]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_clnt.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix extension for various no- options
[thirdparty/openssl.git] / ssl / statem / extensions_clnt.c
CommitLineData
6dd083fd
MC		 1/*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <assert.h>
ab83e314 11#include <openssl/ocsp.h>
6dd083fd
MC		 12#include "../ssl_locl.h"
13#include "statem_locl.h"
14
1266eefd 15int tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 16{
17 /* Add RI if renegotiating */
18 if (!s->renegotiate)
19 return 1;
20
21 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
22 || !WPACKET_start_sub_packet_u16(pkt)
23 || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
24 s->s3->previous_client_finished_len)
25 || !WPACKET_close(pkt)) {
7fe97c07 26 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 27 return 0;
28 }
29
30 return 1;
31}
32
1266eefd 33int tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 34{
35 if (s->tlsext_hostname == NULL)
36 return 1;
37
38 /* Add TLS extension servername to the Client Hello message */
39 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
40 /* Sub-packet for server_name extension */
41 || !WPACKET_start_sub_packet_u16(pkt)
42 /* Sub-packet for servername list (always 1 hostname)*/
43 || !WPACKET_start_sub_packet_u16(pkt)
44 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
45 || !WPACKET_sub_memcpy_u16(pkt, s->tlsext_hostname,
46 strlen(s->tlsext_hostname))
47 || !WPACKET_close(pkt)
48 || !WPACKET_close(pkt)) {
7fe97c07 49 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 50 return 0;
51 }
52
53 return 1;
54}
55
56#ifndef OPENSSL_NO_SRP
1266eefd 57int tls_construct_ctos_srp(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 58{
59 /* Add SRP username if there is one */
60 if (s->srp_ctx.login == NULL)
61 return 1;
62
63 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
64 /* Sub-packet for SRP extension */
65 || !WPACKET_start_sub_packet_u16(pkt)
66 || !WPACKET_start_sub_packet_u8(pkt)
67 /* login must not be zero...internal error if so */
68 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
69 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
70 strlen(s->srp_ctx.login))
71 || !WPACKET_close(pkt)
72 || !WPACKET_close(pkt)) {
7fe97c07 73 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SRP, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 74 return 0;
75 }
76
77 return 1;
78}
79#endif
80
81#ifndef OPENSSL_NO_EC
82static int use_ecc(SSL *s)
83{
1266eefd 84 int i, end;
ab83e314
MC		 85 unsigned long alg_k, alg_a;
86 STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
87
88 /* See if we support any ECC ciphersuites */
89 if (s->version == SSL3_VERSION)
90 return 0;
91
ab83e314 92 cipher_stack = SSL_get_ciphers(s);
1266eefd
MC		 93 end = sk_SSL_CIPHER_num(cipher_stack);
94 for (i = 0; i < end; i++) {
ab83e314
MC		 95 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
96
97 alg_k = c->algorithm_mkey;
98 alg_a = c->algorithm_auth;
99 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
1266eefd
MC		 100 || (alg_a & SSL_aECDSA)
101 || c->min_tls >= TLS1_3_VERSION)
ab83e314 102 break;
ab83e314
MC		 103 }
104
1266eefd 105 return i < end;
ab83e314
MC		 106}
107
1266eefd 108int tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 109{
110 const unsigned char *pformats;
111 size_t num_formats;
112
113 if (!use_ecc(s))
114 return 1;
115
116 /* Add TLS extension ECPointFormats to the ClientHello message */
ab83e314
MC		 117 tls1_get_formatlist(s, &pformats, &num_formats);
118
119 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
120 /* Sub-packet for formats extension */
121 || !WPACKET_start_sub_packet_u16(pkt)
122 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
123 || !WPACKET_close(pkt)) {
7fe97c07 124 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 125 return 0;
126 }
127
128 return 1;
129}
130
131
1266eefd 132int tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 133{
134 const unsigned char *pcurves = NULL, *pcurvestmp;
135 size_t num_curves = 0, i;
136
137 if (!use_ecc(s))
138 return 1;
139
140 /*
141 * Add TLS extension supported_groups to the ClientHello message
142 */
143 /* TODO(TLS1.3): Add support for DHE groups */
144 pcurves = s->tlsext_supportedgroupslist;
145 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
7fe97c07 146 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
ab83e314
MC		 147 ERR_R_INTERNAL_ERROR);
148 return 0;
149 }
150 pcurvestmp = pcurves;
151
152 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
153 /* Sub-packet for supported_groups extension */
154 || !WPACKET_start_sub_packet_u16(pkt)
155 || !WPACKET_start_sub_packet_u16(pkt)) {
7fe97c07 156 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
ab83e314
MC		 157 ERR_R_INTERNAL_ERROR);
158 return 0;
159 }
160 /* Copy curve ID if supported */
161 for (i = 0; i < num_curves; i++, pcurvestmp += 2) {
162 if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
163 if (!WPACKET_put_bytes_u8(pkt, pcurvestmp[0])
164 || !WPACKET_put_bytes_u8(pkt, pcurvestmp[1])) {
7fe97c07 165 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
ab83e314
MC		 166 ERR_R_INTERNAL_ERROR);
167 return 0;
168 }
169 }
170 }
171 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
7fe97c07 172 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
ab83e314
MC		 173 ERR_R_INTERNAL_ERROR);
174 return 0;
175 }
176
177 return 1;
178}
179#endif
180
1266eefd 181int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 182{
183 size_t ticklen;
184
185 if (!tls_use_ticket(s))
186 return 1;
187
188 if (!s->new_session && s->session != NULL
189 && s->session->tlsext_tick != NULL) {
190 ticklen = s->session->tlsext_ticklen;
191 } else if (s->session && s->tlsext_session_ticket != NULL
192 && s->tlsext_session_ticket->data != NULL) {
193 ticklen = s->tlsext_session_ticket->length;
194 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
195 if (s->session->tlsext_tick == NULL) {
7fe97c07 196 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
ab83e314
MC		 197 ERR_R_INTERNAL_ERROR);
198 return 0;
199 }
200 memcpy(s->session->tlsext_tick,
201 s->tlsext_session_ticket->data, ticklen);
202 s->session->tlsext_ticklen = ticklen;
203 } else {
204 ticklen = 0;
205 }
206
207 if (ticklen == 0 && s->tlsext_session_ticket != NULL &&
208 s->tlsext_session_ticket->data == NULL)
209 return 1;
210
211 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
212 || !WPACKET_sub_memcpy_u16(pkt, s->session->tlsext_tick, ticklen)) {
7fe97c07 213 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 214 return 0;
215 }
216
217 return 1;
218}
219
1266eefd 220int tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 221{
222 size_t salglen;
223 const unsigned char *salg;
224
225 if (!SSL_CLIENT_USE_SIGALGS(s))
226 return 1;
227
228 salglen = tls12_get_psigalgs(s, &salg);
ab83e314
MC		 229 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
230 /* Sub-packet for sig-algs extension */
231 || !WPACKET_start_sub_packet_u16(pkt)
232 /* Sub-packet for the actual list */
233 || !WPACKET_start_sub_packet_u16(pkt)
234 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
235 || !WPACKET_close(pkt)
236 || !WPACKET_close(pkt)) {
7fe97c07 237 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 238 return 0;
239 }
240
241 return 1;
242}
243
244#ifndef OPENSSL_NO_OCSP
1266eefd 245int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 246{
247 int i;
248
249 if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp)
250 return 1;
251
252 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
253 /* Sub-packet for status request extension */
254 || !WPACKET_start_sub_packet_u16(pkt)
255 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
256 /* Sub-packet for the ids */
257 || !WPACKET_start_sub_packet_u16(pkt)) {
7fe97c07 258 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 259 return 0;
260 }
261 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
262 unsigned char *idbytes;
1266eefd
MC		 263 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
264 int idlen = i2d_OCSP_RESPID(id, NULL);
ab83e314 265
ab83e314
MC		 266 if (idlen <= 0
267 /* Sub-packet for an individual id */
268 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
269 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
7fe97c07 270 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
ab83e314
MC		 271 ERR_R_INTERNAL_ERROR);
272 return 0;
273 }
274 }
275 if (!WPACKET_close(pkt)
276 || !WPACKET_start_sub_packet_u16(pkt)) {
7fe97c07 277 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 278 return 0;
279 }
280 if (s->tlsext_ocsp_exts) {
281 unsigned char *extbytes;
282 int extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
283
284 if (extlen < 0) {
7fe97c07 285 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
ab83e314
MC		 286 ERR_R_INTERNAL_ERROR);
287 return 0;
288 }
289 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
290 || i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &extbytes)
291 != extlen) {
7fe97c07 292 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
ab83e314
MC		 293 ERR_R_INTERNAL_ERROR);
294 return 0;
295 }
296 }
297 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
7fe97c07 298 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 299 return 0;
300 }
301
302 return 1;
303}
304#endif
305
306#ifndef OPENSSL_NO_NEXTPROTONEG
1266eefd 307int tls_construct_ctos_npn(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 308{
309 if (s->ctx->next_proto_select_cb == NULL || s->s3->tmp.finish_md_len != 0)
310 return 1;
311
312 /*
313 * The client advertises an empty extension to indicate its support
314 * for Next Protocol Negotiation
315 */
316 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
317 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 318 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_NPN, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 319 return 0;
320 }
321
322 return 1;
323}
324#endif
325
1266eefd 326int tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 327{
328 s->s3->alpn_sent = 0;
329
330 /*
331 * finish_md_len is non-zero during a renegotiation, so
332 * this avoids sending ALPN during the renegotiation
333 */
334 if (s->alpn_client_proto_list == NULL || s->s3->tmp.finish_md_len != 0)
335 return 1;
336
337 if (!WPACKET_put_bytes_u16(pkt,
338 TLSEXT_TYPE_application_layer_protocol_negotiation)
339 /* Sub-packet ALPN extension */
340 || !WPACKET_start_sub_packet_u16(pkt)
341 || !WPACKET_sub_memcpy_u16(pkt, s->alpn_client_proto_list,
342 s->alpn_client_proto_list_len)
343 || !WPACKET_close(pkt)) {
7fe97c07 344 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ALPN, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 345 return 0;
346 }
347 s->s3->alpn_sent = 1;
348
349 return 1;
350}
351
352
353#ifndef OPENSSL_NO_SRTP
1266eefd 354int tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 355{
356 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
1266eefd 357 int i, end;
ab83e314
MC		 358
359 if (clnt == NULL)
360 return 1;
361
362 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
363 /* Sub-packet for SRTP extension */
364 || !WPACKET_start_sub_packet_u16(pkt)
365 /* Sub-packet for the protection profile list */
366 || !WPACKET_start_sub_packet_u16(pkt)) {
7fe97c07 367 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 368 return 0;
369 }
1266eefd
MC		 370
371 end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
372 for (i = 0; i < end; i++) {
373 const SRTP_PROTECTION_PROFILE *prof =
374 sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
375
ab83e314 376 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
7fe97c07 377 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 378 return 0;
379 }
380 }
381 if (!WPACKET_close(pkt)
382 /* Add an empty use_mki value */
383 || !WPACKET_put_bytes_u8(pkt, 0)
384 || !WPACKET_close(pkt)) {
7fe97c07 385 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 386 return 0;
387 }
388
389 return 1;
390}
391#endif
392
1266eefd 393int tls_construct_ctos_etm(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 394{
395 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
396 return 1;
397
398 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
399 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 400 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ETM, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 401 return 0;
402 }
403
404 return 1;
405}
406
407#ifndef OPENSSL_NO_CT
1266eefd 408int tls_construct_ctos_sct(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 409{
410 if (s->ct_validation_callback == NULL)
411 return 1;
412
413 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
414 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 415 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SCT, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 416 return 0;
417 }
418
419 return 1;
420}
421#endif
422
1266eefd 423int tls_construct_ctos_ems(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 424{
425 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
426 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 427 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EMS, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 428 return 0;
429 }
430
431 return 1;
432}
433
1266eefd 434int tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 435{
436 int currv, min_version, max_version, reason;
437
438 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
439 || !WPACKET_start_sub_packet_u16(pkt)
440 || !WPACKET_start_sub_packet_u8(pkt)) {
7fe97c07 441 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
ab83e314
MC		 442 ERR_R_INTERNAL_ERROR);
443 return 0;
444 }
445
446 reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
447 if (reason != 0) {
7fe97c07 448 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
ab83e314
MC		 449 return 0;
450 }
451
452 /*
453 * TODO(TLS1.3): There is some discussion on the TLS list as to wheter
454 * we should include versions <TLS1.2. For the moment we do. To be
455 * reviewed later.
456 */
457 for (currv = max_version; currv >= min_version; currv--) {
458 /* TODO(TLS1.3): Remove this first if clause prior to release!! */
459 if (currv == TLS1_3_VERSION) {
460 if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)) {
7fe97c07 461 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
ab83e314
MC		 462 ERR_R_INTERNAL_ERROR);
463 return 0;
464 }
465 } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
7fe97c07 466 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
ab83e314
MC		 467 ERR_R_INTERNAL_ERROR);
468 return 0;
469 }
470 }
471 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
7fe97c07 472 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
ab83e314
MC		 473 ERR_R_INTERNAL_ERROR);
474 return 0;
475 }
476
477 return 1;
478}
479
480
1266eefd 481int tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 482{
483 size_t i, sharessent = 0, num_curves = 0;
484 const unsigned char *pcurves = NULL;
485
486 /* key_share extension */
487 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
488 /* Extension data sub-packet */
489 || !WPACKET_start_sub_packet_u16(pkt)
490 /* KeyShare list sub-packet */
491 || !WPACKET_start_sub_packet_u16(pkt)) {
7fe97c07 492 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 493 return 0;
494 }
495
496 pcurves = s->tlsext_supportedgroupslist;
497 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
7fe97c07 498 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 499 return 0;
500 }
501
502 /*
503 * TODO(TLS1.3): Make the number of key_shares sent configurable. For
504 * now, just send one
505 */
506 for (i = 0; i < num_curves && sharessent < 1; i++, pcurves += 2) {
507 unsigned char *encodedPoint = NULL;
508 unsigned int curve_id = 0;
509 EVP_PKEY *key_share_key = NULL;
510 size_t encodedlen;
511
512 if (!tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED))
513 continue;
514
515 if (s->s3->tmp.pkey != NULL) {
516 /* Shouldn't happen! */
7fe97c07 517 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 518 return 0;
519 }
520
521 /* Generate a key for this key_share */
522 curve_id = (pcurves[0] << 8) | pcurves[1];
523 key_share_key = ssl_generate_pkey_curve(curve_id);
524 if (key_share_key == NULL) {
7fe97c07 525 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
ab83e314
MC		 526 return 0;
527 }
528
529 /* Encode the public key. */
530 encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
531 &encodedPoint);
532 if (encodedlen == 0) {
7fe97c07 533 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_EC_LIB);
ab83e314
MC		 534 EVP_PKEY_free(key_share_key);
535 return 0;
536 }
537
538 /* Create KeyShareEntry */
539 if (!WPACKET_put_bytes_u16(pkt, curve_id)
540 || !WPACKET_sub_memcpy_u16(pkt, encodedPoint, encodedlen)) {
7fe97c07 541 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 542 EVP_PKEY_free(key_share_key);
543 OPENSSL_free(encodedPoint);
544 return 0;
545 }
546
547 /*
548 * TODO(TLS1.3): When changing to send more than one key_share we're
549 * going to need to be able to save more than one EVP_PKEY. For now
550 * we reuse the existing tmp.pkey
551 */
552 s->s3->group_id = curve_id;
553 s->s3->tmp.pkey = key_share_key;
554 sharessent++;
555 OPENSSL_free(encodedPoint);
556 }
557
558 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
7fe97c07 559 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 560 return 0;
561 }
562
563 return 1;
564}
565
1266eefd
MC		 566#define F5_WORKAROUND_MIN_MSG_LEN 0xff
567#define F5_WORKAROUND_MAX_MSG_LEN 0x200
568
569int tls_construct_ctos_padding(SSL *s, WPACKET *pkt, int *al)
ab83e314
MC		 570{
571 unsigned char *padbytes;
572 size_t hlen;
573
574 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
575 return 1;
576
577 /*
578 * Add padding to workaround bugs in F5 terminators. See
579 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1266eefd 580 * code calculates the length of all existing extensions it MUST always
ab83e314
MC		 581 * appear last.
582 */
583 if (!WPACKET_get_total_written(pkt, &hlen)) {
7fe97c07 584 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 585 return 0;
586 }
587
1266eefd
MC		 588 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
589 /* Calculate the amond of padding we need to add */
590 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
591
592 /*
593 * Take off the size of extension header itself (2 bytes for type and
594 * 2 bytes for length bytes)
595 */
ab83e314
MC		 596 if (hlen >= 4)
597 hlen -= 4;
598 else
599 hlen = 0;
600
601 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
602 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
7fe97c07 603 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR);
ab83e314
MC		 604 return 0;
605 }
606 memset(padbytes, 0, hlen);
607 }
608
609 return 1;
610}
611
6dd083fd
MC		 612/*
613 * Parse the server's renegotiation binding and abort if it's not right
614 */
1266eefd 615int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, int *al)
6dd083fd
MC		 616{
617 size_t expected_len = s->s3->previous_client_finished_len
618 + s->s3->previous_server_finished_len;
619 size_t ilen;
620 const unsigned char *data;
621
622 /* Check for logic errors */
623 assert(expected_len == 0 || s->s3->previous_client_finished_len != 0);
624 assert(expected_len == 0 || s->s3->previous_server_finished_len != 0);
625
626 /* Parse the length byte */
627 if (!PACKET_get_1_len(pkt, &ilen)) {
7fe97c07 628 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
6dd083fd
MC		 629 SSL_R_RENEGOTIATION_ENCODING_ERR);
630 *al = SSL_AD_ILLEGAL_PARAMETER;
631 return 0;
632 }
633
634 /* Consistency check */
635 if (PACKET_remaining(pkt) != ilen) {
7fe97c07 636 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
6dd083fd
MC		 637 SSL_R_RENEGOTIATION_ENCODING_ERR);
638 *al = SSL_AD_ILLEGAL_PARAMETER;
639 return 0;
640 }
641
642 /* Check that the extension matches */
643 if (ilen != expected_len) {
7fe97c07 644 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
6dd083fd
MC		 645 SSL_R_RENEGOTIATION_MISMATCH);
646 *al = SSL_AD_HANDSHAKE_FAILURE;
647 return 0;
648 }
649
650 if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len)
651 || memcmp(data, s->s3->previous_client_finished,
652 s->s3->previous_client_finished_len) != 0) {
7fe97c07 653 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
6dd083fd
MC		 654 SSL_R_RENEGOTIATION_MISMATCH);
655 *al = SSL_AD_HANDSHAKE_FAILURE;
656 return 0;
657 }
658
659 if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len)
660 || memcmp(data, s->s3->previous_server_finished,
661 s->s3->previous_server_finished_len) != 0) {
7fe97c07 662 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
6dd083fd
MC		 663 SSL_R_RENEGOTIATION_MISMATCH);
664 *al = SSL_AD_ILLEGAL_PARAMETER;
665 return 0;
666 }
667 s->s3->send_connection_binding = 1;
668
669 return 1;
670}
671
1266eefd 672int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, int *al)
6dd083fd
MC		 673{
674 if (s->tlsext_hostname == NULL || PACKET_remaining(pkt) > 0) {
675 *al = SSL_AD_UNRECOGNIZED_NAME;
676 return 0;
677 }
678
679 if (!s->hit) {
680 if (s->session->tlsext_hostname != NULL) {
681 *al = SSL_AD_INTERNAL_ERROR;
682 return 0;
683 }
684 s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
685 if (s->session->tlsext_hostname == NULL) {
686 *al = SSL_AD_INTERNAL_ERROR;
687 return 0;
688 }
689 }
690
691 return 1;
692}
693
694#ifndef OPENSSL_NO_EC
1266eefd 695int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, int *al)
6dd083fd
MC		 696{
697 unsigned int ecpointformatlist_length;
698 PACKET ecptformatlist;
699
700 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
701 *al = SSL_AD_DECODE_ERROR;
702 return 0;
703 }
704 if (!s->hit) {
705 ecpointformatlist_length = PACKET_remaining(&ecptformatlist);
706 s->session->tlsext_ecpointformatlist_length = 0;
707
708 OPENSSL_free(s->session->tlsext_ecpointformatlist);
709 s->session->tlsext_ecpointformatlist =
710 OPENSSL_malloc(ecpointformatlist_length);
711 if (s->session->tlsext_ecpointformatlist == NULL) {
712 *al = SSL_AD_INTERNAL_ERROR;
713 return 0;
714 }
715
716 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
717
718 if (!PACKET_copy_bytes(&ecptformatlist,
719 s->session->tlsext_ecpointformatlist,
720 ecpointformatlist_length)) {
721 *al = SSL_AD_INTERNAL_ERROR;
722 return 0;
723 }
724 }
725
726 return 1;
727}
728#endif
729
1266eefd 730int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, int *al)
6dd083fd 731{
1266eefd 732 if (s->tls_session_ticket_ext_cb != NULL &&
6dd083fd
MC		 733 !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
734 PACKET_remaining(pkt),
735 s->tls_session_ticket_ext_cb_arg)) {
736 *al = SSL_AD_INTERNAL_ERROR;
737 return 0;
738 }
1266eefd 739
6dd083fd
MC		 740 if (!tls_use_ticket(s) || PACKET_remaining(pkt) > 0) {
741 *al = SSL_AD_UNSUPPORTED_EXTENSION;
742 return 0;
743 }
1266eefd 744
6dd083fd
MC		 745 s->tlsext_ticket_expected = 1;
746
747 return 1;
748}
749
ab83e314 750#ifndef OPENSSL_NO_OCSP
1266eefd 751int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, int *al)
6dd083fd
MC		 752{
753 /*
754 * MUST be empty and only sent if we've requested a status
755 * request message.
756 */
cbb09544
MC		 757 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_nothing
758 || PACKET_remaining(pkt) > 0) {
6dd083fd
MC		 759 *al = SSL_AD_UNSUPPORTED_EXTENSION;
760 return 0;
761 }
762 /* Set flag to expect CertificateStatus message */
763 s->tlsext_status_expected = 1;
764
765 return 1;
766}
ab83e314 767#endif
6dd083fd
MC		 768
769
770#ifndef OPENSSL_NO_CT
1266eefd 771int tls_parse_stoc_sct(SSL *s, PACKET *pkt, int *al)
6dd083fd
MC		 772{
773 /*
774 * Only take it if we asked for it - i.e if there is no CT validation
775 * callback set, then a custom extension MAY be processing it, so we
776 * need to let control continue to flow to that.
777 */
778 if (s->ct_validation_callback != NULL) {
779 size_t size = PACKET_remaining(pkt);
780
781 /* Simply copy it off for later processing */
1266eefd
MC		 782 OPENSSL_free(s->tlsext_scts);
783 s->tlsext_scts = NULL;
784
6dd083fd
MC		 785 s->tlsext_scts_len = size;
786 if (size > 0) {
787 s->tlsext_scts = OPENSSL_malloc(size);
788 if (s->tlsext_scts == NULL
789 || !PACKET_copy_bytes(pkt, s->tlsext_scts, size)) {
790 *al = SSL_AD_INTERNAL_ERROR;
791 return 0;
792 }
793 }
794 } else {
795 if (custom_ext_parse(s, 0, TLSEXT_TYPE_signed_certificate_timestamp,
796 PACKET_data(pkt), PACKET_remaining(pkt), al) <= 0)
797 return 0;
798 }
799
800 return 1;
801}
802#endif
803
804
805#ifndef OPENSSL_NO_NEXTPROTONEG
806/*
807 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
808 * elements of zero length are allowed and the set of elements must exactly
809 * fill the length of the block. Returns 1 on success or 0 on failure.
810 */
811static int ssl_next_proto_validate(PACKET *pkt)
812{
813 PACKET tmp_protocol;
814
815 while (PACKET_remaining(pkt)) {
816 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
817 || PACKET_remaining(&tmp_protocol) == 0)
818 return 0;
819 }
820
821 return 1;
822}
823
1266eefd 824int tls_parse_stoc_npn(SSL *s, PACKET *pkt, int *al)
6dd083fd
MC		 825{
826 unsigned char *selected;
827 unsigned char selected_len;
828 PACKET tmppkt;
829
1266eefd 830 /* Check if we are in a renegotiation. If so ignore this extension */
6dd083fd
MC		 831 if (s->s3->tmp.finish_md_len != 0)
832 return 1;
833
834 /* We must have requested it. */
835 if (s->ctx->next_proto_select_cb == NULL) {
836 *al = SSL_AD_UNSUPPORTED_EXTENSION;
837 return 0;
838 }
1266eefd 839
6dd083fd
MC		 840 /* The data must be valid */
841 tmppkt = *pkt;
842 if (!ssl_next_proto_validate(&tmppkt)) {
843 *al = SSL_AD_DECODE_ERROR;
844 return 0;
845 }
846 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len,
847 PACKET_data(pkt),
848 PACKET_remaining(pkt),
849 s->ctx->next_proto_select_cb_arg) !=
850 SSL_TLSEXT_ERR_OK) {
851 *al = SSL_AD_INTERNAL_ERROR;
852 return 0;
853 }
1266eefd 854
6dd083fd
MC		 855 /*
856 * Could be non-NULL if server has sent multiple NPN extensions in
857 * a single Serverhello
858 */
859 OPENSSL_free(s->next_proto_negotiated);
860 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
861 if (s->next_proto_negotiated == NULL) {
862 *al = SSL_AD_INTERNAL_ERROR;
863 return 0;
864 }
865
866 memcpy(s->next_proto_negotiated, selected, selected_len);
867 s->next_proto_negotiated_len = selected_len;
868 s->s3->next_proto_neg_seen = 1;
869
870 return 1;
871}
872#endif
873
1266eefd 874int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, int *al)
6dd083fd
MC		 875{
876 size_t len;
877
878 /* We must have requested it. */
879 if (!s->s3->alpn_sent) {
880 *al = SSL_AD_UNSUPPORTED_EXTENSION;
881 return 0;
882 }
883 /*-
884 * The extension data consists of:
885 * uint16 list_length
886 * uint8 proto_length;
887 * uint8 proto[proto_length];
888 */
889 if (!PACKET_get_net_2_len(pkt, &len)
890 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
891 || PACKET_remaining(pkt) != len) {
892 *al = SSL_AD_DECODE_ERROR;
893 return 0;
894 }
895 OPENSSL_free(s->s3->alpn_selected);
896 s->s3->alpn_selected = OPENSSL_malloc(len);
897 if (s->s3->alpn_selected == NULL) {
898 *al = SSL_AD_INTERNAL_ERROR;
899 return 0;
900 }
901 if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) {
902 *al = SSL_AD_DECODE_ERROR;
903 return 0;
904 }
905 s->s3->alpn_selected_len = len;
906
907 return 1;
908}
909
910#ifndef OPENSSL_NO_SRTP
1266eefd 911int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, int *al)
6dd083fd
MC		 912{
913 unsigned int id, ct, mki;
914 int i;
915 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
916 SRTP_PROTECTION_PROFILE *prof;
917
1266eefd
MC		 918 if (!PACKET_get_net_2(pkt, &ct) || ct != 2
919 || !PACKET_get_net_2(pkt, &id)
920 || !PACKET_get_1(pkt, &mki)
921 || PACKET_remaining(pkt) != 0) {
7fe97c07 922 SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP,
6dd083fd
MC		 923 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
924 *al = SSL_AD_DECODE_ERROR;
925 return 0;
926 }
927
928 if (mki != 0) {
929 /* Must be no MKI, since we never offer one */
7fe97c07 930 SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
6dd083fd
MC		 931 *al = SSL_AD_ILLEGAL_PARAMETER;
932 return 0;
933 }
934
6dd083fd 935 /* Throw an error if the server gave us an unsolicited extension */
1266eefd 936 clnt = SSL_get_srtp_profiles(s);
6dd083fd 937 if (clnt == NULL) {
7fe97c07 938 SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_NO_SRTP_PROFILES);
6dd083fd
MC		 939 *al = SSL_AD_DECODE_ERROR;
940 return 0;
941 }
942
943 /*
944 * Check to see if the server gave us something we support (and
945 * presumably offered)
946 */
947 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
948 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
949
950 if (prof->id == id) {
951 s->srtp_profile = prof;
952 *al = 0;
953 return 1;
954 }
955 }
956
7fe97c07 957 SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP,
6dd083fd
MC		 958 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
959 *al = SSL_AD_DECODE_ERROR;
960 return 0;
961}
962#endif
963
1266eefd 964int tls_parse_stoc_etm(SSL *s, PACKET *pkt, int *al)
6dd083fd
MC		 965{
966 /* Ignore if inappropriate ciphersuite */
967 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
968 && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
969 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
970 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
971
972 return 1;
973}
974
1266eefd 975int tls_parse_stoc_ems(SSL *s, PACKET *pkt, int *al)
6dd083fd
MC		 976{
977 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
978 if (!s->hit)
979 s->session->flags |= SSL_SESS_FLAG_EXTMS;
980
981 return 1;
982}
983
1266eefd 984int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, int *al)
6dd083fd
MC		 985{
986 unsigned int group_id;
987 PACKET encoded_pt;
988 EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;
989
990 /* Sanity check */
991 if (ckey == NULL) {
992 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 993 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 994 return 0;
995 }
996
997 if (!PACKET_get_net_2(pkt, &group_id)) {
998 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 999 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
6dd083fd
MC		 1000 return 0;
1001 }
1002
1003 if (group_id != s->s3->group_id) {
1004 /*
1005 * This isn't for the group that we sent in the original
1006 * key_share!
1007 */
1008 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 1009 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
6dd083fd
MC		 1010 return 0;
1011 }
1012
1013 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
1014 || PACKET_remaining(&encoded_pt) == 0) {
1015 *al = SSL_AD_DECODE_ERROR;
7fe97c07 1016 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
6dd083fd
MC		 1017 return 0;
1018 }
1019
1020 skey = ssl_generate_pkey(ckey);
1021 if (skey == NULL) {
1022 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 1023 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
6dd083fd
MC		 1024 return 0;
1025 }
1026 if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
1027 PACKET_remaining(&encoded_pt))) {
1028 *al = SSL_AD_DECODE_ERROR;
7fe97c07 1029 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_ECPOINT);
a1d6a0b6 1030 EVP_PKEY_free(skey);
6dd083fd
MC		 1031 return 0;
1032 }
1033
1034 if (ssl_derive(s, ckey, skey, 1) == 0) {
1035 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 1036 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1037 EVP_PKEY_free(skey);
1038 return 0;
1039 }
1040 EVP_PKEY_free(skey);
1041
1042 return 1;
1043}
A mirror of the official openssl repository