]>
Commit | Line | Data |
---|---|---|
6dd083fd MC |
1 | /* |
2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <assert.h> | |
ab83e314 | 11 | #include <openssl/ocsp.h> |
6dd083fd MC |
12 | #include "../ssl_locl.h" |
13 | #include "statem_locl.h" | |
14 | ||
1266eefd | 15 | int tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
16 | { |
17 | /* Add RI if renegotiating */ | |
18 | if (!s->renegotiate) | |
19 | return 1; | |
20 | ||
21 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) | |
22 | || !WPACKET_start_sub_packet_u16(pkt) | |
23 | || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished, | |
24 | s->s3->previous_client_finished_len) | |
25 | || !WPACKET_close(pkt)) { | |
7fe97c07 | 26 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
27 | return 0; |
28 | } | |
29 | ||
30 | return 1; | |
31 | } | |
32 | ||
1266eefd | 33 | int tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
34 | { |
35 | if (s->tlsext_hostname == NULL) | |
36 | return 1; | |
37 | ||
38 | /* Add TLS extension servername to the Client Hello message */ | |
39 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) | |
40 | /* Sub-packet for server_name extension */ | |
41 | || !WPACKET_start_sub_packet_u16(pkt) | |
42 | /* Sub-packet for servername list (always 1 hostname)*/ | |
43 | || !WPACKET_start_sub_packet_u16(pkt) | |
44 | || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name) | |
45 | || !WPACKET_sub_memcpy_u16(pkt, s->tlsext_hostname, | |
46 | strlen(s->tlsext_hostname)) | |
47 | || !WPACKET_close(pkt) | |
48 | || !WPACKET_close(pkt)) { | |
7fe97c07 | 49 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
50 | return 0; |
51 | } | |
52 | ||
53 | return 1; | |
54 | } | |
55 | ||
56 | #ifndef OPENSSL_NO_SRP | |
1266eefd | 57 | int tls_construct_ctos_srp(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
58 | { |
59 | /* Add SRP username if there is one */ | |
60 | if (s->srp_ctx.login == NULL) | |
61 | return 1; | |
62 | ||
63 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp) | |
64 | /* Sub-packet for SRP extension */ | |
65 | || !WPACKET_start_sub_packet_u16(pkt) | |
66 | || !WPACKET_start_sub_packet_u8(pkt) | |
67 | /* login must not be zero...internal error if so */ | |
68 | || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) | |
69 | || !WPACKET_memcpy(pkt, s->srp_ctx.login, | |
70 | strlen(s->srp_ctx.login)) | |
71 | || !WPACKET_close(pkt) | |
72 | || !WPACKET_close(pkt)) { | |
7fe97c07 | 73 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SRP, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
74 | return 0; |
75 | } | |
76 | ||
77 | return 1; | |
78 | } | |
79 | #endif | |
80 | ||
81 | #ifndef OPENSSL_NO_EC | |
82 | static int use_ecc(SSL *s) | |
83 | { | |
1266eefd | 84 | int i, end; |
ab83e314 MC |
85 | unsigned long alg_k, alg_a; |
86 | STACK_OF(SSL_CIPHER) *cipher_stack = NULL; | |
87 | ||
88 | /* See if we support any ECC ciphersuites */ | |
89 | if (s->version == SSL3_VERSION) | |
90 | return 0; | |
91 | ||
ab83e314 | 92 | cipher_stack = SSL_get_ciphers(s); |
1266eefd MC |
93 | end = sk_SSL_CIPHER_num(cipher_stack); |
94 | for (i = 0; i < end; i++) { | |
ab83e314 MC |
95 | const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); |
96 | ||
97 | alg_k = c->algorithm_mkey; | |
98 | alg_a = c->algorithm_auth; | |
99 | if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) | |
1266eefd MC |
100 | || (alg_a & SSL_aECDSA) |
101 | || c->min_tls >= TLS1_3_VERSION) | |
ab83e314 | 102 | break; |
ab83e314 MC |
103 | } |
104 | ||
1266eefd | 105 | return i < end; |
ab83e314 MC |
106 | } |
107 | ||
1266eefd | 108 | int tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
109 | { |
110 | const unsigned char *pformats; | |
111 | size_t num_formats; | |
112 | ||
113 | if (!use_ecc(s)) | |
114 | return 1; | |
115 | ||
116 | /* Add TLS extension ECPointFormats to the ClientHello message */ | |
ab83e314 MC |
117 | tls1_get_formatlist(s, &pformats, &num_formats); |
118 | ||
119 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) | |
120 | /* Sub-packet for formats extension */ | |
121 | || !WPACKET_start_sub_packet_u16(pkt) | |
122 | || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats) | |
123 | || !WPACKET_close(pkt)) { | |
7fe97c07 | 124 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
125 | return 0; |
126 | } | |
127 | ||
128 | return 1; | |
129 | } | |
130 | ||
131 | ||
1266eefd | 132 | int tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
133 | { |
134 | const unsigned char *pcurves = NULL, *pcurvestmp; | |
135 | size_t num_curves = 0, i; | |
136 | ||
137 | if (!use_ecc(s)) | |
138 | return 1; | |
139 | ||
140 | /* | |
141 | * Add TLS extension supported_groups to the ClientHello message | |
142 | */ | |
143 | /* TODO(TLS1.3): Add support for DHE groups */ | |
144 | pcurves = s->tlsext_supportedgroupslist; | |
145 | if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) { | |
7fe97c07 | 146 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, |
ab83e314 MC |
147 | ERR_R_INTERNAL_ERROR); |
148 | return 0; | |
149 | } | |
150 | pcurvestmp = pcurves; | |
151 | ||
152 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) | |
153 | /* Sub-packet for supported_groups extension */ | |
154 | || !WPACKET_start_sub_packet_u16(pkt) | |
155 | || !WPACKET_start_sub_packet_u16(pkt)) { | |
7fe97c07 | 156 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, |
ab83e314 MC |
157 | ERR_R_INTERNAL_ERROR); |
158 | return 0; | |
159 | } | |
160 | /* Copy curve ID if supported */ | |
161 | for (i = 0; i < num_curves; i++, pcurvestmp += 2) { | |
162 | if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) { | |
163 | if (!WPACKET_put_bytes_u8(pkt, pcurvestmp[0]) | |
164 | || !WPACKET_put_bytes_u8(pkt, pcurvestmp[1])) { | |
7fe97c07 | 165 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, |
ab83e314 MC |
166 | ERR_R_INTERNAL_ERROR); |
167 | return 0; | |
168 | } | |
169 | } | |
170 | } | |
171 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { | |
7fe97c07 | 172 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, |
ab83e314 MC |
173 | ERR_R_INTERNAL_ERROR); |
174 | return 0; | |
175 | } | |
176 | ||
177 | return 1; | |
178 | } | |
179 | #endif | |
180 | ||
1266eefd | 181 | int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
182 | { |
183 | size_t ticklen; | |
184 | ||
185 | if (!tls_use_ticket(s)) | |
186 | return 1; | |
187 | ||
188 | if (!s->new_session && s->session != NULL | |
189 | && s->session->tlsext_tick != NULL) { | |
190 | ticklen = s->session->tlsext_ticklen; | |
191 | } else if (s->session && s->tlsext_session_ticket != NULL | |
192 | && s->tlsext_session_ticket->data != NULL) { | |
193 | ticklen = s->tlsext_session_ticket->length; | |
194 | s->session->tlsext_tick = OPENSSL_malloc(ticklen); | |
195 | if (s->session->tlsext_tick == NULL) { | |
7fe97c07 | 196 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, |
ab83e314 MC |
197 | ERR_R_INTERNAL_ERROR); |
198 | return 0; | |
199 | } | |
200 | memcpy(s->session->tlsext_tick, | |
201 | s->tlsext_session_ticket->data, ticklen); | |
202 | s->session->tlsext_ticklen = ticklen; | |
203 | } else { | |
204 | ticklen = 0; | |
205 | } | |
206 | ||
207 | if (ticklen == 0 && s->tlsext_session_ticket != NULL && | |
208 | s->tlsext_session_ticket->data == NULL) | |
209 | return 1; | |
210 | ||
211 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) | |
212 | || !WPACKET_sub_memcpy_u16(pkt, s->session->tlsext_tick, ticklen)) { | |
7fe97c07 | 213 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
214 | return 0; |
215 | } | |
216 | ||
217 | return 1; | |
218 | } | |
219 | ||
1266eefd | 220 | int tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
221 | { |
222 | size_t salglen; | |
223 | const unsigned char *salg; | |
224 | ||
225 | if (!SSL_CLIENT_USE_SIGALGS(s)) | |
226 | return 1; | |
227 | ||
228 | salglen = tls12_get_psigalgs(s, &salg); | |
ab83e314 MC |
229 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms) |
230 | /* Sub-packet for sig-algs extension */ | |
231 | || !WPACKET_start_sub_packet_u16(pkt) | |
232 | /* Sub-packet for the actual list */ | |
233 | || !WPACKET_start_sub_packet_u16(pkt) | |
234 | || !tls12_copy_sigalgs(s, pkt, salg, salglen) | |
235 | || !WPACKET_close(pkt) | |
236 | || !WPACKET_close(pkt)) { | |
7fe97c07 | 237 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
238 | return 0; |
239 | } | |
240 | ||
241 | return 1; | |
242 | } | |
243 | ||
244 | #ifndef OPENSSL_NO_OCSP | |
1266eefd | 245 | int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
246 | { |
247 | int i; | |
248 | ||
249 | if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp) | |
250 | return 1; | |
251 | ||
252 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) | |
253 | /* Sub-packet for status request extension */ | |
254 | || !WPACKET_start_sub_packet_u16(pkt) | |
255 | || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp) | |
256 | /* Sub-packet for the ids */ | |
257 | || !WPACKET_start_sub_packet_u16(pkt)) { | |
7fe97c07 | 258 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
259 | return 0; |
260 | } | |
261 | for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { | |
262 | unsigned char *idbytes; | |
1266eefd MC |
263 | OCSP_RESPID *id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); |
264 | int idlen = i2d_OCSP_RESPID(id, NULL); | |
ab83e314 | 265 | |
ab83e314 MC |
266 | if (idlen <= 0 |
267 | /* Sub-packet for an individual id */ | |
268 | || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes) | |
269 | || i2d_OCSP_RESPID(id, &idbytes) != idlen) { | |
7fe97c07 | 270 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, |
ab83e314 MC |
271 | ERR_R_INTERNAL_ERROR); |
272 | return 0; | |
273 | } | |
274 | } | |
275 | if (!WPACKET_close(pkt) | |
276 | || !WPACKET_start_sub_packet_u16(pkt)) { | |
7fe97c07 | 277 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
278 | return 0; |
279 | } | |
280 | if (s->tlsext_ocsp_exts) { | |
281 | unsigned char *extbytes; | |
282 | int extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); | |
283 | ||
284 | if (extlen < 0) { | |
7fe97c07 | 285 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, |
ab83e314 MC |
286 | ERR_R_INTERNAL_ERROR); |
287 | return 0; | |
288 | } | |
289 | if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes) | |
290 | || i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &extbytes) | |
291 | != extlen) { | |
7fe97c07 | 292 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, |
ab83e314 MC |
293 | ERR_R_INTERNAL_ERROR); |
294 | return 0; | |
295 | } | |
296 | } | |
297 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { | |
7fe97c07 | 298 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
299 | return 0; |
300 | } | |
301 | ||
302 | return 1; | |
303 | } | |
304 | #endif | |
305 | ||
306 | #ifndef OPENSSL_NO_NEXTPROTONEG | |
1266eefd | 307 | int tls_construct_ctos_npn(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
308 | { |
309 | if (s->ctx->next_proto_select_cb == NULL || s->s3->tmp.finish_md_len != 0) | |
310 | return 1; | |
311 | ||
312 | /* | |
313 | * The client advertises an empty extension to indicate its support | |
314 | * for Next Protocol Negotiation | |
315 | */ | |
316 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) | |
317 | || !WPACKET_put_bytes_u16(pkt, 0)) { | |
7fe97c07 | 318 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_NPN, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
319 | return 0; |
320 | } | |
321 | ||
322 | return 1; | |
323 | } | |
324 | #endif | |
325 | ||
1266eefd | 326 | int tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
327 | { |
328 | s->s3->alpn_sent = 0; | |
329 | ||
330 | /* | |
331 | * finish_md_len is non-zero during a renegotiation, so | |
332 | * this avoids sending ALPN during the renegotiation | |
333 | */ | |
334 | if (s->alpn_client_proto_list == NULL || s->s3->tmp.finish_md_len != 0) | |
335 | return 1; | |
336 | ||
337 | if (!WPACKET_put_bytes_u16(pkt, | |
338 | TLSEXT_TYPE_application_layer_protocol_negotiation) | |
339 | /* Sub-packet ALPN extension */ | |
340 | || !WPACKET_start_sub_packet_u16(pkt) | |
341 | || !WPACKET_sub_memcpy_u16(pkt, s->alpn_client_proto_list, | |
342 | s->alpn_client_proto_list_len) | |
343 | || !WPACKET_close(pkt)) { | |
7fe97c07 | 344 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ALPN, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
345 | return 0; |
346 | } | |
347 | s->s3->alpn_sent = 1; | |
348 | ||
349 | return 1; | |
350 | } | |
351 | ||
352 | ||
353 | #ifndef OPENSSL_NO_SRTP | |
1266eefd | 354 | int tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
355 | { |
356 | STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s); | |
1266eefd | 357 | int i, end; |
ab83e314 MC |
358 | |
359 | if (clnt == NULL) | |
360 | return 1; | |
361 | ||
362 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) | |
363 | /* Sub-packet for SRTP extension */ | |
364 | || !WPACKET_start_sub_packet_u16(pkt) | |
365 | /* Sub-packet for the protection profile list */ | |
366 | || !WPACKET_start_sub_packet_u16(pkt)) { | |
7fe97c07 | 367 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
368 | return 0; |
369 | } | |
1266eefd MC |
370 | |
371 | end = sk_SRTP_PROTECTION_PROFILE_num(clnt); | |
372 | for (i = 0; i < end; i++) { | |
373 | const SRTP_PROTECTION_PROFILE *prof = | |
374 | sk_SRTP_PROTECTION_PROFILE_value(clnt, i); | |
375 | ||
ab83e314 | 376 | if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) { |
7fe97c07 | 377 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
378 | return 0; |
379 | } | |
380 | } | |
381 | if (!WPACKET_close(pkt) | |
382 | /* Add an empty use_mki value */ | |
383 | || !WPACKET_put_bytes_u8(pkt, 0) | |
384 | || !WPACKET_close(pkt)) { | |
7fe97c07 | 385 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
386 | return 0; |
387 | } | |
388 | ||
389 | return 1; | |
390 | } | |
391 | #endif | |
392 | ||
1266eefd | 393 | int tls_construct_ctos_etm(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
394 | { |
395 | if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) | |
396 | return 1; | |
397 | ||
398 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) | |
399 | || !WPACKET_put_bytes_u16(pkt, 0)) { | |
7fe97c07 | 400 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ETM, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
401 | return 0; |
402 | } | |
403 | ||
404 | return 1; | |
405 | } | |
406 | ||
407 | #ifndef OPENSSL_NO_CT | |
1266eefd | 408 | int tls_construct_ctos_sct(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
409 | { |
410 | if (s->ct_validation_callback == NULL) | |
411 | return 1; | |
412 | ||
413 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp) | |
414 | || !WPACKET_put_bytes_u16(pkt, 0)) { | |
7fe97c07 | 415 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SCT, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
416 | return 0; |
417 | } | |
418 | ||
419 | return 1; | |
420 | } | |
421 | #endif | |
422 | ||
1266eefd | 423 | int tls_construct_ctos_ems(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
424 | { |
425 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) | |
426 | || !WPACKET_put_bytes_u16(pkt, 0)) { | |
7fe97c07 | 427 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EMS, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
428 | return 0; |
429 | } | |
430 | ||
431 | return 1; | |
432 | } | |
433 | ||
1266eefd | 434 | int tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
435 | { |
436 | int currv, min_version, max_version, reason; | |
437 | ||
438 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) | |
439 | || !WPACKET_start_sub_packet_u16(pkt) | |
440 | || !WPACKET_start_sub_packet_u8(pkt)) { | |
7fe97c07 | 441 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, |
ab83e314 MC |
442 | ERR_R_INTERNAL_ERROR); |
443 | return 0; | |
444 | } | |
445 | ||
446 | reason = ssl_get_client_min_max_version(s, &min_version, &max_version); | |
447 | if (reason != 0) { | |
7fe97c07 | 448 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason); |
ab83e314 MC |
449 | return 0; |
450 | } | |
451 | ||
452 | /* | |
453 | * TODO(TLS1.3): There is some discussion on the TLS list as to wheter | |
454 | * we should include versions <TLS1.2. For the moment we do. To be | |
455 | * reviewed later. | |
456 | */ | |
457 | for (currv = max_version; currv >= min_version; currv--) { | |
458 | /* TODO(TLS1.3): Remove this first if clause prior to release!! */ | |
459 | if (currv == TLS1_3_VERSION) { | |
460 | if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)) { | |
7fe97c07 | 461 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, |
ab83e314 MC |
462 | ERR_R_INTERNAL_ERROR); |
463 | return 0; | |
464 | } | |
465 | } else if (!WPACKET_put_bytes_u16(pkt, currv)) { | |
7fe97c07 | 466 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, |
ab83e314 MC |
467 | ERR_R_INTERNAL_ERROR); |
468 | return 0; | |
469 | } | |
470 | } | |
471 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { | |
7fe97c07 | 472 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, |
ab83e314 MC |
473 | ERR_R_INTERNAL_ERROR); |
474 | return 0; | |
475 | } | |
476 | ||
477 | return 1; | |
478 | } | |
479 | ||
480 | ||
1266eefd | 481 | int tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, int *al) |
ab83e314 MC |
482 | { |
483 | size_t i, sharessent = 0, num_curves = 0; | |
484 | const unsigned char *pcurves = NULL; | |
485 | ||
486 | /* key_share extension */ | |
487 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) | |
488 | /* Extension data sub-packet */ | |
489 | || !WPACKET_start_sub_packet_u16(pkt) | |
490 | /* KeyShare list sub-packet */ | |
491 | || !WPACKET_start_sub_packet_u16(pkt)) { | |
7fe97c07 | 492 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
493 | return 0; |
494 | } | |
495 | ||
496 | pcurves = s->tlsext_supportedgroupslist; | |
497 | if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) { | |
7fe97c07 | 498 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
499 | return 0; |
500 | } | |
501 | ||
502 | /* | |
503 | * TODO(TLS1.3): Make the number of key_shares sent configurable. For | |
504 | * now, just send one | |
505 | */ | |
506 | for (i = 0; i < num_curves && sharessent < 1; i++, pcurves += 2) { | |
507 | unsigned char *encodedPoint = NULL; | |
508 | unsigned int curve_id = 0; | |
509 | EVP_PKEY *key_share_key = NULL; | |
510 | size_t encodedlen; | |
511 | ||
512 | if (!tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) | |
513 | continue; | |
514 | ||
515 | if (s->s3->tmp.pkey != NULL) { | |
516 | /* Shouldn't happen! */ | |
7fe97c07 | 517 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
518 | return 0; |
519 | } | |
520 | ||
521 | /* Generate a key for this key_share */ | |
522 | curve_id = (pcurves[0] << 8) | pcurves[1]; | |
523 | key_share_key = ssl_generate_pkey_curve(curve_id); | |
524 | if (key_share_key == NULL) { | |
7fe97c07 | 525 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_EVP_LIB); |
ab83e314 MC |
526 | return 0; |
527 | } | |
528 | ||
529 | /* Encode the public key. */ | |
530 | encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key, | |
531 | &encodedPoint); | |
532 | if (encodedlen == 0) { | |
7fe97c07 | 533 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_EC_LIB); |
ab83e314 MC |
534 | EVP_PKEY_free(key_share_key); |
535 | return 0; | |
536 | } | |
537 | ||
538 | /* Create KeyShareEntry */ | |
539 | if (!WPACKET_put_bytes_u16(pkt, curve_id) | |
540 | || !WPACKET_sub_memcpy_u16(pkt, encodedPoint, encodedlen)) { | |
7fe97c07 | 541 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
542 | EVP_PKEY_free(key_share_key); |
543 | OPENSSL_free(encodedPoint); | |
544 | return 0; | |
545 | } | |
546 | ||
547 | /* | |
548 | * TODO(TLS1.3): When changing to send more than one key_share we're | |
549 | * going to need to be able to save more than one EVP_PKEY. For now | |
550 | * we reuse the existing tmp.pkey | |
551 | */ | |
552 | s->s3->group_id = curve_id; | |
553 | s->s3->tmp.pkey = key_share_key; | |
554 | sharessent++; | |
555 | OPENSSL_free(encodedPoint); | |
556 | } | |
557 | ||
558 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { | |
7fe97c07 | 559 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
560 | return 0; |
561 | } | |
562 | ||
563 | return 1; | |
564 | } | |
565 | ||
1266eefd MC |
566 | #define F5_WORKAROUND_MIN_MSG_LEN 0xff |
567 | #define F5_WORKAROUND_MAX_MSG_LEN 0x200 | |
568 | ||
569 | int tls_construct_ctos_padding(SSL *s, WPACKET *pkt, int *al) | |
ab83e314 MC |
570 | { |
571 | unsigned char *padbytes; | |
572 | size_t hlen; | |
573 | ||
574 | if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) | |
575 | return 1; | |
576 | ||
577 | /* | |
578 | * Add padding to workaround bugs in F5 terminators. See | |
579 | * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this | |
1266eefd | 580 | * code calculates the length of all existing extensions it MUST always |
ab83e314 MC |
581 | * appear last. |
582 | */ | |
583 | if (!WPACKET_get_total_written(pkt, &hlen)) { | |
7fe97c07 | 584 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
585 | return 0; |
586 | } | |
587 | ||
1266eefd MC |
588 | if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) { |
589 | /* Calculate the amond of padding we need to add */ | |
590 | hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; | |
591 | ||
592 | /* | |
593 | * Take off the size of extension header itself (2 bytes for type and | |
594 | * 2 bytes for length bytes) | |
595 | */ | |
ab83e314 MC |
596 | if (hlen >= 4) |
597 | hlen -= 4; | |
598 | else | |
599 | hlen = 0; | |
600 | ||
601 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) | |
602 | || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { | |
7fe97c07 | 603 | SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR); |
ab83e314 MC |
604 | return 0; |
605 | } | |
606 | memset(padbytes, 0, hlen); | |
607 | } | |
608 | ||
609 | return 1; | |
610 | } | |
611 | ||
6dd083fd MC |
612 | /* |
613 | * Parse the server's renegotiation binding and abort if it's not right | |
614 | */ | |
1266eefd | 615 | int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, int *al) |
6dd083fd MC |
616 | { |
617 | size_t expected_len = s->s3->previous_client_finished_len | |
618 | + s->s3->previous_server_finished_len; | |
619 | size_t ilen; | |
620 | const unsigned char *data; | |
621 | ||
622 | /* Check for logic errors */ | |
623 | assert(expected_len == 0 || s->s3->previous_client_finished_len != 0); | |
624 | assert(expected_len == 0 || s->s3->previous_server_finished_len != 0); | |
625 | ||
626 | /* Parse the length byte */ | |
627 | if (!PACKET_get_1_len(pkt, &ilen)) { | |
7fe97c07 | 628 | SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE, |
6dd083fd MC |
629 | SSL_R_RENEGOTIATION_ENCODING_ERR); |
630 | *al = SSL_AD_ILLEGAL_PARAMETER; | |
631 | return 0; | |
632 | } | |
633 | ||
634 | /* Consistency check */ | |
635 | if (PACKET_remaining(pkt) != ilen) { | |
7fe97c07 | 636 | SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE, |
6dd083fd MC |
637 | SSL_R_RENEGOTIATION_ENCODING_ERR); |
638 | *al = SSL_AD_ILLEGAL_PARAMETER; | |
639 | return 0; | |
640 | } | |
641 | ||
642 | /* Check that the extension matches */ | |
643 | if (ilen != expected_len) { | |
7fe97c07 | 644 | SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE, |
6dd083fd MC |
645 | SSL_R_RENEGOTIATION_MISMATCH); |
646 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
647 | return 0; | |
648 | } | |
649 | ||
650 | if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len) | |
651 | || memcmp(data, s->s3->previous_client_finished, | |
652 | s->s3->previous_client_finished_len) != 0) { | |
7fe97c07 | 653 | SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE, |
6dd083fd MC |
654 | SSL_R_RENEGOTIATION_MISMATCH); |
655 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
656 | return 0; | |
657 | } | |
658 | ||
659 | if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len) | |
660 | || memcmp(data, s->s3->previous_server_finished, | |
661 | s->s3->previous_server_finished_len) != 0) { | |
7fe97c07 | 662 | SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE, |
6dd083fd MC |
663 | SSL_R_RENEGOTIATION_MISMATCH); |
664 | *al = SSL_AD_ILLEGAL_PARAMETER; | |
665 | return 0; | |
666 | } | |
667 | s->s3->send_connection_binding = 1; | |
668 | ||
669 | return 1; | |
670 | } | |
671 | ||
1266eefd | 672 | int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, int *al) |
6dd083fd MC |
673 | { |
674 | if (s->tlsext_hostname == NULL || PACKET_remaining(pkt) > 0) { | |
675 | *al = SSL_AD_UNRECOGNIZED_NAME; | |
676 | return 0; | |
677 | } | |
678 | ||
679 | if (!s->hit) { | |
680 | if (s->session->tlsext_hostname != NULL) { | |
681 | *al = SSL_AD_INTERNAL_ERROR; | |
682 | return 0; | |
683 | } | |
684 | s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname); | |
685 | if (s->session->tlsext_hostname == NULL) { | |
686 | *al = SSL_AD_INTERNAL_ERROR; | |
687 | return 0; | |
688 | } | |
689 | } | |
690 | ||
691 | return 1; | |
692 | } | |
693 | ||
694 | #ifndef OPENSSL_NO_EC | |
1266eefd | 695 | int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, int *al) |
6dd083fd MC |
696 | { |
697 | unsigned int ecpointformatlist_length; | |
698 | PACKET ecptformatlist; | |
699 | ||
700 | if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { | |
701 | *al = SSL_AD_DECODE_ERROR; | |
702 | return 0; | |
703 | } | |
704 | if (!s->hit) { | |
705 | ecpointformatlist_length = PACKET_remaining(&ecptformatlist); | |
706 | s->session->tlsext_ecpointformatlist_length = 0; | |
707 | ||
708 | OPENSSL_free(s->session->tlsext_ecpointformatlist); | |
709 | s->session->tlsext_ecpointformatlist = | |
710 | OPENSSL_malloc(ecpointformatlist_length); | |
711 | if (s->session->tlsext_ecpointformatlist == NULL) { | |
712 | *al = SSL_AD_INTERNAL_ERROR; | |
713 | return 0; | |
714 | } | |
715 | ||
716 | s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; | |
717 | ||
718 | if (!PACKET_copy_bytes(&ecptformatlist, | |
719 | s->session->tlsext_ecpointformatlist, | |
720 | ecpointformatlist_length)) { | |
721 | *al = SSL_AD_INTERNAL_ERROR; | |
722 | return 0; | |
723 | } | |
724 | } | |
725 | ||
726 | return 1; | |
727 | } | |
728 | #endif | |
729 | ||
1266eefd | 730 | int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, int *al) |
6dd083fd | 731 | { |
1266eefd | 732 | if (s->tls_session_ticket_ext_cb != NULL && |
6dd083fd MC |
733 | !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt), |
734 | PACKET_remaining(pkt), | |
735 | s->tls_session_ticket_ext_cb_arg)) { | |
736 | *al = SSL_AD_INTERNAL_ERROR; | |
737 | return 0; | |
738 | } | |
1266eefd | 739 | |
6dd083fd MC |
740 | if (!tls_use_ticket(s) || PACKET_remaining(pkt) > 0) { |
741 | *al = SSL_AD_UNSUPPORTED_EXTENSION; | |
742 | return 0; | |
743 | } | |
1266eefd | 744 | |
6dd083fd MC |
745 | s->tlsext_ticket_expected = 1; |
746 | ||
747 | return 1; | |
748 | } | |
749 | ||
ab83e314 | 750 | #ifndef OPENSSL_NO_OCSP |
1266eefd | 751 | int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, int *al) |
6dd083fd MC |
752 | { |
753 | /* | |
754 | * MUST be empty and only sent if we've requested a status | |
755 | * request message. | |
756 | */ | |
cbb09544 MC |
757 | if (s->tlsext_status_type == TLSEXT_STATUSTYPE_nothing |
758 | || PACKET_remaining(pkt) > 0) { | |
6dd083fd MC |
759 | *al = SSL_AD_UNSUPPORTED_EXTENSION; |
760 | return 0; | |
761 | } | |
762 | /* Set flag to expect CertificateStatus message */ | |
763 | s->tlsext_status_expected = 1; | |
764 | ||
765 | return 1; | |
766 | } | |
ab83e314 | 767 | #endif |
6dd083fd MC |
768 | |
769 | ||
770 | #ifndef OPENSSL_NO_CT | |
1266eefd | 771 | int tls_parse_stoc_sct(SSL *s, PACKET *pkt, int *al) |
6dd083fd MC |
772 | { |
773 | /* | |
774 | * Only take it if we asked for it - i.e if there is no CT validation | |
775 | * callback set, then a custom extension MAY be processing it, so we | |
776 | * need to let control continue to flow to that. | |
777 | */ | |
778 | if (s->ct_validation_callback != NULL) { | |
779 | size_t size = PACKET_remaining(pkt); | |
780 | ||
781 | /* Simply copy it off for later processing */ | |
1266eefd MC |
782 | OPENSSL_free(s->tlsext_scts); |
783 | s->tlsext_scts = NULL; | |
784 | ||
6dd083fd MC |
785 | s->tlsext_scts_len = size; |
786 | if (size > 0) { | |
787 | s->tlsext_scts = OPENSSL_malloc(size); | |
788 | if (s->tlsext_scts == NULL | |
789 | || !PACKET_copy_bytes(pkt, s->tlsext_scts, size)) { | |
790 | *al = SSL_AD_INTERNAL_ERROR; | |
791 | return 0; | |
792 | } | |
793 | } | |
794 | } else { | |
795 | if (custom_ext_parse(s, 0, TLSEXT_TYPE_signed_certificate_timestamp, | |
796 | PACKET_data(pkt), PACKET_remaining(pkt), al) <= 0) | |
797 | return 0; | |
798 | } | |
799 | ||
800 | return 1; | |
801 | } | |
802 | #endif | |
803 | ||
804 | ||
805 | #ifndef OPENSSL_NO_NEXTPROTONEG | |
806 | /* | |
807 | * ssl_next_proto_validate validates a Next Protocol Negotiation block. No | |
808 | * elements of zero length are allowed and the set of elements must exactly | |
809 | * fill the length of the block. Returns 1 on success or 0 on failure. | |
810 | */ | |
811 | static int ssl_next_proto_validate(PACKET *pkt) | |
812 | { | |
813 | PACKET tmp_protocol; | |
814 | ||
815 | while (PACKET_remaining(pkt)) { | |
816 | if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) | |
817 | || PACKET_remaining(&tmp_protocol) == 0) | |
818 | return 0; | |
819 | } | |
820 | ||
821 | return 1; | |
822 | } | |
823 | ||
1266eefd | 824 | int tls_parse_stoc_npn(SSL *s, PACKET *pkt, int *al) |
6dd083fd MC |
825 | { |
826 | unsigned char *selected; | |
827 | unsigned char selected_len; | |
828 | PACKET tmppkt; | |
829 | ||
1266eefd | 830 | /* Check if we are in a renegotiation. If so ignore this extension */ |
6dd083fd MC |
831 | if (s->s3->tmp.finish_md_len != 0) |
832 | return 1; | |
833 | ||
834 | /* We must have requested it. */ | |
835 | if (s->ctx->next_proto_select_cb == NULL) { | |
836 | *al = SSL_AD_UNSUPPORTED_EXTENSION; | |
837 | return 0; | |
838 | } | |
1266eefd | 839 | |
6dd083fd MC |
840 | /* The data must be valid */ |
841 | tmppkt = *pkt; | |
842 | if (!ssl_next_proto_validate(&tmppkt)) { | |
843 | *al = SSL_AD_DECODE_ERROR; | |
844 | return 0; | |
845 | } | |
846 | if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, | |
847 | PACKET_data(pkt), | |
848 | PACKET_remaining(pkt), | |
849 | s->ctx->next_proto_select_cb_arg) != | |
850 | SSL_TLSEXT_ERR_OK) { | |
851 | *al = SSL_AD_INTERNAL_ERROR; | |
852 | return 0; | |
853 | } | |
1266eefd | 854 | |
6dd083fd MC |
855 | /* |
856 | * Could be non-NULL if server has sent multiple NPN extensions in | |
857 | * a single Serverhello | |
858 | */ | |
859 | OPENSSL_free(s->next_proto_negotiated); | |
860 | s->next_proto_negotiated = OPENSSL_malloc(selected_len); | |
861 | if (s->next_proto_negotiated == NULL) { | |
862 | *al = SSL_AD_INTERNAL_ERROR; | |
863 | return 0; | |
864 | } | |
865 | ||
866 | memcpy(s->next_proto_negotiated, selected, selected_len); | |
867 | s->next_proto_negotiated_len = selected_len; | |
868 | s->s3->next_proto_neg_seen = 1; | |
869 | ||
870 | return 1; | |
871 | } | |
872 | #endif | |
873 | ||
1266eefd | 874 | int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, int *al) |
6dd083fd MC |
875 | { |
876 | size_t len; | |
877 | ||
878 | /* We must have requested it. */ | |
879 | if (!s->s3->alpn_sent) { | |
880 | *al = SSL_AD_UNSUPPORTED_EXTENSION; | |
881 | return 0; | |
882 | } | |
883 | /*- | |
884 | * The extension data consists of: | |
885 | * uint16 list_length | |
886 | * uint8 proto_length; | |
887 | * uint8 proto[proto_length]; | |
888 | */ | |
889 | if (!PACKET_get_net_2_len(pkt, &len) | |
890 | || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len) | |
891 | || PACKET_remaining(pkt) != len) { | |
892 | *al = SSL_AD_DECODE_ERROR; | |
893 | return 0; | |
894 | } | |
895 | OPENSSL_free(s->s3->alpn_selected); | |
896 | s->s3->alpn_selected = OPENSSL_malloc(len); | |
897 | if (s->s3->alpn_selected == NULL) { | |
898 | *al = SSL_AD_INTERNAL_ERROR; | |
899 | return 0; | |
900 | } | |
901 | if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) { | |
902 | *al = SSL_AD_DECODE_ERROR; | |
903 | return 0; | |
904 | } | |
905 | s->s3->alpn_selected_len = len; | |
906 | ||
907 | return 1; | |
908 | } | |
909 | ||
910 | #ifndef OPENSSL_NO_SRTP | |
1266eefd | 911 | int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, int *al) |
6dd083fd MC |
912 | { |
913 | unsigned int id, ct, mki; | |
914 | int i; | |
915 | STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; | |
916 | SRTP_PROTECTION_PROFILE *prof; | |
917 | ||
1266eefd MC |
918 | if (!PACKET_get_net_2(pkt, &ct) || ct != 2 |
919 | || !PACKET_get_net_2(pkt, &id) | |
920 | || !PACKET_get_1(pkt, &mki) | |
921 | || PACKET_remaining(pkt) != 0) { | |
7fe97c07 | 922 | SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, |
6dd083fd MC |
923 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); |
924 | *al = SSL_AD_DECODE_ERROR; | |
925 | return 0; | |
926 | } | |
927 | ||
928 | if (mki != 0) { | |
929 | /* Must be no MKI, since we never offer one */ | |
7fe97c07 | 930 | SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE); |
6dd083fd MC |
931 | *al = SSL_AD_ILLEGAL_PARAMETER; |
932 | return 0; | |
933 | } | |
934 | ||
6dd083fd | 935 | /* Throw an error if the server gave us an unsolicited extension */ |
1266eefd | 936 | clnt = SSL_get_srtp_profiles(s); |
6dd083fd | 937 | if (clnt == NULL) { |
7fe97c07 | 938 | SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_NO_SRTP_PROFILES); |
6dd083fd MC |
939 | *al = SSL_AD_DECODE_ERROR; |
940 | return 0; | |
941 | } | |
942 | ||
943 | /* | |
944 | * Check to see if the server gave us something we support (and | |
945 | * presumably offered) | |
946 | */ | |
947 | for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { | |
948 | prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); | |
949 | ||
950 | if (prof->id == id) { | |
951 | s->srtp_profile = prof; | |
952 | *al = 0; | |
953 | return 1; | |
954 | } | |
955 | } | |
956 | ||
7fe97c07 | 957 | SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, |
6dd083fd MC |
958 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); |
959 | *al = SSL_AD_DECODE_ERROR; | |
960 | return 0; | |
961 | } | |
962 | #endif | |
963 | ||
1266eefd | 964 | int tls_parse_stoc_etm(SSL *s, PACKET *pkt, int *al) |
6dd083fd MC |
965 | { |
966 | /* Ignore if inappropriate ciphersuite */ | |
967 | if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) | |
968 | && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD | |
969 | && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4) | |
970 | s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; | |
971 | ||
972 | return 1; | |
973 | } | |
974 | ||
1266eefd | 975 | int tls_parse_stoc_ems(SSL *s, PACKET *pkt, int *al) |
6dd083fd MC |
976 | { |
977 | s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; | |
978 | if (!s->hit) | |
979 | s->session->flags |= SSL_SESS_FLAG_EXTMS; | |
980 | ||
981 | return 1; | |
982 | } | |
983 | ||
1266eefd | 984 | int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, int *al) |
6dd083fd MC |
985 | { |
986 | unsigned int group_id; | |
987 | PACKET encoded_pt; | |
988 | EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL; | |
989 | ||
990 | /* Sanity check */ | |
991 | if (ckey == NULL) { | |
992 | *al = SSL_AD_INTERNAL_ERROR; | |
7fe97c07 | 993 | SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); |
6dd083fd MC |
994 | return 0; |
995 | } | |
996 | ||
997 | if (!PACKET_get_net_2(pkt, &group_id)) { | |
998 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
7fe97c07 | 999 | SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH); |
6dd083fd MC |
1000 | return 0; |
1001 | } | |
1002 | ||
1003 | if (group_id != s->s3->group_id) { | |
1004 | /* | |
1005 | * This isn't for the group that we sent in the original | |
1006 | * key_share! | |
1007 | */ | |
1008 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
7fe97c07 | 1009 | SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); |
6dd083fd MC |
1010 | return 0; |
1011 | } | |
1012 | ||
1013 | if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt) | |
1014 | || PACKET_remaining(&encoded_pt) == 0) { | |
1015 | *al = SSL_AD_DECODE_ERROR; | |
7fe97c07 | 1016 | SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH); |
6dd083fd MC |
1017 | return 0; |
1018 | } | |
1019 | ||
1020 | skey = ssl_generate_pkey(ckey); | |
1021 | if (skey == NULL) { | |
1022 | *al = SSL_AD_INTERNAL_ERROR; | |
7fe97c07 | 1023 | SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE); |
6dd083fd MC |
1024 | return 0; |
1025 | } | |
1026 | if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt), | |
1027 | PACKET_remaining(&encoded_pt))) { | |
1028 | *al = SSL_AD_DECODE_ERROR; | |
7fe97c07 | 1029 | SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_ECPOINT); |
a1d6a0b6 | 1030 | EVP_PKEY_free(skey); |
6dd083fd MC |
1031 | return 0; |
1032 | } | |
1033 | ||
1034 | if (ssl_derive(s, ckey, skey, 1) == 0) { | |
1035 | *al = SSL_AD_INTERNAL_ERROR; | |
7fe97c07 | 1036 | SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); |
6dd083fd MC |
1037 | EVP_PKEY_free(skey); |
1038 | return 0; | |
1039 | } | |
1040 | EVP_PKEY_free(skey); | |
1041 | ||
1042 | return 1; | |
1043 | } |