]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
RSA_padding_check_PKCS1_type_2 is not constant time.
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
b186a592 2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
25670f3e
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
13
14/*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
61138358
MC		 17int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 19{
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
7fe97c07 26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e 27 SSL_R_RENEGOTIATION_ENCODING_ERR);
fb34a0f4 28 *al = SSL_AD_DECODE_ERROR;
25670f3e
MC		 29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
7fe97c07 34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
7fe97c07 42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51}
52
1266eefd
MC		 53/*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
61138358
MC		 76int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 78{
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
25670f3e
MC		 82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
1266eefd 92 * syntax inextensibly and OpenSSL 1.0.x parses it as
25670f3e
MC		 93 * such.
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
97 *
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
100 */
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
105 return 0;
106 }
107
108 if (!s->hit) {
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
111 return 0;
112 }
113
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
116 return 0;
117 }
118
7d061fce
MC		 119 OPENSSL_free(s->session->ext.hostname);
120 s->session->ext.hostname = NULL;
aff8c126 121 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
25670f3e
MC		 122 *al = TLS1_AD_INTERNAL_ERROR;
123 return 0;
124 }
125
126 s->servername_done = 1;
127 } else {
128 /*
129 * TODO(openssl-team): if the SNI doesn't match, we MUST
130 * fall back to a full handshake.
131 */
aff8c126
RS		 132 s->servername_done = s->session->ext.hostname
133 && PACKET_equal(&hostname, s->session->ext.hostname,
134 strlen(s->session->ext.hostname));
25670f3e
MC		 135 }
136
137 return 1;
138}
139
140#ifndef OPENSSL_NO_SRP
61138358
MC		 141int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
142 size_t chainidx, int *al)
25670f3e
MC		 143{
144 PACKET srp_I;
145
146 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
147 || PACKET_contains_zero_byte(&srp_I)) {
148 *al = SSL_AD_DECODE_ERROR;
149 return 0;
150 }
151
152 /*
153 * TODO(openssl-team): currently, we re-authenticate the user
154 * upon resumption. Instead, we MUST ignore the login.
155 */
156 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
fb34a0f4 157 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 158 return 0;
159 }
160
161 return 1;
162}
163#endif
164
165#ifndef OPENSSL_NO_EC
61138358
MC		 166int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
167 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 168{
169 PACKET ec_point_format_list;
170
171 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
172 || PACKET_remaining(&ec_point_format_list) == 0) {
173 *al = SSL_AD_DECODE_ERROR;
174 return 0;
175 }
176
177 if (!s->hit) {
178 if (!PACKET_memdup(&ec_point_format_list,
aff8c126
RS		 179 &s->session->ext.ecpointformats,
180 &s->session->ext.ecpointformats_len)) {
fb34a0f4 181 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 182 return 0;
183 }
184 }
185
186 return 1;
187}
188#endif /* OPENSSL_NO_EC */
189
61138358
MC		 190int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
191 X509 *x, size_t chainidx, int *al)
25670f3e 192{
aff8c126
RS		 193 if (s->ext.session_ticket_cb &&
194 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
195 PACKET_remaining(pkt),
196 s->ext.session_ticket_cb_arg)) {
fb34a0f4 197 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 198 return 0;
199 }
200
201 return 1;
202}
203
61138358
MC		 204int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
205 size_t chainidx, int *al)
25670f3e
MC		 206{
207 PACKET supported_sig_algs;
208
209 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e
MC		 210 || PACKET_remaining(&supported_sig_algs) == 0) {
211 *al = SSL_AD_DECODE_ERROR;
212 return 0;
213 }
214
703bcee0 215 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
fb34a0f4 216 *al = SSL_AD_DECODE_ERROR;
25670f3e
MC		 217 return 0;
218 }
219
220 return 1;
221}
222
ab83e314 223#ifndef OPENSSL_NO_OCSP
61138358
MC		 224int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
225 X509 *x, size_t chainidx, int *al)
25670f3e 226{
1266eefd
MC		 227 PACKET responder_id_list, exts;
228
e96e0f8e
MC		 229 /* Not defined if we get one of these in a client Certificate */
230 if (x != NULL)
231 return 1;
232
aff8c126 233 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
25670f3e
MC		 234 *al = SSL_AD_DECODE_ERROR;
235 return 0;
236 }
ab83e314 237
aff8c126 238 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 239 /*
1266eefd 240 * We don't know what to do with any other type so ignore it.
25670f3e 241 */
aff8c126 242 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 243 return 1;
244 }
25670f3e 245
1266eefd
MC		 246 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
247 *al = SSL_AD_DECODE_ERROR;
248 return 0;
249 }
25670f3e 250
1266eefd
MC		 251 /*
252 * We remove any OCSP_RESPIDs from a previous handshake
253 * to prevent unbounded memory growth - CVE-2016-6304
254 */
aff8c126 255 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 256 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 257 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
258 if (s->ext.ocsp.ids == NULL) {
1266eefd
MC		 259 *al = SSL_AD_INTERNAL_ERROR;
260 return 0;
261 }
262 } else {
aff8c126 263 s->ext.ocsp.ids = NULL;
1266eefd 264 }
25670f3e 265
1266eefd
MC		 266 while (PACKET_remaining(&responder_id_list) > 0) {
267 OCSP_RESPID *id;
268 PACKET responder_id;
269 const unsigned char *id_data;
25670f3e 270
1266eefd
MC		 271 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
272 || PACKET_remaining(&responder_id) == 0) {
273 *al = SSL_AD_DECODE_ERROR;
274 return 0;
275 }
25670f3e 276
1266eefd
MC		 277 id_data = PACKET_data(&responder_id);
278 /* TODO(size_t): Convert d2i_* to size_t */
279 id = d2i_OCSP_RESPID(NULL, &id_data,
280 (int)PACKET_remaining(&responder_id));
281 if (id == NULL) {
282 *al = SSL_AD_DECODE_ERROR;
283 return 0;
25670f3e
MC		 284 }
285
1266eefd
MC		 286 if (id_data != PACKET_end(&responder_id)) {
287 OCSP_RESPID_free(id);
25670f3e
MC		 288 *al = SSL_AD_DECODE_ERROR;
289 return 0;
290 }
291
aff8c126 292 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd
MC		 293 OCSP_RESPID_free(id);
294 *al = SSL_AD_INTERNAL_ERROR;
295 return 0;
296 }
297 }
298
299 /* Read in request_extensions */
300 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
301 *al = SSL_AD_DECODE_ERROR;
302 return 0;
303 }
304
305 if (PACKET_remaining(&exts) > 0) {
306 const unsigned char *ext_data = PACKET_data(&exts);
307
aff8c126 308 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 309 X509_EXTENSION_free);
aff8c126 310 s->ext.ocsp.exts =
1266eefd 311 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 312 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
1266eefd
MC		 313 *al = SSL_AD_DECODE_ERROR;
314 return 0;
25670f3e 315 }
25670f3e
MC		 316 }
317
318 return 1;
319}
ab83e314 320#endif
25670f3e
MC		 321
322#ifndef OPENSSL_NO_NEXTPROTONEG
61138358
MC		 323int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
324 size_t chainidx, int *al)
25670f3e 325{
1266eefd
MC		 326 /*
327 * We shouldn't accept this extension on a
328 * renegotiation.
1266eefd 329 */
c7f47786 330 if (SSL_IS_FIRST_HANDSHAKE(s))
aff8c126 331 s->s3->npn_seen = 1;
25670f3e
MC		 332
333 return 1;
334}
335#endif
336
337/*
1266eefd
MC		 338 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
339 * extension, not including type and length. |al| is a pointer to the alert
340 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
25670f3e 341 */
61138358
MC		 342int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
343 size_t chainidx, int *al)
25670f3e
MC		 344{
345 PACKET protocol_list, save_protocol_list, protocol;
346
c7f47786 347 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 348 return 1;
349
350 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
351 || PACKET_remaining(&protocol_list) < 2) {
352 *al = SSL_AD_DECODE_ERROR;
353 return 0;
354 }
355
356 save_protocol_list = protocol_list;
357 do {
358 /* Protocol names can't be empty. */
359 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
360 || PACKET_remaining(&protocol) == 0) {
361 *al = SSL_AD_DECODE_ERROR;
362 return 0;
363 }
364 } while (PACKET_remaining(&protocol_list) != 0);
365
7d061fce
MC		 366 OPENSSL_free(s->s3->alpn_proposed);
367 s->s3->alpn_proposed = NULL;
368 s->s3->alpn_proposed_len = 0;
25670f3e
MC		 369 if (!PACKET_memdup(&save_protocol_list,
370 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
fb34a0f4 371 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 372 return 0;
373 }
374
375 return 1;
376}
377
378#ifndef OPENSSL_NO_SRTP
61138358
MC		 379int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
380 size_t chainidx, int *al)
25670f3e 381{
25670f3e
MC		 382 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
383 unsigned int ct, mki_len, id;
384 int i, srtp_pref;
385 PACKET subpkt;
386
387 /* Ignore this if we have no SRTP profiles */
388 if (SSL_get_srtp_profiles(s) == NULL)
389 return 1;
390
391 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 392 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
393 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
7fe97c07 394 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 395 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
396 *al = SSL_AD_DECODE_ERROR;
397 return 0;
398 }
399
400 srvr = SSL_get_srtp_profiles(s);
401 s->srtp_profile = NULL;
402 /* Search all profiles for a match initially */
403 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
404
405 while (PACKET_remaining(&subpkt)) {
406 if (!PACKET_get_net_2(&subpkt, &id)) {
7fe97c07 407 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 408 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
409 *al = SSL_AD_DECODE_ERROR;
410 return 0;
411 }
412
413 /*
414 * Only look for match in profiles of higher preference than
415 * current match.
416 * If no profiles have been have been configured then this
417 * does nothing.
418 */
419 for (i = 0; i < srtp_pref; i++) {
d270de32 420 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 421 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
422
25670f3e
MC		 423 if (sprof->id == id) {
424 s->srtp_profile = sprof;
425 srtp_pref = i;
426 break;
427 }
428 }
429 }
430
1266eefd 431 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 432 if (!PACKET_get_1(pkt, &mki_len)) {
7fe97c07 433 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 434 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
435 *al = SSL_AD_DECODE_ERROR;
436 return 0;
437 }
438
439 if (!PACKET_forward(pkt, mki_len)
440 || PACKET_remaining(pkt)) {
7fe97c07 441 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 442 *al = SSL_AD_DECODE_ERROR;
443 return 0;
444 }
445
446 return 1;
447}
448#endif
449
61138358
MC		 450int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
451 size_t chainidx, int *al)
25670f3e
MC		 452{
453 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 454 s->ext.use_etm = 1;
25670f3e
MC		 455
456 return 1;
457}
458
b2f7e8c0
MC		 459/*
460 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
461 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
462 * If a failure occurs then |*al| is set to an appropriate alert value.
463 */
61138358
MC		 464int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
465 X509 *x, size_t chainidx, int *al)
b2f7e8c0
MC		 466{
467#ifndef OPENSSL_NO_TLS1_3
468 PACKET psk_kex_modes;
469 unsigned int mode;
470
471 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
472 || PACKET_remaining(&psk_kex_modes) == 0) {
473 *al = SSL_AD_DECODE_ERROR;
474 return 0;
475 }
476
477 while (PACKET_get_1(&psk_kex_modes, &mode)) {
478 if (mode == TLSEXT_KEX_MODE_KE_DHE)
479 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
e3c0d76b
MC		 480 else if (mode == TLSEXT_KEX_MODE_KE
481 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
b2f7e8c0
MC		 482 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
483 }
484#endif
485
486 return 1;
487}
488
25670f3e
MC		 489/*
490 * Process a key_share extension received in the ClientHello. |pkt| contains
491 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
492 * If a failure occurs then |*al| is set to an appropriate alert value.
493 */
61138358
MC		 494int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
495 size_t chainidx, int *al)
25670f3e 496{
3cf96e88 497#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 498 unsigned int group_id;
499 PACKET key_share_list, encoded_pt;
500 const unsigned char *clntcurves, *srvrcurves;
501 size_t clnt_num_curves, srvr_num_curves;
502 int group_nid, found = 0;
503 unsigned int curve_flags;
504
f4bbb37c 505 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 506 return 1;
507
508 /* Sanity check */
509 if (s->s3->peer_tmp != NULL) {
510 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 511 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 512 return 0;
513 }
514
515 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
721586ea 516 *al = SSL_AD_DECODE_ERROR;
7fe97c07 517 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 518 return 0;
519 }
520
521 /* Get our list of supported curves */
522 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
523 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 524 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 525 return 0;
526 }
527
b6fdc12d 528 /* Get the clients list of supported curves. */
25670f3e
MC		 529 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
530 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 531 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 532 return 0;
533 }
b6fdc12d
MC		 534 if (clnt_num_curves == 0) {
535 /*
536 * This can only happen if the supported_groups extension was not sent,
537 * because we verify that the length is non-zero when we process that
538 * extension.
539 */
540 *al = SSL_AD_MISSING_EXTENSION;
541 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
542 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
543 return 0;
544 }
25670f3e
MC		 545
546 while (PACKET_remaining(&key_share_list) > 0) {
547 if (!PACKET_get_net_2(&key_share_list, &group_id)
548 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
549 || PACKET_remaining(&encoded_pt) == 0) {
721586ea 550 *al = SSL_AD_DECODE_ERROR;
7fe97c07 551 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 552 SSL_R_LENGTH_MISMATCH);
553 return 0;
554 }
555
556 /*
557 * If we already found a suitable key_share we loop through the
558 * rest to verify the structure, but don't process them.
559 */
560 if (found)
561 continue;
562
563 /* Check if this share is in supported_groups sent from client */
564 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
721586ea 565 *al = SSL_AD_ILLEGAL_PARAMETER;
7fe97c07 566 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 567 return 0;
568 }
569
570 /* Check if this share is for a group we can use */
571 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
572 /* Share not suitable */
573 continue;
574 }
575
576 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
577
578 if (group_nid == 0) {
579 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 580 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 581 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
582 return 0;
583 }
584
585 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
586 /* Can happen for some curves, e.g. X25519 */
587 EVP_PKEY *key = EVP_PKEY_new();
588
589 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
590 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 591 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 592 EVP_PKEY_free(key);
593 return 0;
594 }
595 s->s3->peer_tmp = key;
596 } else {
597 /* Set up EVP_PKEY with named curve as parameters */
598 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1266eefd 599
25670f3e
MC		 600 if (pctx == NULL
601 || EVP_PKEY_paramgen_init(pctx) <= 0
602 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
603 group_nid) <= 0
604 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
605 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 606 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 607 EVP_PKEY_CTX_free(pctx);
608 return 0;
609 }
610 EVP_PKEY_CTX_free(pctx);
611 pctx = NULL;
612 }
613 s->s3->group_id = group_id;
614
615 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
616 PACKET_data(&encoded_pt),
617 PACKET_remaining(&encoded_pt))) {
fb34a0f4 618 *al = SSL_AD_ILLEGAL_PARAMETER;
7fe97c07 619 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 620 return 0;
621 }
622
623 found = 1;
624 }
3cf96e88 625#endif
25670f3e
MC		 626
627 return 1;
628}
629
630#ifndef OPENSSL_NO_EC
61138358
MC		 631int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
632 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 633{
634 PACKET supported_groups_list;
635
636 /* Each group is 2 bytes and we must have at least 1. */
637 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
638 || PACKET_remaining(&supported_groups_list) == 0
639 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
640 *al = SSL_AD_DECODE_ERROR;
641 return 0;
642 }
643
7d061fce
MC		 644 OPENSSL_free(s->session->ext.supportedgroups);
645 s->session->ext.supportedgroups = NULL;
646 s->session->ext.supportedgroups_len = 0;
1053a6e2
MC		 647 if (!PACKET_memdup(&supported_groups_list,
648 &s->session->ext.supportedgroups,
649 &s->session->ext.supportedgroups_len)) {
fb34a0f4 650 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 651 return 0;
652 }
653
654 return 1;
655}
656#endif
657
61138358
MC		 658int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
659 size_t chainidx, int *al)
25670f3e
MC		 660{
661 /* The extension must always be empty */
662 if (PACKET_remaining(pkt) != 0) {
663 *al = SSL_AD_DECODE_ERROR;
664 return 0;
665 }
666
667 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
668
669 return 1;
670}
7da160b0 671
38df5a45
MC		 672
673int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
674 X509 *x, size_t chainidx, int *al)
675{
676 if (PACKET_remaining(pkt) != 0) {
677 *al = SSL_AD_DECODE_ERROR;
678 return 0;
679 }
680
681 return 1;
682}
683
61138358
MC		 684int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
685 size_t chainidx, int *al)
1053a6e2
MC		 686{
687 PACKET identities, binders, binder;
688 size_t binderoffset, hashsize;
689 SSL_SESSION *sess = NULL;
3a7c56b2 690 unsigned int id, i, ext = 0;
1053a6e2
MC		 691 const EVP_MD *md = NULL;
692
1a9f457c
MC		 693 /*
694 * If we have no PSK kex mode that we recognise then we can't resume so
695 * ignore this extension
696 */
697 if ((s->ext.psk_kex_mode
698 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
699 return 1;
700
1053a6e2
MC		 701 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
702 *al = SSL_AD_DECODE_ERROR;
703 return 0;
704 }
705
706 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
707 PACKET identity;
2c604cb9 708 unsigned long ticket_agel;
1053a6e2
MC		 709
710 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 711 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1053a6e2
MC		 712 *al = SSL_AD_DECODE_ERROR;
713 return 0;
714 }
715
3a7c56b2 716 if (s->psk_find_session_cb != NULL
011d768a
MC		 717 && !s->psk_find_session_cb(s, PACKET_data(&identity),
718 PACKET_remaining(&identity),
719 &sess)) {
720 *al = SSL_AD_INTERNAL_ERROR;
721 return 0;
722 }
723
724 if (sess != NULL) {
725 /* We found a PSK */
3a7c56b2 726 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1b8bacff 727
3a7c56b2
MC		 728 if (sesstmp == NULL) {
729 *al = SSL_AD_INTERNAL_ERROR;
730 return 0;
731 }
732 SSL_SESSION_free(sess);
733 sess = sesstmp;
734
735 /*
736 * We've just been told to use this session for this context so
737 * make sure the sid_ctx matches up.
738 */
739 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
740 sess->sid_ctx_length = s->sid_ctx_length;
741 ext = 1;
742 } else {
743 uint32_t ticket_age = 0, now, agesec, agems;
744 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
745 PACKET_remaining(&identity), NULL, 0,
746 &sess);
747
748 if (ret == TICKET_FATAL_ERR_MALLOC
749 || ret == TICKET_FATAL_ERR_OTHER) {
750 *al = SSL_AD_INTERNAL_ERROR;
751 return 0;
752 }
753 if (ret == TICKET_NO_DECRYPT)
754 continue;
755
756 ticket_age = (uint32_t)ticket_agel;
757 now = (uint32_t)time(NULL);
758 agesec = now - (uint32_t)sess->time;
759 agems = agesec * (uint32_t)1000;
760 ticket_age -= sess->ext.tick_age_add;
761
762 /*
763 * For simplicity we do our age calculations in seconds. If the
764 * client does it in ms then it could appear that their ticket age
765 * is longer than ours (our ticket age calculation should always be
766 * slightly longer than the client's due to the network latency).
767 * Therefore we add 1000ms to our age calculation to adjust for
768 * rounding errors.
769 */
770 if (sess->timeout >= (long)agesec
771 && agems / (uint32_t)1000 == agesec
772 && ticket_age <= agems + 1000
773 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
774 /*
775 * Ticket age is within tolerance and not expired. We allow it
776 * for early data
777 */
778 s->ext.early_data_ok = 1;
779 }
1053a6e2 780 }
1053a6e2 781
534a43ff 782 md = ssl_md(sess->cipher->algorithm2);
0de6d66d
MC		 783 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
784 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 785 SSL_SESSION_free(sess);
786 sess = NULL;
787 continue;
788 }
1053a6e2
MC		 789 break;
790 }
791
792 if (sess == NULL)
793 return 1;
794
795 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1053a6e2
MC		 796 hashsize = EVP_MD_size(md);
797
798 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
799 *al = SSL_AD_DECODE_ERROR;
800 goto err;
801 }
802
803 for (i = 0; i <= id; i++) {
804 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
805 *al = SSL_AD_DECODE_ERROR;
806 goto err;
807 }
808 }
809
810 if (PACKET_remaining(&binder) != hashsize
811 || tls_psk_do_binder(s, md,
812 (const unsigned char *)s->init_buf->data,
813 binderoffset, PACKET_data(&binder), NULL,
3a7c56b2 814 sess, 0, ext) != 1) {
1053a6e2
MC		 815 *al = SSL_AD_DECODE_ERROR;
816 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
817 goto err;
818 }
819
820 sess->ext.tick_identity = id;
2c604cb9 821
1053a6e2
MC		 822 SSL_SESSION_free(s->session);
823 s->session = sess;
1053a6e2
MC		 824 return 1;
825err:
312e9387 826 SSL_SESSION_free(sess);
1053a6e2
MC		 827 return 0;
828}
829
1266eefd
MC		 830/*
831 * Add the server's renegotiation binding
832 */
b186a592
MC		 833EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
834 unsigned int context, X509 *x,
835 size_t chainidx, int *al)
7da160b0
MC		 836{
837 if (!s->s3->send_connection_binding)
b186a592 838 return EXT_RETURN_NOT_SENT;
7da160b0 839
db0f35dd 840 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 841 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
842 || !WPACKET_start_sub_packet_u16(pkt)
843 || !WPACKET_start_sub_packet_u8(pkt)
844 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
845 s->s3->previous_client_finished_len)
846 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
847 s->s3->previous_server_finished_len)
848 || !WPACKET_close(pkt)
849 || !WPACKET_close(pkt)) {
7fe97c07 850 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
b186a592 851 return EXT_RETURN_FAIL;
7da160b0
MC		 852 }
853
b186a592 854 return EXT_RETURN_SENT;
7da160b0
MC		 855}
856
b186a592
MC		 857EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
858 unsigned int context, X509 *x,
859 size_t chainidx, int *al)
7da160b0
MC		 860{
861 if (s->hit || s->servername_done != 1
aff8c126 862 || s->session->ext.hostname == NULL)
b186a592 863 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 864
865 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
866 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 867 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
b186a592 868 return EXT_RETURN_FAIL;
7da160b0
MC		 869 }
870
b186a592 871 return EXT_RETURN_SENT;
7da160b0
MC		 872}
873
874#ifndef OPENSSL_NO_EC
b186a592
MC		 875EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
876 unsigned int context, X509 *x,
877 size_t chainidx, int *al)
7da160b0
MC		 878{
879 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
880 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
89247375 881 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
aff8c126 882 && (s->session->ext.ecpointformats != NULL);
7da160b0
MC		 883 const unsigned char *plist;
884 size_t plistlen;
885
886 if (!using_ecc)
b186a592 887 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 888
889 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 890 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
891 || !WPACKET_start_sub_packet_u16(pkt)
892 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
893 || !WPACKET_close(pkt)) {
7fe97c07 894 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
b186a592 895 return EXT_RETURN_FAIL;
7da160b0
MC		 896 }
897
b186a592 898 return EXT_RETURN_SENT;
7da160b0
MC		 899}
900#endif
901
cf53cbea 902#ifndef OPENSSL_NO_EC
b186a592
MC		 903EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
904 unsigned int context, X509 *x,
905 size_t chainidx, int *al)
6af87546
MC		 906{
907 const unsigned char *groups;
908 size_t numgroups, i, first = 1;
909
910 /* s->s3->group_id is non zero if we accepted a key_share */
911 if (s->s3->group_id == 0)
b186a592 912 return EXT_RETURN_NOT_SENT;
6af87546
MC		 913
914 /* Get our list of supported groups */
915 if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
916 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
b186a592 917 return EXT_RETURN_FAIL;
6af87546
MC		 918 }
919
920 /* Copy group ID if supported */
921 for (i = 0; i < numgroups; i++, groups += 2) {
922 if (tls_curve_allowed(s, groups, SSL_SECOP_CURVE_SUPPORTED)) {
923 if (first) {
924 /*
925 * Check if the client is already using our preferred group. If
926 * so we don't need to add this extension
927 */
928 if (s->s3->group_id == GET_GROUP_ID(groups, 0))
b186a592 929 return EXT_RETURN_NOT_SENT;
6af87546
MC		 930
931 /* Add extension header */
932 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
933 /* Sub-packet for supported_groups extension */
934 || !WPACKET_start_sub_packet_u16(pkt)
935 || !WPACKET_start_sub_packet_u16(pkt)) {
936 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
937 ERR_R_INTERNAL_ERROR);
b186a592 938 return EXT_RETURN_FAIL;
6af87546
MC		 939 }
940
941 first = 0;
942 }
12635aa0 943 if (!WPACKET_put_bytes_u16(pkt, GET_GROUP_ID(groups, 0))) {
6af87546
MC		 944 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
945 ERR_R_INTERNAL_ERROR);
b186a592 946 return EXT_RETURN_FAIL;
6af87546
MC		 947 }
948 }
949 }
950
951 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
952 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
b186a592 953 return EXT_RETURN_FAIL;
6af87546
MC		 954 }
955
b186a592 956 return EXT_RETURN_SENT;
6af87546 957}
cf53cbea 958#endif
6af87546 959
b186a592
MC		 960EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
961 unsigned int context, X509 *x,
962 size_t chainidx, int *al)
7da160b0 963{
aff8c126
RS		 964 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
965 s->ext.ticket_expected = 0;
b186a592 966 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 967 }
968
969 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
970 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 971 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
b186a592 972 return EXT_RETURN_FAIL;
7da160b0
MC		 973 }
974
b186a592 975 return EXT_RETURN_SENT;
7da160b0
MC		 976}
977
ab83e314 978#ifndef OPENSSL_NO_OCSP
b186a592
MC		 979EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
980 unsigned int context, X509 *x,
981 size_t chainidx, int *al)
7da160b0 982{
aff8c126 983 if (!s->ext.status_expected)
b186a592 984 return EXT_RETURN_NOT_SENT;
7da160b0 985
8521ced6 986 if (SSL_IS_TLS13(s) && chainidx != 0)
b186a592 987 return EXT_RETURN_NOT_SENT;
e96e0f8e 988
7da160b0 989 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288
MC		 990 || !WPACKET_start_sub_packet_u16(pkt)) {
991 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 992 return EXT_RETURN_FAIL;
f63e4288
MC		 993 }
994
995 /*
996 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
997 * send back an empty extension, with the certificate status appearing as a
998 * separate message
999 */
1000 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
1001 || !WPACKET_close(pkt)) {
7fe97c07 1002 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 1003 return EXT_RETURN_FAIL;
7da160b0
MC		 1004 }
1005
b186a592 1006 return EXT_RETURN_SENT;
7da160b0 1007}
ab83e314 1008#endif
7da160b0 1009
7da160b0 1010#ifndef OPENSSL_NO_NEXTPROTONEG
b186a592
MC		 1011EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1012 unsigned int context, X509 *x,
1013 size_t chainidx, int *al)
7da160b0
MC		 1014{
1015 const unsigned char *npa;
1016 unsigned int npalen;
1017 int ret;
aff8c126 1018 int npn_seen = s->s3->npn_seen;
7da160b0 1019
aff8c126
RS		 1020 s->s3->npn_seen = 0;
1021 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
b186a592 1022 return EXT_RETURN_NOT_SENT;
7da160b0 1023
aff8c126
RS		 1024 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1025 s->ctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1026 if (ret == SSL_TLSEXT_ERR_OK) {
1027 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1028 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
7fe97c07 1029 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
7da160b0 1030 ERR_R_INTERNAL_ERROR);
b186a592 1031 return EXT_RETURN_FAIL;
7da160b0 1032 }
aff8c126 1033 s->s3->npn_seen = 1;
7da160b0
MC		 1034 }
1035
b186a592 1036 return EXT_RETURN_SENT;
7da160b0
MC		 1037}
1038#endif
1039
b186a592
MC		 1040EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1041 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 1042{
1043 if (s->s3->alpn_selected == NULL)
b186a592 1044 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1045
1046 if (!WPACKET_put_bytes_u16(pkt,
1047 TLSEXT_TYPE_application_layer_protocol_negotiation)
1048 || !WPACKET_start_sub_packet_u16(pkt)
1049 || !WPACKET_start_sub_packet_u16(pkt)
1050 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1051 s->s3->alpn_selected_len)
1052 || !WPACKET_close(pkt)
1053 || !WPACKET_close(pkt)) {
7fe97c07 1054 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
b186a592 1055 return EXT_RETURN_FAIL;
7da160b0
MC		 1056 }
1057
b186a592 1058 return EXT_RETURN_SENT;
7da160b0
MC		 1059}
1060
1061#ifndef OPENSSL_NO_SRTP
b186a592
MC		 1062EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1063 unsigned int context, X509 *x,
1064 size_t chainidx, int *al)
7da160b0
MC		 1065{
1066 if (s->srtp_profile == NULL)
b186a592 1067 return EXT_RETURN_NOT_SENT;
a1448c26 1068
7da160b0
MC		 1069 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1070 || !WPACKET_start_sub_packet_u16(pkt)
1071 || !WPACKET_put_bytes_u16(pkt, 2)
1072 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1073 || !WPACKET_put_bytes_u8(pkt, 0)
1074 || !WPACKET_close(pkt)) {
7fe97c07 1075 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
b186a592 1076 return EXT_RETURN_FAIL;
7da160b0
MC		 1077 }
1078
b186a592 1079 return EXT_RETURN_SENT;
7da160b0
MC		 1080}
1081#endif
1082
b186a592
MC		 1083EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1084 X509 *x, size_t chainidx, int *al)
7da160b0 1085{
28a31a0a 1086 if (!s->ext.use_etm)
b186a592 1087 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1088
1089 /*
1090 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1091 * for other cases too.
1092 */
1093 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1094 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1095 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1096 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
28a31a0a 1097 s->ext.use_etm = 0;
b186a592 1098 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1099 }
1100
1101 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1102 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 1103 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
b186a592 1104 return EXT_RETURN_FAIL;
7da160b0
MC		 1105 }
1106
b186a592 1107 return EXT_RETURN_SENT;
7da160b0
MC		 1108}
1109
b186a592
MC		 1110EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1111 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 1112{
1113 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1114 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1115
1116 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1117 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 1118 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
b186a592 1119 return EXT_RETURN_FAIL;
7da160b0
MC		 1120 }
1121
b186a592 1122 return EXT_RETURN_SENT;
7da160b0
MC		 1123}
1124
b186a592
MC		 1125EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1126 unsigned int context, X509 *x,
1127 size_t chainidx, int *al)
7da160b0 1128{
3cf96e88 1129#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1130 unsigned char *encodedPoint;
1131 size_t encoded_pt_len = 0;
1132 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1133
7da160b0 1134 if (ckey == NULL) {
7d061fce
MC		 1135 /* No key_share received from client */
1136 if (s->hello_retry_request) {
7d061fce 1137 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
aff9929b
MC		 1138 || !WPACKET_start_sub_packet_u16(pkt)
1139 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1140 || !WPACKET_close(pkt)) {
7d061fce
MC		 1141 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1142 ERR_R_INTERNAL_ERROR);
b186a592 1143 return EXT_RETURN_FAIL;
7d061fce
MC		 1144 }
1145
b186a592 1146 return EXT_RETURN_SENT;
7d061fce
MC		 1147 }
1148
1149 /* Must be resuming. */
0247086d
MC		 1150 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1151 *al = SSL_AD_INTERNAL_ERROR;
1152 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1153 return EXT_RETURN_FAIL;
0247086d 1154 }
b186a592 1155 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1156 }
1157
1158 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1159 || !WPACKET_start_sub_packet_u16(pkt)
1160 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
7fe97c07 1161 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1162 return EXT_RETURN_FAIL;
7da160b0
MC		 1163 }
1164
1165 skey = ssl_generate_pkey(ckey);
1166 if (skey == NULL) {
7fe97c07 1167 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
b186a592 1168 return EXT_RETURN_FAIL;
7da160b0
MC		 1169 }
1170
1171 /* Generate encoding of server key */
1172 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1173 if (encoded_pt_len == 0) {
7fe97c07 1174 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
7da160b0 1175 EVP_PKEY_free(skey);
b186a592 1176 return EXT_RETURN_FAIL;
7da160b0
MC		 1177 }
1178
1179 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1180 || !WPACKET_close(pkt)) {
7fe97c07 1181 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1182 EVP_PKEY_free(skey);
1183 OPENSSL_free(encodedPoint);
b186a592 1184 return EXT_RETURN_FAIL;
7da160b0
MC		 1185 }
1186 OPENSSL_free(encodedPoint);
1187
1188 /* This causes the crypto state to be updated based on the derived keys */
1189 s->s3->tmp.pkey = skey;
1190 if (ssl_derive(s, skey, ckey, 1) == 0) {
7fe97c07 1191 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1192 return EXT_RETURN_FAIL;
7da160b0 1193 }
3cf96e88 1194#endif
7da160b0 1195
b186a592 1196 return EXT_RETURN_SENT;
7da160b0
MC		 1197}
1198
b186a592
MC		 1199EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1200 unsigned int context, X509 *x,
1201 size_t chainidx, int *al)
7da160b0
MC		 1202{
1203 const unsigned char cryptopro_ext[36] = {
1204 0xfd, 0xe8, /* 65000 */
1205 0x00, 0x20, /* 32 bytes length */
1206 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1207 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1208 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1209 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1210 };
1211
1212 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1213 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1214 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1215 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1216
1217 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
7fe97c07 1218 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
b186a592 1219 return EXT_RETURN_FAIL;
7da160b0
MC		 1220 }
1221
b186a592 1222 return EXT_RETURN_SENT;
7da160b0 1223}
0247086d 1224
b186a592
MC		 1225EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1226 unsigned int context, X509 *x,
1227 size_t chainidx, int *al)
38df5a45 1228{
fe874d27 1229 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1230 if (s->max_early_data == 0)
b186a592 1231 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1232
1233 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1234 || !WPACKET_start_sub_packet_u16(pkt)
1235 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1236 || !WPACKET_close(pkt)) {
1237 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
b186a592 1238 return EXT_RETURN_FAIL;
6594189f
MC		 1239 }
1240
b186a592 1241 return EXT_RETURN_SENT;
6594189f
MC		 1242 }
1243
38df5a45 1244 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1245 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1246
1247 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1248 || !WPACKET_start_sub_packet_u16(pkt)
1249 || !WPACKET_close(pkt)) {
1250 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
b186a592 1251 return EXT_RETURN_FAIL;
38df5a45
MC		 1252 }
1253
b186a592 1254 return EXT_RETURN_SENT;
38df5a45
MC		 1255}
1256
b186a592
MC		 1257EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1258 X509 *x, size_t chainidx, int *al)
0247086d
MC		 1259{
1260 if (!s->hit)
b186a592 1261 return EXT_RETURN_NOT_SENT;
0247086d
MC		 1262
1263 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1264 || !WPACKET_start_sub_packet_u16(pkt)
1265 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1266 || !WPACKET_close(pkt)) {
1267 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
b186a592 1268 return EXT_RETURN_FAIL;
0247086d
MC		 1269 }
1270
b186a592 1271 return EXT_RETURN_SENT;
0247086d 1272}
A mirror of the official openssl repository