]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add ecstress test
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
b186a592 2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
25670f3e
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
13
14/*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
61138358
MC		 17int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 19{
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
7fe97c07 26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e 27 SSL_R_RENEGOTIATION_ENCODING_ERR);
fb34a0f4 28 *al = SSL_AD_DECODE_ERROR;
25670f3e
MC		 29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
7fe97c07 34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
7fe97c07 42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51}
52
1266eefd
MC		 53/*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
61138358
MC		 76int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 78{
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
25670f3e
MC		 82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
1266eefd 92 * syntax inextensibly and OpenSSL 1.0.x parses it as
25670f3e
MC		 93 * such.
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
97 *
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
100 */
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
105 return 0;
106 }
107
108 if (!s->hit) {
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
111 return 0;
112 }
113
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
116 return 0;
117 }
118
7d061fce
MC		 119 OPENSSL_free(s->session->ext.hostname);
120 s->session->ext.hostname = NULL;
aff8c126 121 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
25670f3e
MC		 122 *al = TLS1_AD_INTERNAL_ERROR;
123 return 0;
124 }
125
126 s->servername_done = 1;
127 } else {
128 /*
129 * TODO(openssl-team): if the SNI doesn't match, we MUST
130 * fall back to a full handshake.
131 */
aff8c126
RS		 132 s->servername_done = s->session->ext.hostname
133 && PACKET_equal(&hostname, s->session->ext.hostname,
134 strlen(s->session->ext.hostname));
25670f3e
MC		 135 }
136
137 return 1;
138}
139
140#ifndef OPENSSL_NO_SRP
61138358
MC		 141int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
142 size_t chainidx, int *al)
25670f3e
MC		 143{
144 PACKET srp_I;
145
146 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
147 || PACKET_contains_zero_byte(&srp_I)) {
148 *al = SSL_AD_DECODE_ERROR;
149 return 0;
150 }
151
152 /*
153 * TODO(openssl-team): currently, we re-authenticate the user
154 * upon resumption. Instead, we MUST ignore the login.
155 */
156 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
fb34a0f4 157 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 158 return 0;
159 }
160
161 return 1;
162}
163#endif
164
165#ifndef OPENSSL_NO_EC
61138358
MC		 166int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
167 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 168{
169 PACKET ec_point_format_list;
170
171 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
172 || PACKET_remaining(&ec_point_format_list) == 0) {
173 *al = SSL_AD_DECODE_ERROR;
174 return 0;
175 }
176
177 if (!s->hit) {
178 if (!PACKET_memdup(&ec_point_format_list,
aff8c126
RS		 179 &s->session->ext.ecpointformats,
180 &s->session->ext.ecpointformats_len)) {
fb34a0f4 181 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 182 return 0;
183 }
184 }
185
186 return 1;
187}
188#endif /* OPENSSL_NO_EC */
189
61138358
MC		 190int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
191 X509 *x, size_t chainidx, int *al)
25670f3e 192{
aff8c126
RS		 193 if (s->ext.session_ticket_cb &&
194 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
195 PACKET_remaining(pkt),
196 s->ext.session_ticket_cb_arg)) {
fb34a0f4 197 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 198 return 0;
199 }
200
201 return 1;
202}
203
61138358
MC		 204int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
205 size_t chainidx, int *al)
25670f3e
MC		 206{
207 PACKET supported_sig_algs;
208
209 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e
MC		 210 || PACKET_remaining(&supported_sig_algs) == 0) {
211 *al = SSL_AD_DECODE_ERROR;
212 return 0;
213 }
214
703bcee0 215 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
fb34a0f4 216 *al = SSL_AD_DECODE_ERROR;
25670f3e
MC		 217 return 0;
218 }
219
220 return 1;
221}
222
ab83e314 223#ifndef OPENSSL_NO_OCSP
61138358
MC		 224int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
225 X509 *x, size_t chainidx, int *al)
25670f3e 226{
1266eefd
MC		 227 PACKET responder_id_list, exts;
228
e96e0f8e
MC		 229 /* Not defined if we get one of these in a client Certificate */
230 if (x != NULL)
231 return 1;
232
aff8c126 233 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
25670f3e
MC		 234 *al = SSL_AD_DECODE_ERROR;
235 return 0;
236 }
ab83e314 237
aff8c126 238 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 239 /*
1266eefd 240 * We don't know what to do with any other type so ignore it.
25670f3e 241 */
aff8c126 242 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 243 return 1;
244 }
25670f3e 245
1266eefd
MC		 246 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
247 *al = SSL_AD_DECODE_ERROR;
248 return 0;
249 }
25670f3e 250
1266eefd
MC		 251 /*
252 * We remove any OCSP_RESPIDs from a previous handshake
253 * to prevent unbounded memory growth - CVE-2016-6304
254 */
aff8c126 255 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 256 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 257 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
258 if (s->ext.ocsp.ids == NULL) {
1266eefd
MC		 259 *al = SSL_AD_INTERNAL_ERROR;
260 return 0;
261 }
262 } else {
aff8c126 263 s->ext.ocsp.ids = NULL;
1266eefd 264 }
25670f3e 265
1266eefd
MC		 266 while (PACKET_remaining(&responder_id_list) > 0) {
267 OCSP_RESPID *id;
268 PACKET responder_id;
269 const unsigned char *id_data;
25670f3e 270
1266eefd
MC		 271 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
272 || PACKET_remaining(&responder_id) == 0) {
273 *al = SSL_AD_DECODE_ERROR;
274 return 0;
275 }
25670f3e 276
1266eefd
MC		 277 id_data = PACKET_data(&responder_id);
278 /* TODO(size_t): Convert d2i_* to size_t */
279 id = d2i_OCSP_RESPID(NULL, &id_data,
280 (int)PACKET_remaining(&responder_id));
281 if (id == NULL) {
282 *al = SSL_AD_DECODE_ERROR;
283 return 0;
25670f3e
MC		 284 }
285
1266eefd
MC		 286 if (id_data != PACKET_end(&responder_id)) {
287 OCSP_RESPID_free(id);
25670f3e
MC		 288 *al = SSL_AD_DECODE_ERROR;
289 return 0;
290 }
291
aff8c126 292 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd
MC		 293 OCSP_RESPID_free(id);
294 *al = SSL_AD_INTERNAL_ERROR;
295 return 0;
296 }
297 }
298
299 /* Read in request_extensions */
300 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
301 *al = SSL_AD_DECODE_ERROR;
302 return 0;
303 }
304
305 if (PACKET_remaining(&exts) > 0) {
306 const unsigned char *ext_data = PACKET_data(&exts);
307
aff8c126 308 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 309 X509_EXTENSION_free);
aff8c126 310 s->ext.ocsp.exts =
1266eefd 311 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 312 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
1266eefd
MC		 313 *al = SSL_AD_DECODE_ERROR;
314 return 0;
25670f3e 315 }
25670f3e
MC		 316 }
317
318 return 1;
319}
ab83e314 320#endif
25670f3e
MC		 321
322#ifndef OPENSSL_NO_NEXTPROTONEG
61138358
MC		 323int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
324 size_t chainidx, int *al)
25670f3e 325{
1266eefd
MC		 326 /*
327 * We shouldn't accept this extension on a
328 * renegotiation.
1266eefd 329 */
c7f47786 330 if (SSL_IS_FIRST_HANDSHAKE(s))
aff8c126 331 s->s3->npn_seen = 1;
25670f3e
MC		 332
333 return 1;
334}
335#endif
336
337/*
1266eefd
MC		 338 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
339 * extension, not including type and length. |al| is a pointer to the alert
340 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
25670f3e 341 */
61138358
MC		 342int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
343 size_t chainidx, int *al)
25670f3e
MC		 344{
345 PACKET protocol_list, save_protocol_list, protocol;
346
c7f47786 347 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 348 return 1;
349
350 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
351 || PACKET_remaining(&protocol_list) < 2) {
352 *al = SSL_AD_DECODE_ERROR;
353 return 0;
354 }
355
356 save_protocol_list = protocol_list;
357 do {
358 /* Protocol names can't be empty. */
359 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
360 || PACKET_remaining(&protocol) == 0) {
361 *al = SSL_AD_DECODE_ERROR;
362 return 0;
363 }
364 } while (PACKET_remaining(&protocol_list) != 0);
365
7d061fce
MC		 366 OPENSSL_free(s->s3->alpn_proposed);
367 s->s3->alpn_proposed = NULL;
368 s->s3->alpn_proposed_len = 0;
25670f3e
MC		 369 if (!PACKET_memdup(&save_protocol_list,
370 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
fb34a0f4 371 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 372 return 0;
373 }
374
375 return 1;
376}
377
378#ifndef OPENSSL_NO_SRTP
61138358
MC		 379int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
380 size_t chainidx, int *al)
25670f3e 381{
25670f3e
MC		 382 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
383 unsigned int ct, mki_len, id;
384 int i, srtp_pref;
385 PACKET subpkt;
386
387 /* Ignore this if we have no SRTP profiles */
388 if (SSL_get_srtp_profiles(s) == NULL)
389 return 1;
390
391 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 392 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
393 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
7fe97c07 394 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 395 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
396 *al = SSL_AD_DECODE_ERROR;
397 return 0;
398 }
399
400 srvr = SSL_get_srtp_profiles(s);
401 s->srtp_profile = NULL;
402 /* Search all profiles for a match initially */
403 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
404
405 while (PACKET_remaining(&subpkt)) {
406 if (!PACKET_get_net_2(&subpkt, &id)) {
7fe97c07 407 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 408 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
409 *al = SSL_AD_DECODE_ERROR;
410 return 0;
411 }
412
413 /*
414 * Only look for match in profiles of higher preference than
415 * current match.
416 * If no profiles have been have been configured then this
417 * does nothing.
418 */
419 for (i = 0; i < srtp_pref; i++) {
d270de32 420 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 421 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
422
25670f3e
MC		 423 if (sprof->id == id) {
424 s->srtp_profile = sprof;
425 srtp_pref = i;
426 break;
427 }
428 }
429 }
430
1266eefd 431 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 432 if (!PACKET_get_1(pkt, &mki_len)) {
7fe97c07 433 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 434 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
435 *al = SSL_AD_DECODE_ERROR;
436 return 0;
437 }
438
439 if (!PACKET_forward(pkt, mki_len)
440 || PACKET_remaining(pkt)) {
7fe97c07 441 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 442 *al = SSL_AD_DECODE_ERROR;
443 return 0;
444 }
445
446 return 1;
447}
448#endif
449
61138358
MC		 450int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
451 size_t chainidx, int *al)
25670f3e
MC		 452{
453 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 454 s->ext.use_etm = 1;
25670f3e
MC		 455
456 return 1;
457}
458
b2f7e8c0
MC		 459/*
460 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
461 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
462 * If a failure occurs then |*al| is set to an appropriate alert value.
463 */
61138358
MC		 464int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
465 X509 *x, size_t chainidx, int *al)
b2f7e8c0
MC		 466{
467#ifndef OPENSSL_NO_TLS1_3
468 PACKET psk_kex_modes;
469 unsigned int mode;
470
471 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
472 || PACKET_remaining(&psk_kex_modes) == 0) {
473 *al = SSL_AD_DECODE_ERROR;
474 return 0;
475 }
476
477 while (PACKET_get_1(&psk_kex_modes, &mode)) {
478 if (mode == TLSEXT_KEX_MODE_KE_DHE)
479 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
480 else if (mode == TLSEXT_KEX_MODE_KE)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
482 }
483#endif
484
485 return 1;
486}
487
25670f3e
MC		 488/*
489 * Process a key_share extension received in the ClientHello. |pkt| contains
490 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
491 * If a failure occurs then |*al| is set to an appropriate alert value.
492 */
61138358
MC		 493int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
494 size_t chainidx, int *al)
25670f3e 495{
3cf96e88 496#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 497 unsigned int group_id;
498 PACKET key_share_list, encoded_pt;
499 const unsigned char *clntcurves, *srvrcurves;
500 size_t clnt_num_curves, srvr_num_curves;
501 int group_nid, found = 0;
502 unsigned int curve_flags;
503
f4bbb37c 504 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 505 return 1;
506
507 /* Sanity check */
508 if (s->s3->peer_tmp != NULL) {
509 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 510 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 511 return 0;
512 }
513
514 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
721586ea 515 *al = SSL_AD_DECODE_ERROR;
7fe97c07 516 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 517 return 0;
518 }
519
520 /* Get our list of supported curves */
521 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
522 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 523 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 524 return 0;
525 }
526
b6fdc12d 527 /* Get the clients list of supported curves. */
25670f3e
MC		 528 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
529 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 530 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 531 return 0;
532 }
b6fdc12d
MC		 533 if (clnt_num_curves == 0) {
534 /*
535 * This can only happen if the supported_groups extension was not sent,
536 * because we verify that the length is non-zero when we process that
537 * extension.
538 */
539 *al = SSL_AD_MISSING_EXTENSION;
540 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
541 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
542 return 0;
543 }
25670f3e
MC		 544
545 while (PACKET_remaining(&key_share_list) > 0) {
546 if (!PACKET_get_net_2(&key_share_list, &group_id)
547 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
548 || PACKET_remaining(&encoded_pt) == 0) {
721586ea 549 *al = SSL_AD_DECODE_ERROR;
7fe97c07 550 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 551 SSL_R_LENGTH_MISMATCH);
552 return 0;
553 }
554
555 /*
556 * If we already found a suitable key_share we loop through the
557 * rest to verify the structure, but don't process them.
558 */
559 if (found)
560 continue;
561
562 /* Check if this share is in supported_groups sent from client */
563 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
721586ea 564 *al = SSL_AD_ILLEGAL_PARAMETER;
7fe97c07 565 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 566 return 0;
567 }
568
569 /* Check if this share is for a group we can use */
570 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
571 /* Share not suitable */
572 continue;
573 }
574
575 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
576
577 if (group_nid == 0) {
578 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 579 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 580 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
581 return 0;
582 }
583
584 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
585 /* Can happen for some curves, e.g. X25519 */
586 EVP_PKEY *key = EVP_PKEY_new();
587
588 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
589 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 590 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 591 EVP_PKEY_free(key);
592 return 0;
593 }
594 s->s3->peer_tmp = key;
595 } else {
596 /* Set up EVP_PKEY with named curve as parameters */
597 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1266eefd 598
25670f3e
MC		 599 if (pctx == NULL
600 || EVP_PKEY_paramgen_init(pctx) <= 0
601 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
602 group_nid) <= 0
603 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
604 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 605 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 606 EVP_PKEY_CTX_free(pctx);
607 return 0;
608 }
609 EVP_PKEY_CTX_free(pctx);
610 pctx = NULL;
611 }
612 s->s3->group_id = group_id;
613
614 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
615 PACKET_data(&encoded_pt),
616 PACKET_remaining(&encoded_pt))) {
fb34a0f4 617 *al = SSL_AD_ILLEGAL_PARAMETER;
7fe97c07 618 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 619 return 0;
620 }
621
622 found = 1;
623 }
3cf96e88 624#endif
25670f3e
MC		 625
626 return 1;
627}
628
629#ifndef OPENSSL_NO_EC
61138358
MC		 630int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
631 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 632{
633 PACKET supported_groups_list;
634
635 /* Each group is 2 bytes and we must have at least 1. */
636 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
637 || PACKET_remaining(&supported_groups_list) == 0
638 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
639 *al = SSL_AD_DECODE_ERROR;
640 return 0;
641 }
642
7d061fce
MC		 643 OPENSSL_free(s->session->ext.supportedgroups);
644 s->session->ext.supportedgroups = NULL;
645 s->session->ext.supportedgroups_len = 0;
1053a6e2
MC		 646 if (!PACKET_memdup(&supported_groups_list,
647 &s->session->ext.supportedgroups,
648 &s->session->ext.supportedgroups_len)) {
fb34a0f4 649 *al = SSL_AD_INTERNAL_ERROR;
25670f3e
MC		 650 return 0;
651 }
652
653 return 1;
654}
655#endif
656
61138358
MC		 657int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
658 size_t chainidx, int *al)
25670f3e
MC		 659{
660 /* The extension must always be empty */
661 if (PACKET_remaining(pkt) != 0) {
662 *al = SSL_AD_DECODE_ERROR;
663 return 0;
664 }
665
666 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
667
668 return 1;
669}
7da160b0 670
38df5a45
MC		 671
672int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
673 X509 *x, size_t chainidx, int *al)
674{
675 if (PACKET_remaining(pkt) != 0) {
676 *al = SSL_AD_DECODE_ERROR;
677 return 0;
678 }
679
680 return 1;
681}
682
61138358
MC		 683int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
684 size_t chainidx, int *al)
1053a6e2
MC		 685{
686 PACKET identities, binders, binder;
687 size_t binderoffset, hashsize;
688 SSL_SESSION *sess = NULL;
689 unsigned int id, i;
690 const EVP_MD *md = NULL;
30d1bab1 691 uint32_t ticket_age = 0, now, agesec, agems;
1053a6e2 692
1a9f457c
MC		 693 /*
694 * If we have no PSK kex mode that we recognise then we can't resume so
695 * ignore this extension
696 */
697 if ((s->ext.psk_kex_mode
698 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
699 return 1;
700
1053a6e2
MC		 701 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
702 *al = SSL_AD_DECODE_ERROR;
703 return 0;
704 }
705
706 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
707 PACKET identity;
2c604cb9 708 unsigned long ticket_agel;
1053a6e2
MC		 709 int ret;
710
711 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 712 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1053a6e2
MC		 713 *al = SSL_AD_DECODE_ERROR;
714 return 0;
715 }
716
2c604cb9 717 ticket_age = (uint32_t)ticket_agel;
1b8bacff 718
1053a6e2
MC		 719 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
720 PACKET_remaining(&identity), NULL, 0, &sess);
721 if (ret == TICKET_FATAL_ERR_MALLOC || ret == TICKET_FATAL_ERR_OTHER) {
722 *al = SSL_AD_INTERNAL_ERROR;
723 return 0;
724 }
725 if (ret == TICKET_NO_DECRYPT)
726 continue;
727
534a43ff 728 md = ssl_md(sess->cipher->algorithm2);
0de6d66d
MC		 729 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
730 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 731 SSL_SESSION_free(sess);
732 sess = NULL;
733 continue;
734 }
735
736 /*
737 * TODO(TLS1.3): Somehow we need to handle the case of a ticket renewal.
738 * Ignored for now
739 */
740
741 break;
742 }
743
744 if (sess == NULL)
745 return 1;
746
747 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1053a6e2
MC		 748 hashsize = EVP_MD_size(md);
749
750 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
751 *al = SSL_AD_DECODE_ERROR;
752 goto err;
753 }
754
755 for (i = 0; i <= id; i++) {
756 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
757 *al = SSL_AD_DECODE_ERROR;
758 goto err;
759 }
760 }
761
762 if (PACKET_remaining(&binder) != hashsize
763 || tls_psk_do_binder(s, md,
764 (const unsigned char *)s->init_buf->data,
765 binderoffset, PACKET_data(&binder), NULL,
766 sess, 0) != 1) {
767 *al = SSL_AD_DECODE_ERROR;
768 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
769 goto err;
770 }
771
772 sess->ext.tick_identity = id;
2c604cb9
MC		 773
774 now = (uint32_t)time(NULL);
775 agesec = now - (uint32_t)sess->time;
776 agems = agesec * (uint32_t)1000;
777 ticket_age -= sess->ext.tick_age_add;
778
779
780 /*
781 * For simplicity we do our age calculations in seconds. If the client does
782 * it in ms then it could appear that their ticket age is longer than ours
783 * (our ticket age calculation should always be slightly longer than the
784 * client's due to the network latency). Therefore we add 1000ms to our age
785 * calculation to adjust for rounding errors.
786 */
d1186c30 787 if (sess->timeout >= (long)agesec
2c604cb9
MC		 788 && agems / (uint32_t)1000 == agesec
789 && ticket_age <= agems + 1000
790 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
791 /*
792 * Ticket age is within tolerance and not expired. We allow it for early
793 * data
794 */
795 s->ext.early_data_ok = 1;
796 }
797
798
1053a6e2
MC		 799 SSL_SESSION_free(s->session);
800 s->session = sess;
1053a6e2
MC		 801 return 1;
802err:
312e9387 803 SSL_SESSION_free(sess);
1053a6e2
MC		 804 return 0;
805}
806
1266eefd
MC		 807/*
808 * Add the server's renegotiation binding
809 */
b186a592
MC		 810EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
811 unsigned int context, X509 *x,
812 size_t chainidx, int *al)
7da160b0
MC		 813{
814 if (!s->s3->send_connection_binding)
b186a592 815 return EXT_RETURN_NOT_SENT;
7da160b0 816
db0f35dd 817 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 818 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
819 || !WPACKET_start_sub_packet_u16(pkt)
820 || !WPACKET_start_sub_packet_u8(pkt)
821 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
822 s->s3->previous_client_finished_len)
823 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
824 s->s3->previous_server_finished_len)
825 || !WPACKET_close(pkt)
826 || !WPACKET_close(pkt)) {
7fe97c07 827 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
b186a592 828 return EXT_RETURN_FAIL;
7da160b0
MC		 829 }
830
b186a592 831 return EXT_RETURN_SENT;
7da160b0
MC		 832}
833
b186a592
MC		 834EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
835 unsigned int context, X509 *x,
836 size_t chainidx, int *al)
7da160b0
MC		 837{
838 if (s->hit || s->servername_done != 1
aff8c126 839 || s->session->ext.hostname == NULL)
b186a592 840 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 841
842 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
843 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 844 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
b186a592 845 return EXT_RETURN_FAIL;
7da160b0
MC		 846 }
847
b186a592 848 return EXT_RETURN_SENT;
7da160b0
MC		 849}
850
851#ifndef OPENSSL_NO_EC
b186a592
MC		 852EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
853 unsigned int context, X509 *x,
854 size_t chainidx, int *al)
7da160b0
MC		 855{
856 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
857 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
89247375 858 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
aff8c126 859 && (s->session->ext.ecpointformats != NULL);
7da160b0
MC		 860 const unsigned char *plist;
861 size_t plistlen;
862
863 if (!using_ecc)
b186a592 864 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 865
866 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 867 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
868 || !WPACKET_start_sub_packet_u16(pkt)
869 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
870 || !WPACKET_close(pkt)) {
7fe97c07 871 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
b186a592 872 return EXT_RETURN_FAIL;
7da160b0
MC		 873 }
874
b186a592 875 return EXT_RETURN_SENT;
7da160b0
MC		 876}
877#endif
878
cf53cbea 879#ifndef OPENSSL_NO_EC
b186a592
MC		 880EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
881 unsigned int context, X509 *x,
882 size_t chainidx, int *al)
6af87546
MC		 883{
884 const unsigned char *groups;
885 size_t numgroups, i, first = 1;
886
887 /* s->s3->group_id is non zero if we accepted a key_share */
888 if (s->s3->group_id == 0)
b186a592 889 return EXT_RETURN_NOT_SENT;
6af87546
MC		 890
891 /* Get our list of supported groups */
892 if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
893 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
b186a592 894 return EXT_RETURN_FAIL;
6af87546
MC		 895 }
896
897 /* Copy group ID if supported */
898 for (i = 0; i < numgroups; i++, groups += 2) {
899 if (tls_curve_allowed(s, groups, SSL_SECOP_CURVE_SUPPORTED)) {
900 if (first) {
901 /*
902 * Check if the client is already using our preferred group. If
903 * so we don't need to add this extension
904 */
905 if (s->s3->group_id == GET_GROUP_ID(groups, 0))
b186a592 906 return EXT_RETURN_NOT_SENT;
6af87546
MC		 907
908 /* Add extension header */
909 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
910 /* Sub-packet for supported_groups extension */
911 || !WPACKET_start_sub_packet_u16(pkt)
912 || !WPACKET_start_sub_packet_u16(pkt)) {
913 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
914 ERR_R_INTERNAL_ERROR);
b186a592 915 return EXT_RETURN_FAIL;
6af87546
MC		 916 }
917
918 first = 0;
919 }
12635aa0 920 if (!WPACKET_put_bytes_u16(pkt, GET_GROUP_ID(groups, 0))) {
6af87546
MC		 921 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
922 ERR_R_INTERNAL_ERROR);
b186a592 923 return EXT_RETURN_FAIL;
6af87546
MC		 924 }
925 }
926 }
927
928 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
929 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
b186a592 930 return EXT_RETURN_FAIL;
6af87546
MC		 931 }
932
b186a592 933 return EXT_RETURN_SENT;
6af87546 934}
cf53cbea 935#endif
6af87546 936
b186a592
MC		 937EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
938 unsigned int context, X509 *x,
939 size_t chainidx, int *al)
7da160b0 940{
aff8c126
RS		 941 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
942 s->ext.ticket_expected = 0;
b186a592 943 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 944 }
945
946 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
947 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 948 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
b186a592 949 return EXT_RETURN_FAIL;
7da160b0
MC		 950 }
951
b186a592 952 return EXT_RETURN_SENT;
7da160b0
MC		 953}
954
ab83e314 955#ifndef OPENSSL_NO_OCSP
b186a592
MC		 956EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
957 unsigned int context, X509 *x,
958 size_t chainidx, int *al)
7da160b0 959{
aff8c126 960 if (!s->ext.status_expected)
b186a592 961 return EXT_RETURN_NOT_SENT;
7da160b0 962
8521ced6 963 if (SSL_IS_TLS13(s) && chainidx != 0)
b186a592 964 return EXT_RETURN_NOT_SENT;
e96e0f8e 965
7da160b0 966 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288
MC		 967 || !WPACKET_start_sub_packet_u16(pkt)) {
968 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 969 return EXT_RETURN_FAIL;
f63e4288
MC		 970 }
971
972 /*
973 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
974 * send back an empty extension, with the certificate status appearing as a
975 * separate message
976 */
977 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
978 || !WPACKET_close(pkt)) {
7fe97c07 979 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 980 return EXT_RETURN_FAIL;
7da160b0
MC		 981 }
982
b186a592 983 return EXT_RETURN_SENT;
7da160b0 984}
ab83e314 985#endif
7da160b0 986
7da160b0 987#ifndef OPENSSL_NO_NEXTPROTONEG
b186a592
MC		 988EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
989 unsigned int context, X509 *x,
990 size_t chainidx, int *al)
7da160b0
MC		 991{
992 const unsigned char *npa;
993 unsigned int npalen;
994 int ret;
aff8c126 995 int npn_seen = s->s3->npn_seen;
7da160b0 996
aff8c126
RS		 997 s->s3->npn_seen = 0;
998 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
b186a592 999 return EXT_RETURN_NOT_SENT;
7da160b0 1000
aff8c126
RS		 1001 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1002 s->ctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1003 if (ret == SSL_TLSEXT_ERR_OK) {
1004 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1005 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
7fe97c07 1006 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
7da160b0 1007 ERR_R_INTERNAL_ERROR);
b186a592 1008 return EXT_RETURN_FAIL;
7da160b0 1009 }
aff8c126 1010 s->s3->npn_seen = 1;
7da160b0
MC		 1011 }
1012
b186a592 1013 return EXT_RETURN_SENT;
7da160b0
MC		 1014}
1015#endif
1016
b186a592
MC		 1017EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1018 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 1019{
1020 if (s->s3->alpn_selected == NULL)
b186a592 1021 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1022
1023 if (!WPACKET_put_bytes_u16(pkt,
1024 TLSEXT_TYPE_application_layer_protocol_negotiation)
1025 || !WPACKET_start_sub_packet_u16(pkt)
1026 || !WPACKET_start_sub_packet_u16(pkt)
1027 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1028 s->s3->alpn_selected_len)
1029 || !WPACKET_close(pkt)
1030 || !WPACKET_close(pkt)) {
7fe97c07 1031 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
b186a592 1032 return EXT_RETURN_FAIL;
7da160b0
MC		 1033 }
1034
b186a592 1035 return EXT_RETURN_SENT;
7da160b0
MC		 1036}
1037
1038#ifndef OPENSSL_NO_SRTP
b186a592
MC		 1039EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1040 unsigned int context, X509 *x,
1041 size_t chainidx, int *al)
7da160b0
MC		 1042{
1043 if (s->srtp_profile == NULL)
b186a592 1044 return EXT_RETURN_NOT_SENT;
a1448c26 1045
7da160b0
MC		 1046 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1047 || !WPACKET_start_sub_packet_u16(pkt)
1048 || !WPACKET_put_bytes_u16(pkt, 2)
1049 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1050 || !WPACKET_put_bytes_u8(pkt, 0)
1051 || !WPACKET_close(pkt)) {
7fe97c07 1052 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
b186a592 1053 return EXT_RETURN_FAIL;
7da160b0
MC		 1054 }
1055
b186a592 1056 return EXT_RETURN_SENT;
7da160b0
MC		 1057}
1058#endif
1059
b186a592
MC		 1060EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1061 X509 *x, size_t chainidx, int *al)
7da160b0 1062{
28a31a0a 1063 if (!s->ext.use_etm)
b186a592 1064 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1065
1066 /*
1067 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1068 * for other cases too.
1069 */
1070 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1071 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1072 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1073 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
28a31a0a 1074 s->ext.use_etm = 0;
b186a592 1075 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1076 }
1077
1078 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1079 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 1080 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
b186a592 1081 return EXT_RETURN_FAIL;
7da160b0
MC		 1082 }
1083
b186a592 1084 return EXT_RETURN_SENT;
7da160b0
MC		 1085}
1086
b186a592
MC		 1087EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1088 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 1089{
1090 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1091 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1092
1093 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1094 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 1095 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
b186a592 1096 return EXT_RETURN_FAIL;
7da160b0
MC		 1097 }
1098
b186a592 1099 return EXT_RETURN_SENT;
7da160b0
MC		 1100}
1101
b186a592
MC		 1102EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1103 unsigned int context, X509 *x,
1104 size_t chainidx, int *al)
7da160b0 1105{
3cf96e88 1106#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1107 unsigned char *encodedPoint;
1108 size_t encoded_pt_len = 0;
1109 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1110
7da160b0 1111 if (ckey == NULL) {
7d061fce
MC		 1112 /* No key_share received from client */
1113 if (s->hello_retry_request) {
7d061fce 1114 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
aff9929b
MC		 1115 || !WPACKET_start_sub_packet_u16(pkt)
1116 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1117 || !WPACKET_close(pkt)) {
7d061fce
MC		 1118 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1119 ERR_R_INTERNAL_ERROR);
b186a592 1120 return EXT_RETURN_FAIL;
7d061fce
MC		 1121 }
1122
b186a592 1123 return EXT_RETURN_SENT;
7d061fce
MC		 1124 }
1125
1126 /* Must be resuming. */
0247086d
MC		 1127 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1128 *al = SSL_AD_INTERNAL_ERROR;
1129 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1130 return EXT_RETURN_FAIL;
0247086d 1131 }
b186a592 1132 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1133 }
1134
1135 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1136 || !WPACKET_start_sub_packet_u16(pkt)
1137 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
7fe97c07 1138 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1139 return EXT_RETURN_FAIL;
7da160b0
MC		 1140 }
1141
1142 skey = ssl_generate_pkey(ckey);
1143 if (skey == NULL) {
7fe97c07 1144 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
b186a592 1145 return EXT_RETURN_FAIL;
7da160b0
MC		 1146 }
1147
1148 /* Generate encoding of server key */
1149 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1150 if (encoded_pt_len == 0) {
7fe97c07 1151 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
7da160b0 1152 EVP_PKEY_free(skey);
b186a592 1153 return EXT_RETURN_FAIL;
7da160b0
MC		 1154 }
1155
1156 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1157 || !WPACKET_close(pkt)) {
7fe97c07 1158 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1159 EVP_PKEY_free(skey);
1160 OPENSSL_free(encodedPoint);
b186a592 1161 return EXT_RETURN_FAIL;
7da160b0
MC		 1162 }
1163 OPENSSL_free(encodedPoint);
1164
1165 /* This causes the crypto state to be updated based on the derived keys */
1166 s->s3->tmp.pkey = skey;
1167 if (ssl_derive(s, skey, ckey, 1) == 0) {
7fe97c07 1168 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1169 return EXT_RETURN_FAIL;
7da160b0 1170 }
3cf96e88 1171#endif
7da160b0 1172
b186a592 1173 return EXT_RETURN_SENT;
7da160b0
MC		 1174}
1175
b186a592
MC		 1176EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1177 unsigned int context, X509 *x,
1178 size_t chainidx, int *al)
7da160b0
MC		 1179{
1180 const unsigned char cryptopro_ext[36] = {
1181 0xfd, 0xe8, /* 65000 */
1182 0x00, 0x20, /* 32 bytes length */
1183 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1184 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1185 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1186 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1187 };
1188
1189 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1190 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1191 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1192 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1193
1194 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
7fe97c07 1195 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
b186a592 1196 return EXT_RETURN_FAIL;
7da160b0
MC		 1197 }
1198
b186a592 1199 return EXT_RETURN_SENT;
7da160b0 1200}
0247086d 1201
b186a592
MC		 1202EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1203 unsigned int context, X509 *x,
1204 size_t chainidx, int *al)
38df5a45 1205{
fe874d27 1206 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1207 if (s->max_early_data == 0)
b186a592 1208 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1209
1210 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1211 || !WPACKET_start_sub_packet_u16(pkt)
1212 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1213 || !WPACKET_close(pkt)) {
1214 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
b186a592 1215 return EXT_RETURN_FAIL;
6594189f
MC		 1216 }
1217
b186a592 1218 return EXT_RETURN_SENT;
6594189f
MC		 1219 }
1220
38df5a45 1221 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1222 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1223
1224 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1225 || !WPACKET_start_sub_packet_u16(pkt)
1226 || !WPACKET_close(pkt)) {
1227 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
b186a592 1228 return EXT_RETURN_FAIL;
38df5a45
MC		 1229 }
1230
b186a592 1231 return EXT_RETURN_SENT;
38df5a45
MC		 1232}
1233
b186a592
MC		 1234EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1235 X509 *x, size_t chainidx, int *al)
0247086d
MC		 1236{
1237 if (!s->hit)
b186a592 1238 return EXT_RETURN_NOT_SENT;
0247086d
MC		 1239
1240 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1241 || !WPACKET_start_sub_packet_u16(pkt)
1242 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1243 || !WPACKET_close(pkt)) {
1244 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
b186a592 1245 return EXT_RETURN_FAIL;
0247086d
MC		 1246 }
1247
b186a592 1248 return EXT_RETURN_SENT;
0247086d 1249}
A mirror of the official openssl repository