1 /* $OpenBSD: ssl_tlsext.c,v 1.21 2018/02/08 11:30:30 jsing Exp $ */
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #include <openssl/ocsp.h>
23 #include "bytestring.h"
24 #include "ssl_tlsext.h"
27 * Supported Application-Layer Protocol Negotiation - RFC 7301
31 tlsext_alpn_clienthello_needs(SSL
*s
)
33 /* ALPN protos have been specified and this is the initial handshake */
34 return s
->internal
->alpn_client_proto_list
!= NULL
&&
35 S3I(s
)->tmp
.finish_md_len
== 0;
39 tlsext_alpn_clienthello_build(SSL
*s
, CBB
*cbb
)
43 if (!CBB_add_u16_length_prefixed(cbb
, &protolist
))
46 if (!CBB_add_bytes(&protolist
, s
->internal
->alpn_client_proto_list
,
47 s
->internal
->alpn_client_proto_list_len
))
57 tlsext_alpn_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
59 CBS proto_name_list
, alpn
;
60 const unsigned char *selected
;
61 unsigned char selected_len
;
64 if (!CBS_get_u16_length_prefixed(cbs
, &alpn
))
66 if (CBS_len(&alpn
) < 2)
68 if (CBS_len(cbs
) != 0)
71 CBS_dup(&alpn
, &proto_name_list
);
72 while (CBS_len(&proto_name_list
) > 0) {
75 if (!CBS_get_u8_length_prefixed(&proto_name_list
, &proto_name
))
77 if (CBS_len(&proto_name
) == 0)
81 if (s
->ctx
->internal
->alpn_select_cb
== NULL
)
84 r
= s
->ctx
->internal
->alpn_select_cb(s
, &selected
, &selected_len
,
85 CBS_data(&alpn
), CBS_len(&alpn
),
86 s
->ctx
->internal
->alpn_select_cb_arg
);
87 if (r
== SSL_TLSEXT_ERR_OK
) {
88 free(S3I(s
)->alpn_selected
);
89 if ((S3I(s
)->alpn_selected
= malloc(selected_len
)) == NULL
) {
90 *alert
= SSL_AD_INTERNAL_ERROR
;
93 memcpy(S3I(s
)->alpn_selected
, selected
, selected_len
);
94 S3I(s
)->alpn_selected_len
= selected_len
;
100 *alert
= SSL_AD_DECODE_ERROR
;
105 tlsext_alpn_serverhello_needs(SSL
*s
)
107 return S3I(s
)->alpn_selected
!= NULL
;
111 tlsext_alpn_serverhello_build(SSL
*s
, CBB
*cbb
)
115 if (!CBB_add_u16_length_prefixed(cbb
, &list
))
118 if (!CBB_add_u8_length_prefixed(&list
, &selected
))
121 if (!CBB_add_bytes(&selected
, S3I(s
)->alpn_selected
,
122 S3I(s
)->alpn_selected_len
))
132 tlsext_alpn_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
136 if (s
->internal
->alpn_client_proto_list
== NULL
) {
137 *alert
= TLS1_AD_UNSUPPORTED_EXTENSION
;
141 if (!CBS_get_u16_length_prefixed(cbs
, &list
))
143 if (CBS_len(cbs
) != 0)
146 if (!CBS_get_u8_length_prefixed(&list
, &proto
))
149 if (CBS_len(&list
) != 0)
151 if (CBS_len(&proto
) == 0)
154 if (!CBS_stow(&proto
, &(S3I(s
)->alpn_selected
),
155 &(S3I(s
)->alpn_selected_len
)))
161 *alert
= TLS1_AD_DECODE_ERROR
;
166 * Supported Elliptic Curves - RFC 4492 section 5.1.1
169 tlsext_ec_clienthello_needs(SSL
*s
)
171 return ssl_has_ecc_ciphers(s
);
175 tlsext_ec_clienthello_build(SSL
*s
, CBB
*cbb
)
180 const uint16_t *curves
;
182 tls1_get_curvelist(s
, 0, &curves
, &curves_len
);
184 if (curves_len
== 0) {
185 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
189 if (!CBB_add_u16_length_prefixed(cbb
, &curvelist
))
192 for (i
= 0; i
< curves_len
; i
++) {
193 if (!CBB_add_u16(&curvelist
, curves
[i
]))
204 tlsext_ec_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
209 if (!CBS_get_u16_length_prefixed(cbs
, &curvelist
))
211 if (CBS_len(cbs
) != 0)
214 curves_len
= CBS_len(&curvelist
);
215 if (curves_len
== 0 || curves_len
% 2 != 0)
219 if (!s
->internal
->hit
) {
223 if (SSI(s
)->tlsext_supportedgroups
!= NULL
)
226 if ((curves
= reallocarray(NULL
, curves_len
,
227 sizeof(uint16_t))) == NULL
) {
228 *alert
= TLS1_AD_INTERNAL_ERROR
;
232 for (i
= 0; i
< curves_len
; i
++) {
233 if (!CBS_get_u16(&curvelist
, &curves
[i
])) {
239 if (CBS_len(&curvelist
) != 0) {
244 SSI(s
)->tlsext_supportedgroups
= curves
;
245 SSI(s
)->tlsext_supportedgroups_length
= curves_len
;
251 *alert
= TLS1_AD_DECODE_ERROR
;
255 /* This extension is never used by the server. */
257 tlsext_ec_serverhello_needs(SSL
*s
)
263 tlsext_ec_serverhello_build(SSL
*s
, CBB
*cbb
)
269 tlsext_ec_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
272 * Servers should not send this extension per the RFC.
274 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
275 * from at least 2014 but as of 2017, there are still large sites with
276 * this unpatched in production. As a result, we need to currently skip
277 * over the extension and ignore its content:
279 * https://support.f5.com/csp/article/K37345003
281 if (!CBS_skip(cbs
, CBS_len(cbs
))) {
282 *alert
= TLS1_AD_INTERNAL_ERROR
;
290 * Supported Point Formats Extension - RFC 4492 section 5.1.2
293 tlsext_ecpf_build(SSL
*s
, CBB
*cbb
)
297 const uint8_t *formats
;
299 tls1_get_formatlist(s
, 0, &formats
, &formats_len
);
301 if (formats_len
== 0) {
302 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
306 if (!CBB_add_u8_length_prefixed(cbb
, &ecpf
))
308 if (!CBB_add_bytes(&ecpf
, formats
, formats_len
))
317 tlsext_ecpf_parse(SSL
*s
, CBS
*cbs
, int *alert
)
321 if (!CBS_get_u8_length_prefixed(cbs
, &ecpf
))
323 if (CBS_len(&ecpf
) == 0)
325 if (CBS_len(cbs
) != 0)
328 /* Must contain uncompressed (0) */
329 if (!CBS_contains_zero_byte(&ecpf
)) {
330 SSLerror(s
, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST
);
334 if (!s
->internal
->hit
) {
335 if (!CBS_stow(&ecpf
, &(SSI(s
)->tlsext_ecpointformatlist
),
336 &(SSI(s
)->tlsext_ecpointformatlist_length
)))
343 *alert
= TLS1_AD_INTERNAL_ERROR
;
348 tlsext_ecpf_clienthello_needs(SSL
*s
)
350 return ssl_has_ecc_ciphers(s
);
354 tlsext_ecpf_clienthello_build(SSL
*s
, CBB
*cbb
)
356 return tlsext_ecpf_build(s
, cbb
);
360 tlsext_ecpf_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
362 return tlsext_ecpf_parse(s
, cbs
, alert
);
366 tlsext_ecpf_serverhello_needs(SSL
*s
)
368 if (s
->version
== DTLS1_VERSION
)
371 return ssl_using_ecc_cipher(s
);
375 tlsext_ecpf_serverhello_build(SSL
*s
, CBB
*cbb
)
377 return tlsext_ecpf_build(s
, cbb
);
381 tlsext_ecpf_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
383 return tlsext_ecpf_parse(s
, cbs
, alert
);
387 * Renegotiation Indication - RFC 5746.
390 tlsext_ri_clienthello_needs(SSL
*s
)
392 return (s
->internal
->renegotiate
);
396 tlsext_ri_clienthello_build(SSL
*s
, CBB
*cbb
)
400 if (!CBB_add_u8_length_prefixed(cbb
, &reneg
))
402 if (!CBB_add_bytes(&reneg
, S3I(s
)->previous_client_finished
,
403 S3I(s
)->previous_client_finished_len
))
412 tlsext_ri_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
416 if (!CBS_get_u8_length_prefixed(cbs
, &reneg
))
418 if (CBS_len(cbs
) != 0)
421 if (!CBS_mem_equal(&reneg
, S3I(s
)->previous_client_finished
,
422 S3I(s
)->previous_client_finished_len
)) {
423 SSLerror(s
, SSL_R_RENEGOTIATION_MISMATCH
);
424 *alert
= SSL_AD_HANDSHAKE_FAILURE
;
428 S3I(s
)->renegotiate_seen
= 1;
429 S3I(s
)->send_connection_binding
= 1;
434 SSLerror(s
, SSL_R_RENEGOTIATION_ENCODING_ERR
);
435 *alert
= SSL_AD_DECODE_ERROR
;
440 tlsext_ri_serverhello_needs(SSL
*s
)
442 return (S3I(s
)->send_connection_binding
);
446 tlsext_ri_serverhello_build(SSL
*s
, CBB
*cbb
)
450 if (!CBB_add_u8_length_prefixed(cbb
, &reneg
))
452 if (!CBB_add_bytes(&reneg
, S3I(s
)->previous_client_finished
,
453 S3I(s
)->previous_client_finished_len
))
455 if (!CBB_add_bytes(&reneg
, S3I(s
)->previous_server_finished
,
456 S3I(s
)->previous_server_finished_len
))
465 tlsext_ri_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
467 CBS reneg
, prev_client
, prev_server
;
470 * Ensure that the previous client and server values are both not
471 * present, or that they are both present.
473 if ((S3I(s
)->previous_client_finished_len
== 0 &&
474 S3I(s
)->previous_server_finished_len
!= 0) ||
475 (S3I(s
)->previous_client_finished_len
!= 0 &&
476 S3I(s
)->previous_server_finished_len
== 0)) {
477 *alert
= TLS1_AD_INTERNAL_ERROR
;
481 if (!CBS_get_u8_length_prefixed(cbs
, &reneg
))
483 if (!CBS_get_bytes(&reneg
, &prev_client
,
484 S3I(s
)->previous_client_finished_len
))
486 if (!CBS_get_bytes(&reneg
, &prev_server
,
487 S3I(s
)->previous_server_finished_len
))
489 if (CBS_len(&reneg
) != 0)
491 if (CBS_len(cbs
) != 0)
494 if (!CBS_mem_equal(&prev_client
, S3I(s
)->previous_client_finished
,
495 S3I(s
)->previous_client_finished_len
)) {
496 SSLerror(s
, SSL_R_RENEGOTIATION_MISMATCH
);
497 *alert
= SSL_AD_HANDSHAKE_FAILURE
;
500 if (!CBS_mem_equal(&prev_server
, S3I(s
)->previous_server_finished
,
501 S3I(s
)->previous_server_finished_len
)) {
502 SSLerror(s
, SSL_R_RENEGOTIATION_MISMATCH
);
503 *alert
= SSL_AD_HANDSHAKE_FAILURE
;
507 S3I(s
)->renegotiate_seen
= 1;
508 S3I(s
)->send_connection_binding
= 1;
513 SSLerror(s
, SSL_R_RENEGOTIATION_ENCODING_ERR
);
514 *alert
= SSL_AD_DECODE_ERROR
;
519 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
522 tlsext_sigalgs_clienthello_needs(SSL
*s
)
524 return (TLS1_get_client_version(s
) >= TLS1_2_VERSION
);
528 tlsext_sigalgs_clienthello_build(SSL
*s
, CBB
*cbb
)
530 unsigned char *sigalgs_data
;
534 tls12_get_req_sig_algs(s
, &sigalgs_data
, &sigalgs_len
);
536 if (!CBB_add_u16_length_prefixed(cbb
, &sigalgs
))
538 if (!CBB_add_bytes(&sigalgs
, sigalgs_data
, sigalgs_len
))
547 tlsext_sigalgs_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
551 if (!CBS_get_u16_length_prefixed(cbs
, &sigalgs
))
554 return tls1_process_sigalgs(s
, &sigalgs
);
558 tlsext_sigalgs_serverhello_needs(SSL
*s
)
564 tlsext_sigalgs_serverhello_build(SSL
*s
, CBB
*cbb
)
570 tlsext_sigalgs_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
572 /* As per the RFC, servers must not send this extension. */
577 * Server Name Indication - RFC 6066, section 3.
580 tlsext_sni_clienthello_needs(SSL
*s
)
582 return (s
->tlsext_hostname
!= NULL
);
586 tlsext_sni_clienthello_build(SSL
*s
, CBB
*cbb
)
588 CBB server_name_list
, host_name
;
590 if (!CBB_add_u16_length_prefixed(cbb
, &server_name_list
))
592 if (!CBB_add_u8(&server_name_list
, TLSEXT_NAMETYPE_host_name
))
594 if (!CBB_add_u16_length_prefixed(&server_name_list
, &host_name
))
596 if (!CBB_add_bytes(&host_name
, (const uint8_t *)s
->tlsext_hostname
,
597 strlen(s
->tlsext_hostname
)))
606 tlsext_sni_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
608 CBS server_name_list
, host_name
;
611 if (!CBS_get_u16_length_prefixed(cbs
, &server_name_list
))
615 * RFC 6066 section 3 forbids multiple host names with the same type.
616 * Additionally, only one type (host_name) is specified.
618 if (!CBS_get_u8(&server_name_list
, &name_type
))
620 if (name_type
!= TLSEXT_NAMETYPE_host_name
)
623 if (!CBS_get_u16_length_prefixed(&server_name_list
, &host_name
))
625 if (CBS_len(&host_name
) == 0 ||
626 CBS_len(&host_name
) > TLSEXT_MAXLEN_host_name
||
627 CBS_contains_zero_byte(&host_name
)) {
628 *alert
= TLS1_AD_UNRECOGNIZED_NAME
;
632 if (s
->internal
->hit
) {
633 if (s
->session
->tlsext_hostname
== NULL
) {
634 *alert
= TLS1_AD_UNRECOGNIZED_NAME
;
637 if (!CBS_mem_equal(&host_name
, s
->session
->tlsext_hostname
,
638 strlen(s
->session
->tlsext_hostname
))) {
639 *alert
= TLS1_AD_UNRECOGNIZED_NAME
;
643 if (s
->session
->tlsext_hostname
!= NULL
)
645 if (!CBS_strdup(&host_name
, &s
->session
->tlsext_hostname
)) {
646 *alert
= TLS1_AD_INTERNAL_ERROR
;
651 if (CBS_len(&server_name_list
) != 0)
653 if (CBS_len(cbs
) != 0)
659 *alert
= SSL_AD_DECODE_ERROR
;
664 tlsext_sni_serverhello_needs(SSL
*s
)
666 return (s
->session
->tlsext_hostname
!= NULL
);
670 tlsext_sni_serverhello_build(SSL
*s
, CBB
*cbb
)
676 tlsext_sni_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
678 if (s
->tlsext_hostname
== NULL
|| CBS_len(cbs
) != 0) {
679 *alert
= TLS1_AD_UNRECOGNIZED_NAME
;
683 if (s
->internal
->hit
) {
684 if (s
->session
->tlsext_hostname
== NULL
) {
685 *alert
= TLS1_AD_UNRECOGNIZED_NAME
;
688 if (strcmp(s
->tlsext_hostname
,
689 s
->session
->tlsext_hostname
) != 0) {
690 *alert
= TLS1_AD_UNRECOGNIZED_NAME
;
694 if (s
->session
->tlsext_hostname
!= NULL
) {
695 *alert
= SSL_AD_DECODE_ERROR
;
698 if ((s
->session
->tlsext_hostname
=
699 strdup(s
->tlsext_hostname
)) == NULL
) {
700 *alert
= TLS1_AD_INTERNAL_ERROR
;
710 *Certificate Status Request - RFC 6066 section 8.
714 tlsext_ocsp_clienthello_needs(SSL
*s
)
716 return (s
->tlsext_status_type
== TLSEXT_STATUSTYPE_ocsp
&&
717 s
->version
!= DTLS1_VERSION
);
721 tlsext_ocsp_clienthello_build(SSL
*s
, CBB
*cbb
)
723 CBB respid_list
, respid
, exts
;
724 unsigned char *ext_data
;
728 if (!CBB_add_u8(cbb
, TLSEXT_STATUSTYPE_ocsp
))
730 if (!CBB_add_u16_length_prefixed(cbb
, &respid_list
))
732 for (i
= 0; i
< sk_OCSP_RESPID_num(s
->internal
->tlsext_ocsp_ids
); i
++) {
733 unsigned char *respid_data
;
737 if ((id
= sk_OCSP_RESPID_value(s
->internal
->tlsext_ocsp_ids
,
740 if ((id_len
= i2d_OCSP_RESPID(id
, NULL
)) == -1)
742 if (!CBB_add_u16_length_prefixed(&respid_list
, &respid
))
744 if (!CBB_add_space(&respid
, &respid_data
, id_len
))
746 if ((i2d_OCSP_RESPID(id
, &respid_data
)) != id_len
)
749 if (!CBB_add_u16_length_prefixed(cbb
, &exts
))
751 if ((ext_len
= i2d_X509_EXTENSIONS(s
->internal
->tlsext_ocsp_exts
,
754 if (!CBB_add_space(&exts
, &ext_data
, ext_len
))
756 if ((i2d_X509_EXTENSIONS(s
->internal
->tlsext_ocsp_exts
, &ext_data
) !=
765 tlsext_ocsp_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
767 int failure
= SSL_AD_DECODE_ERROR
;
768 CBS respid_list
, respid
, exts
;
769 const unsigned char *p
;
773 if (!CBS_get_u8(cbs
, &status_type
))
775 if (status_type
!= TLSEXT_STATUSTYPE_ocsp
) {
776 /* ignore unknown status types */
777 s
->tlsext_status_type
= -1;
779 if (!CBS_skip(cbs
, CBS_len(cbs
))) {
780 *alert
= TLS1_AD_INTERNAL_ERROR
;
785 s
->tlsext_status_type
= status_type
;
786 if (!CBS_get_u16_length_prefixed(cbs
, &respid_list
))
790 sk_OCSP_RESPID_pop_free(s
->internal
->tlsext_ocsp_ids
, OCSP_RESPID_free
);
791 s
->internal
->tlsext_ocsp_ids
= NULL
;
792 if (CBS_len(&respid_list
) > 0) {
793 s
->internal
->tlsext_ocsp_ids
= sk_OCSP_RESPID_new_null();
794 if (s
->internal
->tlsext_ocsp_ids
== NULL
) {
795 failure
= SSL_AD_INTERNAL_ERROR
;
800 while (CBS_len(&respid_list
) > 0) {
803 if (!CBS_get_u16_length_prefixed(&respid_list
, &respid
))
805 p
= CBS_data(&respid
);
806 if ((id
= d2i_OCSP_RESPID(NULL
, &p
, CBS_len(&respid
))) == NULL
)
808 if (!sk_OCSP_RESPID_push(s
->internal
->tlsext_ocsp_ids
, id
)) {
809 failure
= SSL_AD_INTERNAL_ERROR
;
810 OCSP_RESPID_free(id
);
815 /* Read in request_extensions */
816 if (!CBS_get_u16_length_prefixed(cbs
, &exts
))
818 if (CBS_len(&exts
) > 0) {
819 sk_X509_EXTENSION_pop_free(s
->internal
->tlsext_ocsp_exts
,
820 X509_EXTENSION_free
);
822 if ((s
->internal
->tlsext_ocsp_exts
= d2i_X509_EXTENSIONS(NULL
,
823 &p
, CBS_len(&exts
))) == NULL
)
827 /* should be nothing left */
828 if (CBS_len(cbs
) > 0)
839 tlsext_ocsp_serverhello_needs(SSL
*s
)
841 return s
->internal
->tlsext_status_expected
;
845 tlsext_ocsp_serverhello_build(SSL
*s
, CBB
*cbb
)
851 tlsext_ocsp_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
853 if (s
->tlsext_status_type
== -1) {
854 *alert
= TLS1_AD_UNSUPPORTED_EXTENSION
;
857 /* Set flag to expect CertificateStatus message */
858 s
->internal
->tlsext_status_expected
= 1;
863 * SessionTicket extension - RFC 5077 section 3.2
866 tlsext_sessionticket_clienthello_needs(SSL
*s
)
869 * Send session ticket extension when enabled and not overridden.
871 * When renegotiating, send an empty session ticket to indicate support.
873 if ((SSL_get_options(s
) & SSL_OP_NO_TICKET
) != 0)
876 if (s
->internal
->new_session
)
879 if (s
->internal
->tlsext_session_ticket
!= NULL
&&
880 s
->internal
->tlsext_session_ticket
->data
== NULL
)
887 tlsext_sessionticket_clienthello_build(SSL
*s
, CBB
*cbb
)
890 * Signal that we support session tickets by sending an empty
891 * extension when renegotiating or no session found.
893 if (s
->internal
->new_session
|| s
->session
== NULL
)
896 if (s
->session
->tlsext_tick
!= NULL
) {
897 /* Attempt to resume with an existing session ticket */
898 if (!CBB_add_bytes(cbb
, s
->session
->tlsext_tick
,
899 s
->session
->tlsext_ticklen
))
902 } else if (s
->internal
->tlsext_session_ticket
!= NULL
) {
904 * Attempt to resume with a custom provided session ticket set
905 * by SSL_set_session_ticket_ext().
907 if (s
->internal
->tlsext_session_ticket
->length
> 0) {
908 size_t ticklen
= s
->internal
->tlsext_session_ticket
->length
;
910 if ((s
->session
->tlsext_tick
= malloc(ticklen
)) == NULL
)
912 memcpy(s
->session
->tlsext_tick
,
913 s
->internal
->tlsext_session_ticket
->data
,
915 s
->session
->tlsext_ticklen
= ticklen
;
917 if (!CBB_add_bytes(cbb
, s
->session
->tlsext_tick
,
918 s
->session
->tlsext_ticklen
))
930 tlsext_sessionticket_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
932 if (s
->internal
->tls_session_ticket_ext_cb
) {
933 if (!s
->internal
->tls_session_ticket_ext_cb(s
, CBS_data(cbs
),
935 s
->internal
->tls_session_ticket_ext_cb_arg
)) {
936 *alert
= TLS1_AD_INTERNAL_ERROR
;
941 /* We need to signal that this was processed fully */
942 if (!CBS_skip(cbs
, CBS_len(cbs
))) {
943 *alert
= TLS1_AD_INTERNAL_ERROR
;
951 tlsext_sessionticket_serverhello_needs(SSL
*s
)
953 return (s
->internal
->tlsext_ticket_expected
&&
954 !(SSL_get_options(s
) & SSL_OP_NO_TICKET
));
958 tlsext_sessionticket_serverhello_build(SSL
*s
, CBB
*cbb
)
966 tlsext_sessionticket_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
968 if (s
->internal
->tls_session_ticket_ext_cb
) {
969 if (!s
->internal
->tls_session_ticket_ext_cb(s
, CBS_data(cbs
),
971 s
->internal
->tls_session_ticket_ext_cb_arg
)) {
972 *alert
= TLS1_AD_INTERNAL_ERROR
;
977 if ((SSL_get_options(s
) & SSL_OP_NO_TICKET
) != 0 || CBS_len(cbs
) > 0) {
978 *alert
= TLS1_AD_UNSUPPORTED_EXTENSION
;
982 s
->internal
->tlsext_ticket_expected
= 1;
988 * DTLS extension for SRTP key establishment - RFC 5764
991 #ifndef OPENSSL_NO_SRTP
994 tlsext_srtp_clienthello_needs(SSL
*s
)
996 return SSL_IS_DTLS(s
) && SSL_get_srtp_profiles(s
) != NULL
;
1000 tlsext_srtp_clienthello_build(SSL
*s
, CBB
*cbb
)
1004 STACK_OF(SRTP_PROTECTION_PROFILE
) *clnt
= NULL
;
1005 SRTP_PROTECTION_PROFILE
*prof
;
1007 if ((clnt
= SSL_get_srtp_profiles(s
)) == NULL
) {
1008 SSLerror(s
, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST
);
1012 if ((ct
= sk_SRTP_PROTECTION_PROFILE_num(clnt
)) < 1) {
1013 SSLerror(s
, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST
);
1017 if (!CBB_add_u16_length_prefixed(cbb
, &profiles
))
1020 for (i
= 0; i
< ct
; i
++) {
1021 if ((prof
= sk_SRTP_PROTECTION_PROFILE_value(clnt
, i
)) == NULL
)
1023 if (!CBB_add_u16(&profiles
, prof
->id
))
1027 if (!CBB_add_u8_length_prefixed(cbb
, &mki
))
1030 if (!CBB_flush(cbb
))
1037 tlsext_srtp_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
1039 SRTP_PROTECTION_PROFILE
*cprof
, *sprof
;
1040 STACK_OF(SRTP_PROTECTION_PROFILE
) *clnt
= NULL
, *srvr
;
1048 if (!CBS_get_u16_length_prefixed(cbs
, &profiles
))
1050 if (CBS_len(&profiles
) == 0 || CBS_len(&profiles
) % 2 != 0)
1053 if ((clnt
= sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL
)
1056 while (CBS_len(&profiles
) > 0) {
1057 if (!CBS_get_u16(&profiles
, &id
))
1060 if (!srtp_find_profile_by_num(id
, &cprof
)) {
1061 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt
, cprof
))
1066 if (!CBS_get_u8_length_prefixed(cbs
, &mki
) || CBS_len(&mki
) != 0) {
1067 SSLerror(s
, SSL_R_BAD_SRTP_MKI_VALUE
);
1068 *alert
= SSL_AD_DECODE_ERROR
;
1071 if (CBS_len(cbs
) != 0)
1075 * Per RFC 5764 section 4.1.1
1077 * Find the server preferred profile using the client's list.
1079 * The server MUST send a profile if it sends the use_srtp
1080 * extension. If one is not found, it should fall back to the
1081 * negotiated DTLS cipher suite or return a DTLS alert.
1083 if ((srvr
= SSL_get_srtp_profiles(s
)) == NULL
)
1085 for (i
= 0; i
< sk_SRTP_PROTECTION_PROFILE_num(srvr
); i
++) {
1086 if ((sprof
= sk_SRTP_PROTECTION_PROFILE_value(srvr
, i
))
1090 for (j
= 0; j
< sk_SRTP_PROTECTION_PROFILE_num(clnt
); j
++) {
1091 if ((cprof
= sk_SRTP_PROTECTION_PROFILE_value(clnt
, j
))
1095 if (cprof
->id
== sprof
->id
) {
1096 s
->internal
->srtp_profile
= sprof
;
1103 /* If we didn't find anything, fall back to the negotiated */
1108 SSLerror(s
, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
1109 *alert
= SSL_AD_DECODE_ERROR
;
1112 sk_SRTP_PROTECTION_PROFILE_free(clnt
);
1117 tlsext_srtp_serverhello_needs(SSL
*s
)
1119 return SSL_IS_DTLS(s
) && SSL_get_selected_srtp_profile(s
) != NULL
;
1123 tlsext_srtp_serverhello_build(SSL
*s
, CBB
*cbb
)
1125 SRTP_PROTECTION_PROFILE
*profile
;
1128 if (!CBB_add_u16_length_prefixed(cbb
, &srtp
))
1131 if ((profile
= SSL_get_selected_srtp_profile(s
)) == NULL
)
1134 if (!CBB_add_u16(&srtp
, profile
->id
))
1137 if (!CBB_add_u8_length_prefixed(cbb
, &mki
))
1140 if (!CBB_flush(cbb
))
1147 tlsext_srtp_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
1149 STACK_OF(SRTP_PROTECTION_PROFILE
) *clnt
;
1150 SRTP_PROTECTION_PROFILE
*prof
;
1153 CBS profile_ids
, mki
;
1155 if (!CBS_get_u16_length_prefixed(cbs
, &profile_ids
)) {
1156 SSLerror(s
, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
1160 if (!CBS_get_u16(&profile_ids
, &id
) || CBS_len(&profile_ids
) != 0) {
1161 SSLerror(s
, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
1165 if (!CBS_get_u8_length_prefixed(cbs
, &mki
) || CBS_len(&mki
) != 0) {
1166 SSLerror(s
, SSL_R_BAD_SRTP_MKI_VALUE
);
1167 *alert
= SSL_AD_ILLEGAL_PARAMETER
;
1171 if ((clnt
= SSL_get_srtp_profiles(s
)) == NULL
) {
1172 SSLerror(s
, SSL_R_NO_SRTP_PROFILES
);
1176 for (i
= 0; i
< sk_SRTP_PROTECTION_PROFILE_num(clnt
); i
++) {
1177 if ((prof
= sk_SRTP_PROTECTION_PROFILE_value(clnt
, i
))
1179 SSLerror(s
, SSL_R_NO_SRTP_PROFILES
);
1183 if (prof
->id
== id
) {
1184 s
->internal
->srtp_profile
= prof
;
1189 SSLerror(s
, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
1191 *alert
= SSL_AD_DECODE_ERROR
;
1195 #endif /* OPENSSL_NO_SRTP */
1197 struct tls_extension
{
1199 int (*clienthello_needs
)(SSL
*s
);
1200 int (*clienthello_build
)(SSL
*s
, CBB
*cbb
);
1201 int (*clienthello_parse
)(SSL
*s
, CBS
*cbs
, int *alert
);
1202 int (*serverhello_needs
)(SSL
*s
);
1203 int (*serverhello_build
)(SSL
*s
, CBB
*cbb
);
1204 int (*serverhello_parse
)(SSL
*s
, CBS
*cbs
, int *alert
);
1207 static struct tls_extension tls_extensions
[] = {
1209 .type
= TLSEXT_TYPE_server_name
,
1210 .clienthello_needs
= tlsext_sni_clienthello_needs
,
1211 .clienthello_build
= tlsext_sni_clienthello_build
,
1212 .clienthello_parse
= tlsext_sni_clienthello_parse
,
1213 .serverhello_needs
= tlsext_sni_serverhello_needs
,
1214 .serverhello_build
= tlsext_sni_serverhello_build
,
1215 .serverhello_parse
= tlsext_sni_serverhello_parse
,
1218 .type
= TLSEXT_TYPE_renegotiate
,
1219 .clienthello_needs
= tlsext_ri_clienthello_needs
,
1220 .clienthello_build
= tlsext_ri_clienthello_build
,
1221 .clienthello_parse
= tlsext_ri_clienthello_parse
,
1222 .serverhello_needs
= tlsext_ri_serverhello_needs
,
1223 .serverhello_build
= tlsext_ri_serverhello_build
,
1224 .serverhello_parse
= tlsext_ri_serverhello_parse
,
1227 .type
= TLSEXT_TYPE_status_request
,
1228 .clienthello_needs
= tlsext_ocsp_clienthello_needs
,
1229 .clienthello_build
= tlsext_ocsp_clienthello_build
,
1230 .clienthello_parse
= tlsext_ocsp_clienthello_parse
,
1231 .serverhello_needs
= tlsext_ocsp_serverhello_needs
,
1232 .serverhello_build
= tlsext_ocsp_serverhello_build
,
1233 .serverhello_parse
= tlsext_ocsp_serverhello_parse
,
1236 .type
= TLSEXT_TYPE_ec_point_formats
,
1237 .clienthello_needs
= tlsext_ecpf_clienthello_needs
,
1238 .clienthello_build
= tlsext_ecpf_clienthello_build
,
1239 .clienthello_parse
= tlsext_ecpf_clienthello_parse
,
1240 .serverhello_needs
= tlsext_ecpf_serverhello_needs
,
1241 .serverhello_build
= tlsext_ecpf_serverhello_build
,
1242 .serverhello_parse
= tlsext_ecpf_serverhello_parse
,
1245 .type
= TLSEXT_TYPE_elliptic_curves
,
1246 .clienthello_needs
= tlsext_ec_clienthello_needs
,
1247 .clienthello_build
= tlsext_ec_clienthello_build
,
1248 .clienthello_parse
= tlsext_ec_clienthello_parse
,
1249 .serverhello_needs
= tlsext_ec_serverhello_needs
,
1250 .serverhello_build
= tlsext_ec_serverhello_build
,
1251 .serverhello_parse
= tlsext_ec_serverhello_parse
,
1254 .type
= TLSEXT_TYPE_session_ticket
,
1255 .clienthello_needs
= tlsext_sessionticket_clienthello_needs
,
1256 .clienthello_build
= tlsext_sessionticket_clienthello_build
,
1257 .clienthello_parse
= tlsext_sessionticket_clienthello_parse
,
1258 .serverhello_needs
= tlsext_sessionticket_serverhello_needs
,
1259 .serverhello_build
= tlsext_sessionticket_serverhello_build
,
1260 .serverhello_parse
= tlsext_sessionticket_serverhello_parse
,
1263 .type
= TLSEXT_TYPE_signature_algorithms
,
1264 .clienthello_needs
= tlsext_sigalgs_clienthello_needs
,
1265 .clienthello_build
= tlsext_sigalgs_clienthello_build
,
1266 .clienthello_parse
= tlsext_sigalgs_clienthello_parse
,
1267 .serverhello_needs
= tlsext_sigalgs_serverhello_needs
,
1268 .serverhello_build
= tlsext_sigalgs_serverhello_build
,
1269 .serverhello_parse
= tlsext_sigalgs_serverhello_parse
,
1272 .type
= TLSEXT_TYPE_application_layer_protocol_negotiation
,
1273 .clienthello_needs
= tlsext_alpn_clienthello_needs
,
1274 .clienthello_build
= tlsext_alpn_clienthello_build
,
1275 .clienthello_parse
= tlsext_alpn_clienthello_parse
,
1276 .serverhello_needs
= tlsext_alpn_serverhello_needs
,
1277 .serverhello_build
= tlsext_alpn_serverhello_build
,
1278 .serverhello_parse
= tlsext_alpn_serverhello_parse
,
1280 #ifndef OPENSSL_NO_SRTP
1282 .type
= TLSEXT_TYPE_use_srtp
,
1283 .clienthello_needs
= tlsext_srtp_clienthello_needs
,
1284 .clienthello_build
= tlsext_srtp_clienthello_build
,
1285 .clienthello_parse
= tlsext_srtp_clienthello_parse
,
1286 .serverhello_needs
= tlsext_srtp_serverhello_needs
,
1287 .serverhello_build
= tlsext_srtp_serverhello_build
,
1288 .serverhello_parse
= tlsext_srtp_serverhello_parse
,
1290 #endif /* OPENSSL_NO_SRTP */
1293 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
1295 /* Ensure that extensions fit in a uint32_t bitmask. */
1296 CTASSERT(N_TLS_EXTENSIONS
<= (sizeof(uint32_t) * 8));
1298 static struct tls_extension
*
1299 tls_extension_find(uint16_t type
, size_t *tls_extensions_idx
)
1303 for (i
= 0; i
< N_TLS_EXTENSIONS
; i
++) {
1304 if (tls_extensions
[i
].type
== type
) {
1305 *tls_extensions_idx
= i
;
1306 return &tls_extensions
[i
];
1314 tls_extension_needs(struct tls_extension
*tlsext
, int is_serverhello
, SSL
*s
)
1317 return tlsext
->serverhello_needs(s
);
1318 return tlsext
->clienthello_needs(s
);
1322 tls_extension_build(struct tls_extension
*tlsext
, int is_serverhello
, SSL
*s
,
1326 return tlsext
->serverhello_build(s
, cbb
);
1327 return tlsext
->clienthello_build(s
, cbb
);
1331 tls_extension_parse(struct tls_extension
*tlsext
, int is_serverhello
, SSL
*s
,
1332 CBS
*cbs
, int *alert
)
1335 return tlsext
->serverhello_parse(s
, cbs
, alert
);
1336 return tlsext
->clienthello_parse(s
, cbs
, alert
);
1340 tlsext_build(SSL
*s
, CBB
*cbb
, int is_serverhello
)
1342 CBB extensions
, extension_data
;
1343 struct tls_extension
*tlsext
;
1344 int extensions_present
= 0;
1347 if (!CBB_add_u16_length_prefixed(cbb
, &extensions
))
1350 for (i
= 0; i
< N_TLS_EXTENSIONS
; i
++) {
1351 tlsext
= &tls_extensions
[i
];
1353 if (!tls_extension_needs(tlsext
, is_serverhello
, s
))
1356 if (!CBB_add_u16(&extensions
, tlsext
->type
))
1358 if (!CBB_add_u16_length_prefixed(&extensions
, &extension_data
))
1361 if (!tls_extension_build(tlsext
, is_serverhello
, s
,
1365 extensions_present
= 1;
1368 if (!extensions_present
)
1369 CBB_discard_child(cbb
);
1371 if (!CBB_flush(cbb
))
1378 tlsext_parse(SSL
*s
, CBS
*cbs
, int *alert
, int is_serverhello
)
1380 CBS extensions
, extension_data
;
1381 struct tls_extension
*tlsext
;
1382 uint32_t extensions_seen
= 0;
1386 /* An empty extensions block is valid. */
1387 if (CBS_len(cbs
) == 0)
1390 *alert
= SSL_AD_DECODE_ERROR
;
1392 if (!CBS_get_u16_length_prefixed(cbs
, &extensions
))
1395 while (CBS_len(&extensions
) > 0) {
1396 if (!CBS_get_u16(&extensions
, &type
))
1398 if (!CBS_get_u16_length_prefixed(&extensions
, &extension_data
))
1401 if (s
->internal
->tlsext_debug_cb
!= NULL
)
1402 s
->internal
->tlsext_debug_cb(s
, is_serverhello
, type
,
1403 (unsigned char *)CBS_data(&extension_data
),
1404 CBS_len(&extension_data
),
1405 s
->internal
->tlsext_debug_arg
);
1407 /* Unknown extensions are ignored. */
1408 if ((tlsext
= tls_extension_find(type
, &idx
)) == NULL
)
1411 /* Check for duplicate known extensions. */
1412 if ((extensions_seen
& (1 << idx
)) != 0)
1414 extensions_seen
|= (1 << idx
);
1416 if (!tls_extension_parse(tlsext
, is_serverhello
, s
,
1417 &extension_data
, alert
))
1420 if (CBS_len(&extension_data
) != 0)
1428 tlsext_clienthello_reset_state(SSL
*s
)
1430 s
->internal
->servername_done
= 0;
1431 s
->tlsext_status_type
= -1;
1432 S3I(s
)->renegotiate_seen
= 0;
1433 free(S3I(s
)->alpn_selected
);
1434 S3I(s
)->alpn_selected
= NULL
;
1435 s
->internal
->srtp_profile
= NULL
;
1439 tlsext_clienthello_build(SSL
*s
, CBB
*cbb
)
1441 return tlsext_build(s
, cbb
, 0);
1445 tlsext_clienthello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
1447 /* XXX - this possibly should be done by the caller... */
1448 tlsext_clienthello_reset_state(s
);
1450 return tlsext_parse(s
, cbs
, alert
, 0);
1454 tlsext_serverhello_reset_state(SSL
*s
)
1456 S3I(s
)->renegotiate_seen
= 0;
1457 free(S3I(s
)->alpn_selected
);
1458 S3I(s
)->alpn_selected
= NULL
;
1462 tlsext_serverhello_build(SSL
*s
, CBB
*cbb
)
1464 return tlsext_build(s
, cbb
, 1);
1468 tlsext_serverhello_parse(SSL
*s
, CBS
*cbs
, int *alert
)
1470 /* XXX - this possibly should be done by the caller... */
1471 tlsext_serverhello_reset_state(s
);
1473 return tlsext_parse(s
, cbs
, alert
, 1);