_finished_len
)) {
498 SSLerror(s
, SSL_R_RENEGOTIATION_MISMATCH
);
499 *alert
= SSL_AD_HANDSHAKE_FAILURE
;
502 if (!CBS_mem_equal(&prev_server
, S3I(s
)->previous_server_finished
,
503 S3I(s
)->previous_server_finished_len
)) {
504 SSLerror(s
, SSL_R_RENEGOTIATION_MISMATCH
);
505 *alert
= SSL_AD_HANDSHAKE_FAILURE
;
509 S3I(s
)->renegotiate_seen
= 1;
510 S3I(s
)->send_connection_binding
= 1;
515 SSLerror(s
, SSL_R_RENEGOTIATION_ENCODING_ERR
);
516 *alert
= SSL_AD_DECODE_ERROR
;
521 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
524 tlsext_sigalgs_clienthello_needs(SSL
*s
)
526 return (TLS1_get_client_version(s
) >= TLS1_2_VERSION
);
530 tlsext_sigalgs_clienthello_build(SSL
*s
, CBB
*cbb
)
532 unsigned char *sigalgs_data
;
536 tls12_get_req_sig_algs(s
, &sigalgs_data
, &sigalgs_len
);
538 if (!CBB_add_u16_length_prefixed(cbb
, &sigalgs
))
540 if (!CBB_add_bytes(&sigalgs
, sigalgs_data
, sigalgs_len
))
549 tlsext_sigalgs_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
553 if (!CBS_get_u16_length_prefixed(cbs
, &sigalgs
))
556 return tls1_process_sigalgs(s
, &sigalgs
);
560 tlsext_sigalgs_serverhello_needs(SSL
*s
)
566 tlsext_sigalgs_serverhello_build(SSL
*s
, CBB
*cbb
)
572 tlsext_sigalgs_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
574 /* As per the RFC, servers must not send this extension. */
579 * Server Name Indication - RFC 6066, section 3.
582 tlsext_sni_clienthello_needs(SSL
*s
)
584 return (s
->tlsext_hostname
!= NULL
);
588 tlsext_sni_clienthello_build(SSL
*s
, CBB
*cbb
)
590 CBB server_name_list
, host_name
;
592 if (!CBB_add_u16_length_prefixed(cbb
, &server_name_list
))
594 if (!CBB_add_u8(&server_name_list
, TLSEXT_NAMETYPE_host_name
))
596 if (!CBB_add_u16_length_prefixed(&server_name_list
, &host_name
))
598 if (!CBB_add_bytes(&host_name
, (const uint8_t *)s
->tlsext_hostname
,
599 strlen(s
->tlsext_hostname
)))
608 tlsext_sni_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
610 CBS server_name_list
, host_name
;
613 if (!CBS_get_u16_length_prefixed(cbs
, &server_name_list
))
617 * RFC 6066 section 3 forbids multiple host names with the same type.
618 * Additionally, only one type (host_name) is specified.
620 if (!CBS_get_u8(&server_name_list
, &name_type
))
622 if (name_type
!= TLSEXT_NAMETYPE_host_name
)
625 if (!CBS_get_u16_length_prefixed(&server_name_list
, &host_name
))
627 if (CBS_len(&host_name
) == 0 ||
628 CBS_len(&host_name
) > TLSEXT_MAXLEN_host_name
||
629 CBS_contains_zero_byte(&host_name
)) {
630 *alert
= TLS1_AD_UNRECOGNIZED_NAME
;
634 if (s
->internal
->hit
) {
635 if (s
->session
->tlsext_hostname
== NULL
) {
636 *alert
= TLS1_AD_UNRECOGNIZED_NAME
;
639 if (!CBS_mem_equal(&host_name
, s
->session
->tlsext_hostname
,
640 strlen(s
->session
->tlsext_hostname
))) {
641 *alert
= TLS1_AD_UNRECOGNIZED_NAME
;
645 if (s
->session
->tlsext_hostname
!= NULL
)
647 if (!CBS_strdup(&host_name
, &s
->session
->tlsext_hostname
)) {
648 *alert
= TLS1_AD_INTERNAL_ERROR
;
653 if (CBS_len(&server_name_list
) != 0)
655 if (CBS_len(cbs
) != 0)
661 *alert
= SSL_AD_DECODE_ERROR
;
666 tlsext_sni_serverhello_needs(SSL
*s
)
668 return (s
->session
->tlsext_hostname
!= NULL
);
672 tlsext_sni_serverhello_build(SSL
*s
, CBB
*cbb
)
678 tlsext_sni_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
680 if (s
->tlsext_hostname
== NULL
|| CBS_len(cbs
) != 0) {
681 *alert
= TLS1_AD_UNRECOGNIZED_NAME
;
685 if (s
->internal
->hit
) {
686 if (s
->session
->tlsext_hostname
== NULL
) {
687 *alert
= TLS1_AD_UNRECOGNIZED_NAME
;
690 if (strcmp(s
->tlsext_hostname
,
691 s
->session
->tlsext_hostname
) != 0) {
692 *alert
= TLS1_AD_UNRECOGNIZED_NAME
;
696 if (s
->session
->tlsext_hostname
!= NULL
) {
697 *alert
= SSL_AD_DECODE_ERROR
;
700 if ((s
->session
->tlsext_hostname
=
701 strdup(s
->tlsext_hostname
)) == NULL
) {
702 *alert
= TLS1_AD_INTERNAL_ERROR
;
712 *Certificate Status Request - RFC 6066 section 8.
716 tlsext_ocsp_clienthello_needs(SSL
*s
)
718 return (s
->tlsext_status_type
== TLSEXT_STATUSTYPE_ocsp
&&
719 s
->version
!= DTLS1_VERSION
);
723 tlsext_ocsp_clienthello_build(SSL
*s
, CBB
*cbb
)
725 CBB respid_list
, respid
, exts
;
726 unsigned char *ext_data
;
730 if (!CBB_add_u8(cbb
, TLSEXT_STATUSTYPE_ocsp
))
732 if (!CBB_add_u16_length_prefixed(cbb
, &respid_list
))
734 for (i
= 0; i
< sk_OCSP_RESPID_num(s
->internal
->tlsext_ocsp_ids
); i
++) {
735 unsigned char *respid_data
;
739 if ((id
= sk_OCSP_RESPID_value(s
->internal
->tlsext_ocsp_ids
,
742 if ((id_len
= i2d_OCSP_RESPID(id
, NULL
)) == -1)
744 if (!CBB_add_u16_length_prefixed(&respid_list
, &respid
))
746 if (!CBB_add_space(&respid
, &respid_data
, id_len
))
748 if ((i2d_OCSP_RESPID(id
, &respid_data
)) != id_len
)
751 if (!CBB_add_u16_length_prefixed(cbb
, &exts
))
753 if ((ext_len
= i2d_X509_EXTENSIONS(s
->internal
->tlsext_ocsp_exts
,
756 if (!CBB_add_space(&exts
, &ext_data
, ext_len
))
758 if ((i2d_X509_EXTENSIONS(s
->internal
->tlsext_ocsp_exts
, &ext_data
) !=
767 tlsext_ocsp_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
769 int failure
= SSL_AD_DECODE_ERROR
;
770 CBS respid_list
, respid
, exts
;
771 const unsigned char *p
;
775 if (!CBS_get_u8(cbs
, &status_type
))
777 if (status_type
!= TLSEXT_STATUSTYPE_ocsp
) {
778 /* ignore unknown status types */
779 s
->tlsext_status_type
= -1;
781 if (!CBS_skip(cbs
, CBS_len(cbs
))) {
782 *alert
= TLS1_AD_INTERNAL_ERROR
;
787 s
->tlsext_status_type
= status_type
;
788 if (!CBS_get_u16_length_prefixed(cbs
, &respid_list
))
792 sk_OCSP_RESPID_pop_free(s
->internal
->tlsext_ocsp_ids
, OCSP_RESPID_free
);
793 s
->internal
->tlsext_ocsp_ids
= NULL
;
794 if (CBS_len(&respid_list
) > 0) {
795 s
->internal
->tlsext_ocsp_ids
= sk_OCSP_RESPID_new_null();
796 if (s
->internal
->tlsext_ocsp_ids
== NULL
) {
797 failure
= SSL_AD_INTERNAL_ERROR
;
802 while (CBS_len(&respid_list
) > 0) {
805 if (!CBS_get_u16_length_prefixed(&respid_list
, &respid
))
807 p
= CBS_data(&respid
);
808 if ((id
= d2i_OCSP_RESPID(NULL
, &p
, CBS_len(&respid
))) == NULL
)
810 if (!sk_OCSP_RESPID_push(s
->internal
->tlsext_ocsp_ids
, id
)) {
811 failure
= SSL_AD_INTERNAL_ERROR
;
812 OCSP_RESPID_free(id
);
817 /* Read in request_extensions */
818 if (!CBS_get_u16_length_prefixed(cbs
, &exts
))
820 if (CBS_len(&exts
) > 0) {
821 sk_X509_EXTENSION_pop_free(s
->internal
->tlsext_ocsp_exts
,
822 X509_EXTENSION_free
);
824 if ((s
->internal
->tlsext_ocsp_exts
= d2i_X509_EXTENSIONS(NULL
,
825 &p
, CBS_len(&exts
))) == NULL
)
829 /* should be nothing left */
830 if (CBS_len(cbs
) > 0)
841 tlsext_ocsp_serverhello_needs(SSL
*s
)
843 return s
->internal
->tlsext_status_expected
;
847 tlsext_ocsp_serverhello_build(SSL
*s
, CBB
*cbb
)
853 tlsext_ocsp_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
855 if (s
->tlsext_status_type
== -1) {
856 *alert
= TLS1_AD_UNSUPPORTED_EXTENSION
;
859 /* Set flag to expect CertificateStatus message */
860 s
->internal
->tlsext_status_expected
= 1;
865 * SessionTicket extension - RFC 5077 section 3.2
868 tlsext_sessionticket_clienthello_needs(SSL
*s
)
871 * Send session ticket extension when enabled and not overridden.
873 * When renegotiating, send an empty session ticket to indicate support.
875 if ((SSL_get_options(s
) & SSL_OP_NO_TICKET
) != 0)
878 if (s
->internal
->new_session
)
881 if (s
->internal
->tlsext_session_ticket
!= NULL
&&
882 s
->internal
->tlsext_session_ticket
->data
== NULL
)
889 tlsext_sessionticket_clienthello_build(SSL
*s
, CBB
*cbb
)
892 * Signal that we support session tickets by sending an empty
893 * extension when renegotiating or no session found.
895 if (s
->internal
->new_session
|| s
->session
== NULL
)
898 if (s
->session
->tlsext_tick
!= NULL
) {
899 /* Attempt to resume with an existing session ticket */
900 if (!CBB_add_bytes(cbb
, s
->session
->tlsext_tick
,
901 s
->session
->tlsext_ticklen
))
904 } else if (s
->internal
->tlsext_session_ticket
!= NULL
) {
906 * Attempt to resume with a custom provided session ticket set
907 * by SSL_set_session_ticket_ext().
909 if (s
->internal
->tlsext_session_ticket
->length
> 0) {
910 size_t ticklen
= s
->internal
->tlsext_session_ticket
->length
;
912 if ((s
->session
->tlsext_tick
= malloc(ticklen
)) == NULL
)
914 memcpy(s
->session
->tlsext_tick
,
915 s
->internal
->tlsext_session_ticket
->data
,
917 s
->session
->tlsext_ticklen
= ticklen
;
919 if (!CBB_add_bytes(cbb
, s
->session
->tlsext_tick
,
920 s
->session
->tlsext_ticklen
))
932 tlsext_sessionticket_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
934 if (s
->internal
->tls_session_ticket_ext_cb
) {
935 if (!s
->internal
->tls_session_ticket_ext_cb(s
, CBS_data(cbs
),
937 s
->internal
->tls_session_ticket_ext_cb_arg
)) {
938 *alert
= TLS1_AD_INTERNAL_ERROR
;
943 /* We need to signal that this was processed fully */
944 if (!CBS_skip(cbs
, CBS_len(cbs
))) {
945 *alert
= TLS1_AD_INTERNAL_ERROR
;
953 tlsext_sessionticket_serverhello_needs(SSL
*s
)
955 return (s
->internal
->tlsext_ticket_expected
&&
956 !(SSL_get_options(s
) & SSL_OP_NO_TICKET
));
960 tlsext_sessionticket_serverhello_build(SSL
*s
, CBB
*cbb
)
968 tlsext_sessionticket_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
970 if (s
->internal
->tls_session_ticket_ext_cb
) {
971 if (!s
->internal
->tls_session_ticket_ext_cb(s
, CBS_data(cbs
),
973 s
->internal
->tls_session_ticket_ext_cb_arg
)) {
974 *alert
= TLS1_AD_INTERNAL_ERROR
;
979 if ((SSL_get_options(s
) & SSL_OP_NO_TICKET
) != 0 || CBS_len(cbs
) > 0) {
980 *alert
= TLS1_AD_UNSUPPORTED_EXTENSION
;
984 s
->internal
->tlsext_ticket_expected
= 1;
990 * DTLS extension for SRTP key establishment - RFC 5764
993 #ifndef OPENSSL_NO_SRTP
996 tlsext_srtp_clienthello_needs(SSL
*s
)
998 return SSL_IS_DTLS(s
) && SSL_get_srtp_profiles(s
) != NULL
;
1002 tlsext_srtp_clienthello_build(SSL
*s
, CBB
*cbb
)
1006 STACK_OF(SRTP_PROTECTION_PROFILE
) *clnt
= NULL
;
1007 SRTP_PROTECTION_PROFILE
*prof
;
1009 if ((clnt
= SSL_get_srtp_profiles(s
)) == NULL
) {
1010 SSLerror(s
, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST
);
1014 if ((ct
= sk_SRTP_PROTECTION_PROFILE_num(clnt
)) < 1) {
1015 SSLerror(s
, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST
);
1019 if (!CBB_add_u16_length_prefixed(cbb
, &profiles
))
1022 for (i
= 0; i
< ct
; i
++) {
1023 if ((prof
= sk_SRTP_PROTECTION_PROFILE_value(clnt
, i
)) == NULL
)
1025 if (!CBB_add_u16(&profiles
, prof
->id
))
1029 if (!CBB_add_u8_length_prefixed(cbb
, &mki
))
1032 if (!CBB_flush(cbb
))
1039 tlsext_srtp_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
1041 SRTP_PROTECTION_PROFILE
*cprof
, *sprof
;
1042 STACK_OF(SRTP_PROTECTION_PROFILE
) *clnt
= NULL
, *srvr
;
1050 if (!CBS_get_u16_length_prefixed(cbs
, &profiles
))
1052 if (CBS_len(&profiles
) == 0 || CBS_len(&profiles
) % 2 != 0)
1055 if ((clnt
= sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL
)
1058 while (CBS_len(&profiles
) > 0) {
1059 if (!CBS_get_u16(&profiles
, &id
))
1062 if (!srtp_find_profile_by_num(id
, &cprof
)) {
1063 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt
, cprof
))
1068 if (!CBS_get_u8_length_prefixed(cbs
, &mki
) || CBS_len(&mki
) != 0) {
1069 SSLerror(s
, SSL_R_BAD_SRTP_MKI_VALUE
);
1070 *alert
= SSL_AD_DECODE_ERROR
;
1073 if (CBS_len(cbs
) != 0)
1077 * Per RFC 5764 section 4.1.1
1079 * Find the server preferred profile using the client's list.
1081 * The server MUST send a profile if it sends the use_srtp
1082 * extension. If one is not found, it should fall back to the
1083 * negotiated DTLS cipher suite or return a DTLS alert.
1085 if ((srvr
= SSL_get_srtp_profiles(s
)) == NULL
)
1087 for (i
= 0; i
< sk_SRTP_PROTECTION_PROFILE_num(srvr
); i
++) {
1088 if ((sprof
= sk_SRTP_PROTECTION_PROFILE_value(srvr
, i
))
1092 for (j
= 0; j
< sk_SRTP_PROTECTION_PROFILE_num(clnt
); j
++) {
1093 if ((cprof
= sk_SRTP_PROTECTION_PROFILE_value(clnt
, j
))
1097 if (cprof
->id
== sprof
->id
) {
1098 s
->internal
->srtp_profile
= sprof
;
1105 /* If we didn't find anything, fall back to the negotiated */
1110 SSLerror(s
, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
1111 *alert
= SSL_AD_DECODE_ERROR
;
1114 sk_SRTP_PROTECTION_PROFILE_free(clnt
);
1119 tlsext_srtp_serverhello_needs(SSL
*s
)
1121 return SSL_IS_DTLS(s
) && SSL_get_selected_srtp_profile(s
) != NULL
;
1125 tlsext_srtp_serverhello_build(SSL
*s
, CBB
*cbb
)
1127 SRTP_PROTECTION_PROFILE
*profile
;
1130 if (!CBB_add_u16_length_prefixed(cbb
, &srtp
))
1133 if ((profile
= SSL_get_selected_srtp_profile(s
)) == NULL
)
1136 if (!CBB_add_u16(&srtp
, profile
->id
))
1139 if (!CBB_add_u8_length_prefixed(cbb
, &mki
))
1142 if (!CBB_flush(cbb
))
1149 tlsext_srtp_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
1151 STACK_OF(SRTP_PROTECTION_PROFILE
) *clnt
;
1152 SRTP_PROTECTION_PROFILE
*prof
;
1155 CBS profile_ids
, mki
;
1157 if (!CBS_get_u16_length_prefixed(cbs
, &profile_ids
)) {
1158 SSLerror(s
, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
1162 if (!CBS_get_u16(&profile_ids
, &id
) || CBS_len(&profile_ids
) != 0) {
1163 SSLerror(s
, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
1167 if (!CBS_get_u8_length_prefixed(cbs
, &mki
) || CBS_len(&mki
) != 0) {
1168 SSLerror(s
, SSL_R_BAD_SRTP_MKI_VALUE
);
1169 *alert
= SSL_AD_ILLEGAL_PARAMETER
;
1173 if ((clnt
= SSL_get_srtp_profiles(s
)) == NULL
) {
1174 SSLerror(s
, SSL_R_NO_SRTP_PROFILES
);
1178 for (i
= 0; i
< sk_SRTP_PROTECTION_PROFILE_num(clnt
); i
++) {
1179 if ((prof
= sk_SRTP_PROTECTION_PROFILE_value(clnt
, i
))
1181 SSLerror(s
, SSL_R_NO_SRTP_PROFILES
);
1185 if (prof
->id
== id
) {
1186 s
->internal
->srtp_profile
= prof
;
1191 SSLerror(s
, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
1193 *alert
= SSL_AD_DECODE_ERROR
;
1197 #endif /* OPENSSL_NO_SRTP */
1199 struct tls_extension
{
1201 int (*clienthello_needs
)(SSL
*s
);
1202 int (*clienthello_build
)(SSL
*s
, CBB
*cbb
);
1203 int (*clienthello_parse
)(SSL
*s
, CBS
*cbs
, int *alert
);
1204 int (*serverhello_needs
)(SSL
*s
);
1205 int (*serverhello_build
)(SSL
*s
, CBB
*cbb
);
1206 int (*serverhello_parse
)(SSL
*s
, CBS
*cbs
, int *alert
);
1209 static struct tls_extension tls_extensions
[] = {
1211 .type
= TLSEXT_TYPE_server_name
,
1212 .clienthello_needs
= tlsext_sni_clienthello_needs
,
1213 .clienthello_build
= tlsext_sni_clienthello_build
,
1214 .clienthello_parse
= tlsext_sni_clienthello_parse
,
1215 .serverhello_needs
= tlsext_sni_serverhello_needs
,
1216 .serverhello_build
= tlsext_sni_serverhello_build
,
1217 .serverhello_parse
= tlsext_sni_serverhello_parse
,
1220 .type
= TLSEXT_TYPE_renegotiate
,
1221 .clienthello_needs
= tlsext_ri_clienthello_needs
,
1222 .clienthello_build
= tlsext_ri_clienthello_build
,
1223 .clienthello_parse
= tlsext_ri_clienthello_parse
,
1224 .serverhello_needs
= tlsext_ri_serverhello_needs
,
1225 .serverhello_build
= tlsext_ri_serverhello_build
,
1226 .serverhello_parse
= tlsext_ri_serverhello_parse
,
1229 .type
= TLSEXT_TYPE_status_request
,
1230 .clienthello_needs
= tlsext_ocsp_clienthello_needs
,
1231 .clienthello_build
= tlsext_ocsp_clienthello_build
,
1232 .clienthello_parse
= tlsext_ocsp_clienthello_parse
,
1233 .serverhello_needs
= tlsext_ocsp_serverhello_needs
,
1234 .serverhello_build
= tlsext_ocsp_serverhello_build
,
1235 .serverhello_parse
= tlsext_ocsp_serverhello_parse
,
1238 .type
= TLSEXT_TYPE_ec_point_formats
,
1239 .clienthello_needs
= tlsext_ecpf_clienthello_needs
,
1240 .clienthello_build
= tlsext_ecpf_clienthello_build
,
1241 .clienthello_parse
= tlsext_ecpf_clienthello_parse
,
1242 .serverhello_needs
= tlsext_ecpf_serverhello_needs
,
1243 .serverhello_build
= tlsext_ecpf_serverhello_build
,
1244 .serverhello_parse
= tlsext_ecpf_serverhello_parse
,
1247 .type
= TLSEXT_TYPE_elliptic_curves
,
1248 .clienthello_needs
= tlsext_ec_clienthello_needs
,
1249 .clienthello_build
= tlsext_ec_clienthello_build
,
1250 .clienthello_parse
= tlsext_ec_clienthello_parse
,
1251 .serverhello_needs
= tlsext_ec_serverhello_needs
,
1252 .serverhello_build
= tlsext_ec_serverhello_build
,
1253 .serverhello_parse
= tlsext_ec_serverhello_parse
,
1256 .type
= TLSEXT_TYPE_session_ticket
,
1257 .clienthello_needs
= tlsext_sessionticket_clienthello_needs
,
1258 .clienthello_build
= tlsext_sessionticket_clienthello_build
,
1259 .clienthello_parse
= tlsext_sessionticket_clienthello_parse
,
1260 .serverhello_needs
= tlsext_sessionticket_serverhello_needs
,
1261 .serverhello_build
= tlsext_sessionticket_serverhello_build
,
1262 .serverhello_parse
= tlsext_sessionticket_serverhello_parse
,
1265 .type
= TLSEXT_TYPE_signature_algorithms
,
1266 .clienthello_needs
= tlsext_sigalgs_clienthello_needs
,
1267 .clienthello_build
= tlsext_sigalgs_clienthello_build
,
1268 .clienthello_parse
= tlsext_sigalgs_clienthello_parse
,
1269 .serverhello_needs
= tlsext_sigalgs_serverhello_needs
,
1270 .serverhello_build
= tlsext_sigalgs_serverhello_build
,
1271 .serverhello_parse
= tlsext_sigalgs_serverhello_parse
,
1274 .type
= TLSEXT_TYPE_application_layer_protocol_negotiation
,
1275 .clienthello_needs
= tlsext_alpn_clienthello_needs
,
1276 .clienthello_build
= tlsext_alpn_clienthello_build
,
1277 .clienthello_parse
= tlsext_alpn_clienthello_parse
,
1278 .serverhello_needs
= tlsext_alpn_serverhello_needs
,
1279 .serverhello_build
= tlsext_alpn_serverhello_build
,
1280 .serverhello_parse
= tlsext_alpn_serverhello_parse
,
1282 #ifndef OPENSSL_NO_SRTP
1284 .type
= TLSEXT_TYPE_use_srtp
,
1285 .clienthello_needs
= tlsext_srtp_clienthello_needs
,
1286 .clienthello_build
= tlsext_srtp_clienthello_build
,
1287 .clienthello_parse
= tlsext_srtp_clienthello_parse
,
1288 .serverhello_needs
= tlsext_srtp_serverhello_needs
,
1289 .serverhello_build
= tlsext_srtp_serverhello_build
,
1290 .serverhello_parse
= tlsext_srtp_serverhello_parse
,
1292 #endif /* OPENSSL_NO_SRTP */
1295 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
1297 /* Ensure that extensions fit in a uint32_t bitmask. */
1298 CTASSERT(N_TLS_EXTENSIONS
<= (sizeof(uint32_t) * 8));
1300 static struct tls_extension
*
1301 tls_extension_find(uint16_t type
, size_t *tls_extensions_idx
)
1305 for (i
= 0; i
< N_TLS_EXTENSIONS
; i
++) {
1306 if (tls_extensions
[i
].type
== type
) {
1307 *tls_extensions_idx
= i
;
1308 return &tls_extensions
[i
];
1316 tls_extension_needs(struct tls_extension
*tlsext
, int is_serverhello
, SSL
*s
)
1319 return tlsext
->serverhello_needs(s
);
1320 return tlsext
->clienthello_needs(s
);
1324 tls_extension_build(struct tls_extension
*tlsext
, int is_serverhello
, SSL
*s
,
1328 return tlsext
->serverhello_build(s
, cbb
);
1329 return tlsext
->clienthello_build(s
, cbb
);
1333 tls_extension_parse(struct tls_extension
*tlsext
, int is_serverhello
, SSL
*s
,
1334 CBS
*cbs
, int *alert
)
1337 return tlsext
->serverhello_parse(s
, cbs
, alert
);
1338 return tlsext
->clienthello_parse(s
, cbs
, alert
);
1342 tlsext_build(SSL
*s
, CBB
*cbb
, int is_serverhello
)
1344 CBB extensions
, extension_data
;
1345 struct tls_extension
*tlsext
;
1346 int extensions_present
= 0;
1349 if (!CBB_add_u16_length_prefixed(cbb
, &extensions
))
1352 for (i
= 0; i
< N_TLS_EXTENSIONS
; i
++) {
1353 tlsext
= &tls_extensions
[i
];
1355 if (!tls_extension_needs(tlsext
, is_serverhello
, s
))
1358 if (!CBB_add_u16(&extensions
, tlsext
->type
))
1360 if (!CBB_add_u16_length_prefixed(&extensions
, &extension_data
))
1363 if (!tls_extension_build(tlsext
, is_serverhello
, s
,
1367 extensions_present
= 1;
1370 if (!extensions_present
)
1371 CBB_discard_child(cbb
);
1373 if (!CBB_flush(cbb
))
1380 tlsext_parse(SSL
*s
, CBS
*cbs
, int *alert
, int is_serverhello
)
1382 CBS extensions
, extension_data
;
1383 struct tls_extension
*tlsext
;
1384 uint32_t extensions_seen
= 0;
1388 /* An empty extensions block is valid. */
1389 if (CBS_len(cbs
) == 0)
1392 *alert
= SSL_AD_DECODE_ERROR
;
1394 if (!CBS_get_u16_length_prefixed(cbs
, &extensions
))
1397 while (CBS_len(&extensions
) > 0) {
1398 if (!CBS_get_u16(&extensions
, &type
))
1400 if (!CBS_get_u16_length_prefixed(&extensions
, &extension_data
))
1403 if (s
->internal
->tlsext_debug_cb
!= NULL
)
1404 s
->internal
->tlsext_debug_cb(s
, is_serverhello
, type
,
1405 (unsigned char *)CBS_data(&extension_data
),
1406 CBS_len(&extension_data
),
1407 s
->internal
->tlsext_debug_arg
);
1409 /* Unknown extensions are ignored. */
1410 if ((tlsext
= tls_extension_find(type
, &idx
)) == NULL
)
1413 /* Check for duplicate known extensions. */
1414 if ((extensions_seen
& (1 << idx
)) != 0)
1416 extensions_seen
|= (1 << idx
);
1418 if (!tls_extension_parse(tlsext
, is_serverhello
, s
,
1419 &extension_data
, alert
))
1422 if (CBS_len(&extension_data
) != 0)
1430 tlsext_clienthello_reset_state(SSL
*s
)
1432 s
->internal
->servername_done
= 0;
1433 s
->tlsext_status_type
= -1;
1434 S3I(s
)->renegotiate_seen
= 0;
1435 free(S3I(s
)->alpn_selected
);
1436 S3I(s
)->alpn_selected
= NULL
;
1437 s
->internal
->srtp_profile
= NULL
;
1441 tlsext_clienthello_build(SSL
*s
, CBB
*cbb
)
1443 return tlsext_build(s
, cbb
, 0);
1447 tlsext_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
1449 /* XXX - this possibly should be done by the caller... */
1450 tlsext_clienthello_reset_state(s
);
1452 return tlsext_parse(s
, cbs
, alert
, 0);
1456 tlsext_serverhello_reset_state(SSL
*s
)
1458 S3I(s
)->renegotiate_seen
= 0;
1459 free(S3I(s
)->alpn_selected
);
1460 S3I(s
)->alpn_selected
= NULL
;
1464 tlsext_serverhello_build(SSL
*s
, CBB
*cbb
)
1466 return tlsext_build(s
, cbb
, 1);
1470 tlsext_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
1472 /* XXX - this possibly should be done by the caller... */
1473 tlsext_serverhello_reset_state(s
);
1475 return tlsext_parse(s
, cbs
, alert
, 1);