]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix build issues with no-dh, no-dsa and no-ec
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e
MC		 1/*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
13
14/*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
8521ced6 17int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
f97d4c37 18 int *al)
25670f3e
MC		 19{
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
7fe97c07 26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
7fe97c07 34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
7fe97c07 42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51}
52
1266eefd
MC		 53/*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
8521ced6 76int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
f97d4c37 77 int *al)
25670f3e
MC		 78{
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
25670f3e
MC		 82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
1266eefd 92 * syntax inextensibly and OpenSSL 1.0.x parses it as
25670f3e
MC		 93 * such.
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
97 *
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
100 */
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
105 return 0;
106 }
107
108 if (!s->hit) {
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
111 return 0;
112 }
113
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
116 return 0;
117 }
118
119 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
120 *al = TLS1_AD_INTERNAL_ERROR;
121 return 0;
122 }
123
124 s->servername_done = 1;
125 } else {
126 /*
127 * TODO(openssl-team): if the SNI doesn't match, we MUST
128 * fall back to a full handshake.
129 */
130 s->servername_done = s->session->tlsext_hostname
131 && PACKET_equal(&hostname, s->session->tlsext_hostname,
132 strlen(s->session->tlsext_hostname));
133 }
134
135 return 1;
136}
137
138#ifndef OPENSSL_NO_SRP
8521ced6 139int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
25670f3e
MC		 140{
141 PACKET srp_I;
142
143 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
144 || PACKET_contains_zero_byte(&srp_I)) {
145 *al = SSL_AD_DECODE_ERROR;
146 return 0;
147 }
148
149 /*
150 * TODO(openssl-team): currently, we re-authenticate the user
151 * upon resumption. Instead, we MUST ignore the login.
152 */
153 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
154 *al = TLS1_AD_INTERNAL_ERROR;
155 return 0;
156 }
157
158 return 1;
159}
160#endif
161
162#ifndef OPENSSL_NO_EC
8521ced6 163int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
f97d4c37 164 int *al)
25670f3e
MC		 165{
166 PACKET ec_point_format_list;
167
168 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
169 || PACKET_remaining(&ec_point_format_list) == 0) {
170 *al = SSL_AD_DECODE_ERROR;
171 return 0;
172 }
173
174 if (!s->hit) {
175 if (!PACKET_memdup(&ec_point_format_list,
176 &s->session->tlsext_ecpointformatlist,
177 &s->session->tlsext_ecpointformatlist_length)) {
178 *al = TLS1_AD_INTERNAL_ERROR;
179 return 0;
180 }
181 }
182
183 return 1;
184}
185#endif /* OPENSSL_NO_EC */
186
8521ced6 187int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
f97d4c37 188 int *al)
25670f3e
MC		 189{
190 if (s->tls_session_ticket_ext_cb &&
191 !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
192 PACKET_remaining(pkt),
193 s->tls_session_ticket_ext_cb_arg)) {
194 *al = TLS1_AD_INTERNAL_ERROR;
195 return 0;
196 }
197
198 return 1;
199}
200
8521ced6
MC		 201int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
202 int *al)
25670f3e
MC		 203{
204 PACKET supported_sig_algs;
205
206 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
207 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
208 || PACKET_remaining(&supported_sig_algs) == 0) {
209 *al = SSL_AD_DECODE_ERROR;
210 return 0;
211 }
212
213 if (!s->hit && !tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
214 PACKET_remaining(&supported_sig_algs))) {
215 *al = TLS1_AD_INTERNAL_ERROR;
216 return 0;
217 }
218
219 return 1;
220}
221
ab83e314 222#ifndef OPENSSL_NO_OCSP
8521ced6 223int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
f97d4c37 224 int *al)
25670f3e 225{
1266eefd
MC		 226 PACKET responder_id_list, exts;
227
e96e0f8e
MC		 228 /* Not defined if we get one of these in a client Certificate */
229 if (x != NULL)
230 return 1;
231
25670f3e
MC		 232 if (!PACKET_get_1(pkt, (unsigned int *)&s->tlsext_status_type)) {
233 *al = SSL_AD_DECODE_ERROR;
234 return 0;
235 }
ab83e314 236
1266eefd 237 if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 238 /*
1266eefd 239 * We don't know what to do with any other type so ignore it.
25670f3e 240 */
cbb09544 241 s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 242 return 1;
243 }
25670f3e 244
1266eefd
MC		 245 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
246 *al = SSL_AD_DECODE_ERROR;
247 return 0;
248 }
25670f3e 249
1266eefd
MC		 250 /*
251 * We remove any OCSP_RESPIDs from a previous handshake
252 * to prevent unbounded memory growth - CVE-2016-6304
253 */
254 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
255 if (PACKET_remaining(&responder_id_list) > 0) {
256 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
257 if (s->tlsext_ocsp_ids == NULL) {
258 *al = SSL_AD_INTERNAL_ERROR;
259 return 0;
260 }
261 } else {
262 s->tlsext_ocsp_ids = NULL;
263 }
25670f3e 264
1266eefd
MC		 265 while (PACKET_remaining(&responder_id_list) > 0) {
266 OCSP_RESPID *id;
267 PACKET responder_id;
268 const unsigned char *id_data;
25670f3e 269
1266eefd
MC		 270 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
271 || PACKET_remaining(&responder_id) == 0) {
272 *al = SSL_AD_DECODE_ERROR;
273 return 0;
274 }
25670f3e 275
1266eefd
MC		 276 id_data = PACKET_data(&responder_id);
277 /* TODO(size_t): Convert d2i_* to size_t */
278 id = d2i_OCSP_RESPID(NULL, &id_data,
279 (int)PACKET_remaining(&responder_id));
280 if (id == NULL) {
281 *al = SSL_AD_DECODE_ERROR;
282 return 0;
25670f3e
MC		 283 }
284
1266eefd
MC		 285 if (id_data != PACKET_end(&responder_id)) {
286 OCSP_RESPID_free(id);
25670f3e
MC		 287 *al = SSL_AD_DECODE_ERROR;
288 return 0;
289 }
290
1266eefd
MC		 291 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
292 OCSP_RESPID_free(id);
293 *al = SSL_AD_INTERNAL_ERROR;
294 return 0;
295 }
296 }
297
298 /* Read in request_extensions */
299 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
300 *al = SSL_AD_DECODE_ERROR;
301 return 0;
302 }
303
304 if (PACKET_remaining(&exts) > 0) {
305 const unsigned char *ext_data = PACKET_data(&exts);
306
307 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
308 X509_EXTENSION_free);
309 s->tlsext_ocsp_exts =
310 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
311 if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) {
312 *al = SSL_AD_DECODE_ERROR;
313 return 0;
25670f3e 314 }
25670f3e
MC		 315 }
316
317 return 1;
318}
ab83e314 319#endif
25670f3e
MC		 320
321#ifndef OPENSSL_NO_NEXTPROTONEG
8521ced6 322int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
25670f3e 323{
1266eefd
MC		 324 /*
325 * We shouldn't accept this extension on a
326 * renegotiation.
327 *
328 * s->new_session will be set on renegotiation, but we
329 * probably shouldn't rely that it couldn't be set on
330 * the initial renegotiation too in certain cases (when
331 * there's some other reason to disallow resuming an
332 * earlier session -- the current code won't be doing
333 * anything like that, but this might change).
334 *
335 * A valid sign that there's been a previous handshake
336 * in this connection is if s->s3->tmp.finish_md_len >
337 * 0. (We are talking about a check that will happen
338 * in the Hello protocol round, well before a new
339 * Finished message could have been computed.)
340 */
341 if (s->s3->tmp.finish_md_len == 0)
25670f3e 342 s->s3->next_proto_neg_seen = 1;
25670f3e
MC		 343
344 return 1;
345}
346#endif
347
348/*
1266eefd
MC		 349 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
350 * extension, not including type and length. |al| is a pointer to the alert
351 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
25670f3e 352 */
8521ced6 353int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
25670f3e
MC		 354{
355 PACKET protocol_list, save_protocol_list, protocol;
356
357 if (s->s3->tmp.finish_md_len != 0)
358 return 1;
359
360 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
361 || PACKET_remaining(&protocol_list) < 2) {
362 *al = SSL_AD_DECODE_ERROR;
363 return 0;
364 }
365
366 save_protocol_list = protocol_list;
367 do {
368 /* Protocol names can't be empty. */
369 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
370 || PACKET_remaining(&protocol) == 0) {
371 *al = SSL_AD_DECODE_ERROR;
372 return 0;
373 }
374 } while (PACKET_remaining(&protocol_list) != 0);
375
376 if (!PACKET_memdup(&save_protocol_list,
377 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
378 *al = TLS1_AD_INTERNAL_ERROR;
379 return 0;
380 }
381
382 return 1;
383}
384
385#ifndef OPENSSL_NO_SRTP
8521ced6
MC		 386int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
387 int *al)
25670f3e 388{
25670f3e
MC		 389 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
390 unsigned int ct, mki_len, id;
391 int i, srtp_pref;
392 PACKET subpkt;
393
394 /* Ignore this if we have no SRTP profiles */
395 if (SSL_get_srtp_profiles(s) == NULL)
396 return 1;
397
398 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 399 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
400 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
7fe97c07 401 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 402 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
403 *al = SSL_AD_DECODE_ERROR;
404 return 0;
405 }
406
407 srvr = SSL_get_srtp_profiles(s);
408 s->srtp_profile = NULL;
409 /* Search all profiles for a match initially */
410 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
411
412 while (PACKET_remaining(&subpkt)) {
413 if (!PACKET_get_net_2(&subpkt, &id)) {
7fe97c07 414 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 415 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
416 *al = SSL_AD_DECODE_ERROR;
417 return 0;
418 }
419
420 /*
421 * Only look for match in profiles of higher preference than
422 * current match.
423 * If no profiles have been have been configured then this
424 * does nothing.
425 */
426 for (i = 0; i < srtp_pref; i++) {
d270de32 427 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 428 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
429
25670f3e
MC		 430 if (sprof->id == id) {
431 s->srtp_profile = sprof;
432 srtp_pref = i;
433 break;
434 }
435 }
436 }
437
1266eefd 438 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 439 if (!PACKET_get_1(pkt, &mki_len)) {
7fe97c07 440 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 441 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
442 *al = SSL_AD_DECODE_ERROR;
443 return 0;
444 }
445
446 if (!PACKET_forward(pkt, mki_len)
447 || PACKET_remaining(pkt)) {
7fe97c07 448 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 449 *al = SSL_AD_DECODE_ERROR;
450 return 0;
451 }
452
453 return 1;
454}
455#endif
456
8521ced6 457int tls_parse_ctos_etm(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
25670f3e
MC		 458{
459 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
460 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
461
462 return 1;
463}
464
465/*
466 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
467 * and |checkallow| is 1 then additionally check if the group is allowed to be
468 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
469 * 1) or 0 otherwise.
470 */
3cf96e88 471#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 472static int check_in_list(SSL *s, unsigned int group_id,
473 const unsigned char *groups, size_t num_groups,
474 int checkallow)
475{
476 size_t i;
477
478 if (groups == NULL || num_groups == 0)
479 return 0;
480
481 for (i = 0; i < num_groups; i++, groups += 2) {
482 unsigned int share_id = (groups[0] << 8) | (groups[1]);
483
484 if (group_id == share_id
1266eefd
MC		 485 && (!checkallow
486 || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
25670f3e
MC		 487 break;
488 }
489 }
490
491 /* If i == num_groups then not in the list */
492 return i < num_groups;
493}
3cf96e88 494#endif
25670f3e
MC		 495
496/*
497 * Process a key_share extension received in the ClientHello. |pkt| contains
498 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
499 * If a failure occurs then |*al| is set to an appropriate alert value.
500 */
8521ced6 501int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
f97d4c37 502 int *al)
25670f3e 503{
3cf96e88 504#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 505 unsigned int group_id;
506 PACKET key_share_list, encoded_pt;
507 const unsigned char *clntcurves, *srvrcurves;
508 size_t clnt_num_curves, srvr_num_curves;
509 int group_nid, found = 0;
510 unsigned int curve_flags;
511
512 if (s->hit)
513 return 1;
514
515 /* Sanity check */
516 if (s->s3->peer_tmp != NULL) {
517 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 518 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 519 return 0;
520 }
521
522 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
523 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 524 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 525 return 0;
526 }
527
528 /* Get our list of supported curves */
529 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
530 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 531 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 532 return 0;
533 }
534
24b8e4b2 535 /*
70af3d8e 536 * Get the clients list of supported curves.
24b8e4b2
MC		 537 * TODO(TLS1.3): We should validate that we actually received
538 * supported_groups!
539 */
25670f3e
MC		 540 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
541 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 542 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 543 return 0;
544 }
545
546 while (PACKET_remaining(&key_share_list) > 0) {
547 if (!PACKET_get_net_2(&key_share_list, &group_id)
548 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
549 || PACKET_remaining(&encoded_pt) == 0) {
550 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 551 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 552 SSL_R_LENGTH_MISMATCH);
553 return 0;
554 }
555
556 /*
557 * If we already found a suitable key_share we loop through the
558 * rest to verify the structure, but don't process them.
559 */
560 if (found)
561 continue;
562
563 /* Check if this share is in supported_groups sent from client */
564 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
565 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 566 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 567 return 0;
568 }
569
570 /* Check if this share is for a group we can use */
571 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
572 /* Share not suitable */
573 continue;
574 }
575
576 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
577
578 if (group_nid == 0) {
579 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 580 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 581 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
582 return 0;
583 }
584
585 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
586 /* Can happen for some curves, e.g. X25519 */
587 EVP_PKEY *key = EVP_PKEY_new();
588
589 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
590 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 591 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 592 EVP_PKEY_free(key);
593 return 0;
594 }
595 s->s3->peer_tmp = key;
596 } else {
597 /* Set up EVP_PKEY with named curve as parameters */
598 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1266eefd 599
25670f3e
MC		 600 if (pctx == NULL
601 || EVP_PKEY_paramgen_init(pctx) <= 0
602 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
603 group_nid) <= 0
604 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
605 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 606 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 607 EVP_PKEY_CTX_free(pctx);
608 return 0;
609 }
610 EVP_PKEY_CTX_free(pctx);
611 pctx = NULL;
612 }
613 s->s3->group_id = group_id;
614
615 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
616 PACKET_data(&encoded_pt),
617 PACKET_remaining(&encoded_pt))) {
618 *al = SSL_AD_DECODE_ERROR;
7fe97c07 619 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 620 return 0;
621 }
622
623 found = 1;
624 }
3cf96e88 625#endif
25670f3e
MC		 626
627 return 1;
628}
629
630#ifndef OPENSSL_NO_EC
8521ced6
MC		 631int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x,
632 size_t chainidx, int *al)
25670f3e
MC		 633{
634 PACKET supported_groups_list;
635
636 /* Each group is 2 bytes and we must have at least 1. */
637 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
638 || PACKET_remaining(&supported_groups_list) == 0
639 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
640 *al = SSL_AD_DECODE_ERROR;
641 return 0;
642 }
643
644 if (!s->hit
645 && !PACKET_memdup(&supported_groups_list,
646 &s->session->tlsext_supportedgroupslist,
647 &s->session->tlsext_supportedgroupslist_length)) {
648 *al = SSL_AD_DECODE_ERROR;
649 return 0;
650 }
651
652 return 1;
653}
654#endif
655
8521ced6 656int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
25670f3e
MC		 657{
658 /* The extension must always be empty */
659 if (PACKET_remaining(pkt) != 0) {
660 *al = SSL_AD_DECODE_ERROR;
661 return 0;
662 }
663
664 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
665
666 return 1;
667}
7da160b0 668
1266eefd
MC		 669/*
670 * Add the server's renegotiation binding
671 */
8521ced6
MC		 672int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t
673 chainidx, int *al)
7da160b0
MC		 674{
675 if (!s->s3->send_connection_binding)
676 return 1;
677
678 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
679 || !WPACKET_start_sub_packet_u16(pkt)
680 || !WPACKET_start_sub_packet_u8(pkt)
681 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
682 s->s3->previous_client_finished_len)
683 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
684 s->s3->previous_server_finished_len)
685 || !WPACKET_close(pkt)
686 || !WPACKET_close(pkt)) {
7fe97c07 687 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 688 return 0;
689 }
690
691 return 1;
692}
693
8521ced6
MC		 694int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x,
695 size_t chainidx, int *al)
7da160b0
MC		 696{
697 if (s->hit || s->servername_done != 1
698 || s->session->tlsext_hostname == NULL)
699 return 1;
700
701 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
702 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 703 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 704 return 0;
705 }
706
707 return 1;
708}
709
710#ifndef OPENSSL_NO_EC
30aeba43 711int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
8521ced6 712 size_t chainidx, int *al)
7da160b0
MC		 713{
714 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
715 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
89247375
MC		 716 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
717 && (s->session->tlsext_ecpointformatlist != NULL);
7da160b0
MC		 718 const unsigned char *plist;
719 size_t plistlen;
720
721 if (!using_ecc)
722 return 1;
723
724 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 725 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
726 || !WPACKET_start_sub_packet_u16(pkt)
727 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
728 || !WPACKET_close(pkt)) {
7fe97c07 729 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 730 return 0;
731 }
732
733 return 1;
734}
735#endif
736
30aeba43 737int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
8521ced6 738 size_t chainidx, int *al)
7da160b0
MC		 739{
740 if (!s->tlsext_ticket_expected || !tls_use_ticket(s)) {
741 s->tlsext_ticket_expected = 0;
742 return 1;
743 }
744
745 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
746 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 747 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 748 return 0;
749 }
750
751 return 1;
752}
753
ab83e314 754#ifndef OPENSSL_NO_OCSP
30aeba43 755int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
8521ced6 756 size_t chainidx, int *al)
7da160b0
MC		 757{
758 if (!s->tlsext_status_expected)
759 return 1;
760
8521ced6 761 if (SSL_IS_TLS13(s) && chainidx != 0)
e96e0f8e
MC		 762 return 1;
763
7da160b0 764 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288
MC		 765 || !WPACKET_start_sub_packet_u16(pkt)) {
766 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
767 return 0;
768 }
769
770 /*
771 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
772 * send back an empty extension, with the certificate status appearing as a
773 * separate message
774 */
775 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
776 || !WPACKET_close(pkt)) {
7fe97c07 777 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 778 return 0;
779 }
780
781 return 1;
782}
ab83e314 783#endif
7da160b0 784
7da160b0 785#ifndef OPENSSL_NO_NEXTPROTONEG
30aeba43 786int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
8521ced6 787 size_t chainidx, int *al)
7da160b0
MC		 788{
789 const unsigned char *npa;
790 unsigned int npalen;
791 int ret;
792 int next_proto_neg_seen = s->s3->next_proto_neg_seen;
793
794 s->s3->next_proto_neg_seen = 0;
795 if (!next_proto_neg_seen || s->ctx->next_protos_advertised_cb == NULL)
796 return 1;
797
798 ret = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
799 s->ctx->next_protos_advertised_cb_arg);
800 if (ret == SSL_TLSEXT_ERR_OK) {
801 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
802 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
7fe97c07 803 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
7da160b0
MC		 804 ERR_R_INTERNAL_ERROR);
805 return 0;
806 }
807 s->s3->next_proto_neg_seen = 1;
808 }
809
810 return 1;
811}
812#endif
813
8521ced6 814int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
30aeba43 815 int *al)
7da160b0
MC		 816{
817 if (s->s3->alpn_selected == NULL)
818 return 1;
819
820 if (!WPACKET_put_bytes_u16(pkt,
821 TLSEXT_TYPE_application_layer_protocol_negotiation)
822 || !WPACKET_start_sub_packet_u16(pkt)
823 || !WPACKET_start_sub_packet_u16(pkt)
824 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
825 s->s3->alpn_selected_len)
826 || !WPACKET_close(pkt)
827 || !WPACKET_close(pkt)) {
7fe97c07 828 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 829 return 0;
830 }
831
832 return 1;
833}
834
835#ifndef OPENSSL_NO_SRTP
8521ced6 836int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
30aeba43 837 int *al)
7da160b0
MC		 838{
839 if (s->srtp_profile == NULL)
840 return 1;
a1448c26 841
7da160b0
MC		 842 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
843 || !WPACKET_start_sub_packet_u16(pkt)
844 || !WPACKET_put_bytes_u16(pkt, 2)
845 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
846 || !WPACKET_put_bytes_u8(pkt, 0)
847 || !WPACKET_close(pkt)) {
7fe97c07 848 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 849 return 0;
850 }
851
852 return 1;
853}
854#endif
855
8521ced6
MC		 856int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
857 int *al)
7da160b0
MC		 858{
859 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
860 return 1;
861
862 /*
863 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
864 * for other cases too.
865 */
866 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
867 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
868 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
869 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
870 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
871 return 1;
872 }
873
874 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
875 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 876 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 877 return 0;
878 }
879
880 return 1;
881}
882
8521ced6
MC		 883int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
884 int *al)
7da160b0
MC		 885{
886 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
887 return 1;
888
889 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
890 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 891 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 892 return 0;
893 }
894
895 return 1;
896}
897
8521ced6 898int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
30aeba43 899 int *al)
7da160b0 900{
3cf96e88 901#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 902 unsigned char *encodedPoint;
903 size_t encoded_pt_len = 0;
904 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
905
906 if (s->hit)
907 return 1;
908
909 if (ckey == NULL) {
7fe97c07 910 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 911 return 0;
912 }
913
914 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
915 || !WPACKET_start_sub_packet_u16(pkt)
916 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
7fe97c07 917 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 918 return 0;
919 }
920
921 skey = ssl_generate_pkey(ckey);
922 if (skey == NULL) {
7fe97c07 923 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
7da160b0
MC		 924 return 0;
925 }
926
927 /* Generate encoding of server key */
928 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
929 if (encoded_pt_len == 0) {
7fe97c07 930 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
7da160b0
MC		 931 EVP_PKEY_free(skey);
932 return 0;
933 }
934
935 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
936 || !WPACKET_close(pkt)) {
7fe97c07 937 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 938 EVP_PKEY_free(skey);
939 OPENSSL_free(encodedPoint);
940 return 0;
941 }
942 OPENSSL_free(encodedPoint);
943
944 /* This causes the crypto state to be updated based on the derived keys */
945 s->s3->tmp.pkey = skey;
946 if (ssl_derive(s, skey, ckey, 1) == 0) {
7fe97c07 947 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 948 return 0;
949 }
3cf96e88 950#endif
7da160b0
MC		 951
952 return 1;
953}
954
30aeba43 955int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, X509 *x,
8521ced6 956 size_t chainidx, int *al)
7da160b0
MC		 957{
958 const unsigned char cryptopro_ext[36] = {
959 0xfd, 0xe8, /* 65000 */
960 0x00, 0x20, /* 32 bytes length */
961 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
962 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
963 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
964 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
965 };
966
967 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
968 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
969 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
970 return 1;
971
972 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
7fe97c07 973 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 974 return 0;
975 }
976
977 return 1;
978}
A mirror of the official openssl repository