]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Rename tls_curve_info to TLS_GROUP_INFO, move to ssl_locl.h
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
b186a592 2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
25670f3e
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
13
14/*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
61138358
MC		 17int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 19{
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
7fe97c07 26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e 27 SSL_R_RENEGOTIATION_ENCODING_ERR);
fb34a0f4 28 *al = SSL_AD_DECODE_ERROR;
25670f3e
MC		 29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
7fe97c07 34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
7fe97c07 42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51}
52
1266eefd
MC		 53/*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
61138358
MC		 76int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 78{
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
25670f3e
MC		 82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
44e69951
F		 90 * Although the intent was for server_name to be extensible, RFC 4366
91 * was not clear about it; and so OpenSSL among other implementations,
92 * always and only allows a 'host_name' name types.
25670f3e
MC		 93 * RFC 6066 corrected the mistake but adding new name types
94 * is nevertheless no longer feasible, so act as if no other
95 * SNI types can exist, to simplify parsing.
96 *
97 * Also note that the RFC permits only one SNI value per type,
98 * i.e., we can only have a single hostname.
99 */
100 if (!PACKET_get_1(&sni, &servname_type)
101 || servname_type != TLSEXT_NAMETYPE_host_name
102 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
103 *al = SSL_AD_DECODE_ERROR;
104 return 0;
105 }
106
107 if (!s->hit) {
108 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
109 *al = TLS1_AD_UNRECOGNIZED_NAME;
110 return 0;
111 }
112
113 if (PACKET_contains_zero_byte(&hostname)) {
114 *al = TLS1_AD_UNRECOGNIZED_NAME;
115 return 0;
116 }
117
7d061fce
MC		 118 OPENSSL_free(s->session->ext.hostname);
119 s->session->ext.hostname = NULL;
aff8c126 120 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
25670f3e
MC		 121 *al = TLS1_AD_INTERNAL_ERROR;
122 return 0;
123 }
124
125 s->servername_done = 1;
126 } else {
127 /*
128 * TODO(openssl-team): if the SNI doesn't match, we MUST
129 * fall back to a full handshake.
130 */
aff8c126
RS		 131 s->servername_done = s->session->ext.hostname
132 && PACKET_equal(&hostname, s->session->ext.hostname,
133 strlen(s->session->ext.hostname));
630369d9
MC		 134
135 if (!s->servername_done && s->session->ext.hostname != NULL)
136 s->ext.early_data_ok = 0;
25670f3e
MC		 137 }
138
139 return 1;
140}
141
142#ifndef OPENSSL_NO_SRP
61138358
MC		 143int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
144 size_t chainidx, int *al)
25670f3e
MC		 145{
146 PACKET srp_I;
147
148 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
149 || PACKET_contains_zero_byte(&srp_I)) {
150 *al = SSL_AD_DECODE_ERROR;
151 return 0;
152 }
153
154 /*
155 * TODO(openssl-team): currently, we re-authenticate the user
156 * upon resumption. Instead, we MUST ignore the login.
157 */
158 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
fb34a0f4 159 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 160 return 0;
161 }
162
163 return 1;
164}
165#endif
166
167#ifndef OPENSSL_NO_EC
61138358
MC		 168int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
169 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 170{
171 PACKET ec_point_format_list;
172
173 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
174 || PACKET_remaining(&ec_point_format_list) == 0) {
175 *al = SSL_AD_DECODE_ERROR;
176 return 0;
177 }
178
179 if (!s->hit) {
180 if (!PACKET_memdup(&ec_point_format_list,
aff8c126
RS		 181 &s->session->ext.ecpointformats,
182 &s->session->ext.ecpointformats_len)) {
fb34a0f4 183 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 184 return 0;
185 }
186 }
187
188 return 1;
189}
190#endif /* OPENSSL_NO_EC */
191
61138358
MC		 192int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
193 X509 *x, size_t chainidx, int *al)
25670f3e 194{
aff8c126
RS		 195 if (s->ext.session_ticket_cb &&
196 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
197 PACKET_remaining(pkt),
198 s->ext.session_ticket_cb_arg)) {
fb34a0f4 199 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 200 return 0;
201 }
202
203 return 1;
204}
205
61138358
MC		 206int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
207 size_t chainidx, int *al)
25670f3e
MC		 208{
209 PACKET supported_sig_algs;
210
211 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e
MC		 212 || PACKET_remaining(&supported_sig_algs) == 0) {
213 *al = SSL_AD_DECODE_ERROR;
214 return 0;
215 }
216
703bcee0 217 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
fb34a0f4 218 *al = SSL_AD_DECODE_ERROR;
25670f3e
MC		 219 return 0;
220 }
221
222 return 1;
223}
224
ab83e314 225#ifndef OPENSSL_NO_OCSP
61138358
MC		 226int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
227 X509 *x, size_t chainidx, int *al)
25670f3e 228{
1266eefd
MC		 229 PACKET responder_id_list, exts;
230
e96e0f8e
MC		 231 /* Not defined if we get one of these in a client Certificate */
232 if (x != NULL)
233 return 1;
234
aff8c126 235 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
25670f3e
MC		 236 *al = SSL_AD_DECODE_ERROR;
237 return 0;
238 }
ab83e314 239
aff8c126 240 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 241 /*
1266eefd 242 * We don't know what to do with any other type so ignore it.
25670f3e 243 */
aff8c126 244 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 245 return 1;
246 }
25670f3e 247
1266eefd
MC		 248 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
249 *al = SSL_AD_DECODE_ERROR;
250 return 0;
251 }
25670f3e 252
1266eefd
MC		 253 /*
254 * We remove any OCSP_RESPIDs from a previous handshake
255 * to prevent unbounded memory growth - CVE-2016-6304
256 */
aff8c126 257 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 258 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 259 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
260 if (s->ext.ocsp.ids == NULL) {
1266eefd
MC		 261 *al = SSL_AD_INTERNAL_ERROR;
262 return 0;
263 }
264 } else {
aff8c126 265 s->ext.ocsp.ids = NULL;
1266eefd 266 }
25670f3e 267
1266eefd
MC		 268 while (PACKET_remaining(&responder_id_list) > 0) {
269 OCSP_RESPID *id;
270 PACKET responder_id;
271 const unsigned char *id_data;
25670f3e 272
1266eefd
MC		 273 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
274 || PACKET_remaining(&responder_id) == 0) {
275 *al = SSL_AD_DECODE_ERROR;
276 return 0;
277 }
25670f3e 278
1266eefd
MC		 279 id_data = PACKET_data(&responder_id);
280 /* TODO(size_t): Convert d2i_* to size_t */
281 id = d2i_OCSP_RESPID(NULL, &id_data,
282 (int)PACKET_remaining(&responder_id));
283 if (id == NULL) {
284 *al = SSL_AD_DECODE_ERROR;
285 return 0;
25670f3e
MC		 286 }
287
1266eefd
MC		 288 if (id_data != PACKET_end(&responder_id)) {
289 OCSP_RESPID_free(id);
25670f3e
MC		 290 *al = SSL_AD_DECODE_ERROR;
291 return 0;
292 }
293
aff8c126 294 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd
MC		 295 OCSP_RESPID_free(id);
296 *al = SSL_AD_INTERNAL_ERROR;
297 return 0;
298 }
299 }
300
301 /* Read in request_extensions */
302 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
303 *al = SSL_AD_DECODE_ERROR;
304 return 0;
305 }
306
307 if (PACKET_remaining(&exts) > 0) {
308 const unsigned char *ext_data = PACKET_data(&exts);
309
aff8c126 310 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 311 X509_EXTENSION_free);
aff8c126 312 s->ext.ocsp.exts =
1266eefd 313 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 314 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
1266eefd
MC		 315 *al = SSL_AD_DECODE_ERROR;
316 return 0;
25670f3e 317 }
25670f3e
MC		 318 }
319
320 return 1;
321}
ab83e314 322#endif
25670f3e
MC		 323
324#ifndef OPENSSL_NO_NEXTPROTONEG
61138358
MC		 325int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
326 size_t chainidx, int *al)
25670f3e 327{
1266eefd
MC		 328 /*
329 * We shouldn't accept this extension on a
330 * renegotiation.
1266eefd 331 */
c7f47786 332 if (SSL_IS_FIRST_HANDSHAKE(s))
aff8c126 333 s->s3->npn_seen = 1;
25670f3e
MC		 334
335 return 1;
336}
337#endif
338
339/*
1266eefd
MC		 340 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
341 * extension, not including type and length. |al| is a pointer to the alert
342 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
25670f3e 343 */
61138358
MC		 344int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
345 size_t chainidx, int *al)
25670f3e
MC		 346{
347 PACKET protocol_list, save_protocol_list, protocol;
348
c7f47786 349 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 350 return 1;
351
352 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
353 || PACKET_remaining(&protocol_list) < 2) {
354 *al = SSL_AD_DECODE_ERROR;
355 return 0;
356 }
357
358 save_protocol_list = protocol_list;
359 do {
360 /* Protocol names can't be empty. */
361 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
362 || PACKET_remaining(&protocol) == 0) {
363 *al = SSL_AD_DECODE_ERROR;
364 return 0;
365 }
366 } while (PACKET_remaining(&protocol_list) != 0);
367
7d061fce
MC		 368 OPENSSL_free(s->s3->alpn_proposed);
369 s->s3->alpn_proposed = NULL;
370 s->s3->alpn_proposed_len = 0;
25670f3e
MC		 371 if (!PACKET_memdup(&save_protocol_list,
372 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
fb34a0f4 373 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 374 return 0;
375 }
376
377 return 1;
378}
379
380#ifndef OPENSSL_NO_SRTP
61138358
MC		 381int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
382 size_t chainidx, int *al)
25670f3e 383{
25670f3e
MC		 384 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
385 unsigned int ct, mki_len, id;
386 int i, srtp_pref;
387 PACKET subpkt;
388
389 /* Ignore this if we have no SRTP profiles */
390 if (SSL_get_srtp_profiles(s) == NULL)
391 return 1;
392
393 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 394 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
395 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
7fe97c07 396 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 397 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
398 *al = SSL_AD_DECODE_ERROR;
399 return 0;
400 }
401
402 srvr = SSL_get_srtp_profiles(s);
403 s->srtp_profile = NULL;
404 /* Search all profiles for a match initially */
405 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
406
407 while (PACKET_remaining(&subpkt)) {
408 if (!PACKET_get_net_2(&subpkt, &id)) {
7fe97c07 409 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 410 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
411 *al = SSL_AD_DECODE_ERROR;
412 return 0;
413 }
414
415 /*
416 * Only look for match in profiles of higher preference than
417 * current match.
418 * If no profiles have been have been configured then this
419 * does nothing.
420 */
421 for (i = 0; i < srtp_pref; i++) {
d270de32 422 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 423 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
424
25670f3e
MC		 425 if (sprof->id == id) {
426 s->srtp_profile = sprof;
427 srtp_pref = i;
428 break;
429 }
430 }
431 }
432
1266eefd 433 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 434 if (!PACKET_get_1(pkt, &mki_len)) {
7fe97c07 435 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 436 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
437 *al = SSL_AD_DECODE_ERROR;
438 return 0;
439 }
440
441 if (!PACKET_forward(pkt, mki_len)
442 || PACKET_remaining(pkt)) {
7fe97c07 443 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 444 *al = SSL_AD_DECODE_ERROR;
445 return 0;
446 }
447
448 return 1;
449}
450#endif
451
61138358
MC		 452int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
453 size_t chainidx, int *al)
25670f3e
MC		 454{
455 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 456 s->ext.use_etm = 1;
25670f3e
MC		 457
458 return 1;
459}
460
b2f7e8c0
MC		 461/*
462 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
463 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
464 * If a failure occurs then |*al| is set to an appropriate alert value.
465 */
61138358
MC		 466int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
467 X509 *x, size_t chainidx, int *al)
b2f7e8c0
MC		 468{
469#ifndef OPENSSL_NO_TLS1_3
470 PACKET psk_kex_modes;
471 unsigned int mode;
472
473 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
474 || PACKET_remaining(&psk_kex_modes) == 0) {
475 *al = SSL_AD_DECODE_ERROR;
476 return 0;
477 }
478
479 while (PACKET_get_1(&psk_kex_modes, &mode)) {
480 if (mode == TLSEXT_KEX_MODE_KE_DHE)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
e3c0d76b
MC		 482 else if (mode == TLSEXT_KEX_MODE_KE
483 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
b2f7e8c0
MC		 484 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
485 }
486#endif
487
488 return 1;
489}
490
25670f3e
MC		 491/*
492 * Process a key_share extension received in the ClientHello. |pkt| contains
493 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
494 * If a failure occurs then |*al| is set to an appropriate alert value.
495 */
61138358
MC		 496int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
497 size_t chainidx, int *al)
25670f3e 498{
3cf96e88 499#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 500 unsigned int group_id;
501 PACKET key_share_list, encoded_pt;
9e84a42d 502 const uint16_t *clntcurves, *srvrcurves;
25670f3e
MC		 503 size_t clnt_num_curves, srvr_num_curves;
504 int group_nid, found = 0;
505 unsigned int curve_flags;
506
f4bbb37c 507 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 508 return 1;
509
510 /* Sanity check */
511 if (s->s3->peer_tmp != NULL) {
512 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 513 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 514 return 0;
515 }
516
517 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
721586ea 518 *al = SSL_AD_DECODE_ERROR;
7fe97c07 519 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 520 return 0;
521 }
522
523 /* Get our list of supported curves */
524 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
525 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 526 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 527 return 0;
528 }
529
b6fdc12d 530 /* Get the clients list of supported curves. */
25670f3e
MC		 531 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
532 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 533 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 534 return 0;
535 }
b6fdc12d
MC		 536 if (clnt_num_curves == 0) {
537 /*
538 * This can only happen if the supported_groups extension was not sent,
539 * because we verify that the length is non-zero when we process that
540 * extension.
541 */
542 *al = SSL_AD_MISSING_EXTENSION;
543 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
544 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
545 return 0;
546 }
25670f3e
MC		 547
548 while (PACKET_remaining(&key_share_list) > 0) {
549 if (!PACKET_get_net_2(&key_share_list, &group_id)
550 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
551 || PACKET_remaining(&encoded_pt) == 0) {
721586ea 552 *al = SSL_AD_DECODE_ERROR;
7fe97c07 553 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 554 SSL_R_LENGTH_MISMATCH);
555 return 0;
556 }
557
558 /*
559 * If we already found a suitable key_share we loop through the
560 * rest to verify the structure, but don't process them.
561 */
562 if (found)
563 continue;
564
565 /* Check if this share is in supported_groups sent from client */
566 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
721586ea 567 *al = SSL_AD_ILLEGAL_PARAMETER;
7fe97c07 568 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 569 return 0;
570 }
571
572 /* Check if this share is for a group we can use */
573 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
574 /* Share not suitable */
575 continue;
576 }
577
578 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
579
580 if (group_nid == 0) {
581 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 582 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 583 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
584 return 0;
585 }
586
587 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
588 /* Can happen for some curves, e.g. X25519 */
589 EVP_PKEY *key = EVP_PKEY_new();
590
591 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
592 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 593 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 594 EVP_PKEY_free(key);
595 return 0;
596 }
597 s->s3->peer_tmp = key;
598 } else {
599 /* Set up EVP_PKEY with named curve as parameters */
600 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1266eefd 601
25670f3e
MC		 602 if (pctx == NULL
603 || EVP_PKEY_paramgen_init(pctx) <= 0
604 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
605 group_nid) <= 0
606 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
607 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 608 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 609 EVP_PKEY_CTX_free(pctx);
610 return 0;
611 }
612 EVP_PKEY_CTX_free(pctx);
613 pctx = NULL;
614 }
615 s->s3->group_id = group_id;
616
617 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
618 PACKET_data(&encoded_pt),
619 PACKET_remaining(&encoded_pt))) {
fb34a0f4 620 *al = SSL_AD_ILLEGAL_PARAMETER;
7fe97c07 621 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 622 return 0;
623 }
624
625 found = 1;
626 }
3cf96e88 627#endif
25670f3e
MC		 628
629 return 1;
630}
631
632#ifndef OPENSSL_NO_EC
61138358
MC		 633int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
634 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 635{
636 PACKET supported_groups_list;
637
638 /* Each group is 2 bytes and we must have at least 1. */
639 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
640 || PACKET_remaining(&supported_groups_list) == 0
641 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
642 *al = SSL_AD_DECODE_ERROR;
643 return 0;
644 }
645
e3743355
BK		 646 if (!s->hit || SSL_IS_TLS13(s)) {
647 OPENSSL_free(s->session->ext.supportedgroups);
648 s->session->ext.supportedgroups = NULL;
649 s->session->ext.supportedgroups_len = 0;
9e84a42d 650 if (!tls1_save_u16(&supported_groups_list,
e3743355
BK		 651 &s->session->ext.supportedgroups,
652 &s->session->ext.supportedgroups_len)) {
653 *al = SSL_AD_INTERNAL_ERROR;
654 return 0;
655 }
25670f3e
MC		 656 }
657
658 return 1;
659}
660#endif
661
61138358
MC		 662int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
663 size_t chainidx, int *al)
25670f3e
MC		 664{
665 /* The extension must always be empty */
666 if (PACKET_remaining(pkt) != 0) {
667 *al = SSL_AD_DECODE_ERROR;
668 return 0;
669 }
670
671 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
672
673 return 1;
674}
7da160b0 675
38df5a45
MC		 676
677int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
678 X509 *x, size_t chainidx, int *al)
679{
680 if (PACKET_remaining(pkt) != 0) {
681 *al = SSL_AD_DECODE_ERROR;
682 return 0;
683 }
684
d4504fe5
MC		 685 if (s->hello_retry_request) {
686 *al = SSL_AD_ILLEGAL_PARAMETER;
687 return 0;
688 }
689
38df5a45
MC		 690 return 1;
691}
692
61138358
MC		 693int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
694 size_t chainidx, int *al)
1053a6e2
MC		 695{
696 PACKET identities, binders, binder;
697 size_t binderoffset, hashsize;
698 SSL_SESSION *sess = NULL;
3a7c56b2 699 unsigned int id, i, ext = 0;
1053a6e2
MC		 700 const EVP_MD *md = NULL;
701
1a9f457c
MC		 702 /*
703 * If we have no PSK kex mode that we recognise then we can't resume so
704 * ignore this extension
705 */
706 if ((s->ext.psk_kex_mode
707 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
708 return 1;
709
1053a6e2
MC		 710 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
711 *al = SSL_AD_DECODE_ERROR;
712 return 0;
713 }
714
715 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
716 PACKET identity;
2c604cb9 717 unsigned long ticket_agel;
1053a6e2
MC		 718
719 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 720 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1053a6e2
MC		 721 *al = SSL_AD_DECODE_ERROR;
722 return 0;
723 }
724
3a7c56b2 725 if (s->psk_find_session_cb != NULL
011d768a
MC		 726 && !s->psk_find_session_cb(s, PACKET_data(&identity),
727 PACKET_remaining(&identity),
728 &sess)) {
729 *al = SSL_AD_INTERNAL_ERROR;
730 return 0;
731 }
732
733 if (sess != NULL) {
734 /* We found a PSK */
3a7c56b2 735 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1b8bacff 736
3a7c56b2
MC		 737 if (sesstmp == NULL) {
738 *al = SSL_AD_INTERNAL_ERROR;
739 return 0;
740 }
741 SSL_SESSION_free(sess);
742 sess = sesstmp;
743
744 /*
745 * We've just been told to use this session for this context so
746 * make sure the sid_ctx matches up.
747 */
748 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
749 sess->sid_ctx_length = s->sid_ctx_length;
750 ext = 1;
630369d9
MC		 751 if (id == 0)
752 s->ext.early_data_ok = 1;
3a7c56b2
MC		 753 } else {
754 uint32_t ticket_age = 0, now, agesec, agems;
755 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
756 PACKET_remaining(&identity), NULL, 0,
757 &sess);
758
759 if (ret == TICKET_FATAL_ERR_MALLOC
760 || ret == TICKET_FATAL_ERR_OTHER) {
761 *al = SSL_AD_INTERNAL_ERROR;
762 return 0;
763 }
764 if (ret == TICKET_NO_DECRYPT)
765 continue;
766
767 ticket_age = (uint32_t)ticket_agel;
768 now = (uint32_t)time(NULL);
769 agesec = now - (uint32_t)sess->time;
770 agems = agesec * (uint32_t)1000;
771 ticket_age -= sess->ext.tick_age_add;
772
773 /*
774 * For simplicity we do our age calculations in seconds. If the
775 * client does it in ms then it could appear that their ticket age
776 * is longer than ours (our ticket age calculation should always be
777 * slightly longer than the client's due to the network latency).
778 * Therefore we add 1000ms to our age calculation to adjust for
779 * rounding errors.
780 */
630369d9
MC		 781 if (id == 0
782 && sess->timeout >= (long)agesec
3a7c56b2
MC		 783 && agems / (uint32_t)1000 == agesec
784 && ticket_age <= agems + 1000
785 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
786 /*
787 * Ticket age is within tolerance and not expired. We allow it
788 * for early data
789 */
790 s->ext.early_data_ok = 1;
791 }
1053a6e2 792 }
1053a6e2 793
534a43ff 794 md = ssl_md(sess->cipher->algorithm2);
0de6d66d
MC		 795 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
796 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 797 SSL_SESSION_free(sess);
798 sess = NULL;
630369d9 799 s->ext.early_data_ok = 0;
1053a6e2
MC		 800 continue;
801 }
1053a6e2
MC		 802 break;
803 }
804
805 if (sess == NULL)
806 return 1;
807
808 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1053a6e2
MC		 809 hashsize = EVP_MD_size(md);
810
811 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
812 *al = SSL_AD_DECODE_ERROR;
813 goto err;
814 }
815
816 for (i = 0; i <= id; i++) {
817 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
818 *al = SSL_AD_DECODE_ERROR;
819 goto err;
820 }
821 }
822
823 if (PACKET_remaining(&binder) != hashsize
824 || tls_psk_do_binder(s, md,
825 (const unsigned char *)s->init_buf->data,
826 binderoffset, PACKET_data(&binder), NULL,
3a7c56b2 827 sess, 0, ext) != 1) {
1053a6e2
MC		 828 *al = SSL_AD_DECODE_ERROR;
829 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
830 goto err;
831 }
832
833 sess->ext.tick_identity = id;
2c604cb9 834
1053a6e2
MC		 835 SSL_SESSION_free(s->session);
836 s->session = sess;
1053a6e2
MC		 837 return 1;
838err:
312e9387 839 SSL_SESSION_free(sess);
1053a6e2
MC		 840 return 0;
841}
842
1266eefd
MC		 843/*
844 * Add the server's renegotiation binding
845 */
b186a592
MC		 846EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
847 unsigned int context, X509 *x,
848 size_t chainidx, int *al)
7da160b0
MC		 849{
850 if (!s->s3->send_connection_binding)
b186a592 851 return EXT_RETURN_NOT_SENT;
7da160b0 852
db0f35dd 853 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 854 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
855 || !WPACKET_start_sub_packet_u16(pkt)
856 || !WPACKET_start_sub_packet_u8(pkt)
857 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
858 s->s3->previous_client_finished_len)
859 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
860 s->s3->previous_server_finished_len)
861 || !WPACKET_close(pkt)
862 || !WPACKET_close(pkt)) {
7fe97c07 863 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
b186a592 864 return EXT_RETURN_FAIL;
7da160b0
MC		 865 }
866
b186a592 867 return EXT_RETURN_SENT;
7da160b0
MC		 868}
869
b186a592
MC		 870EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
871 unsigned int context, X509 *x,
872 size_t chainidx, int *al)
7da160b0
MC		 873{
874 if (s->hit || s->servername_done != 1
aff8c126 875 || s->session->ext.hostname == NULL)
b186a592 876 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 877
878 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
879 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 880 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
b186a592 881 return EXT_RETURN_FAIL;
7da160b0
MC		 882 }
883
b186a592 884 return EXT_RETURN_SENT;
7da160b0
MC		 885}
886
887#ifndef OPENSSL_NO_EC
b186a592
MC		 888EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
889 unsigned int context, X509 *x,
890 size_t chainidx, int *al)
7da160b0
MC		 891{
892 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
893 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
89247375 894 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
aff8c126 895 && (s->session->ext.ecpointformats != NULL);
7da160b0
MC		 896 const unsigned char *plist;
897 size_t plistlen;
898
899 if (!using_ecc)
b186a592 900 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 901
902 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 903 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
904 || !WPACKET_start_sub_packet_u16(pkt)
905 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
906 || !WPACKET_close(pkt)) {
7fe97c07 907 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
b186a592 908 return EXT_RETURN_FAIL;
7da160b0
MC		 909 }
910
b186a592 911 return EXT_RETURN_SENT;
7da160b0
MC		 912}
913#endif
914
cf53cbea 915#ifndef OPENSSL_NO_EC
b186a592
MC		 916EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
917 unsigned int context, X509 *x,
918 size_t chainidx, int *al)
6af87546 919{
9e84a42d 920 const uint16_t *groups;
6af87546
MC		 921 size_t numgroups, i, first = 1;
922
923 /* s->s3->group_id is non zero if we accepted a key_share */
924 if (s->s3->group_id == 0)
b186a592 925 return EXT_RETURN_NOT_SENT;
6af87546
MC		 926
927 /* Get our list of supported groups */
928 if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
929 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
b186a592 930 return EXT_RETURN_FAIL;
6af87546
MC		 931 }
932
933 /* Copy group ID if supported */
9e84a42d
DSH		 934 for (i = 0; i < numgroups; i++) {
935 uint16_t group = groups[i];
936
937 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
6af87546
MC		 938 if (first) {
939 /*
940 * Check if the client is already using our preferred group. If
941 * so we don't need to add this extension
942 */
9e84a42d 943 if (s->s3->group_id == group)
b186a592 944 return EXT_RETURN_NOT_SENT;
6af87546
MC		 945
946 /* Add extension header */
947 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
948 /* Sub-packet for supported_groups extension */
949 || !WPACKET_start_sub_packet_u16(pkt)
950 || !WPACKET_start_sub_packet_u16(pkt)) {
951 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
952 ERR_R_INTERNAL_ERROR);
b186a592 953 return EXT_RETURN_FAIL;
6af87546
MC		 954 }
955
956 first = 0;
957 }
9e84a42d 958 if (!WPACKET_put_bytes_u16(pkt, group)) {
6af87546
MC		 959 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
960 ERR_R_INTERNAL_ERROR);
b186a592 961 return EXT_RETURN_FAIL;
6af87546
MC		 962 }
963 }
964 }
965
966 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
967 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
b186a592 968 return EXT_RETURN_FAIL;
6af87546
MC		 969 }
970
b186a592 971 return EXT_RETURN_SENT;
6af87546 972}
cf53cbea 973#endif
6af87546 974
b186a592
MC		 975EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
976 unsigned int context, X509 *x,
977 size_t chainidx, int *al)
7da160b0 978{
aff8c126
RS		 979 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
980 s->ext.ticket_expected = 0;
b186a592 981 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 982 }
983
984 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
985 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 986 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
b186a592 987 return EXT_RETURN_FAIL;
7da160b0
MC		 988 }
989
b186a592 990 return EXT_RETURN_SENT;
7da160b0
MC		 991}
992
ab83e314 993#ifndef OPENSSL_NO_OCSP
b186a592
MC		 994EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
995 unsigned int context, X509 *x,
996 size_t chainidx, int *al)
7da160b0 997{
aff8c126 998 if (!s->ext.status_expected)
b186a592 999 return EXT_RETURN_NOT_SENT;
7da160b0 1000
8521ced6 1001 if (SSL_IS_TLS13(s) && chainidx != 0)
b186a592 1002 return EXT_RETURN_NOT_SENT;
e96e0f8e 1003
7da160b0 1004 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288
MC		 1005 || !WPACKET_start_sub_packet_u16(pkt)) {
1006 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 1007 return EXT_RETURN_FAIL;
f63e4288
MC		 1008 }
1009
1010 /*
1011 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1012 * send back an empty extension, with the certificate status appearing as a
1013 * separate message
1014 */
1015 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
1016 || !WPACKET_close(pkt)) {
7fe97c07 1017 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 1018 return EXT_RETURN_FAIL;
7da160b0
MC		 1019 }
1020
b186a592 1021 return EXT_RETURN_SENT;
7da160b0 1022}
ab83e314 1023#endif
7da160b0 1024
7da160b0 1025#ifndef OPENSSL_NO_NEXTPROTONEG
b186a592
MC		 1026EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1027 unsigned int context, X509 *x,
1028 size_t chainidx, int *al)
7da160b0
MC		 1029{
1030 const unsigned char *npa;
1031 unsigned int npalen;
1032 int ret;
aff8c126 1033 int npn_seen = s->s3->npn_seen;
7da160b0 1034
aff8c126
RS		 1035 s->s3->npn_seen = 0;
1036 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
b186a592 1037 return EXT_RETURN_NOT_SENT;
7da160b0 1038
aff8c126
RS		 1039 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1040 s->ctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1041 if (ret == SSL_TLSEXT_ERR_OK) {
1042 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1043 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
7fe97c07 1044 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
7da160b0 1045 ERR_R_INTERNAL_ERROR);
b186a592 1046 return EXT_RETURN_FAIL;
7da160b0 1047 }
aff8c126 1048 s->s3->npn_seen = 1;
7da160b0
MC		 1049 }
1050
b186a592 1051 return EXT_RETURN_SENT;
7da160b0
MC		 1052}
1053#endif
1054
b186a592
MC		 1055EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1056 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 1057{
1058 if (s->s3->alpn_selected == NULL)
b186a592 1059 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1060
1061 if (!WPACKET_put_bytes_u16(pkt,
1062 TLSEXT_TYPE_application_layer_protocol_negotiation)
1063 || !WPACKET_start_sub_packet_u16(pkt)
1064 || !WPACKET_start_sub_packet_u16(pkt)
1065 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1066 s->s3->alpn_selected_len)
1067 || !WPACKET_close(pkt)
1068 || !WPACKET_close(pkt)) {
7fe97c07 1069 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
b186a592 1070 return EXT_RETURN_FAIL;
7da160b0
MC		 1071 }
1072
b186a592 1073 return EXT_RETURN_SENT;
7da160b0
MC		 1074}
1075
1076#ifndef OPENSSL_NO_SRTP
b186a592
MC		 1077EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1078 unsigned int context, X509 *x,
1079 size_t chainidx, int *al)
7da160b0
MC		 1080{
1081 if (s->srtp_profile == NULL)
b186a592 1082 return EXT_RETURN_NOT_SENT;
a1448c26 1083
7da160b0
MC		 1084 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1085 || !WPACKET_start_sub_packet_u16(pkt)
1086 || !WPACKET_put_bytes_u16(pkt, 2)
1087 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1088 || !WPACKET_put_bytes_u8(pkt, 0)
1089 || !WPACKET_close(pkt)) {
7fe97c07 1090 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
b186a592 1091 return EXT_RETURN_FAIL;
7da160b0
MC		 1092 }
1093
b186a592 1094 return EXT_RETURN_SENT;
7da160b0
MC		 1095}
1096#endif
1097
b186a592
MC		 1098EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1099 X509 *x, size_t chainidx, int *al)
7da160b0 1100{
28a31a0a 1101 if (!s->ext.use_etm)
b186a592 1102 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1103
1104 /*
1105 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1106 * for other cases too.
1107 */
1108 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1109 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1110 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1111 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
28a31a0a 1112 s->ext.use_etm = 0;
b186a592 1113 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1114 }
1115
1116 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1117 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 1118 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
b186a592 1119 return EXT_RETURN_FAIL;
7da160b0
MC		 1120 }
1121
b186a592 1122 return EXT_RETURN_SENT;
7da160b0
MC		 1123}
1124
b186a592
MC		 1125EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1126 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 1127{
1128 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1129 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1130
1131 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1132 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 1133 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
b186a592 1134 return EXT_RETURN_FAIL;
7da160b0
MC		 1135 }
1136
b186a592 1137 return EXT_RETURN_SENT;
7da160b0
MC		 1138}
1139
b186a592
MC		 1140EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1141 unsigned int context, X509 *x,
1142 size_t chainidx, int *al)
7da160b0 1143{
3cf96e88 1144#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1145 unsigned char *encodedPoint;
1146 size_t encoded_pt_len = 0;
1147 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1148
7da160b0 1149 if (ckey == NULL) {
7d061fce
MC		 1150 /* No key_share received from client */
1151 if (s->hello_retry_request) {
7d061fce 1152 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
aff9929b
MC		 1153 || !WPACKET_start_sub_packet_u16(pkt)
1154 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1155 || !WPACKET_close(pkt)) {
7d061fce
MC		 1156 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1157 ERR_R_INTERNAL_ERROR);
b186a592 1158 return EXT_RETURN_FAIL;
7d061fce
MC		 1159 }
1160
b186a592 1161 return EXT_RETURN_SENT;
7d061fce
MC		 1162 }
1163
1164 /* Must be resuming. */
0247086d
MC		 1165 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1166 *al = SSL_AD_INTERNAL_ERROR;
1167 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1168 return EXT_RETURN_FAIL;
0247086d 1169 }
b186a592 1170 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1171 }
1172
1173 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1174 || !WPACKET_start_sub_packet_u16(pkt)
1175 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
7fe97c07 1176 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1177 return EXT_RETURN_FAIL;
7da160b0
MC		 1178 }
1179
1180 skey = ssl_generate_pkey(ckey);
1181 if (skey == NULL) {
7fe97c07 1182 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
b186a592 1183 return EXT_RETURN_FAIL;
7da160b0
MC		 1184 }
1185
1186 /* Generate encoding of server key */
1187 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1188 if (encoded_pt_len == 0) {
7fe97c07 1189 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
7da160b0 1190 EVP_PKEY_free(skey);
b186a592 1191 return EXT_RETURN_FAIL;
7da160b0
MC		 1192 }
1193
1194 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1195 || !WPACKET_close(pkt)) {
7fe97c07 1196 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1197 EVP_PKEY_free(skey);
1198 OPENSSL_free(encodedPoint);
b186a592 1199 return EXT_RETURN_FAIL;
7da160b0
MC		 1200 }
1201 OPENSSL_free(encodedPoint);
1202
1203 /* This causes the crypto state to be updated based on the derived keys */
1204 s->s3->tmp.pkey = skey;
1205 if (ssl_derive(s, skey, ckey, 1) == 0) {
7fe97c07 1206 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1207 return EXT_RETURN_FAIL;
7da160b0 1208 }
3cf96e88 1209#endif
7da160b0 1210
b186a592 1211 return EXT_RETURN_SENT;
7da160b0
MC		 1212}
1213
b186a592
MC		 1214EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1215 unsigned int context, X509 *x,
1216 size_t chainidx, int *al)
7da160b0
MC		 1217{
1218 const unsigned char cryptopro_ext[36] = {
1219 0xfd, 0xe8, /* 65000 */
1220 0x00, 0x20, /* 32 bytes length */
1221 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1222 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1223 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1224 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1225 };
1226
1227 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1228 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1229 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1230 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1231
1232 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
7fe97c07 1233 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
b186a592 1234 return EXT_RETURN_FAIL;
7da160b0
MC		 1235 }
1236
b186a592 1237 return EXT_RETURN_SENT;
7da160b0 1238}
0247086d 1239
b186a592
MC		 1240EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1241 unsigned int context, X509 *x,
1242 size_t chainidx, int *al)
38df5a45 1243{
fe874d27 1244 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1245 if (s->max_early_data == 0)
b186a592 1246 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1247
1248 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1249 || !WPACKET_start_sub_packet_u16(pkt)
1250 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1251 || !WPACKET_close(pkt)) {
1252 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
b186a592 1253 return EXT_RETURN_FAIL;
6594189f
MC		 1254 }
1255
b186a592 1256 return EXT_RETURN_SENT;
6594189f
MC		 1257 }
1258
38df5a45 1259 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1260 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1261
1262 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1263 || !WPACKET_start_sub_packet_u16(pkt)
1264 || !WPACKET_close(pkt)) {
1265 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
b186a592 1266 return EXT_RETURN_FAIL;
38df5a45
MC		 1267 }
1268
b186a592 1269 return EXT_RETURN_SENT;
38df5a45
MC		 1270}
1271
b186a592
MC		 1272EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1273 X509 *x, size_t chainidx, int *al)
0247086d
MC		 1274{
1275 if (!s->hit)
b186a592 1276 return EXT_RETURN_NOT_SENT;
0247086d
MC		 1277
1278 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1279 || !WPACKET_start_sub_packet_u16(pkt)
1280 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1281 || !WPACKET_close(pkt)) {
1282 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
b186a592 1283 return EXT_RETURN_FAIL;
0247086d
MC		 1284 }
1285
b186a592 1286 return EXT_RETURN_SENT;
0247086d 1287}
A mirror of the official openssl repository