Bug Summary

File:src/lib/libssl/ssl_tlsext.c
Warning:line 798, column 7
Branch condition evaluates to a garbage value

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name ssl_tlsext.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libssl/obj -resource-dir /usr/local/lib/clang/13.0.0 -D LIBRESSL_INTERNAL -I /usr/src/lib/libssl -D PIC -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libssl/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/lib/libssl/ssl_tlsext.c
1/* $OpenBSD: ssl_tlsext.c,v 1.108 2022/01/11 18:28:41 jsing Exp $ */
2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <sys/socket.h>
21
22#include <arpa/inet.h>
23#include <netinet/in.h>
24
25#include <ctype.h>
26
27#include <openssl/ocsp.h>
28#include <openssl/opensslconf.h>
29
30#include "bytestring.h"
31#include "ssl_locl.h"
32#include "ssl_sigalgs.h"
33#include "ssl_tlsext.h"
34
35/*
36 * Supported Application-Layer Protocol Negotiation - RFC 7301
37 */
38
39int
40tlsext_alpn_client_needs(SSL *s, uint16_t msg_type)
41{
42 /* ALPN protos have been specified and this is the initial handshake */
43 return s->internal->alpn_client_proto_list != NULL((void*)0) &&
44 S3I(s)(s->s3->internal)->hs.finished_len == 0;
45}
46
47int
48tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
49{
50 CBB protolist;
51
52 if (!CBB_add_u16_length_prefixed(cbb, &protolist))
53 return 0;
54
55 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list,
56 s->internal->alpn_client_proto_list_len))
57 return 0;
58
59 if (!CBB_flush(cbb))
60 return 0;
61
62 return 1;
63}
64
65int
66tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
67{
68 CBS proto_name_list, alpn;
69 const unsigned char *selected;
70 unsigned char selected_len;
71 int r;
72
73 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
74 goto err;
75 if (CBS_len(&alpn) < 2)
76 goto err;
77 if (CBS_len(cbs) != 0)
78 goto err;
79
80 CBS_dup(&alpn, &proto_name_list);
81 while (CBS_len(&proto_name_list) > 0) {
82 CBS proto_name;
83
84 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
85 goto err;
86 if (CBS_len(&proto_name) == 0)
87 goto err;
88 }
89
90 if (s->ctx->internal->alpn_select_cb == NULL((void*)0))
91 return 1;
92
93 /*
94 * XXX - A few things should be considered here:
95 * 1. Ensure that the same protocol is selected on session resumption.
96 * 2. Should the callback be called even if no ALPN extension was sent?
97 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed.
98 */
99 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
100 CBS_data(&alpn), CBS_len(&alpn),
101 s->ctx->internal->alpn_select_cb_arg);
102
103 if (r == SSL_TLSEXT_ERR_OK0) {
104 free(S3I(s)(s->s3->internal)->alpn_selected);
105 if ((S3I(s)(s->s3->internal)->alpn_selected = malloc(selected_len)) == NULL((void*)0)) {
106 S3I(s)(s->s3->internal)->alpn_selected_len = 0;
107 *alert = SSL_AD_INTERNAL_ERROR80;
108 return 0;
109 }
110 memcpy(S3I(s)(s->s3->internal)->alpn_selected, selected, selected_len);
111 S3I(s)(s->s3->internal)->alpn_selected_len = selected_len;
112
113 return 1;
114 }
115
116 /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */
117 if (r == SSL_TLSEXT_ERR_NOACK3)
118 return 1;
119
120 *alert = SSL_AD_NO_APPLICATION_PROTOCOL120;
121 SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL)SSL_error_internal(s, 235, "/usr/src/lib/libssl/ssl_tlsext.c"
, 121);
122
123 return 0;
124
125 err:
126 *alert = SSL_AD_DECODE_ERROR50;
127 return 0;
128}
129
130int
131tlsext_alpn_server_needs(SSL *s, uint16_t msg_type)
132{
133 return S3I(s)(s->s3->internal)->alpn_selected != NULL((void*)0);
134}
135
136int
137tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
138{
139 CBB list, selected;
140
141 if (!CBB_add_u16_length_prefixed(cbb, &list))
142 return 0;
143
144 if (!CBB_add_u8_length_prefixed(&list, &selected))
145 return 0;
146
147 if (!CBB_add_bytes(&selected, S3I(s)(s->s3->internal)->alpn_selected,
148 S3I(s)(s->s3->internal)->alpn_selected_len))
149 return 0;
150
151 if (!CBB_flush(cbb))
152 return 0;
153
154 return 1;
155}
156
157int
158tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
159{
160 CBS list, proto;
161
162 if (s->internal->alpn_client_proto_list == NULL((void*)0)) {
163 *alert = SSL_AD_UNSUPPORTED_EXTENSION110;
164 return 0;
165 }
166
167 if (!CBS_get_u16_length_prefixed(cbs, &list))
168 goto err;
169 if (CBS_len(cbs) != 0)
170 goto err;
171
172 if (!CBS_get_u8_length_prefixed(&list, &proto))
173 goto err;
174
175 if (CBS_len(&list) != 0)
176 goto err;
177 if (CBS_len(&proto) == 0)
178 goto err;
179
180 if (!CBS_stow(&proto, &(S3I(s)(s->s3->internal)->alpn_selected),
181 &(S3I(s)(s->s3->internal)->alpn_selected_len)))
182 goto err;
183
184 return 1;
185
186 err:
187 *alert = SSL_AD_DECODE_ERROR50;
188 return 0;
189}
190
191/*
192 * Supported Groups - RFC 7919 section 2
193 */
194int
195tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type)
196{
197 return ssl_has_ecc_ciphers(s) ||
198 (S3I(s)(s->s3->internal)->hs.our_max_tls_version >= TLS1_3_VERSION0x0304);
199}
200
201int
202tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
203{
204 const uint16_t *groups;
205 size_t groups_len;
206 CBB grouplist;
207 int i;
208
209 tls1_get_group_list(s, 0, &groups, &groups_len);
210 if (groups_len == 0) {
211 SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4|64), "/usr/src/lib/libssl/ssl_tlsext.c"
, 211);
212 return 0;
213 }
214
215 if (!CBB_add_u16_length_prefixed(cbb, &grouplist))
216 return 0;
217
218 for (i = 0; i < groups_len; i++) {
219 if (!CBB_add_u16(&grouplist, groups[i]))
220 return 0;
221 }
222
223 if (!CBB_flush(cbb))
224 return 0;
225
226 return 1;
227}
228
229int
230tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
231 int *alert)
232{
233 CBS grouplist;
234 size_t groups_len;
235
236 if (!CBS_get_u16_length_prefixed(cbs, &grouplist))
237 goto err;
238 if (CBS_len(cbs) != 0)
239 goto err;
240
241 groups_len = CBS_len(&grouplist);
242 if (groups_len == 0 || groups_len % 2 != 0)
243 goto err;
244 groups_len /= 2;
245
246 if (!s->internal->hit) {
247 uint16_t *groups;
248 int i;
249
250 if (S3I(s)(s->s3->internal)->hs.tls13.hrr) {
251 if (s->session->tlsext_supportedgroups == NULL((void*)0)) {
252 *alert = SSL_AD_HANDSHAKE_FAILURE40;
253 return 0;
254 }
255 /*
256 * In the case of TLSv1.3 the client cannot change
257 * the supported groups.
258 */
259 if (groups_len != s->session->tlsext_supportedgroups_length) {
260 *alert = SSL_AD_ILLEGAL_PARAMETER47;
261 return 0;
262 }
263 for (i = 0; i < groups_len; i++) {
264 uint16_t group;
265
266 if (!CBS_get_u16(&grouplist, &group))
267 goto err;
268 if (s->session->tlsext_supportedgroups[i] != group) {
269 *alert = SSL_AD_ILLEGAL_PARAMETER47;
270 return 0;
271 }
272 }
273
274 return 1;
275 }
276
277 if (s->session->tlsext_supportedgroups != NULL((void*)0))
278 goto err;
279
280 if ((groups = reallocarray(NULL((void*)0), groups_len,
281 sizeof(uint16_t))) == NULL((void*)0)) {
282 *alert = SSL_AD_INTERNAL_ERROR80;
283 return 0;
284 }
285
286 for (i = 0; i < groups_len; i++) {
287 if (!CBS_get_u16(&grouplist, &groups[i])) {
288 free(groups);
289 goto err;
290 }
291 }
292
293 if (CBS_len(&grouplist) != 0) {
294 free(groups);
295 goto err;
296 }
297
298 s->session->tlsext_supportedgroups = groups;
299 s->session->tlsext_supportedgroups_length = groups_len;
300 }
301
302 return 1;
303
304 err:
305 *alert = SSL_AD_DECODE_ERROR50;
306 return 0;
307}
308
309/* This extension is never used by the server. */
310int
311tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type)
312{
313 return 0;
314}
315
316int
317tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
318{
319 return 0;
320}
321
322int
323tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
324 int *alert)
325{
326 /*
327 * Servers should not send this extension per the RFC.
328 *
329 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
330 * from at least 2014 but as of 2017, there are still large sites with
331 * this unpatched in production. As a result, we need to currently skip
332 * over the extension and ignore its content:
333 *
334 * https://support.f5.com/csp/article/K37345003
335 */
336 if (!CBS_skip(cbs, CBS_len(cbs))) {
337 *alert = SSL_AD_INTERNAL_ERROR80;
338 return 0;
339 }
340
341 return 1;
342}
343
344/*
345 * Supported Point Formats Extension - RFC 4492 section 5.1.2
346 */
347static int
348tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb)
349{
350 CBB ecpf;
351 size_t formats_len;
352 const uint8_t *formats;
353
354 tls1_get_formatlist(s, 0, &formats, &formats_len);
355
356 if (formats_len == 0) {
357 SSLerror(s, ERR_R_INTERNAL_ERROR)SSL_error_internal(s, (4|64), "/usr/src/lib/libssl/ssl_tlsext.c"
, 357);
358 return 0;
359 }
360
361 if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
362 return 0;
363 if (!CBB_add_bytes(&ecpf, formats, formats_len))
364 return 0;
365 if (!CBB_flush(cbb))
366 return 0;
367
368 return 1;
369}
370
371static int
372tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
373{
374 CBS ecpf;
375
376 if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
377 return 0;
378 if (CBS_len(&ecpf) == 0)
379 return 0;
380 if (CBS_len(cbs) != 0)
381 return 0;
382
383 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
384 if (!CBS_contains_zero_byte(&ecpf)) {
385 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST)SSL_error_internal(s, 157, "/usr/src/lib/libssl/ssl_tlsext.c"
, 385);
386 *alert = SSL_AD_ILLEGAL_PARAMETER47;
387 return 0;
388 }
389
390 if (!s->internal->hit) {
391 if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist),
392 &(s->session->tlsext_ecpointformatlist_length))) {
393 *alert = SSL_AD_INTERNAL_ERROR80;
394 return 0;
395 }
396 }
397
398 return 1;
399}
400
401int
402tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type)
403{
404 return ssl_has_ecc_ciphers(s);
405}
406
407int
408tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
409{
410 return tlsext_ecpf_build(s, msg_type, cbb);
411}
412
413int
414tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
415{
416 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
417}
418
419int
420tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type)
421{
422 return ssl_using_ecc_cipher(s);
423}
424
425int
426tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
427{
428 return tlsext_ecpf_build(s, msg_type, cbb);
429}
430
431int
432tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
433{
434 return tlsext_ecpf_parse(s, msg_type, cbs, alert);
435}
436
437/*
438 * Renegotiation Indication - RFC 5746.
439 */
440int
441tlsext_ri_client_needs(SSL *s, uint16_t msg_type)
442{
443 return (s->internal->renegotiate);
444}
445
446int
447tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
448{
449 CBB reneg;
450
451 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
452 return 0;
453 if (!CBB_add_bytes(&reneg, S3I(s)(s->s3->internal)->previous_client_finished,
454 S3I(s)(s->s3->internal)->previous_client_finished_len))
455 return 0;
456 if (!CBB_flush(cbb))
457 return 0;
458
459 return 1;
460}
461
462int
463tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
464{
465 CBS reneg;
466
467 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
468 goto err;
469 if (CBS_len(cbs) != 0)
470 goto err;
471
472 if (!CBS_mem_equal(&reneg, S3I(s)(s->s3->internal)->previous_client_finished,
473 S3I(s)(s->s3->internal)->previous_client_finished_len)) {
474 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH)SSL_error_internal(s, 337, "/usr/src/lib/libssl/ssl_tlsext.c"
, 474);
475 *alert = SSL_AD_HANDSHAKE_FAILURE40;
476 return 0;
477 }
478
479 S3I(s)(s->s3->internal)->renegotiate_seen = 1;
480 S3I(s)(s->s3->internal)->send_connection_binding = 1;
481
482 return 1;
483
484 err:
485 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR)SSL_error_internal(s, 336, "/usr/src/lib/libssl/ssl_tlsext.c"
, 485);
486 *alert = SSL_AD_DECODE_ERROR50;
487 return 0;
488}
489
490int
491tlsext_ri_server_needs(SSL *s, uint16_t msg_type)
492{
493 return (S3I(s)(s->s3->internal)->hs.negotiated_tls_version < TLS1_3_VERSION0x0304 &&
494 S3I(s)(s->s3->internal)->send_connection_binding);
495}
496
497int
498tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
499{
500 CBB reneg;
501
502 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
503 return 0;
504 if (!CBB_add_bytes(&reneg, S3I(s)(s->s3->internal)->previous_client_finished,
505 S3I(s)(s->s3->internal)->previous_client_finished_len))
506 return 0;
507 if (!CBB_add_bytes(&reneg, S3I(s)(s->s3->internal)->previous_server_finished,
508 S3I(s)(s->s3->internal)->previous_server_finished_len))
509 return 0;
510 if (!CBB_flush(cbb))
511 return 0;
512
513 return 1;
514}
515
516int
517tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
518{
519 CBS reneg, prev_client, prev_server;
520
521 /*
522 * Ensure that the previous client and server values are both not
523 * present, or that they are both present.
524 */
525 if ((S3I(s)(s->s3->internal)->previous_client_finished_len == 0 &&
526 S3I(s)(s->s3->internal)->previous_server_finished_len != 0) ||
527 (S3I(s)(s->s3->internal)->previous_client_finished_len != 0 &&
528 S3I(s)(s->s3->internal)->previous_server_finished_len == 0)) {
529 *alert = SSL_AD_INTERNAL_ERROR80;
530 return 0;
531 }
532
533 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
534 goto err;
535 if (!CBS_get_bytes(&reneg, &prev_client,
536 S3I(s)(s->s3->internal)->previous_client_finished_len))
537 goto err;
538 if (!CBS_get_bytes(&reneg, &prev_server,
539 S3I(s)(s->s3->internal)->previous_server_finished_len))
540 goto err;
541 if (CBS_len(&reneg) != 0)
542 goto err;
543 if (CBS_len(cbs) != 0)
544 goto err;
545
546 if (!CBS_mem_equal(&prev_client, S3I(s)(s->s3->internal)->previous_client_finished,
547 S3I(s)(s->s3->internal)->previous_client_finished_len)) {
548 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH)SSL_error_internal(s, 337, "/usr/src/lib/libssl/ssl_tlsext.c"
, 548);
549 *alert = SSL_AD_HANDSHAKE_FAILURE40;
550 return 0;
551 }
552 if (!CBS_mem_equal(&prev_server, S3I(s)(s->s3->internal)->previous_server_finished,
553 S3I(s)(s->s3->internal)->previous_server_finished_len)) {
554 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH)SSL_error_internal(s, 337, "/usr/src/lib/libssl/ssl_tlsext.c"
, 554);
555 *alert = SSL_AD_HANDSHAKE_FAILURE40;
556 return 0;
557 }
558
559 S3I(s)(s->s3->internal)->renegotiate_seen = 1;
560 S3I(s)(s->s3->internal)->send_connection_binding = 1;
561
562 return 1;
563
564 err:
565 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR)SSL_error_internal(s, 336, "/usr/src/lib/libssl/ssl_tlsext.c"
, 565);
566 *alert = SSL_AD_DECODE_ERROR50;
567 return 0;
568}
569
570/*
571 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
572 */
573int
574tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
575{
576 return (S3I(s)(s->s3->internal)->hs.our_max_tls_version >= TLS1_2_VERSION0x0303);
577}
578
579int
580tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
581{
582 uint16_t tls_version = S3I(s)(s->s3->internal)->hs.negotiated_tls_version;
583 CBB sigalgs;
584
585 if (msg_type == SSL_TLSEXT_MSG_CH0x0001)
586 tls_version = S3I(s)(s->s3->internal)->hs.our_min_tls_version;
587
588 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
589 return 0;
590 if (!ssl_sigalgs_build(tls_version, &sigalgs))
591 return 0;
592 if (!CBB_flush(cbb))
593 return 0;
594
595 return 1;
596}
597
598int
599tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
600{
601 CBS sigalgs;
602
603 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
604 return 0;
605 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
606 return 0;
607 if (!CBS_stow(&sigalgs, &S3I(s)(s->s3->internal)->hs.sigalgs, &S3I(s)(s->s3->internal)->hs.sigalgs_len))
608 return 0;
609
610 return 1;
611}
612
613int
614tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
615{
616 return (S3I(s)(s->s3->internal)->hs.negotiated_tls_version >= TLS1_3_VERSION0x0304);
617}
618
619int
620tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
621{
622 CBB sigalgs;
623
624 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
625 return 0;
626 if (!ssl_sigalgs_build(S3I(s)(s->s3->internal)->hs.negotiated_tls_version, &sigalgs))
627 return 0;
628 if (!CBB_flush(cbb))
629 return 0;
630
631 return 1;
632}
633
634int
635tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
636{
637 CBS sigalgs;
638
639 if (ssl_effective_tls_version(s) < TLS1_3_VERSION0x0304)
640 return 0;
641
642 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
643 return 0;
644 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64)
645 return 0;
646 if (!CBS_stow(&sigalgs, &S3I(s)(s->s3->internal)->hs.sigalgs, &S3I(s)(s->s3->internal)->hs.sigalgs_len))
647 return 0;
648
649 return 1;
650}
651
652/*
653 * Server Name Indication - RFC 6066, section 3.
654 */
655int
656tlsext_sni_client_needs(SSL *s, uint16_t msg_type)
657{
658 return (s->tlsext_hostname != NULL((void*)0));
659}
660
661int
662tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
663{
664 CBB server_name_list, host_name;
665
666 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
667 return 0;
668 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name0))
669 return 0;
670 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
671 return 0;
672 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
673 strlen(s->tlsext_hostname)))
674 return 0;
675 if (!CBB_flush(cbb))
676 return 0;
677
678 return 1;
679}
680
681static int
682tlsext_sni_is_ip_literal(CBS *cbs, int *is_ip)
683{
684 union {
685 struct in_addr ip4;
686 struct in6_addr ip6;
687 } addrbuf;
688 char *hostname = NULL((void*)0);
689
690 *is_ip = 0;
691
692 if (!CBS_strdup(cbs, &hostname))
693 return 0;
694
695 if (inet_pton(AF_INET2, hostname, &addrbuf) == 1 ||
696 inet_pton(AF_INET624, hostname, &addrbuf) == 1)
697 *is_ip = 1;
698
699 free(hostname);
700
701 return 1;
702}
703
704/*
705 * Validate that the CBS contains only a hostname consisting of RFC 5890
706 * compliant A-labels (see RFC 6066 section 3). Not a complete check
707 * since we don't parse punycode to verify its validity but limits to
708 * correct structure and character set.
709 */
710int
711tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip)
712{
713 uint8_t prev, c = 0;
714 int component = 0;
715 CBS hostname;
716
717 CBS_dup(cbs, &hostname);
718
719 if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name255)
13
Assuming the condition is true
14
Taking true branch
720 return 0;
15
Returning without writing to '*is_ip'
16
Returning zero, which participates in a condition later
721
722 /* An IP literal is invalid as a host name (RFC 6066 section 3). */
723 if (!tlsext_sni_is_ip_literal(&hostname, is_ip))
724 return 0;
725 if (*is_ip)
726 return 0;
727
728 while (CBS_len(&hostname) > 0) {
729 prev = c;
730 if (!CBS_get_u8(&hostname, &c))
731 return 0;
732 /* Everything has to be ASCII, with no NUL byte. */
733 if (!isascii(c) || c == '\0')
734 return 0;
735 /* It must be alphanumeric, a '-', or a '.' */
736 if (!isalnum(c) && c != '-' && c != '.')
737 return 0;
738 /* '-' and '.' must not start a component or be at the end. */
739 if (component == 0 || CBS_len(&hostname) == 0) {
740 if (c == '-' || c == '.')
741 return 0;
742 }
743 if (c == '.') {
744 /* Components can not end with a dash. */
745 if (prev == '-')
746 return 0;
747 /* Start new component */
748 component = 0;
749 continue;
750 }
751 /* Components must be 63 chars or less. */
752 if (++component > 63)
753 return 0;
754 }
755
756 return 1;
757}
758
759int
760tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
761{
762 CBS server_name_list, host_name;
763 uint8_t name_type;
764 int is_ip;
1
'is_ip' declared without an initial value
765
766 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
2
Assuming the condition is false
3
Taking false branch
767 goto err;
768
769 if (!CBS_get_u8(&server_name_list, &name_type))
4
Assuming the condition is false
5
Taking false branch
770 goto err;
771
772 /*
773 * RFC 6066 section 3, only one type (host_name) is specified.
774 * We do not tolerate unknown types, neither does BoringSSL.
775 * other implementations appear more tolerant.
776 */
777 if (name_type != TLSEXT_NAMETYPE_host_name0) {
6
Assuming 'name_type' is equal to TLSEXT_NAMETYPE_host_name
7
Taking false branch
778 *alert = SSL_AD_ILLEGAL_PARAMETER47;
779 goto err;
780 }
781
782 /*
783 * RFC 6066 section 3 specifies a host name must be at least 1 byte
784 * so 0 length is a decode error.
785 */
786 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
8
Assuming the condition is false
9
Taking false branch
787 goto err;
788 if (CBS_len(&host_name) < 1)
10
Assuming the condition is false
11
Taking false branch
789 goto err;
790
791 if (!tlsext_sni_is_valid_hostname(&host_name, &is_ip)) {
12
Calling 'tlsext_sni_is_valid_hostname'
17
Returning from 'tlsext_sni_is_valid_hostname'
18
Taking true branch
792 /*
793 * Various pieces of software have been known to set the SNI
794 * host name to an IP address, even though that violates the
795 * RFC. If this is the case, pretend the SNI extension does
796 * not exist.
797 */
798 if (is_ip)
19
Branch condition evaluates to a garbage value
799 goto done;
800
801 *alert = SSL_AD_ILLEGAL_PARAMETER47;
802 goto err;
803 }
804
805 if (s->internal->hit || S3I(s)(s->s3->internal)->hs.tls13.hrr) {
806 if (s->session->tlsext_hostname == NULL((void*)0)) {
807 *alert = SSL_AD_UNRECOGNIZED_NAME112;
808 goto err;
809 }
810 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
811 strlen(s->session->tlsext_hostname))) {
812 *alert = SSL_AD_UNRECOGNIZED_NAME112;
813 goto err;
814 }
815 } else {
816 if (s->session->tlsext_hostname != NULL((void*)0))
817 goto err;
818 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
819 *alert = SSL_AD_INTERNAL_ERROR80;
820 goto err;
821 }
822 }
823
824 done:
825 /*
826 * RFC 6066 section 3 forbids multiple host names with the same type,
827 * therefore we allow only one entry.
828 */
829 if (CBS_len(&server_name_list) != 0) {
830 *alert = SSL_AD_ILLEGAL_PARAMETER47;
831 goto err;
832 }
833 if (CBS_len(cbs) != 0)
834 goto err;
835
836 return 1;
837
838 err:
839 return 0;
840}
841
842int
843tlsext_sni_server_needs(SSL *s, uint16_t msg_type)
844{
845 if (s->internal->hit)
846 return 0;
847
848 return (s->session->tlsext_hostname != NULL((void*)0));
849}
850
851int
852tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
853{
854 return 1;
855}
856
857int
858tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
859{
860 if (s->tlsext_hostname == NULL((void*)0) || CBS_len(cbs) != 0) {
861 *alert = SSL_AD_UNRECOGNIZED_NAME112;
862 return 0;
863 }
864
865 if (s->internal->hit) {
866 if (s->session->tlsext_hostname == NULL((void*)0)) {
867 *alert = SSL_AD_UNRECOGNIZED_NAME112;
868 return 0;
869 }
870 if (strcmp(s->tlsext_hostname,
871 s->session->tlsext_hostname) != 0) {
872 *alert = SSL_AD_UNRECOGNIZED_NAME112;
873 return 0;
874 }
875 } else {
876 if (s->session->tlsext_hostname != NULL((void*)0)) {
877 *alert = SSL_AD_DECODE_ERROR50;
878 return 0;
879 }
880 if ((s->session->tlsext_hostname =
881 strdup(s->tlsext_hostname)) == NULL((void*)0)) {
882 *alert = SSL_AD_INTERNAL_ERROR80;
883 return 0;
884 }
885 }
886
887 return 1;
888}
889
890
891/*
892 * Certificate Status Request - RFC 6066 section 8.
893 */
894
895int
896tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
897{
898 if (msg_type != SSL_TLSEXT_MSG_CH0x0001)
899 return 0;
900
901 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp1);
902}
903
904int
905tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
906{
907 CBB respid_list, respid, exts;
908 unsigned char *ext_data;
909 size_t ext_len;
910 int i;
911
912 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp1))
913 return 0;
914 if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
915 return 0;
916 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids)sk_num(((_STACK*) (1 ? (s->internal->tlsext_ocsp_ids) :
(struct stack_st_OCSP_RESPID*)0))); i++) {
917 unsigned char *respid_data;
918 OCSP_RESPID *id;
919 size_t id_len;
920
921 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,((OCSP_RESPID *)sk_value(((_STACK*) (1 ? (s->internal->
tlsext_ocsp_ids) : (struct stack_st_OCSP_RESPID*)0)), (i)))
922 i)((OCSP_RESPID *)sk_value(((_STACK*) (1 ? (s->internal->
tlsext_ocsp_ids) : (struct stack_st_OCSP_RESPID*)0)), (i)))) == NULL((void*)0))
923 return 0;
924 if ((id_len = i2d_OCSP_RESPID(id, NULL((void*)0))) == -1)
925 return 0;
926 if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
927 return 0;
928 if (!CBB_add_space(&respid, &respid_data, id_len))
929 return 0;
930 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
931 return 0;
932 }
933 if (!CBB_add_u16_length_prefixed(cbb, &exts))
934 return 0;
935 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
936 NULL((void*)0))) == -1)
937 return 0;
938 if (!CBB_add_space(&exts, &ext_data, ext_len))
939 return 0;
940 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
941 ext_len))
942 return 0;
943 if (!CBB_flush(cbb))
944 return 0;
945 return 1;
946}
947
948int
949tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
950{
951 int alert_desc = SSL_AD_DECODE_ERROR50;
952 CBS respid_list, respid, exts;
953 const unsigned char *p;
954 uint8_t status_type;
955 int ret = 0;
956
957 if (msg_type != SSL_TLSEXT_MSG_CH0x0001)
958 goto err;
959
960 if (!CBS_get_u8(cbs, &status_type))
961 goto err;
962 if (status_type != TLSEXT_STATUSTYPE_ocsp1) {
963 /* ignore unknown status types */
964 s->tlsext_status_type = -1;
965
966 if (!CBS_skip(cbs, CBS_len(cbs))) {
967 *alert = SSL_AD_INTERNAL_ERROR80;
968 return 0;
969 }
970 return 1;
971 }
972 s->tlsext_status_type = status_type;
973 if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
974 goto err;
975
976 /* XXX */
977 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free)sk_pop_free(((_STACK*) (1 ? (s->internal->tlsext_ocsp_ids
) : (struct stack_st_OCSP_RESPID*)0)), ((void (*)(void *)) ((
1 ? (OCSP_RESPID_free) : (void (*)(OCSP_RESPID *))0))));
978 s->internal->tlsext_ocsp_ids = NULL((void*)0);
979 if (CBS_len(&respid_list) > 0) {
980 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null()((struct stack_st_OCSP_RESPID *)sk_new_null());
981 if (s->internal->tlsext_ocsp_ids == NULL((void*)0)) {
982 alert_desc = SSL_AD_INTERNAL_ERROR80;
983 goto err;
984 }
985 }
986
987 while (CBS_len(&respid_list) > 0) {
988 OCSP_RESPID *id;
989
990 if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
991 goto err;
992 p = CBS_data(&respid);
993 if ((id = d2i_OCSP_RESPID(NULL((void*)0), &p, CBS_len(&respid))) == NULL((void*)0))
994 goto err;
995 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)sk_push(((_STACK*) (1 ? (s->internal->tlsext_ocsp_ids) :
(struct stack_st_OCSP_RESPID*)0)), ((void*) (1 ? (id) : (OCSP_RESPID
*)0)))) {
996 alert_desc = SSL_AD_INTERNAL_ERROR80;
997 OCSP_RESPID_free(id);
998 goto err;
999 }
1000 }
1001
1002 /* Read in request_extensions */
1003 if (!CBS_get_u16_length_prefixed(cbs, &exts))
1004 goto err;
1005 if (CBS_len(&exts) > 0) {
1006 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,sk_pop_free(((_STACK*) (1 ? (s->internal->tlsext_ocsp_exts
) : (struct stack_st_X509_EXTENSION*)0)), ((void (*)(void *))
((1 ? (X509_EXTENSION_free) : (void (*)(X509_EXTENSION *))0)
)))
1007 X509_EXTENSION_free)sk_pop_free(((_STACK*) (1 ? (s->internal->tlsext_ocsp_exts
) : (struct stack_st_X509_EXTENSION*)0)), ((void (*)(void *))
((1 ? (X509_EXTENSION_free) : (void (*)(X509_EXTENSION *))0)
)));
1008 p = CBS_data(&exts);
1009 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL((void*)0),
1010 &p, CBS_len(&exts))) == NULL((void*)0))
1011 goto err;
1012 }
1013
1014 /* should be nothing left */
1015 if (CBS_len(cbs) > 0)
1016 goto err;
1017
1018 ret = 1;
1019 err:
1020 if (ret == 0)
1021 *alert = alert_desc;
1022 return ret;
1023}
1024
1025int
1026tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type)
1027{
1028 if (S3I(s)(s->s3->internal)->hs.negotiated_tls_version >= TLS1_3_VERSION0x0304 &&
1029 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp1 &&
1030 s->ctx->internal->tlsext_status_cb != NULL((void*)0)) {
1031 s->internal->tlsext_status_expected = 0;
1032 if (s->ctx->internal->tlsext_status_cb(s,
1033 s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK0 &&
1034 s->internal->tlsext_ocsp_resp_len > 0)
1035 s->internal->tlsext_status_expected = 1;
1036 }
1037 return s->internal->tlsext_status_expected;
1038}
1039
1040int
1041tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1042{
1043 CBB ocsp_response;
1044
1045 if (S3I(s)(s->s3->internal)->hs.negotiated_tls_version >= TLS1_3_VERSION0x0304) {
1046 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp1))
1047 return 0;
1048 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
1049 return 0;
1050 if (!CBB_add_bytes(&ocsp_response,
1051 s->internal->tlsext_ocsp_resp,
1052 s->internal->tlsext_ocsp_resp_len))
1053 return 0;
1054 if (!CBB_flush(cbb))
1055 return 0;
1056 }
1057 return 1;
1058}
1059
1060int
1061tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1062{
1063 uint8_t status_type;
1064 CBS response;
1065
1066 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION0x0304) {
1067 if (msg_type == SSL_TLSEXT_MSG_CR0x0010) {
1068 /*
1069 * RFC 8446, 4.4.2.1 - the server may request an OCSP
1070 * response with an empty status_request.
1071 */
1072 if (CBS_len(cbs) == 0)
1073 return 1;
1074
1075 SSLerror(s, SSL_R_LENGTH_MISMATCH)SSL_error_internal(s, 159, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1075);
1076 return 0;
1077 }
1078 if (!CBS_get_u8(cbs, &status_type)) {
1079 SSLerror(s, SSL_R_LENGTH_MISMATCH)SSL_error_internal(s, 159, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1079);
1080 return 0;
1081 }
1082 if (status_type != TLSEXT_STATUSTYPE_ocsp1) {
1083 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE)SSL_error_internal(s, 329, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1083);
1084 return 0;
1085 }
1086 if (!CBS_get_u24_length_prefixed(cbs, &response)) {
1087 SSLerror(s, SSL_R_LENGTH_MISMATCH)SSL_error_internal(s, 159, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1087);
1088 return 0;
1089 }
1090 if (CBS_len(&response) > 65536) {
1091 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG)SSL_error_internal(s, 146, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1091);
1092 return 0;
1093 }
1094 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
1095 &s->internal->tlsext_ocsp_resp_len)) {
1096 *alert = SSL_AD_INTERNAL_ERROR80;
1097 return 0;
1098 }
1099 } else {
1100 if (s->tlsext_status_type == -1) {
1101 *alert = SSL_AD_UNSUPPORTED_EXTENSION110;
1102 return 0;
1103 }
1104 /* Set flag to expect CertificateStatus message */
1105 s->internal->tlsext_status_expected = 1;
1106 }
1107 return 1;
1108}
1109
1110/*
1111 * SessionTicket extension - RFC 5077 section 3.2
1112 */
1113int
1114tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
1115{
1116 /*
1117 * Send session ticket extension when enabled and not overridden.
1118 *
1119 * When renegotiating, send an empty session ticket to indicate support.
1120 */
1121 if ((SSL_get_options(s)SSL_ctrl((s),32,0,((void*)0)) & SSL_OP_NO_TICKET0x00004000L) != 0)
1122 return 0;
1123
1124 if (s->internal->new_session)
1125 return 1;
1126
1127 if (s->internal->tlsext_session_ticket != NULL((void*)0) &&
1128 s->internal->tlsext_session_ticket->data == NULL((void*)0))
1129 return 0;
1130
1131 return 1;
1132}
1133
1134int
1135tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1136{
1137 /*
1138 * Signal that we support session tickets by sending an empty
1139 * extension when renegotiating or no session found.
1140 */
1141 if (s->internal->new_session || s->session == NULL((void*)0))
1142 return 1;
1143
1144 if (s->session->tlsext_tick != NULL((void*)0)) {
1145 /* Attempt to resume with an existing session ticket */
1146 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1147 s->session->tlsext_ticklen))
1148 return 0;
1149
1150 } else if (s->internal->tlsext_session_ticket != NULL((void*)0)) {
1151 /*
1152 * Attempt to resume with a custom provided session ticket set
1153 * by SSL_set_session_ticket_ext().
1154 */
1155 if (s->internal->tlsext_session_ticket->length > 0) {
1156 size_t ticklen = s->internal->tlsext_session_ticket->length;
1157
1158 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL((void*)0))
1159 return 0;
1160 memcpy(s->session->tlsext_tick,
1161 s->internal->tlsext_session_ticket->data,
1162 ticklen);
1163 s->session->tlsext_ticklen = ticklen;
1164
1165 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
1166 s->session->tlsext_ticklen))
1167 return 0;
1168 }
1169 }
1170
1171 if (!CBB_flush(cbb))
1172 return 0;
1173
1174 return 1;
1175}
1176
1177int
1178tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1179 int *alert)
1180{
1181 if (s->internal->tls_session_ticket_ext_cb) {
1182 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1183 (int)CBS_len(cbs),
1184 s->internal->tls_session_ticket_ext_cb_arg)) {
1185 *alert = SSL_AD_INTERNAL_ERROR80;
1186 return 0;
1187 }
1188 }
1189
1190 /* We need to signal that this was processed fully */
1191 if (!CBS_skip(cbs, CBS_len(cbs))) {
1192 *alert = SSL_AD_INTERNAL_ERROR80;
1193 return 0;
1194 }
1195
1196 return 1;
1197}
1198
1199int
1200tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
1201{
1202 return (s->internal->tlsext_ticket_expected &&
1203 !(SSL_get_options(s)SSL_ctrl((s),32,0,((void*)0)) & SSL_OP_NO_TICKET0x00004000L));
1204}
1205
1206int
1207tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1208{
1209 /* Empty ticket */
1210 return 1;
1211}
1212
1213int
1214tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1215 int *alert)
1216{
1217 if (s->internal->tls_session_ticket_ext_cb) {
1218 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1219 (int)CBS_len(cbs),
1220 s->internal->tls_session_ticket_ext_cb_arg)) {
1221 *alert = SSL_AD_INTERNAL_ERROR80;
1222 return 0;
1223 }
1224 }
1225
1226 if ((SSL_get_options(s)SSL_ctrl((s),32,0,((void*)0)) & SSL_OP_NO_TICKET0x00004000L) != 0 || CBS_len(cbs) > 0) {
1227 *alert = SSL_AD_UNSUPPORTED_EXTENSION110;
1228 return 0;
1229 }
1230
1231 s->internal->tlsext_ticket_expected = 1;
1232
1233 return 1;
1234}
1235
1236/*
1237 * DTLS extension for SRTP key establishment - RFC 5764
1238 */
1239
1240#ifndef OPENSSL_NO_SRTP
1241
1242int
1243tlsext_srtp_client_needs(SSL *s, uint16_t msg_type)
1244{
1245 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL((void*)0);
1246}
1247
1248int
1249tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1250{
1251 CBB profiles, mki;
1252 int ct, i;
1253 STACK_OF(SRTP_PROTECTION_PROFILE)struct stack_st_SRTP_PROTECTION_PROFILE *clnt = NULL((void*)0);
1254 const SRTP_PROTECTION_PROFILE *prof;
1255
1256 if ((clnt = SSL_get_srtp_profiles(s)) == NULL((void*)0)) {
1257 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST)SSL_error_internal(s, 354, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1257);
1258 return 0;
1259 }
1260
1261 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)sk_num(((_STACK*) (1 ? (clnt) : (struct stack_st_SRTP_PROTECTION_PROFILE
*)0)))) < 1) {
1262 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST)SSL_error_internal(s, 354, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1262);
1263 return 0;
1264 }
1265
1266 if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1267 return 0;
1268
1269 for (i = 0; i < ct; i++) {
1270 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)((SRTP_PROTECTION_PROFILE *)sk_value(((_STACK*) (1 ? (clnt) :
(struct stack_st_SRTP_PROTECTION_PROFILE*)0)), (i)))) == NULL((void*)0))
1271 return 0;
1272 if (!CBB_add_u16(&profiles, prof->id))
1273 return 0;
1274 }
1275
1276 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1277 return 0;
1278
1279 if (!CBB_flush(cbb))
1280 return 0;
1281
1282 return 1;
1283}
1284
1285int
1286tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1287{
1288 const SRTP_PROTECTION_PROFILE *cprof, *sprof;
1289 STACK_OF(SRTP_PROTECTION_PROFILE)struct stack_st_SRTP_PROTECTION_PROFILE *clnt = NULL((void*)0), *srvr;
1290 int i, j;
1291 int ret;
1292 uint16_t id;
1293 CBS profiles, mki;
1294
1295 ret = 0;
1296
1297 if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1298 goto err;
1299 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1300 goto err;
1301
1302 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()((struct stack_st_SRTP_PROTECTION_PROFILE *)sk_new_null())) == NULL((void*)0))
1303 goto err;
1304
1305 while (CBS_len(&profiles) > 0) {
1306 if (!CBS_get_u16(&profiles, &id))
1307 goto err;
1308
1309 if (!srtp_find_profile_by_num(id, &cprof)) {
1310 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof)sk_push(((_STACK*) (1 ? (clnt) : (struct stack_st_SRTP_PROTECTION_PROFILE
*)0)), ((void*) (1 ? (cprof) : (SRTP_PROTECTION_PROFILE*)0))))
1311 goto err;
1312 }
1313 }
1314
1315 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1316 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE)SSL_error_internal(s, 352, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1316);
1317 *alert = SSL_AD_DECODE_ERROR50;
1318 goto done;
1319 }
1320 if (CBS_len(cbs) != 0)
1321 goto err;
1322
1323 /*
1324 * Per RFC 5764 section 4.1.1
1325 *
1326 * Find the server preferred profile using the client's list.
1327 *
1328 * The server MUST send a profile if it sends the use_srtp
1329 * extension. If one is not found, it should fall back to the
1330 * negotiated DTLS cipher suite or return a DTLS alert.
1331 */
1332 if ((srvr = SSL_get_srtp_profiles(s)) == NULL((void*)0))
1333 goto err;
1334 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr)sk_num(((_STACK*) (1 ? (srvr) : (struct stack_st_SRTP_PROTECTION_PROFILE
*)0))); i++) {
1335 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)((SRTP_PROTECTION_PROFILE *)sk_value(((_STACK*) (1 ? (srvr) :
(struct stack_st_SRTP_PROTECTION_PROFILE*)0)), (i))))
1336 == NULL((void*)0))
1337 goto err;
1338
1339 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt)sk_num(((_STACK*) (1 ? (clnt) : (struct stack_st_SRTP_PROTECTION_PROFILE
*)0))); j++) {
1340 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j)((SRTP_PROTECTION_PROFILE *)sk_value(((_STACK*) (1 ? (clnt) :
(struct stack_st_SRTP_PROTECTION_PROFILE*)0)), (j))))
1341 == NULL((void*)0))
1342 goto err;
1343
1344 if (cprof->id == sprof->id) {
1345 s->internal->srtp_profile = sprof;
1346 ret = 1;
1347 goto done;
1348 }
1349 }
1350 }
1351
1352 /* If we didn't find anything, fall back to the negotiated */
1353 ret = 1;
1354 goto done;
1355
1356 err:
1357 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST)SSL_error_internal(s, 353, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1357);
1358 *alert = SSL_AD_DECODE_ERROR50;
1359
1360 done:
1361 sk_SRTP_PROTECTION_PROFILE_free(clnt)sk_free(((_STACK*) (1 ? (clnt) : (struct stack_st_SRTP_PROTECTION_PROFILE
*)0)));
1362 return ret;
1363}
1364
1365int
1366tlsext_srtp_server_needs(SSL *s, uint16_t msg_type)
1367{
1368 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL((void*)0);
1369}
1370
1371int
1372tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1373{
1374 SRTP_PROTECTION_PROFILE *profile;
1375 CBB srtp, mki;
1376
1377 if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1378 return 0;
1379
1380 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL((void*)0))
1381 return 0;
1382
1383 if (!CBB_add_u16(&srtp, profile->id))
1384 return 0;
1385
1386 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1387 return 0;
1388
1389 if (!CBB_flush(cbb))
1390 return 0;
1391
1392 return 1;
1393}
1394
1395int
1396tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1397{
1398 STACK_OF(SRTP_PROTECTION_PROFILE)struct stack_st_SRTP_PROTECTION_PROFILE *clnt;
1399 const SRTP_PROTECTION_PROFILE *prof;
1400 int i;
1401 uint16_t id;
1402 CBS profile_ids, mki;
1403
1404 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1405 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST)SSL_error_internal(s, 353, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1405);
1406 goto err;
1407 }
1408
1409 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1410 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST)SSL_error_internal(s, 353, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1410);
1411 goto err;
1412 }
1413
1414 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1415 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE)SSL_error_internal(s, 352, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1415);
1416 *alert = SSL_AD_ILLEGAL_PARAMETER47;
1417 return 0;
1418 }
1419
1420 if ((clnt = SSL_get_srtp_profiles(s)) == NULL((void*)0)) {
1421 SSLerror(s, SSL_R_NO_SRTP_PROFILES)SSL_error_internal(s, 359, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1421);
1422 goto err;
1423 }
1424
1425 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt)sk_num(((_STACK*) (1 ? (clnt) : (struct stack_st_SRTP_PROTECTION_PROFILE
*)0))); i++) {
1426 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)((SRTP_PROTECTION_PROFILE *)sk_value(((_STACK*) (1 ? (clnt) :
(struct stack_st_SRTP_PROTECTION_PROFILE*)0)), (i))))
1427 == NULL((void*)0)) {
1428 SSLerror(s, SSL_R_NO_SRTP_PROFILES)SSL_error_internal(s, 359, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1428);
1429 goto err;
1430 }
1431
1432 if (prof->id == id) {
1433 s->internal->srtp_profile = prof;
1434 return 1;
1435 }
1436 }
1437
1438 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST)SSL_error_internal(s, 353, "/usr/src/lib/libssl/ssl_tlsext.c"
, 1438);
1439 err:
1440 *alert = SSL_AD_DECODE_ERROR50;
1441 return 0;
1442}
1443
1444#endif /* OPENSSL_NO_SRTP */
1445
1446/*
1447 * TLSv1.3 Key Share - RFC 8446 section 4.2.8.
1448 */
1449int
1450tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1451{
1452 return (S3I(s)(s->s3->internal)->hs.our_max_tls_version >= TLS1_3_VERSION0x0304);
1453}
1454
1455int
1456tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1457{
1458 CBB client_shares, key_exchange;
1459
1460 if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
1461 return 0;
1462
1463 if (!CBB_add_u16(&client_shares,
1464 tls_key_share_group(S3I(s)(s->s3->internal)->hs.key_share)))
1465 return 0;
1466 if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
1467 return 0;
1468 if (!tls_key_share_public(S3I(s)(s->s3->internal)->hs.key_share, &key_exchange))
1469 return 0;
1470
1471 if (!CBB_flush(cbb))
1472 return 0;
1473
1474 return 1;
1475}
1476
1477int
1478tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1479{
1480 CBS client_shares, key_exchange;
1481 int decode_error;
1482 uint16_t group;
1483
1484 if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1485 return 0;
1486
1487 while (CBS_len(&client_shares) > 0) {
1488
1489 /* Unpack client share. */
1490 if (!CBS_get_u16(&client_shares, &group))
1491 return 0;
1492 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1493 return 0;
1494
1495 /*
1496 * XXX - check key exchange against supported groups from client.
1497 * XXX - check that groups only appear once.
1498 */
1499
1500 /*
1501 * Ignore this client share if we're using earlier than TLSv1.3
1502 * or we've already selected a key share.
1503 */
1504 if (S3I(s)(s->s3->internal)->hs.our_max_tls_version < TLS1_3_VERSION0x0304)
1505 continue;
1506 if (S3I(s)(s->s3->internal)->hs.key_share != NULL((void*)0))
1507 continue;
1508
1509 /* XXX - consider implementing server preference. */
1510 if (!tls1_check_curve(s, group))
1511 continue;
1512
1513 /* Decode and store the selected key share. */
1514 if ((S3I(s)(s->s3->internal)->hs.key_share = tls_key_share_new(group)) == NULL((void*)0)) {
1515 *alert = SSL_AD_INTERNAL_ERROR80;
1516 return 0;
1517 }
1518 if (!tls_key_share_peer_public(S3I(s)(s->s3->internal)->hs.key_share,
1519 &key_exchange, &decode_error, NULL((void*)0))) {
1520 if (!decode_error)
1521 *alert = SSL_AD_INTERNAL_ERROR80;
1522 return 0;
1523 }
1524 }
1525
1526 return 1;
1527}
1528
1529int
1530tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
1531{
1532 return (S3I(s)(s->s3->internal)->hs.negotiated_tls_version >= TLS1_3_VERSION0x0304 &&
1533 tlsext_extension_seen(s, TLSEXT_TYPE_key_share51));
1534}
1535
1536int
1537tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1538{
1539 CBB key_exchange;
1540
1541 /* In the case of a HRR, we only send the server selected group. */
1542 if (S3I(s)(s->s3->internal)->hs.tls13.hrr) {
1543 if (S3I(s)(s->s3->internal)->hs.tls13.server_group == 0)
1544 return 0;
1545 return CBB_add_u16(cbb, S3I(s)(s->s3->internal)->hs.tls13.server_group);
1546 }
1547
1548 if (S3I(s)(s->s3->internal)->hs.key_share == NULL((void*)0))
1549 return 0;
1550
1551 if (!CBB_add_u16(cbb, tls_key_share_group(S3I(s)(s->s3->internal)->hs.key_share)))
1552 return 0;
1553 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
1554 return 0;
1555 if (!tls_key_share_public(S3I(s)(s->s3->internal)->hs.key_share, &key_exchange))
1556 return 0;
1557
1558 if (!CBB_flush(cbb))
1559 return 0;
1560
1561 return 1;
1562}
1563
1564int
1565tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1566{
1567 CBS key_exchange;
1568 int decode_error;
1569 uint16_t group;
1570
1571 /* Unpack server share. */
1572 if (!CBS_get_u16(cbs, &group))
1573 return 0;
1574
1575 if (CBS_len(cbs) == 0) {
1576 /* HRR does not include an actual key share, only the group. */
1577 if (msg_type != SSL_TLSEXT_MSG_HRR0x0040)
1578 return 0;
1579
1580 S3I(s)(s->s3->internal)->hs.tls13.server_group = group;
1581 return 1;
1582 }
1583
1584 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1585 return 0;
1586
1587 if (S3I(s)(s->s3->internal)->hs.key_share == NULL((void*)0)) {
1588 *alert = SSL_AD_INTERNAL_ERROR80;
1589 return 0;
1590 }
1591 if (tls_key_share_group(S3I(s)(s->s3->internal)->hs.key_share) != group) {
1592 *alert = SSL_AD_INTERNAL_ERROR80;
1593 return 0;
1594 }
1595 if (!tls_key_share_peer_public(S3I(s)(s->s3->internal)->hs.key_share,
1596 &key_exchange, &decode_error, NULL((void*)0))) {
1597 if (!decode_error)
1598 *alert = SSL_AD_INTERNAL_ERROR80;
1599 return 0;
1600 }
1601
1602 return 1;
1603}
1604
1605/*
1606 * Supported Versions - RFC 8446 section 4.2.1.
1607 */
1608int
1609tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
1610{
1611 return (S3I(s)(s->s3->internal)->hs.our_max_tls_version >= TLS1_3_VERSION0x0304);
1612}
1613
1614int
1615tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1616{
1617 uint16_t max, min;
1618 uint16_t version;
1619 CBB versions;
1620
1621 max = S3I(s)(s->s3->internal)->hs.our_max_tls_version;
1622 min = S3I(s)(s->s3->internal)->hs.our_min_tls_version;
1623
1624 if (!CBB_add_u8_length_prefixed(cbb, &versions))
1625 return 0;
1626
1627 /* XXX - fix, but contiguous for now... */
1628 for (version = max; version >= min; version--) {
1629 if (!CBB_add_u16(&versions, version))
1630 return 0;
1631 }
1632
1633 if (!CBB_flush(cbb))
1634 return 0;
1635
1636 return 1;
1637}
1638
1639int
1640tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1641{
1642 CBS versions;
1643 uint16_t version;
1644 uint16_t max, min;
1645 uint16_t matched_version = 0;
1646
1647 max = S3I(s)(s->s3->internal)->hs.our_max_tls_version;
1648 min = S3I(s)(s->s3->internal)->hs.our_min_tls_version;
1649
1650 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1651 goto err;
1652
1653 while (CBS_len(&versions) > 0) {
1654 if (!CBS_get_u16(&versions, &version))
1655 goto err;
1656 /*
1657 * XXX What is below implements client preference, and
1658 * ignores any server preference entirely.
1659 */
1660 if (matched_version == 0 && version >= min && version <= max)
1661 matched_version = version;
1662 }
1663
1664 if (matched_version > 0) {
1665 /* XXX - this should be stored for later processing. */
1666 s->version = matched_version;
1667 return 1;
1668 }
1669
1670 *alert = SSL_AD_PROTOCOL_VERSION70;
1671 return 0;
1672
1673 err:
1674 *alert = SSL_AD_DECODE_ERROR50;
1675 return 0;
1676}
1677
1678int
1679tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
1680{
1681 return (S3I(s)(s->s3->internal)->hs.negotiated_tls_version >= TLS1_3_VERSION0x0304);
1682}
1683
1684int
1685tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1686{
1687 return CBB_add_u16(cbb, TLS1_3_VERSION0x0304);
1688}
1689
1690int
1691tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1692{
1693 uint16_t selected_version;
1694
1695 if (!CBS_get_u16(cbs, &selected_version)) {
1696 *alert = SSL_AD_DECODE_ERROR50;
1697 return 0;
1698 }
1699
1700 /* XXX - need to fix for DTLS 1.3 */
1701 if (selected_version < TLS1_3_VERSION0x0304) {
1702 *alert = SSL_AD_ILLEGAL_PARAMETER47;
1703 return 0;
1704 }
1705
1706 /* XXX test between min and max once initialization code goes in */
1707 S3I(s)(s->s3->internal)->hs.tls13.server_version = selected_version;
1708
1709 return 1;
1710}
1711
1712
1713/*
1714 * Cookie - RFC 8446 section 4.2.2.
1715 */
1716
1717int
1718tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
1719{
1720 return (S3I(s)(s->s3->internal)->hs.our_max_tls_version >= TLS1_3_VERSION0x0304 &&
1721 S3I(s)(s->s3->internal)->hs.tls13.cookie_len > 0 && S3I(s)(s->s3->internal)->hs.tls13.cookie != NULL((void*)0));
1722}
1723
1724int
1725tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1726{
1727 CBB cookie;
1728
1729 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1730 return 0;
1731
1732 if (!CBB_add_bytes(&cookie, S3I(s)(s->s3->internal)->hs.tls13.cookie,
1733 S3I(s)(s->s3->internal)->hs.tls13.cookie_len))
1734 return 0;
1735
1736 if (!CBB_flush(cbb))
1737 return 0;
1738
1739 return 1;
1740}
1741
1742int
1743tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1744{
1745 CBS cookie;
1746
1747 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1748 goto err;
1749
1750 if (CBS_len(&cookie) != S3I(s)(s->s3->internal)->hs.tls13.cookie_len)
1751 goto err;
1752
1753 /*
1754 * Check provided cookie value against what server previously
1755 * sent - client *MUST* send the same cookie with new CR after
1756 * a cookie is sent by the server with an HRR.
1757 */
1758 if (!CBS_mem_equal(&cookie, S3I(s)(s->s3->internal)->hs.tls13.cookie,
1759 S3I(s)(s->s3->internal)->hs.tls13.cookie_len)) {
1760 /* XXX special cookie mismatch alert? */
1761 *alert = SSL_AD_ILLEGAL_PARAMETER47;
1762 return 0;
1763 }
1764
1765 return 1;
1766
1767 err:
1768 *alert = SSL_AD_DECODE_ERROR50;
1769 return 0;
1770}
1771
1772int
1773tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
1774{
1775 /*
1776 * Server needs to set cookie value in tls13 handshake
1777 * in order to send one, should only be sent with HRR.
1778 */
1779 return (S3I(s)(s->s3->internal)->hs.our_max_tls_version >= TLS1_3_VERSION0x0304 &&
1780 S3I(s)(s->s3->internal)->hs.tls13.cookie_len > 0 && S3I(s)(s->s3->internal)->hs.tls13.cookie != NULL((void*)0));
1781}
1782
1783int
1784tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1785{
1786 CBB cookie;
1787
1788 /* XXX deduplicate with client code */
1789
1790 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1791 return 0;
1792
1793 if (!CBB_add_bytes(&cookie, S3I(s)(s->s3->internal)->hs.tls13.cookie,
1794 S3I(s)(s->s3->internal)->hs.tls13.cookie_len))
1795 return 0;
1796
1797 if (!CBB_flush(cbb))
1798 return 0;
1799
1800 return 1;
1801}
1802
1803int
1804tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1805{
1806 CBS cookie;
1807
1808 /*
1809 * XXX This currently assumes we will not get a second
1810 * HRR from a server with a cookie to process after accepting
1811 * one from the server in the same handshake
1812 */
1813 if (S3I(s)(s->s3->internal)->hs.tls13.cookie != NULL((void*)0) ||
1814 S3I(s)(s->s3->internal)->hs.tls13.cookie_len != 0) {
1815 *alert = SSL_AD_ILLEGAL_PARAMETER47;
1816 return 0;
1817 }
1818
1819 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1820 goto err;
1821
1822 if (!CBS_stow(&cookie, &S3I(s)(s->s3->internal)->hs.tls13.cookie,
1823 &S3I(s)(s->s3->internal)->hs.tls13.cookie_len))
1824 goto err;
1825
1826 return 1;
1827
1828 err:
1829 *alert = SSL_AD_DECODE_ERROR50;
1830 return 0;
1831}
1832
1833struct tls_extension_funcs {
1834 int (*needs)(SSL *s, uint16_t msg_type);
1835 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
1836 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
1837};
1838
1839struct tls_extension {
1840 uint16_t type;
1841 uint16_t messages;
1842 struct tls_extension_funcs client;
1843 struct tls_extension_funcs server;
1844};
1845
1846static const struct tls_extension tls_extensions[] = {
1847 {
1848 .type = TLSEXT_TYPE_supported_versions43,
1849 .messages = SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_SH0x0002 |
1850 SSL_TLSEXT_MSG_HRR0x0040,
1851 .client = {
1852 .needs = tlsext_versions_client_needs,
1853 .build = tlsext_versions_client_build,
1854 .parse = tlsext_versions_client_parse,
1855 },
1856 .server = {
1857 .needs = tlsext_versions_server_needs,
1858 .build = tlsext_versions_server_build,
1859 .parse = tlsext_versions_server_parse,
1860 },
1861 },
1862 {
1863 .type = TLSEXT_TYPE_key_share51,
1864 .messages = SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_SH0x0002 |
1865 SSL_TLSEXT_MSG_HRR0x0040,
1866 .client = {
1867 .needs = tlsext_keyshare_client_needs,
1868 .build = tlsext_keyshare_client_build,
1869 .parse = tlsext_keyshare_client_parse,
1870 },
1871 .server = {
1872 .needs = tlsext_keyshare_server_needs,
1873 .build = tlsext_keyshare_server_build,
1874 .parse = tlsext_keyshare_server_parse,
1875 },
1876 },
1877 {
1878 .type = TLSEXT_TYPE_server_name0,
1879 .messages = SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_EE0x0004,
1880 .client = {
1881 .needs = tlsext_sni_client_needs,
1882 .build = tlsext_sni_client_build,
1883 .parse = tlsext_sni_client_parse,
1884 },
1885 .server = {
1886 .needs = tlsext_sni_server_needs,
1887 .build = tlsext_sni_server_build,
1888 .parse = tlsext_sni_server_parse,
1889 },
1890 },
1891 {
1892 .type = TLSEXT_TYPE_renegotiate0xff01,
1893 .messages = SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_SH0x0002,
1894 .client = {
1895 .needs = tlsext_ri_client_needs,
1896 .build = tlsext_ri_client_build,
1897 .parse = tlsext_ri_client_parse,
1898 },
1899 .server = {
1900 .needs = tlsext_ri_server_needs,
1901 .build = tlsext_ri_server_build,
1902 .parse = tlsext_ri_server_parse,
1903 },
1904 },
1905 {
1906 .type = TLSEXT_TYPE_status_request5,
1907 .messages = SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_CR0x0010 |
1908 SSL_TLSEXT_MSG_CT0x0008,
1909 .client = {
1910 .needs = tlsext_ocsp_client_needs,
1911 .build = tlsext_ocsp_client_build,
1912 .parse = tlsext_ocsp_client_parse,
1913 },
1914 .server = {
1915 .needs = tlsext_ocsp_server_needs,
1916 .build = tlsext_ocsp_server_build,
1917 .parse = tlsext_ocsp_server_parse,
1918 },
1919 },
1920 {
1921 .type = TLSEXT_TYPE_ec_point_formats11,
1922 .messages = SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_SH0x0002,
1923 .client = {
1924 .needs = tlsext_ecpf_client_needs,
1925 .build = tlsext_ecpf_client_build,
1926 .parse = tlsext_ecpf_client_parse,
1927 },
1928 .server = {
1929 .needs = tlsext_ecpf_server_needs,
1930 .build = tlsext_ecpf_server_build,
1931 .parse = tlsext_ecpf_server_parse,
1932 },
1933 },
1934 {
1935 .type = TLSEXT_TYPE_supported_groups10,
1936 .messages = SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_EE0x0004,
1937 .client = {
1938 .needs = tlsext_supportedgroups_client_needs,
1939 .build = tlsext_supportedgroups_client_build,
1940 .parse = tlsext_supportedgroups_client_parse,
1941 },
1942 .server = {
1943 .needs = tlsext_supportedgroups_server_needs,
1944 .build = tlsext_supportedgroups_server_build,
1945 .parse = tlsext_supportedgroups_server_parse,
1946 },
1947 },
1948 {
1949 .type = TLSEXT_TYPE_session_ticket35,
1950 .messages = SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_SH0x0002,
1951 .client = {
1952 .needs = tlsext_sessionticket_client_needs,
1953 .build = tlsext_sessionticket_client_build,
1954 .parse = tlsext_sessionticket_client_parse,
1955 },
1956 .server = {
1957 .needs = tlsext_sessionticket_server_needs,
1958 .build = tlsext_sessionticket_server_build,
1959 .parse = tlsext_sessionticket_server_parse,
1960 },
1961 },
1962 {
1963 .type = TLSEXT_TYPE_signature_algorithms13,
1964 .messages = SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_CR0x0010,
1965 .client = {
1966 .needs = tlsext_sigalgs_client_needs,
1967 .build = tlsext_sigalgs_client_build,
1968 .parse = tlsext_sigalgs_client_parse,
1969 },
1970 .server = {
1971 .needs = tlsext_sigalgs_server_needs,
1972 .build = tlsext_sigalgs_server_build,
1973 .parse = tlsext_sigalgs_server_parse,
1974 },
1975 },
1976 {
1977 .type = TLSEXT_TYPE_application_layer_protocol_negotiation16,
1978 .messages = SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_EE0x0004,
1979 .client = {
1980 .needs = tlsext_alpn_client_needs,
1981 .build = tlsext_alpn_client_build,
1982 .parse = tlsext_alpn_client_parse,
1983 },
1984 .server = {
1985 .needs = tlsext_alpn_server_needs,
1986 .build = tlsext_alpn_server_build,
1987 .parse = tlsext_alpn_server_parse,
1988 },
1989 },
1990 {
1991 .type = TLSEXT_TYPE_cookie44,
1992 .messages = SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_HRR0x0040,
1993 .client = {
1994 .needs = tlsext_cookie_client_needs,
1995 .build = tlsext_cookie_client_build,
1996 .parse = tlsext_cookie_client_parse,
1997 },
1998 .server = {
1999 .needs = tlsext_cookie_server_needs,
2000 .build = tlsext_cookie_server_build,
2001 .parse = tlsext_cookie_server_parse,
2002 },
2003 },
2004#ifndef OPENSSL_NO_SRTP
2005 {
2006 .type = TLSEXT_TYPE_use_srtp14,
2007 .messages = SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_SH0x0002 /* XXX */ |
2008 SSL_TLSEXT_MSG_EE0x0004,
2009 .client = {
2010 .needs = tlsext_srtp_client_needs,
2011 .build = tlsext_srtp_client_build,
2012 .parse = tlsext_srtp_client_parse,
2013 },
2014 .server = {
2015 .needs = tlsext_srtp_server_needs,
2016 .build = tlsext_srtp_server_build,
2017 .parse = tlsext_srtp_server_parse,
2018 },
2019 }
2020#endif /* OPENSSL_NO_SRTP */
2021};
2022
2023#define N_TLS_EXTENSIONS(sizeof(tls_extensions) / sizeof(*tls_extensions)) (sizeof(tls_extensions) / sizeof(*tls_extensions))
2024
2025/* Ensure that extensions fit in a uint32_t bitmask. */
2026CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8))extern char _ctassert[((sizeof(tls_extensions) / sizeof(*tls_extensions
)) <= (sizeof(uint32_t) * 8)) ? 1 : -1 ] __attribute__((__unused__
));
2027
2028const struct tls_extension *
2029tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
2030{
2031 size_t i;
2032
2033 for (i = 0; i < N_TLS_EXTENSIONS(sizeof(tls_extensions) / sizeof(*tls_extensions)); i++) {
2034 if (tls_extensions[i].type == type) {
2035 *tls_extensions_idx = i;
2036 return &tls_extensions[i];
2037 }
2038 }
2039
2040 return NULL((void*)0);
2041}
2042
2043int
2044tlsext_extension_seen(SSL *s, uint16_t type)
2045{
2046 size_t idx;
2047
2048 if (tls_extension_find(type, &idx) == NULL((void*)0))
2049 return 0;
2050 return ((S3I(s)(s->s3->internal)->hs.extensions_seen & (1 << idx)) != 0);
2051}
2052
2053static const struct tls_extension_funcs *
2054tlsext_funcs(const struct tls_extension *tlsext, int is_server)
2055{
2056 if (is_server)
2057 return &tlsext->server;
2058
2059 return &tlsext->client;
2060}
2061
2062static int
2063tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
2064{
2065 const struct tls_extension_funcs *ext;
2066 const struct tls_extension *tlsext;
2067 CBB extensions, extension_data;
2068 int extensions_present = 0;
2069 uint16_t tls_version;
2070 size_t i;
2071
2072 tls_version = ssl_effective_tls_version(s);
2073
2074 if (!CBB_add_u16_length_prefixed(cbb, &extensions))
2075 return 0;
2076
2077 for (i = 0; i < N_TLS_EXTENSIONS(sizeof(tls_extensions) / sizeof(*tls_extensions)); i++) {
2078 tlsext = &tls_extensions[i];
2079 ext = tlsext_funcs(tlsext, is_server);
2080
2081 /* RFC 8446 Section 4.2 */
2082 if (tls_version >= TLS1_3_VERSION0x0304 &&
2083 !(tlsext->messages & msg_type))
2084 continue;
2085
2086 if (!ext->needs(s, msg_type))
2087 continue;
2088
2089 if (!CBB_add_u16(&extensions, tlsext->type))
2090 return 0;
2091 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
2092 return 0;
2093
2094 if (!ext->build(s, msg_type, &extension_data))
2095 return 0;
2096
2097 extensions_present = 1;
2098 }
2099
2100 if (!extensions_present &&
2101 (msg_type & (SSL_TLSEXT_MSG_CH0x0001 | SSL_TLSEXT_MSG_SH0x0002)) != 0)
2102 CBB_discard_child(cbb);
2103
2104 if (!CBB_flush(cbb))
2105 return 0;
2106
2107 return 1;
2108}
2109
2110int
2111tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs)
2112{
2113 /*
2114 * RFC 8446 4.1.2. For subsequent CH, early data will be removed,
2115 * cookie may be added, padding may be removed.
2116 */
2117 struct tls13_ctx *ctx = s->internal->tls13;
2118
2119 if (type == TLSEXT_TYPE_early_data42 || type == TLSEXT_TYPE_cookie44 ||
2120 type == TLSEXT_TYPE_padding21)
2121 return 1;
2122 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
2123 sizeof(type)))
2124 return 0;
2125 /*
2126 * key_share data may be changed, and pre_shared_key data may
2127 * be changed
2128 */
2129 if (type == TLSEXT_TYPE_pre_shared_key41 || type == TLSEXT_TYPE_key_share51)
2130 return 1;
2131 if (!tls13_clienthello_hash_update(ctx, cbs))
2132 return 0;
2133
2134 return 1;
2135}
2136
2137static int
2138tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2139{
2140 const struct tls_extension_funcs *ext;
2141 const struct tls_extension *tlsext;
2142 CBS extensions, extension_data;
2143 uint16_t type;
2144 size_t idx;
2145 uint16_t tls_version;
2146 int alert_desc;
2147
2148 tls_version = ssl_effective_tls_version(s);
2149
2150 S3I(s)(s->s3->internal)->hs.extensions_seen = 0;
2151
2152 /* An empty extensions block is valid. */
2153 if (CBS_len(cbs) == 0)
2154 return 1;
2155
2156 alert_desc = SSL_AD_DECODE_ERROR50;
2157
2158 if (!CBS_get_u16_length_prefixed(cbs, &extensions))
2159 goto err;
2160
2161 while (CBS_len(&extensions) > 0) {
2162 if (!CBS_get_u16(&extensions, &type))
2163 goto err;
2164 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
2165 goto err;
2166
2167 if (s->internal->tlsext_debug_cb != NULL((void*)0))
2168 s->internal->tlsext_debug_cb(s, !is_server, type,
2169 (unsigned char *)CBS_data(&extension_data),
2170 CBS_len(&extension_data),
2171 s->internal->tlsext_debug_arg);
2172
2173 /* Unknown extensions are ignored. */
2174 if ((tlsext = tls_extension_find(type, &idx)) == NULL((void*)0))
2175 continue;
2176
2177 if (tls_version >= TLS1_3_VERSION0x0304 && is_server &&
2178 msg_type == SSL_TLSEXT_MSG_CH0x0001) {
2179 if (!tlsext_clienthello_hash_extension(s, type,
2180 &extension_data))
2181 goto err;
2182 }
2183
2184 /* RFC 8446 Section 4.2 */
2185 if (tls_version >= TLS1_3_VERSION0x0304 &&
2186 !(tlsext->messages & msg_type)) {
2187 alert_desc = SSL_AD_ILLEGAL_PARAMETER47;
2188 goto err;
2189 }
2190
2191 /* Check for duplicate known extensions. */
2192 if ((S3I(s)(s->s3->internal)->hs.extensions_seen & (1 << idx)) != 0)
2193 goto err;
2194 S3I(s)(s->s3->internal)->hs.extensions_seen |= (1 << idx);
2195
2196 ext = tlsext_funcs(tlsext, is_server);
2197 if (!ext->parse(s, msg_type, &extension_data, &alert_desc))
2198 goto err;
2199
2200 if (CBS_len(&extension_data) != 0)
2201 goto err;
2202 }
2203
2204 return 1;
2205
2206 err:
2207 *alert = alert_desc;
2208
2209 return 0;
2210}
2211
2212static void
2213tlsext_server_reset_state(SSL *s)
2214{
2215 s->tlsext_status_type = -1;
2216 S3I(s)(s->s3->internal)->renegotiate_seen = 0;
2217 free(S3I(s)(s->s3->internal)->alpn_selected);
2218 S3I(s)(s->s3->internal)->alpn_selected = NULL((void*)0);
2219 S3I(s)(s->s3->internal)->alpn_selected_len = 0;
2220 s->internal->srtp_profile = NULL((void*)0);
2221}
2222
2223int
2224tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
2225{
2226 return tlsext_build(s, 1, msg_type, cbb);
2227}
2228
2229int
2230tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2231{
2232 /* XXX - this should be done by the caller... */
2233 if (msg_type == SSL_TLSEXT_MSG_CH0x0001)
2234 tlsext_server_reset_state(s);
2235
2236 return tlsext_parse(s, 1, msg_type, cbs, alert);
2237}
2238
2239static void
2240tlsext_client_reset_state(SSL *s)
2241{
2242 S3I(s)(s->s3->internal)->renegotiate_seen = 0;
2243 free(S3I(s)(s->s3->internal)->alpn_selected);
2244 S3I(s)(s->s3->internal)->alpn_selected = NULL((void*)0);
2245 S3I(s)(s->s3->internal)->alpn_selected_len = 0;
2246}
2247
2248int
2249tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
2250{
2251 return tlsext_build(s, 0, msg_type, cbb);
2252}
2253
2254int
2255tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
2256{
2257 /* XXX - this should be done by the caller... */
2258 if (msg_type == SSL_TLSEXT_MSG_SH0x0002)
2259 tlsext_client_reset_state(s);
2260
2261 return tlsext_parse(s, 0, msg_type, cbs, alert);
2262}