]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
TLSv1.3 alert and handshake messages can never be 0 length
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e
MC		 1/*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
13
14/*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
61138358
MC		 17int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 19{
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
7fe97c07 26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
7fe97c07 34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
7fe97c07 42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51}
52
1266eefd
MC		 53/*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
61138358
MC		 76int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 78{
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
25670f3e
MC		 82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
1266eefd 92 * syntax inextensibly and OpenSSL 1.0.x parses it as
25670f3e
MC		 93 * such.
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
97 *
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
100 */
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
105 return 0;
106 }
107
108 if (!s->hit) {
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
111 return 0;
112 }
113
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
116 return 0;
117 }
118
7d061fce
MC		 119 OPENSSL_free(s->session->ext.hostname);
120 s->session->ext.hostname = NULL;
aff8c126 121 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
25670f3e
MC		 122 *al = TLS1_AD_INTERNAL_ERROR;
123 return 0;
124 }
125
126 s->servername_done = 1;
127 } else {
128 /*
129 * TODO(openssl-team): if the SNI doesn't match, we MUST
130 * fall back to a full handshake.
131 */
aff8c126
RS		 132 s->servername_done = s->session->ext.hostname
133 && PACKET_equal(&hostname, s->session->ext.hostname,
134 strlen(s->session->ext.hostname));
25670f3e
MC		 135 }
136
137 return 1;
138}
139
140#ifndef OPENSSL_NO_SRP
61138358
MC		 141int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
142 size_t chainidx, int *al)
25670f3e
MC		 143{
144 PACKET srp_I;
145
146 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
147 || PACKET_contains_zero_byte(&srp_I)) {
148 *al = SSL_AD_DECODE_ERROR;
149 return 0;
150 }
151
152 /*
153 * TODO(openssl-team): currently, we re-authenticate the user
154 * upon resumption. Instead, we MUST ignore the login.
155 */
156 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
157 *al = TLS1_AD_INTERNAL_ERROR;
158 return 0;
159 }
160
161 return 1;
162}
163#endif
164
165#ifndef OPENSSL_NO_EC
61138358
MC		 166int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
167 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 168{
169 PACKET ec_point_format_list;
170
171 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
172 || PACKET_remaining(&ec_point_format_list) == 0) {
173 *al = SSL_AD_DECODE_ERROR;
174 return 0;
175 }
176
177 if (!s->hit) {
178 if (!PACKET_memdup(&ec_point_format_list,
aff8c126
RS		 179 &s->session->ext.ecpointformats,
180 &s->session->ext.ecpointformats_len)) {
25670f3e
MC		 181 *al = TLS1_AD_INTERNAL_ERROR;
182 return 0;
183 }
184 }
185
186 return 1;
187}
188#endif /* OPENSSL_NO_EC */
189
61138358
MC		 190int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
191 X509 *x, size_t chainidx, int *al)
25670f3e 192{
aff8c126
RS		 193 if (s->ext.session_ticket_cb &&
194 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
195 PACKET_remaining(pkt),
196 s->ext.session_ticket_cb_arg)) {
25670f3e
MC		 197 *al = TLS1_AD_INTERNAL_ERROR;
198 return 0;
199 }
200
201 return 1;
202}
203
61138358
MC		 204int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
205 size_t chainidx, int *al)
25670f3e
MC		 206{
207 PACKET supported_sig_algs;
208
209 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e
MC		 210 || PACKET_remaining(&supported_sig_algs) == 0) {
211 *al = SSL_AD_DECODE_ERROR;
212 return 0;
213 }
214
703bcee0
MC		 215 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
216 *al = TLS1_AD_DECODE_ERROR;
25670f3e
MC		 217 return 0;
218 }
219
220 return 1;
221}
222
ab83e314 223#ifndef OPENSSL_NO_OCSP
61138358
MC		 224int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
225 X509 *x, size_t chainidx, int *al)
25670f3e 226{
1266eefd
MC		 227 PACKET responder_id_list, exts;
228
e96e0f8e
MC		 229 /* Not defined if we get one of these in a client Certificate */
230 if (x != NULL)
231 return 1;
232
aff8c126 233 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
25670f3e
MC		 234 *al = SSL_AD_DECODE_ERROR;
235 return 0;
236 }
ab83e314 237
aff8c126 238 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 239 /*
1266eefd 240 * We don't know what to do with any other type so ignore it.
25670f3e 241 */
aff8c126 242 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 243 return 1;
244 }
25670f3e 245
1266eefd
MC		 246 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
247 *al = SSL_AD_DECODE_ERROR;
248 return 0;
249 }
25670f3e 250
1266eefd
MC		 251 /*
252 * We remove any OCSP_RESPIDs from a previous handshake
253 * to prevent unbounded memory growth - CVE-2016-6304
254 */
aff8c126 255 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 256 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 257 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
258 if (s->ext.ocsp.ids == NULL) {
1266eefd
MC		 259 *al = SSL_AD_INTERNAL_ERROR;
260 return 0;
261 }
262 } else {
aff8c126 263 s->ext.ocsp.ids = NULL;
1266eefd 264 }
25670f3e 265
1266eefd
MC		 266 while (PACKET_remaining(&responder_id_list) > 0) {
267 OCSP_RESPID *id;
268 PACKET responder_id;
269 const unsigned char *id_data;
25670f3e 270
1266eefd
MC		 271 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
272 || PACKET_remaining(&responder_id) == 0) {
273 *al = SSL_AD_DECODE_ERROR;
274 return 0;
275 }
25670f3e 276
1266eefd
MC		 277 id_data = PACKET_data(&responder_id);
278 /* TODO(size_t): Convert d2i_* to size_t */
279 id = d2i_OCSP_RESPID(NULL, &id_data,
280 (int)PACKET_remaining(&responder_id));
281 if (id == NULL) {
282 *al = SSL_AD_DECODE_ERROR;
283 return 0;
25670f3e
MC		 284 }
285
1266eefd
MC		 286 if (id_data != PACKET_end(&responder_id)) {
287 OCSP_RESPID_free(id);
25670f3e
MC		 288 *al = SSL_AD_DECODE_ERROR;
289 return 0;
290 }
291
aff8c126 292 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd
MC		 293 OCSP_RESPID_free(id);
294 *al = SSL_AD_INTERNAL_ERROR;
295 return 0;
296 }
297 }
298
299 /* Read in request_extensions */
300 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
301 *al = SSL_AD_DECODE_ERROR;
302 return 0;
303 }
304
305 if (PACKET_remaining(&exts) > 0) {
306 const unsigned char *ext_data = PACKET_data(&exts);
307
aff8c126 308 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 309 X509_EXTENSION_free);
aff8c126 310 s->ext.ocsp.exts =
1266eefd 311 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 312 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
1266eefd
MC		 313 *al = SSL_AD_DECODE_ERROR;
314 return 0;
25670f3e 315 }
25670f3e
MC		 316 }
317
318 return 1;
319}
ab83e314 320#endif
25670f3e
MC		 321
322#ifndef OPENSSL_NO_NEXTPROTONEG
61138358
MC		 323int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
324 size_t chainidx, int *al)
25670f3e 325{
1266eefd
MC		 326 /*
327 * We shouldn't accept this extension on a
328 * renegotiation.
1266eefd 329 */
c7f47786 330 if (SSL_IS_FIRST_HANDSHAKE(s))
aff8c126 331 s->s3->npn_seen = 1;
25670f3e
MC		 332
333 return 1;
334}
335#endif
336
337/*
1266eefd
MC		 338 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
339 * extension, not including type and length. |al| is a pointer to the alert
340 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
25670f3e 341 */
61138358
MC		 342int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
343 size_t chainidx, int *al)
25670f3e
MC		 344{
345 PACKET protocol_list, save_protocol_list, protocol;
346
c7f47786 347 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 348 return 1;
349
350 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
351 || PACKET_remaining(&protocol_list) < 2) {
352 *al = SSL_AD_DECODE_ERROR;
353 return 0;
354 }
355
356 save_protocol_list = protocol_list;
357 do {
358 /* Protocol names can't be empty. */
359 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
360 || PACKET_remaining(&protocol) == 0) {
361 *al = SSL_AD_DECODE_ERROR;
362 return 0;
363 }
364 } while (PACKET_remaining(&protocol_list) != 0);
365
7d061fce
MC		 366 OPENSSL_free(s->s3->alpn_proposed);
367 s->s3->alpn_proposed = NULL;
368 s->s3->alpn_proposed_len = 0;
25670f3e
MC		 369 if (!PACKET_memdup(&save_protocol_list,
370 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
371 *al = TLS1_AD_INTERNAL_ERROR;
372 return 0;
373 }
374
375 return 1;
376}
377
378#ifndef OPENSSL_NO_SRTP
61138358
MC		 379int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
380 size_t chainidx, int *al)
25670f3e 381{
25670f3e
MC		 382 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
383 unsigned int ct, mki_len, id;
384 int i, srtp_pref;
385 PACKET subpkt;
386
387 /* Ignore this if we have no SRTP profiles */
388 if (SSL_get_srtp_profiles(s) == NULL)
389 return 1;
390
391 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 392 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
393 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
7fe97c07 394 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 395 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
396 *al = SSL_AD_DECODE_ERROR;
397 return 0;
398 }
399
400 srvr = SSL_get_srtp_profiles(s);
401 s->srtp_profile = NULL;
402 /* Search all profiles for a match initially */
403 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
404
405 while (PACKET_remaining(&subpkt)) {
406 if (!PACKET_get_net_2(&subpkt, &id)) {
7fe97c07 407 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 408 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
409 *al = SSL_AD_DECODE_ERROR;
410 return 0;
411 }
412
413 /*
414 * Only look for match in profiles of higher preference than
415 * current match.
416 * If no profiles have been have been configured then this
417 * does nothing.
418 */
419 for (i = 0; i < srtp_pref; i++) {
d270de32 420 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 421 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
422
25670f3e
MC		 423 if (sprof->id == id) {
424 s->srtp_profile = sprof;
425 srtp_pref = i;
426 break;
427 }
428 }
429 }
430
1266eefd 431 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 432 if (!PACKET_get_1(pkt, &mki_len)) {
7fe97c07 433 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 434 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
435 *al = SSL_AD_DECODE_ERROR;
436 return 0;
437 }
438
439 if (!PACKET_forward(pkt, mki_len)
440 || PACKET_remaining(pkt)) {
7fe97c07 441 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 442 *al = SSL_AD_DECODE_ERROR;
443 return 0;
444 }
445
446 return 1;
447}
448#endif
449
61138358
MC		 450int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
451 size_t chainidx, int *al)
25670f3e
MC		 452{
453 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 454 s->ext.use_etm = 1;
25670f3e
MC		 455
456 return 1;
457}
458
b2f7e8c0
MC		 459/*
460 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
461 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
462 * If a failure occurs then |*al| is set to an appropriate alert value.
463 */
61138358
MC		 464int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
465 X509 *x, size_t chainidx, int *al)
b2f7e8c0
MC		 466{
467#ifndef OPENSSL_NO_TLS1_3
468 PACKET psk_kex_modes;
469 unsigned int mode;
470
471 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
472 || PACKET_remaining(&psk_kex_modes) == 0) {
473 *al = SSL_AD_DECODE_ERROR;
474 return 0;
475 }
476
477 while (PACKET_get_1(&psk_kex_modes, &mode)) {
478 if (mode == TLSEXT_KEX_MODE_KE_DHE)
479 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
480 else if (mode == TLSEXT_KEX_MODE_KE)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
482 }
483#endif
484
485 return 1;
486}
487
25670f3e
MC		 488/*
489 * Process a key_share extension received in the ClientHello. |pkt| contains
490 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
491 * If a failure occurs then |*al| is set to an appropriate alert value.
492 */
61138358
MC		 493int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
494 size_t chainidx, int *al)
25670f3e 495{
3cf96e88 496#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 497 unsigned int group_id;
498 PACKET key_share_list, encoded_pt;
499 const unsigned char *clntcurves, *srvrcurves;
500 size_t clnt_num_curves, srvr_num_curves;
501 int group_nid, found = 0;
502 unsigned int curve_flags;
503
f4bbb37c 504 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 505 return 1;
506
507 /* Sanity check */
508 if (s->s3->peer_tmp != NULL) {
509 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 510 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 511 return 0;
512 }
513
514 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
721586ea 515 *al = SSL_AD_DECODE_ERROR;
7fe97c07 516 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 517 return 0;
518 }
519
520 /* Get our list of supported curves */
521 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
522 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 523 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 524 return 0;
525 }
526
24b8e4b2 527 /*
70af3d8e 528 * Get the clients list of supported curves.
24b8e4b2
MC		 529 * TODO(TLS1.3): We should validate that we actually received
530 * supported_groups!
531 */
25670f3e
MC		 532 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
533 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 534 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 535 return 0;
536 }
537
538 while (PACKET_remaining(&key_share_list) > 0) {
539 if (!PACKET_get_net_2(&key_share_list, &group_id)
540 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
541 || PACKET_remaining(&encoded_pt) == 0) {
721586ea 542 *al = SSL_AD_DECODE_ERROR;
7fe97c07 543 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 544 SSL_R_LENGTH_MISMATCH);
545 return 0;
546 }
547
548 /*
549 * If we already found a suitable key_share we loop through the
550 * rest to verify the structure, but don't process them.
551 */
552 if (found)
553 continue;
554
555 /* Check if this share is in supported_groups sent from client */
556 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
721586ea 557 *al = SSL_AD_ILLEGAL_PARAMETER;
7fe97c07 558 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 559 return 0;
560 }
561
562 /* Check if this share is for a group we can use */
563 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
564 /* Share not suitable */
565 continue;
566 }
567
568 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
569
570 if (group_nid == 0) {
571 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 572 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 573 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
574 return 0;
575 }
576
577 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
578 /* Can happen for some curves, e.g. X25519 */
579 EVP_PKEY *key = EVP_PKEY_new();
580
581 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
582 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 583 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 584 EVP_PKEY_free(key);
585 return 0;
586 }
587 s->s3->peer_tmp = key;
588 } else {
589 /* Set up EVP_PKEY with named curve as parameters */
590 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1266eefd 591
25670f3e
MC		 592 if (pctx == NULL
593 || EVP_PKEY_paramgen_init(pctx) <= 0
594 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
595 group_nid) <= 0
596 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
597 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 598 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 599 EVP_PKEY_CTX_free(pctx);
600 return 0;
601 }
602 EVP_PKEY_CTX_free(pctx);
603 pctx = NULL;
604 }
605 s->s3->group_id = group_id;
606
607 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
608 PACKET_data(&encoded_pt),
609 PACKET_remaining(&encoded_pt))) {
610 *al = SSL_AD_DECODE_ERROR;
7fe97c07 611 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 612 return 0;
613 }
614
615 found = 1;
616 }
3cf96e88 617#endif
25670f3e
MC		 618
619 return 1;
620}
621
622#ifndef OPENSSL_NO_EC
61138358
MC		 623int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
624 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 625{
626 PACKET supported_groups_list;
627
628 /* Each group is 2 bytes and we must have at least 1. */
629 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
630 || PACKET_remaining(&supported_groups_list) == 0
631 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
632 *al = SSL_AD_DECODE_ERROR;
633 return 0;
634 }
635
7d061fce
MC		 636 OPENSSL_free(s->session->ext.supportedgroups);
637 s->session->ext.supportedgroups = NULL;
638 s->session->ext.supportedgroups_len = 0;
1053a6e2
MC		 639 if (!PACKET_memdup(&supported_groups_list,
640 &s->session->ext.supportedgroups,
641 &s->session->ext.supportedgroups_len)) {
25670f3e
MC		 642 *al = SSL_AD_DECODE_ERROR;
643 return 0;
644 }
645
646 return 1;
647}
648#endif
649
61138358
MC		 650int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
651 size_t chainidx, int *al)
25670f3e
MC		 652{
653 /* The extension must always be empty */
654 if (PACKET_remaining(pkt) != 0) {
655 *al = SSL_AD_DECODE_ERROR;
656 return 0;
657 }
658
659 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
660
661 return 1;
662}
7da160b0 663
38df5a45
MC		 664
665int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
666 X509 *x, size_t chainidx, int *al)
667{
668 if (PACKET_remaining(pkt) != 0) {
669 *al = SSL_AD_DECODE_ERROR;
670 return 0;
671 }
672
673 return 1;
674}
675
61138358
MC		 676int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
677 size_t chainidx, int *al)
1053a6e2
MC		 678{
679 PACKET identities, binders, binder;
680 size_t binderoffset, hashsize;
681 SSL_SESSION *sess = NULL;
682 unsigned int id, i;
683 const EVP_MD *md = NULL;
30d1bab1 684 uint32_t ticket_age = 0, now, agesec, agems;
1053a6e2 685
1a9f457c
MC		 686 /*
687 * If we have no PSK kex mode that we recognise then we can't resume so
688 * ignore this extension
689 */
690 if ((s->ext.psk_kex_mode
691 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
692 return 1;
693
1053a6e2
MC		 694 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
695 *al = SSL_AD_DECODE_ERROR;
696 return 0;
697 }
698
699 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
700 PACKET identity;
2c604cb9 701 unsigned long ticket_agel;
1053a6e2
MC		 702 int ret;
703
704 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 705 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1053a6e2
MC		 706 *al = SSL_AD_DECODE_ERROR;
707 return 0;
708 }
709
2c604cb9 710 ticket_age = (uint32_t)ticket_agel;
1b8bacff 711
1053a6e2
MC		 712 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
713 PACKET_remaining(&identity), NULL, 0, &sess);
714 if (ret == TICKET_FATAL_ERR_MALLOC || ret == TICKET_FATAL_ERR_OTHER) {
715 *al = SSL_AD_INTERNAL_ERROR;
716 return 0;
717 }
718 if (ret == TICKET_NO_DECRYPT)
719 continue;
720
534a43ff 721 md = ssl_md(sess->cipher->algorithm2);
1053a6e2
MC		 722 if (md == NULL) {
723 /*
724 * Don't recognise this cipher so we can't use the session.
725 * Ignore it
726 */
727 SSL_SESSION_free(sess);
728 sess = NULL;
729 continue;
730 }
731
732 /*
733 * TODO(TLS1.3): Somehow we need to handle the case of a ticket renewal.
734 * Ignored for now
735 */
736
737 break;
738 }
739
740 if (sess == NULL)
741 return 1;
742
743 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1053a6e2
MC		 744 hashsize = EVP_MD_size(md);
745
746 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
747 *al = SSL_AD_DECODE_ERROR;
748 goto err;
749 }
750
751 for (i = 0; i <= id; i++) {
752 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
753 *al = SSL_AD_DECODE_ERROR;
754 goto err;
755 }
756 }
757
758 if (PACKET_remaining(&binder) != hashsize
759 || tls_psk_do_binder(s, md,
760 (const unsigned char *)s->init_buf->data,
761 binderoffset, PACKET_data(&binder), NULL,
762 sess, 0) != 1) {
763 *al = SSL_AD_DECODE_ERROR;
764 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
765 goto err;
766 }
767
768 sess->ext.tick_identity = id;
2c604cb9
MC		 769
770 now = (uint32_t)time(NULL);
771 agesec = now - (uint32_t)sess->time;
772 agems = agesec * (uint32_t)1000;
773 ticket_age -= sess->ext.tick_age_add;
774
775
776 /*
777 * For simplicity we do our age calculations in seconds. If the client does
778 * it in ms then it could appear that their ticket age is longer than ours
779 * (our ticket age calculation should always be slightly longer than the
780 * client's due to the network latency). Therefore we add 1000ms to our age
781 * calculation to adjust for rounding errors.
782 */
d1186c30 783 if (sess->timeout >= (long)agesec
2c604cb9
MC		 784 && agems / (uint32_t)1000 == agesec
785 && ticket_age <= agems + 1000
786 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
787 /*
788 * Ticket age is within tolerance and not expired. We allow it for early
789 * data
790 */
791 s->ext.early_data_ok = 1;
792 }
793
794
1053a6e2
MC		 795 SSL_SESSION_free(s->session);
796 s->session = sess;
1053a6e2
MC		 797 return 1;
798err:
312e9387 799 SSL_SESSION_free(sess);
1053a6e2
MC		 800 return 0;
801}
802
1266eefd
MC		 803/*
804 * Add the server's renegotiation binding
805 */
61138358
MC		 806int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
807 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 808{
809 if (!s->s3->send_connection_binding)
810 return 1;
811
812 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
813 || !WPACKET_start_sub_packet_u16(pkt)
814 || !WPACKET_start_sub_packet_u8(pkt)
815 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
816 s->s3->previous_client_finished_len)
817 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
818 s->s3->previous_server_finished_len)
819 || !WPACKET_close(pkt)
820 || !WPACKET_close(pkt)) {
7fe97c07 821 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 822 return 0;
823 }
824
825 return 1;
826}
827
61138358
MC		 828int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, unsigned int context,
829 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 830{
831 if (s->hit || s->servername_done != 1
aff8c126 832 || s->session->ext.hostname == NULL)
7da160b0
MC		 833 return 1;
834
835 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
836 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 837 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 838 return 0;
839 }
840
841 return 1;
842}
843
844#ifndef OPENSSL_NO_EC
61138358
MC		 845int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
846 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 847{
848 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
849 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
89247375 850 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
aff8c126 851 && (s->session->ext.ecpointformats != NULL);
7da160b0
MC		 852 const unsigned char *plist;
853 size_t plistlen;
854
855 if (!using_ecc)
856 return 1;
857
858 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 859 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
860 || !WPACKET_start_sub_packet_u16(pkt)
861 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
862 || !WPACKET_close(pkt)) {
7fe97c07 863 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 864 return 0;
865 }
866
867 return 1;
868}
869#endif
870
cf53cbea 871#ifndef OPENSSL_NO_EC
6af87546
MC		 872int tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
873 unsigned int context, X509 *x,
874 size_t chainidx, int *al)
875{
876 const unsigned char *groups;
877 size_t numgroups, i, first = 1;
878
879 /* s->s3->group_id is non zero if we accepted a key_share */
880 if (s->s3->group_id == 0)
881 return 1;
882
883 /* Get our list of supported groups */
884 if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
885 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
886 return 0;
887 }
888
889 /* Copy group ID if supported */
890 for (i = 0; i < numgroups; i++, groups += 2) {
891 if (tls_curve_allowed(s, groups, SSL_SECOP_CURVE_SUPPORTED)) {
892 if (first) {
893 /*
894 * Check if the client is already using our preferred group. If
895 * so we don't need to add this extension
896 */
897 if (s->s3->group_id == GET_GROUP_ID(groups, 0))
898 return 1;
899
900 /* Add extension header */
901 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
902 /* Sub-packet for supported_groups extension */
903 || !WPACKET_start_sub_packet_u16(pkt)
904 || !WPACKET_start_sub_packet_u16(pkt)) {
905 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
906 ERR_R_INTERNAL_ERROR);
907 return 0;
908 }
909
910 first = 0;
911 }
12635aa0 912 if (!WPACKET_put_bytes_u16(pkt, GET_GROUP_ID(groups, 0))) {
6af87546
MC		 913 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
914 ERR_R_INTERNAL_ERROR);
915 return 0;
916 }
917 }
918 }
919
920 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
921 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
922 return 0;
923 }
924
925 return 1;
926}
cf53cbea 927#endif
6af87546 928
61138358
MC		 929int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
930 unsigned int context, X509 *x,
8521ced6 931 size_t chainidx, int *al)
7da160b0 932{
aff8c126
RS		 933 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
934 s->ext.ticket_expected = 0;
7da160b0
MC		 935 return 1;
936 }
937
938 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
939 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 940 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 941 return 0;
942 }
943
944 return 1;
945}
946
ab83e314 947#ifndef OPENSSL_NO_OCSP
61138358
MC		 948int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
949 unsigned int context, X509 *x,
950 size_t chainidx, int *al)
7da160b0 951{
aff8c126 952 if (!s->ext.status_expected)
7da160b0
MC		 953 return 1;
954
8521ced6 955 if (SSL_IS_TLS13(s) && chainidx != 0)
e96e0f8e
MC		 956 return 1;
957
7da160b0 958 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288
MC		 959 || !WPACKET_start_sub_packet_u16(pkt)) {
960 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
961 return 0;
962 }
963
964 /*
965 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
966 * send back an empty extension, with the certificate status appearing as a
967 * separate message
968 */
969 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
970 || !WPACKET_close(pkt)) {
7fe97c07 971 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 972 return 0;
973 }
974
975 return 1;
976}
ab83e314 977#endif
7da160b0 978
7da160b0 979#ifndef OPENSSL_NO_NEXTPROTONEG
61138358
MC		 980int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
981 unsigned int context, X509 *x,
8521ced6 982 size_t chainidx, int *al)
7da160b0
MC		 983{
984 const unsigned char *npa;
985 unsigned int npalen;
986 int ret;
aff8c126 987 int npn_seen = s->s3->npn_seen;
7da160b0 988
aff8c126
RS		 989 s->s3->npn_seen = 0;
990 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
7da160b0
MC		 991 return 1;
992
aff8c126
RS		 993 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
994 s->ctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 995 if (ret == SSL_TLSEXT_ERR_OK) {
996 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
997 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
7fe97c07 998 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
7da160b0
MC		 999 ERR_R_INTERNAL_ERROR);
1000 return 0;
1001 }
aff8c126 1002 s->s3->npn_seen = 1;
7da160b0
MC		 1003 }
1004
1005 return 1;
1006}
1007#endif
1008
61138358
MC		 1009int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1010 size_t chainidx, int *al)
7da160b0
MC		 1011{
1012 if (s->s3->alpn_selected == NULL)
1013 return 1;
1014
1015 if (!WPACKET_put_bytes_u16(pkt,
1016 TLSEXT_TYPE_application_layer_protocol_negotiation)
1017 || !WPACKET_start_sub_packet_u16(pkt)
1018 || !WPACKET_start_sub_packet_u16(pkt)
1019 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1020 s->s3->alpn_selected_len)
1021 || !WPACKET_close(pkt)
1022 || !WPACKET_close(pkt)) {
7fe97c07 1023 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1024 return 0;
1025 }
1026
1027 return 1;
1028}
1029
1030#ifndef OPENSSL_NO_SRTP
61138358
MC		 1031int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
1032 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 1033{
1034 if (s->srtp_profile == NULL)
1035 return 1;
a1448c26 1036
7da160b0
MC		 1037 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1038 || !WPACKET_start_sub_packet_u16(pkt)
1039 || !WPACKET_put_bytes_u16(pkt, 2)
1040 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1041 || !WPACKET_put_bytes_u8(pkt, 0)
1042 || !WPACKET_close(pkt)) {
7fe97c07 1043 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1044 return 0;
1045 }
1046
1047 return 1;
1048}
1049#endif
1050
61138358
MC		 1051int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1052 size_t chainidx, int *al)
7da160b0 1053{
28a31a0a 1054 if (!s->ext.use_etm)
7da160b0
MC		 1055 return 1;
1056
1057 /*
1058 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1059 * for other cases too.
1060 */
1061 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1062 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1063 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1064 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
28a31a0a 1065 s->ext.use_etm = 0;
7da160b0
MC		 1066 return 1;
1067 }
1068
1069 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1070 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 1071 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1072 return 0;
1073 }
1074
1075 return 1;
1076}
1077
61138358
MC		 1078int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1079 size_t chainidx, int *al)
7da160b0
MC		 1080{
1081 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1082 return 1;
1083
1084 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1085 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 1086 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1087 return 0;
1088 }
1089
1090 return 1;
1091}
1092
61138358
MC		 1093int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
1094 X509 *x, size_t chainidx, int *al)
7da160b0 1095{
3cf96e88 1096#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1097 unsigned char *encodedPoint;
1098 size_t encoded_pt_len = 0;
1099 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1100
7da160b0 1101 if (ckey == NULL) {
7d061fce
MC		 1102 /* No key_share received from client */
1103 if (s->hello_retry_request) {
7d061fce 1104 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
aff9929b
MC		 1105 || !WPACKET_start_sub_packet_u16(pkt)
1106 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1107 || !WPACKET_close(pkt)) {
7d061fce
MC		 1108 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1109 ERR_R_INTERNAL_ERROR);
1110 return 0;
1111 }
1112
1113 return 1;
1114 }
1115
1116 /* Must be resuming. */
0247086d
MC		 1117 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1118 *al = SSL_AD_INTERNAL_ERROR;
1119 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1120 return 0;
1121 }
1122 return 1;
7da160b0
MC		 1123 }
1124
1125 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1126 || !WPACKET_start_sub_packet_u16(pkt)
1127 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
7fe97c07 1128 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1129 return 0;
1130 }
1131
1132 skey = ssl_generate_pkey(ckey);
1133 if (skey == NULL) {
7fe97c07 1134 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
7da160b0
MC		 1135 return 0;
1136 }
1137
1138 /* Generate encoding of server key */
1139 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1140 if (encoded_pt_len == 0) {
7fe97c07 1141 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
7da160b0
MC		 1142 EVP_PKEY_free(skey);
1143 return 0;
1144 }
1145
1146 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1147 || !WPACKET_close(pkt)) {
7fe97c07 1148 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1149 EVP_PKEY_free(skey);
1150 OPENSSL_free(encodedPoint);
1151 return 0;
1152 }
1153 OPENSSL_free(encodedPoint);
1154
1155 /* This causes the crypto state to be updated based on the derived keys */
1156 s->s3->tmp.pkey = skey;
1157 if (ssl_derive(s, skey, ckey, 1) == 0) {
7fe97c07 1158 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1159 return 0;
1160 }
3cf96e88 1161#endif
7da160b0
MC		 1162
1163 return 1;
1164}
1165
61138358
MC		 1166int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context,
1167 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 1168{
1169 const unsigned char cryptopro_ext[36] = {
1170 0xfd, 0xe8, /* 65000 */
1171 0x00, 0x20, /* 32 bytes length */
1172 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1173 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1174 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1175 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1176 };
1177
1178 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1179 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1180 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1181 return 1;
1182
1183 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
7fe97c07 1184 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1185 return 0;
1186 }
1187
1188 return 1;
1189}
0247086d 1190
38df5a45
MC		 1191int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,
1192 X509 *x, size_t chainidx, int *al)
1193{
fe874d27 1194 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f
MC		 1195 if (s->max_early_data == 0)
1196 return 1;
1197
1198 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1199 || !WPACKET_start_sub_packet_u16(pkt)
1200 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1201 || !WPACKET_close(pkt)) {
1202 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1203 return 0;
1204 }
1205
1206 return 1;
1207 }
1208
38df5a45
MC		 1209 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1210 return 1;
1211
1212 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1213 || !WPACKET_start_sub_packet_u16(pkt)
1214 || !WPACKET_close(pkt)) {
1215 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1216 return 0;
1217 }
1218
1219 return 1;
1220}
1221
61138358
MC		 1222int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1223 size_t chainidx, int *al)
0247086d
MC		 1224{
1225 if (!s->hit)
1226 return 1;
1227
1228 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1229 || !WPACKET_start_sub_packet_u16(pkt)
1230 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1231 || !WPACKET_close(pkt)) {
1232 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1233 return 0;
1234 }
1235
1236 return 1;
1237}
A mirror of the official openssl repository