]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/extensions_clnt.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Use empty renegotiate extension instead of SCSV for TLS > 1.0
[thirdparty/openssl.git] / ssl / statem / extensions_clnt.c
1 /*
2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "internal/cryptlib.h"
13 #include "statem_local.h"
14
15 EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
16 unsigned int context, X509 *x,
17 size_t chainidx)
18 {
19 if (!s->renegotiate) {
20 /* If not renegotiating, send an empty RI extension to indicate support */
21
22 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
23 # error Internal DTLS version error
24 #endif
25
26 if (!SSL_CONNECTION_IS_DTLS(s)
27 && (s->min_proto_version >= TLS1_3_VERSION
28 || (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL)
29 && s->min_proto_version <= TLS1_VERSION))) {
30 /*
31 * For TLS <= 1.0 SCSV is used instead, and for TLS 1.3 this
32 * extension isn't used at all.
33 */
34 return EXT_RETURN_NOT_SENT;
35 }
36
37
38 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
39 || !WPACKET_start_sub_packet_u16(pkt)
40 || !WPACKET_put_bytes_u8(pkt, 0)
41 || !WPACKET_close(pkt)) {
42 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43 return EXT_RETURN_FAIL;
44 }
45
46 return EXT_RETURN_SENT;
47 }
48
49 /* Add a complete RI extension if renegotiating */
50 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
51 || !WPACKET_start_sub_packet_u16(pkt)
52 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,
53 s->s3.previous_client_finished_len)
54 || !WPACKET_close(pkt)) {
55 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
56 return EXT_RETURN_FAIL;
57 }
58
59 return EXT_RETURN_SENT;
60 }
61
62 EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt,
63 unsigned int context, X509 *x,
64 size_t chainidx)
65 {
66 if (s->ext.hostname == NULL)
67 return EXT_RETURN_NOT_SENT;
68
69 /* Add TLS extension servername to the Client Hello message */
70 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
71 /* Sub-packet for server_name extension */
72 || !WPACKET_start_sub_packet_u16(pkt)
73 /* Sub-packet for servername list (always 1 hostname)*/
74 || !WPACKET_start_sub_packet_u16(pkt)
75 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
76 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
77 strlen(s->ext.hostname))
78 || !WPACKET_close(pkt)
79 || !WPACKET_close(pkt)) {
80 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
81 return EXT_RETURN_FAIL;
82 }
83
84 return EXT_RETURN_SENT;
85 }
86
87 /* Push a Max Fragment Len extension into ClientHello */
88 EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
89 unsigned int context, X509 *x,
90 size_t chainidx)
91 {
92 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
93 return EXT_RETURN_NOT_SENT;
94
95 /* Add Max Fragment Length extension if client enabled it. */
96 /*-
97 * 4 bytes for this extension type and extension length
98 * 1 byte for the Max Fragment Length code value.
99 */
100 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
101 /* Sub-packet for Max Fragment Length extension (1 byte) */
102 || !WPACKET_start_sub_packet_u16(pkt)
103 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
104 || !WPACKET_close(pkt)) {
105 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
106 return EXT_RETURN_FAIL;
107 }
108
109 return EXT_RETURN_SENT;
110 }
111
112 #ifndef OPENSSL_NO_SRP
113 EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt,
114 unsigned int context,
115 X509 *x, size_t chainidx)
116 {
117 /* Add SRP username if there is one */
118 if (s->srp_ctx.login == NULL)
119 return EXT_RETURN_NOT_SENT;
120
121 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
122 /* Sub-packet for SRP extension */
123 || !WPACKET_start_sub_packet_u16(pkt)
124 || !WPACKET_start_sub_packet_u8(pkt)
125 /* login must not be zero...internal error if so */
126 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
127 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
128 strlen(s->srp_ctx.login))
129 || !WPACKET_close(pkt)
130 || !WPACKET_close(pkt)) {
131 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
132 return EXT_RETURN_FAIL;
133 }
134
135 return EXT_RETURN_SENT;
136 }
137 #endif
138
139 static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version)
140 {
141 int i, end, ret = 0;
142 unsigned long alg_k, alg_a;
143 STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
144 const uint16_t *pgroups = NULL;
145 size_t num_groups, j;
146 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
147
148 /* See if we support any ECC ciphersuites */
149 if (s->version == SSL3_VERSION)
150 return 0;
151
152 cipher_stack = SSL_get1_supported_ciphers(ssl);
153 end = sk_SSL_CIPHER_num(cipher_stack);
154 for (i = 0; i < end; i++) {
155 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
156
157 alg_k = c->algorithm_mkey;
158 alg_a = c->algorithm_auth;
159 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
160 || (alg_a & SSL_aECDSA)
161 || c->min_tls >= TLS1_3_VERSION) {
162 ret = 1;
163 break;
164 }
165 }
166 sk_SSL_CIPHER_free(cipher_stack);
167 if (!ret)
168 return 0;
169
170 /* Check we have at least one EC supported group */
171 tls1_get_supported_groups(s, &pgroups, &num_groups);
172 for (j = 0; j < num_groups; j++) {
173 uint16_t ctmp = pgroups[j];
174
175 if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)
176 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
177 return 1;
178 }
179
180 return 0;
181 }
182
183 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
184 unsigned int context, X509 *x,
185 size_t chainidx)
186 {
187 const unsigned char *pformats;
188 size_t num_formats;
189 int reason, min_version, max_version;
190
191 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
192 if (reason != 0) {
193 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
194 return EXT_RETURN_FAIL;
195 }
196 if (!use_ecc(s, min_version, max_version))
197 return EXT_RETURN_NOT_SENT;
198
199 /* Add TLS extension ECPointFormats to the ClientHello message */
200 tls1_get_formatlist(s, &pformats, &num_formats);
201
202 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
203 /* Sub-packet for formats extension */
204 || !WPACKET_start_sub_packet_u16(pkt)
205 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
206 || !WPACKET_close(pkt)) {
207 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
208 return EXT_RETURN_FAIL;
209 }
210
211 return EXT_RETURN_SENT;
212 }
213
214 EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
215 unsigned int context, X509 *x,
216 size_t chainidx)
217 {
218 const uint16_t *pgroups = NULL;
219 size_t num_groups = 0, i, tls13added = 0, added = 0;
220 int min_version, max_version, reason;
221
222 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
223 if (reason != 0) {
224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
225 return EXT_RETURN_FAIL;
226 }
227
228 /*
229 * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore
230 * if we don't have EC support then we don't send this extension.
231 */
232 if (!use_ecc(s, min_version, max_version)
233 && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))
234 return EXT_RETURN_NOT_SENT;
235
236 /*
237 * Add TLS extension supported_groups to the ClientHello message
238 */
239 tls1_get_supported_groups(s, &pgroups, &num_groups);
240
241 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
242 /* Sub-packet for supported_groups extension */
243 || !WPACKET_start_sub_packet_u16(pkt)
244 || !WPACKET_start_sub_packet_u16(pkt)
245 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) {
246 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
247 return EXT_RETURN_FAIL;
248 }
249 /* Copy group ID if supported */
250 for (i = 0; i < num_groups; i++) {
251 uint16_t ctmp = pgroups[i];
252 int okfortls13;
253
254 if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
255 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
256 if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
258 return EXT_RETURN_FAIL;
259 }
260 if (okfortls13 && max_version == TLS1_3_VERSION)
261 tls13added++;
262 added++;
263 }
264 }
265 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
266 if (added == 0)
267 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
268 "No groups enabled for max supported SSL/TLS version");
269 else
270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
271 return EXT_RETURN_FAIL;
272 }
273
274 if (tls13added == 0 && max_version == TLS1_3_VERSION) {
275 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
276 "No groups enabled for max supported SSL/TLS version");
277 return EXT_RETURN_FAIL;
278 }
279
280 return EXT_RETURN_SENT;
281 }
282
283 EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
284 unsigned int context, X509 *x,
285 size_t chainidx)
286 {
287 size_t ticklen;
288
289 if (!tls_use_ticket(s))
290 return EXT_RETURN_NOT_SENT;
291
292 if (!s->new_session && s->session != NULL
293 && s->session->ext.tick != NULL
294 && s->session->ssl_version != TLS1_3_VERSION) {
295 ticklen = s->session->ext.ticklen;
296 } else if (s->session && s->ext.session_ticket != NULL
297 && s->ext.session_ticket->data != NULL) {
298 ticklen = s->ext.session_ticket->length;
299 s->session->ext.tick = OPENSSL_malloc(ticklen);
300 if (s->session->ext.tick == NULL) {
301 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
302 return EXT_RETURN_FAIL;
303 }
304 memcpy(s->session->ext.tick,
305 s->ext.session_ticket->data, ticklen);
306 s->session->ext.ticklen = ticklen;
307 } else {
308 ticklen = 0;
309 }
310
311 if (ticklen == 0 && s->ext.session_ticket != NULL &&
312 s->ext.session_ticket->data == NULL)
313 return EXT_RETURN_NOT_SENT;
314
315 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
316 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
317 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
318 return EXT_RETURN_FAIL;
319 }
320
321 return EXT_RETURN_SENT;
322 }
323
324 EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt,
325 unsigned int context, X509 *x,
326 size_t chainidx)
327 {
328 size_t salglen;
329 const uint16_t *salg;
330
331 if (!SSL_CLIENT_USE_SIGALGS(s))
332 return EXT_RETURN_NOT_SENT;
333
334 salglen = tls12_get_psigalgs(s, 1, &salg);
335 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
336 /* Sub-packet for sig-algs extension */
337 || !WPACKET_start_sub_packet_u16(pkt)
338 /* Sub-packet for the actual list */
339 || !WPACKET_start_sub_packet_u16(pkt)
340 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
341 || !WPACKET_close(pkt)
342 || !WPACKET_close(pkt)) {
343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
344 return EXT_RETURN_FAIL;
345 }
346
347 return EXT_RETURN_SENT;
348 }
349
350 #ifndef OPENSSL_NO_OCSP
351 EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt,
352 unsigned int context, X509 *x,
353 size_t chainidx)
354 {
355 int i;
356
357 /* This extension isn't defined for client Certificates */
358 if (x != NULL)
359 return EXT_RETURN_NOT_SENT;
360
361 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
362 return EXT_RETURN_NOT_SENT;
363
364 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
365 /* Sub-packet for status request extension */
366 || !WPACKET_start_sub_packet_u16(pkt)
367 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
368 /* Sub-packet for the ids */
369 || !WPACKET_start_sub_packet_u16(pkt)) {
370 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
371 return EXT_RETURN_FAIL;
372 }
373 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
374 unsigned char *idbytes;
375 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
376 int idlen = i2d_OCSP_RESPID(id, NULL);
377
378 if (idlen <= 0
379 /* Sub-packet for an individual id */
380 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
381 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
382 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
383 return EXT_RETURN_FAIL;
384 }
385 }
386 if (!WPACKET_close(pkt)
387 || !WPACKET_start_sub_packet_u16(pkt)) {
388 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
389 return EXT_RETURN_FAIL;
390 }
391 if (s->ext.ocsp.exts) {
392 unsigned char *extbytes;
393 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
394
395 if (extlen < 0) {
396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
397 return EXT_RETURN_FAIL;
398 }
399 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
400 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
401 != extlen) {
402 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
403 return EXT_RETURN_FAIL;
404 }
405 }
406 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
407 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
408 return EXT_RETURN_FAIL;
409 }
410
411 return EXT_RETURN_SENT;
412 }
413 #endif
414
415 #ifndef OPENSSL_NO_NEXTPROTONEG
416 EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt,
417 unsigned int context,
418 X509 *x, size_t chainidx)
419 {
420 if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL
421 || !SSL_IS_FIRST_HANDSHAKE(s))
422 return EXT_RETURN_NOT_SENT;
423
424 /*
425 * The client advertises an empty extension to indicate its support
426 * for Next Protocol Negotiation
427 */
428 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
429 || !WPACKET_put_bytes_u16(pkt, 0)) {
430 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
431 return EXT_RETURN_FAIL;
432 }
433
434 return EXT_RETURN_SENT;
435 }
436 #endif
437
438 EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt,
439 unsigned int context,
440 X509 *x, size_t chainidx)
441 {
442 s->s3.alpn_sent = 0;
443
444 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
445 return EXT_RETURN_NOT_SENT;
446
447 if (!WPACKET_put_bytes_u16(pkt,
448 TLSEXT_TYPE_application_layer_protocol_negotiation)
449 /* Sub-packet ALPN extension */
450 || !WPACKET_start_sub_packet_u16(pkt)
451 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
452 || !WPACKET_close(pkt)) {
453 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
454 return EXT_RETURN_FAIL;
455 }
456 s->s3.alpn_sent = 1;
457
458 return EXT_RETURN_SENT;
459 }
460
461
462 #ifndef OPENSSL_NO_SRTP
463 EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
464 unsigned int context, X509 *x,
465 size_t chainidx)
466 {
467 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
468 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl);
469 int i, end;
470
471 if (clnt == NULL)
472 return EXT_RETURN_NOT_SENT;
473
474 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
475 /* Sub-packet for SRTP extension */
476 || !WPACKET_start_sub_packet_u16(pkt)
477 /* Sub-packet for the protection profile list */
478 || !WPACKET_start_sub_packet_u16(pkt)) {
479 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
480 return EXT_RETURN_FAIL;
481 }
482
483 end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
484 for (i = 0; i < end; i++) {
485 const SRTP_PROTECTION_PROFILE *prof =
486 sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
487
488 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
489 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
490 return EXT_RETURN_FAIL;
491 }
492 }
493 if (!WPACKET_close(pkt)
494 /* Add an empty use_mki value */
495 || !WPACKET_put_bytes_u8(pkt, 0)
496 || !WPACKET_close(pkt)) {
497 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
498 return EXT_RETURN_FAIL;
499 }
500
501 return EXT_RETURN_SENT;
502 }
503 #endif
504
505 EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt,
506 unsigned int context,
507 X509 *x, size_t chainidx)
508 {
509 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
510 return EXT_RETURN_NOT_SENT;
511
512 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
513 || !WPACKET_put_bytes_u16(pkt, 0)) {
514 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
515 return EXT_RETURN_FAIL;
516 }
517
518 return EXT_RETURN_SENT;
519 }
520
521 #ifndef OPENSSL_NO_CT
522 EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt,
523 unsigned int context,
524 X509 *x, size_t chainidx)
525 {
526 if (s->ct_validation_callback == NULL)
527 return EXT_RETURN_NOT_SENT;
528
529 /* Not defined for client Certificates */
530 if (x != NULL)
531 return EXT_RETURN_NOT_SENT;
532
533 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
534 || !WPACKET_put_bytes_u16(pkt, 0)) {
535 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
536 return EXT_RETURN_FAIL;
537 }
538
539 return EXT_RETURN_SENT;
540 }
541 #endif
542
543 EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt,
544 unsigned int context,
545 X509 *x, size_t chainidx)
546 {
547 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
548 return EXT_RETURN_NOT_SENT;
549
550 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
551 || !WPACKET_put_bytes_u16(pkt, 0)) {
552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
553 return EXT_RETURN_FAIL;
554 }
555
556 return EXT_RETURN_SENT;
557 }
558
559 EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
560 unsigned int context, X509 *x,
561 size_t chainidx)
562 {
563 int currv, min_version, max_version, reason;
564
565 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
566 if (reason != 0) {
567 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
568 return EXT_RETURN_FAIL;
569 }
570
571 /*
572 * Don't include this if we can't negotiate TLSv1.3. We can do a straight
573 * comparison here because we will never be called in DTLS.
574 */
575 if (max_version < TLS1_3_VERSION)
576 return EXT_RETURN_NOT_SENT;
577
578 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
579 || !WPACKET_start_sub_packet_u16(pkt)
580 || !WPACKET_start_sub_packet_u8(pkt)) {
581 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
582 return EXT_RETURN_FAIL;
583 }
584
585 for (currv = max_version; currv >= min_version; currv--) {
586 if (!WPACKET_put_bytes_u16(pkt, currv)) {
587 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
588 return EXT_RETURN_FAIL;
589 }
590 }
591 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
592 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
593 return EXT_RETURN_FAIL;
594 }
595
596 return EXT_RETURN_SENT;
597 }
598
599 /*
600 * Construct a psk_kex_modes extension.
601 */
602 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,
603 unsigned int context, X509 *x,
604 size_t chainidx)
605 {
606 #ifndef OPENSSL_NO_TLS1_3
607 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
608
609 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
610 || !WPACKET_start_sub_packet_u16(pkt)
611 || !WPACKET_start_sub_packet_u8(pkt)
612 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
613 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
614 || !WPACKET_close(pkt)
615 || !WPACKET_close(pkt)) {
616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
617 return EXT_RETURN_FAIL;
618 }
619
620 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
621 if (nodhe)
622 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
623 #endif
624
625 return EXT_RETURN_SENT;
626 }
627
628 #ifndef OPENSSL_NO_TLS1_3
629 static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int curve_id)
630 {
631 unsigned char *encoded_point = NULL;
632 EVP_PKEY *key_share_key = NULL;
633 size_t encodedlen;
634
635 if (s->s3.tmp.pkey != NULL) {
636 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
637 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
638 return 0;
639 }
640 /*
641 * Could happen if we got an HRR that wasn't requesting a new key_share
642 */
643 key_share_key = s->s3.tmp.pkey;
644 } else {
645 key_share_key = ssl_generate_pkey_group(s, curve_id);
646 if (key_share_key == NULL) {
647 /* SSLfatal() already called */
648 return 0;
649 }
650 }
651
652 /* Encode the public key. */
653 encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,
654 &encoded_point);
655 if (encodedlen == 0) {
656 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
657 goto err;
658 }
659
660 /* Create KeyShareEntry */
661 if (!WPACKET_put_bytes_u16(pkt, curve_id)
662 || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
663 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
664 goto err;
665 }
666
667 /*
668 * When changing to send more than one key_share we're
669 * going to need to be able to save more than one EVP_PKEY. For now
670 * we reuse the existing tmp.pkey
671 */
672 s->s3.tmp.pkey = key_share_key;
673 s->s3.group_id = curve_id;
674 OPENSSL_free(encoded_point);
675
676 return 1;
677 err:
678 if (s->s3.tmp.pkey == NULL)
679 EVP_PKEY_free(key_share_key);
680 OPENSSL_free(encoded_point);
681 return 0;
682 }
683 #endif
684
685 EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
686 unsigned int context, X509 *x,
687 size_t chainidx)
688 {
689 #ifndef OPENSSL_NO_TLS1_3
690 size_t i, num_groups = 0;
691 const uint16_t *pgroups = NULL;
692 uint16_t curve_id = 0;
693
694 /* key_share extension */
695 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
696 /* Extension data sub-packet */
697 || !WPACKET_start_sub_packet_u16(pkt)
698 /* KeyShare list sub-packet */
699 || !WPACKET_start_sub_packet_u16(pkt)) {
700 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
701 return EXT_RETURN_FAIL;
702 }
703
704 tls1_get_supported_groups(s, &pgroups, &num_groups);
705
706 /*
707 * Make the number of key_shares sent configurable. For
708 * now, we just send one
709 */
710 if (s->s3.group_id != 0) {
711 curve_id = s->s3.group_id;
712 } else {
713 for (i = 0; i < num_groups; i++) {
714 if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
715 continue;
716
717 if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,
718 0, NULL))
719 continue;
720
721 curve_id = pgroups[i];
722 break;
723 }
724 }
725
726 if (curve_id == 0) {
727 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
728 return EXT_RETURN_FAIL;
729 }
730
731 if (!add_key_share(s, pkt, curve_id)) {
732 /* SSLfatal() already called */
733 return EXT_RETURN_FAIL;
734 }
735
736 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
737 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
738 return EXT_RETURN_FAIL;
739 }
740 return EXT_RETURN_SENT;
741 #else
742 return EXT_RETURN_NOT_SENT;
743 #endif
744 }
745
746 EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt,
747 unsigned int context,
748 X509 *x, size_t chainidx)
749 {
750 EXT_RETURN ret = EXT_RETURN_FAIL;
751
752 /* Should only be set if we've had an HRR */
753 if (s->ext.tls13_cookie_len == 0)
754 return EXT_RETURN_NOT_SENT;
755
756 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
757 /* Extension data sub-packet */
758 || !WPACKET_start_sub_packet_u16(pkt)
759 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
760 s->ext.tls13_cookie_len)
761 || !WPACKET_close(pkt)) {
762 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
763 goto end;
764 }
765
766 ret = EXT_RETURN_SENT;
767 end:
768 OPENSSL_free(s->ext.tls13_cookie);
769 s->ext.tls13_cookie = NULL;
770 s->ext.tls13_cookie_len = 0;
771
772 return ret;
773 }
774
775 EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt,
776 unsigned int context, X509 *x,
777 size_t chainidx)
778 {
779 #ifndef OPENSSL_NO_PSK
780 char identity[PSK_MAX_IDENTITY_LEN + 1];
781 #endif /* OPENSSL_NO_PSK */
782 const unsigned char *id = NULL;
783 size_t idlen = 0;
784 SSL_SESSION *psksess = NULL;
785 SSL_SESSION *edsess = NULL;
786 const EVP_MD *handmd = NULL;
787 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
788
789 if (s->hello_retry_request == SSL_HRR_PENDING)
790 handmd = ssl_handshake_md(s);
791
792 if (s->psk_use_session_cb != NULL
793 && (!s->psk_use_session_cb(ssl, handmd, &id, &idlen, &psksess)
794 || (psksess != NULL
795 && psksess->ssl_version != TLS1_3_VERSION))) {
796 SSL_SESSION_free(psksess);
797 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
798 return EXT_RETURN_FAIL;
799 }
800
801 #ifndef OPENSSL_NO_PSK
802 if (psksess == NULL && s->psk_client_callback != NULL) {
803 unsigned char psk[PSK_MAX_PSK_LEN];
804 size_t psklen = 0;
805
806 memset(identity, 0, sizeof(identity));
807 psklen = s->psk_client_callback(ssl, NULL,
808 identity, sizeof(identity) - 1,
809 psk, sizeof(psk));
810
811 if (psklen > PSK_MAX_PSK_LEN) {
812 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
813 return EXT_RETURN_FAIL;
814 } else if (psklen > 0) {
815 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
816 const SSL_CIPHER *cipher;
817
818 idlen = strlen(identity);
819 if (idlen > PSK_MAX_IDENTITY_LEN) {
820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
821 return EXT_RETURN_FAIL;
822 }
823 id = (unsigned char *)identity;
824
825 /*
826 * We found a PSK using an old style callback. We don't know
827 * the digest so we default to SHA256 as per the TLSv1.3 spec
828 */
829 cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
830 if (cipher == NULL) {
831 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
832 return EXT_RETURN_FAIL;
833 }
834
835 psksess = SSL_SESSION_new();
836 if (psksess == NULL
837 || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
838 || !SSL_SESSION_set_cipher(psksess, cipher)
839 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
840 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
841 OPENSSL_cleanse(psk, psklen);
842 return EXT_RETURN_FAIL;
843 }
844 OPENSSL_cleanse(psk, psklen);
845 }
846 }
847 #endif /* OPENSSL_NO_PSK */
848
849 SSL_SESSION_free(s->psksession);
850 s->psksession = psksess;
851 if (psksess != NULL) {
852 OPENSSL_free(s->psksession_id);
853 s->psksession_id = OPENSSL_memdup(id, idlen);
854 if (s->psksession_id == NULL) {
855 s->psksession_id_len = 0;
856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
857 return EXT_RETURN_FAIL;
858 }
859 s->psksession_id_len = idlen;
860 }
861
862 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
863 || (s->session->ext.max_early_data == 0
864 && (psksess == NULL || psksess->ext.max_early_data == 0))) {
865 s->max_early_data = 0;
866 return EXT_RETURN_NOT_SENT;
867 }
868 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
869 s->max_early_data = edsess->ext.max_early_data;
870
871 if (edsess->ext.hostname != NULL) {
872 if (s->ext.hostname == NULL
873 || (s->ext.hostname != NULL
874 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
875 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
876 SSL_R_INCONSISTENT_EARLY_DATA_SNI);
877 return EXT_RETURN_FAIL;
878 }
879 }
880
881 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
882 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
883 return EXT_RETURN_FAIL;
884 }
885
886 /*
887 * Verify that we are offering an ALPN protocol consistent with the early
888 * data.
889 */
890 if (edsess->ext.alpn_selected != NULL) {
891 PACKET prots, alpnpkt;
892 int found = 0;
893
894 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
895 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
896 return EXT_RETURN_FAIL;
897 }
898 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
899 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
900 edsess->ext.alpn_selected_len)) {
901 found = 1;
902 break;
903 }
904 }
905 if (!found) {
906 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
907 SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
908 return EXT_RETURN_FAIL;
909 }
910 }
911
912 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
913 || !WPACKET_start_sub_packet_u16(pkt)
914 || !WPACKET_close(pkt)) {
915 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
916 return EXT_RETURN_FAIL;
917 }
918
919 /*
920 * We set this to rejected here. Later, if the server acknowledges the
921 * extension, we set it to accepted.
922 */
923 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
924 s->ext.early_data_ok = 1;
925
926 return EXT_RETURN_SENT;
927 }
928
929 #define F5_WORKAROUND_MIN_MSG_LEN 0xff
930 #define F5_WORKAROUND_MAX_MSG_LEN 0x200
931
932 /*
933 * PSK pre binder overhead =
934 * 2 bytes for TLSEXT_TYPE_psk
935 * 2 bytes for extension length
936 * 2 bytes for identities list length
937 * 2 bytes for identity length
938 * 4 bytes for obfuscated_ticket_age
939 * 2 bytes for binder list length
940 * 1 byte for binder length
941 * The above excludes the number of bytes for the identity itself and the
942 * subsequent binder bytes
943 */
944 #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
945
946 EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt,
947 unsigned int context, X509 *x,
948 size_t chainidx)
949 {
950 unsigned char *padbytes;
951 size_t hlen;
952
953 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
954 return EXT_RETURN_NOT_SENT;
955
956 /*
957 * Add padding to workaround bugs in F5 terminators. See RFC7685.
958 * This code calculates the length of all extensions added so far but
959 * excludes the PSK extension (because that MUST be written last). Therefore
960 * this extension MUST always appear second to last.
961 */
962 if (!WPACKET_get_total_written(pkt, &hlen)) {
963 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
964 return EXT_RETURN_FAIL;
965 }
966
967 /*
968 * If we're going to send a PSK then that will be written out after this
969 * extension, so we need to calculate how long it is going to be.
970 */
971 if (s->session->ssl_version == TLS1_3_VERSION
972 && s->session->ext.ticklen != 0
973 && s->session->cipher != NULL) {
974 const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s),
975 s->session->cipher->algorithm2);
976
977 if (md != NULL) {
978 /*
979 * Add the fixed PSK overhead, the identity length and the binder
980 * length.
981 */
982 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
983 + EVP_MD_get_size(md);
984 }
985 }
986
987 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
988 /* Calculate the amount of padding we need to add */
989 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
990
991 /*
992 * Take off the size of extension header itself (2 bytes for type and
993 * 2 bytes for length bytes), but ensure that the extension is at least
994 * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
995 * 8.x are intolerant of that condition)
996 */
997 if (hlen > 4)
998 hlen -= 4;
999 else
1000 hlen = 1;
1001
1002 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
1003 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
1004 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1005 return EXT_RETURN_FAIL;
1006 }
1007 memset(padbytes, 0, hlen);
1008 }
1009
1010 return EXT_RETURN_SENT;
1011 }
1012
1013 /*
1014 * Construct the pre_shared_key extension
1015 */
1016 EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
1017 unsigned int context,
1018 X509 *x, size_t chainidx)
1019 {
1020 #ifndef OPENSSL_NO_TLS1_3
1021 uint32_t agesec, agems = 0;
1022 size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
1023 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
1024 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
1025 int dores = 0;
1026 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1027 OSSL_TIME t;
1028
1029 s->ext.tick_identity = 0;
1030
1031 /*
1032 * Note: At this stage of the code we only support adding a single
1033 * resumption PSK. If we add support for multiple PSKs then the length
1034 * calculations in the padding extension will need to be adjusted.
1035 */
1036
1037 /*
1038 * If this is an incompatible or new session then we have nothing to resume
1039 * so don't add this extension.
1040 */
1041 if (s->session->ssl_version != TLS1_3_VERSION
1042 || (s->session->ext.ticklen == 0 && s->psksession == NULL))
1043 return EXT_RETURN_NOT_SENT;
1044
1045 if (s->hello_retry_request == SSL_HRR_PENDING)
1046 handmd = ssl_handshake_md(s);
1047
1048 if (s->session->ext.ticklen != 0) {
1049 /* Get the digest associated with the ciphersuite in the session */
1050 if (s->session->cipher == NULL) {
1051 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1052 return EXT_RETURN_FAIL;
1053 }
1054 mdres = ssl_md(sctx, s->session->cipher->algorithm2);
1055 if (mdres == NULL) {
1056 /*
1057 * Don't recognize this cipher so we can't use the session.
1058 * Ignore it
1059 */
1060 goto dopsksess;
1061 }
1062
1063 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
1064 /*
1065 * Selected ciphersuite hash does not match the hash for the session
1066 * so we can't use it.
1067 */
1068 goto dopsksess;
1069 }
1070
1071 /*
1072 * Technically the C standard just says time() returns a time_t and says
1073 * nothing about the encoding of that type. In practice most
1074 * implementations follow POSIX which holds it as an integral type in
1075 * seconds since epoch. We've already made the assumption that we can do
1076 * this in multiple places in the code, so portability shouldn't be an
1077 * issue.
1078 */
1079 t = ossl_time_subtract(ossl_time_now(), s->session->time);
1080 agesec = (uint32_t)ossl_time2seconds(t);
1081 /*
1082 * We calculate the age in seconds but the server may work in ms. Due to
1083 * rounding errors we could overestimate the age by up to 1s. It is
1084 * better to underestimate it. Otherwise, if the RTT is very short, when
1085 * the server calculates the age reported by the client it could be
1086 * bigger than the age calculated on the server - which should never
1087 * happen.
1088 */
1089 if (agesec > 0)
1090 agesec--;
1091
1092 if (s->session->ext.tick_lifetime_hint < agesec) {
1093 /* Ticket is too old. Ignore it. */
1094 goto dopsksess;
1095 }
1096
1097 /*
1098 * Calculate age in ms. We're just doing it to nearest second. Should be
1099 * good enough.
1100 */
1101 agems = agesec * (uint32_t)1000;
1102
1103 if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
1104 /*
1105 * Overflow. Shouldn't happen unless this is a *really* old session.
1106 * If so we just ignore it.
1107 */
1108 goto dopsksess;
1109 }
1110
1111 /*
1112 * Obfuscate the age. Overflow here is fine, this addition is supposed
1113 * to be mod 2^32.
1114 */
1115 agems += s->session->ext.tick_age_add;
1116
1117 reshashsize = EVP_MD_get_size(mdres);
1118 s->ext.tick_identity++;
1119 dores = 1;
1120 }
1121
1122 dopsksess:
1123 if (!dores && s->psksession == NULL)
1124 return EXT_RETURN_NOT_SENT;
1125
1126 if (s->psksession != NULL) {
1127 mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2);
1128 if (mdpsk == NULL) {
1129 /*
1130 * Don't recognize this cipher so we can't use the session.
1131 * If this happens it's an application bug.
1132 */
1133 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
1134 return EXT_RETURN_FAIL;
1135 }
1136
1137 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
1138 /*
1139 * Selected ciphersuite hash does not match the hash for the PSK
1140 * session. This is an application bug.
1141 */
1142 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
1143 return EXT_RETURN_FAIL;
1144 }
1145
1146 pskhashsize = EVP_MD_get_size(mdpsk);
1147 }
1148
1149 /* Create the extension, but skip over the binder for now */
1150 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1151 || !WPACKET_start_sub_packet_u16(pkt)
1152 || !WPACKET_start_sub_packet_u16(pkt)) {
1153 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1154 return EXT_RETURN_FAIL;
1155 }
1156
1157 if (dores) {
1158 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
1159 s->session->ext.ticklen)
1160 || !WPACKET_put_bytes_u32(pkt, agems)) {
1161 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1162 return EXT_RETURN_FAIL;
1163 }
1164 }
1165
1166 if (s->psksession != NULL) {
1167 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
1168 s->psksession_id_len)
1169 || !WPACKET_put_bytes_u32(pkt, 0)) {
1170 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1171 return EXT_RETURN_FAIL;
1172 }
1173 s->ext.tick_identity++;
1174 }
1175
1176 if (!WPACKET_close(pkt)
1177 || !WPACKET_get_total_written(pkt, &binderoffset)
1178 || !WPACKET_start_sub_packet_u16(pkt)
1179 || (dores
1180 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
1181 || (s->psksession != NULL
1182 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
1183 || !WPACKET_close(pkt)
1184 || !WPACKET_close(pkt)
1185 || !WPACKET_get_total_written(pkt, &msglen)
1186 /*
1187 * We need to fill in all the sub-packet lengths now so we can
1188 * calculate the HMAC of the message up to the binders
1189 */
1190 || !WPACKET_fill_lengths(pkt)) {
1191 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1192 return EXT_RETURN_FAIL;
1193 }
1194
1195 msgstart = WPACKET_get_curr(pkt) - msglen;
1196
1197 if (dores
1198 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
1199 resbinder, s->session, 1, 0) != 1) {
1200 /* SSLfatal() already called */
1201 return EXT_RETURN_FAIL;
1202 }
1203
1204 if (s->psksession != NULL
1205 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
1206 pskbinder, s->psksession, 1, 1) != 1) {
1207 /* SSLfatal() already called */
1208 return EXT_RETURN_FAIL;
1209 }
1210
1211 return EXT_RETURN_SENT;
1212 #else
1213 return EXT_RETURN_NOT_SENT;
1214 #endif
1215 }
1216
1217 EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt,
1218 ossl_unused unsigned int context,
1219 ossl_unused X509 *x,
1220 ossl_unused size_t chainidx)
1221 {
1222 #ifndef OPENSSL_NO_TLS1_3
1223 if (!s->pha_enabled)
1224 return EXT_RETURN_NOT_SENT;
1225
1226 /* construct extension - 0 length, no contents */
1227 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
1228 || !WPACKET_start_sub_packet_u16(pkt)
1229 || !WPACKET_close(pkt)) {
1230 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1231 return EXT_RETURN_FAIL;
1232 }
1233
1234 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1235
1236 return EXT_RETURN_SENT;
1237 #else
1238 return EXT_RETURN_NOT_SENT;
1239 #endif
1240 }
1241
1242
1243 /*
1244 * Parse the server's renegotiation binding and abort if it's not right
1245 */
1246 int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
1247 unsigned int context,
1248 X509 *x, size_t chainidx)
1249 {
1250 size_t expected_len = s->s3.previous_client_finished_len
1251 + s->s3.previous_server_finished_len;
1252 size_t ilen;
1253 const unsigned char *data;
1254
1255 /* Check for logic errors */
1256 if (!ossl_assert(expected_len == 0
1257 || s->s3.previous_client_finished_len != 0)
1258 || !ossl_assert(expected_len == 0
1259 || s->s3.previous_server_finished_len != 0)) {
1260 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1261 return 0;
1262 }
1263
1264 /* Parse the length byte */
1265 if (!PACKET_get_1_len(pkt, &ilen)) {
1266 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
1267 return 0;
1268 }
1269
1270 /* Consistency check */
1271 if (PACKET_remaining(pkt) != ilen) {
1272 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
1273 return 0;
1274 }
1275
1276 /* Check that the extension matches */
1277 if (ilen != expected_len) {
1278 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1279 return 0;
1280 }
1281
1282 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)
1283 || memcmp(data, s->s3.previous_client_finished,
1284 s->s3.previous_client_finished_len) != 0) {
1285 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1286 return 0;
1287 }
1288
1289 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)
1290 || memcmp(data, s->s3.previous_server_finished,
1291 s->s3.previous_server_finished_len) != 0) {
1292 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1293 return 0;
1294 }
1295 s->s3.send_connection_binding = 1;
1296
1297 return 1;
1298 }
1299
1300 /* Parse the server's max fragment len extension packet */
1301 int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
1302 unsigned int context,
1303 X509 *x, size_t chainidx)
1304 {
1305 unsigned int value;
1306
1307 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
1308 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1309 return 0;
1310 }
1311
1312 /* |value| should contains a valid max-fragment-length code. */
1313 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
1314 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1315 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
1316 return 0;
1317 }
1318
1319 /* Must be the same value as client-configured one who was sent to server */
1320 /*-
1321 * RFC 6066: if a client receives a maximum fragment length negotiation
1322 * response that differs from the length it requested, ...
1323 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
1324 */
1325 if (value != s->ext.max_fragment_len_mode) {
1326 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1327 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
1328 return 0;
1329 }
1330
1331 /*
1332 * Maximum Fragment Length Negotiation succeeded.
1333 * The negotiated Maximum Fragment Length is binding now.
1334 */
1335 s->session->ext.max_fragment_len_mode = value;
1336
1337 return 1;
1338 }
1339
1340 int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt,
1341 unsigned int context,
1342 X509 *x, size_t chainidx)
1343 {
1344 if (s->ext.hostname == NULL) {
1345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1346 return 0;
1347 }
1348
1349 if (PACKET_remaining(pkt) > 0) {
1350 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1351 return 0;
1352 }
1353
1354 if (!s->hit) {
1355 if (s->session->ext.hostname != NULL) {
1356 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1357 return 0;
1358 }
1359 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
1360 if (s->session->ext.hostname == NULL) {
1361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1362 return 0;
1363 }
1364 }
1365
1366 return 1;
1367 }
1368
1369 int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
1370 unsigned int context,
1371 X509 *x, size_t chainidx)
1372 {
1373 size_t ecpointformats_len;
1374 PACKET ecptformatlist;
1375
1376 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
1377 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1378 return 0;
1379 }
1380 if (!s->hit) {
1381 ecpointformats_len = PACKET_remaining(&ecptformatlist);
1382 if (ecpointformats_len == 0) {
1383 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
1384 return 0;
1385 }
1386
1387 s->ext.peer_ecpointformats_len = 0;
1388 OPENSSL_free(s->ext.peer_ecpointformats);
1389 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
1390 if (s->ext.peer_ecpointformats == NULL) {
1391 s->ext.peer_ecpointformats_len = 0;
1392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1393 return 0;
1394 }
1395
1396 s->ext.peer_ecpointformats_len = ecpointformats_len;
1397
1398 if (!PACKET_copy_bytes(&ecptformatlist,
1399 s->ext.peer_ecpointformats,
1400 ecpointformats_len)) {
1401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1402 return 0;
1403 }
1404 }
1405
1406 return 1;
1407 }
1408
1409 int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
1410 unsigned int context,
1411 X509 *x, size_t chainidx)
1412 {
1413 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1414
1415 if (s->ext.session_ticket_cb != NULL &&
1416 !s->ext.session_ticket_cb(ssl, PACKET_data(pkt),
1417 PACKET_remaining(pkt),
1418 s->ext.session_ticket_cb_arg)) {
1419 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
1420 return 0;
1421 }
1422
1423 if (!tls_use_ticket(s)) {
1424 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1425 return 0;
1426 }
1427 if (PACKET_remaining(pkt) > 0) {
1428 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1429 return 0;
1430 }
1431
1432 s->ext.ticket_expected = 1;
1433
1434 return 1;
1435 }
1436
1437 #ifndef OPENSSL_NO_OCSP
1438 int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt,
1439 unsigned int context,
1440 X509 *x, size_t chainidx)
1441 {
1442 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1443 /* We ignore this if the server sends a CertificateRequest */
1444 return 1;
1445 }
1446
1447 /*
1448 * MUST only be sent if we've requested a status
1449 * request message. In TLS <= 1.2 it must also be empty.
1450 */
1451 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
1452 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1453 return 0;
1454 }
1455 if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
1456 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1457 return 0;
1458 }
1459
1460 if (SSL_CONNECTION_IS_TLS13(s)) {
1461 /* We only know how to handle this if it's for the first Certificate in
1462 * the chain. We ignore any other responses.
1463 */
1464 if (chainidx != 0)
1465 return 1;
1466
1467 /* SSLfatal() already called */
1468 return tls_process_cert_status_body(s, pkt);
1469 }
1470
1471 /* Set flag to expect CertificateStatus message */
1472 s->ext.status_expected = 1;
1473
1474 return 1;
1475 }
1476 #endif
1477
1478
1479 #ifndef OPENSSL_NO_CT
1480 int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1481 X509 *x, size_t chainidx)
1482 {
1483 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1484 /* We ignore this if the server sends it in a CertificateRequest */
1485 return 1;
1486 }
1487
1488 /*
1489 * Only take it if we asked for it - i.e if there is no CT validation
1490 * callback set, then a custom extension MAY be processing it, so we
1491 * need to let control continue to flow to that.
1492 */
1493 if (s->ct_validation_callback != NULL) {
1494 size_t size = PACKET_remaining(pkt);
1495
1496 /* Simply copy it off for later processing */
1497 OPENSSL_free(s->ext.scts);
1498 s->ext.scts = NULL;
1499
1500 s->ext.scts_len = (uint16_t)size;
1501 if (size > 0) {
1502 s->ext.scts = OPENSSL_malloc(size);
1503 if (s->ext.scts == NULL) {
1504 s->ext.scts_len = 0;
1505 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
1506 return 0;
1507 }
1508 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
1509 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1510 return 0;
1511 }
1512 }
1513 } else {
1514 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
1515 ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
1516
1517 /*
1518 * If we didn't ask for it then there must be a custom extension,
1519 * otherwise this is unsolicited.
1520 */
1521 if (custom_ext_find(&s->cert->custext, role,
1522 TLSEXT_TYPE_signed_certificate_timestamp,
1523 NULL) == NULL) {
1524 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1525 return 0;
1526 }
1527
1528 if (!custom_ext_parse(s, context,
1529 TLSEXT_TYPE_signed_certificate_timestamp,
1530 PACKET_data(pkt), PACKET_remaining(pkt),
1531 x, chainidx)) {
1532 /* SSLfatal already called */
1533 return 0;
1534 }
1535 }
1536
1537 return 1;
1538 }
1539 #endif
1540
1541
1542 #ifndef OPENSSL_NO_NEXTPROTONEG
1543 /*
1544 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1545 * elements of zero length are allowed and the set of elements must exactly
1546 * fill the length of the block. Returns 1 on success or 0 on failure.
1547 */
1548 static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt)
1549 {
1550 PACKET tmp_protocol;
1551
1552 while (PACKET_remaining(pkt)) {
1553 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
1554 || PACKET_remaining(&tmp_protocol) == 0) {
1555 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1556 return 0;
1557 }
1558 }
1559
1560 return 1;
1561 }
1562
1563 int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1564 X509 *x, size_t chainidx)
1565 {
1566 unsigned char *selected;
1567 unsigned char selected_len;
1568 PACKET tmppkt;
1569 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1570
1571 /* Check if we are in a renegotiation. If so ignore this extension */
1572 if (!SSL_IS_FIRST_HANDSHAKE(s))
1573 return 1;
1574
1575 /* We must have requested it. */
1576 if (sctx->ext.npn_select_cb == NULL) {
1577 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1578 return 0;
1579 }
1580
1581 /* The data must be valid */
1582 tmppkt = *pkt;
1583 if (!ssl_next_proto_validate(s, &tmppkt)) {
1584 /* SSLfatal() already called */
1585 return 0;
1586 }
1587 if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
1588 &selected, &selected_len,
1589 PACKET_data(pkt), PACKET_remaining(pkt),
1590 sctx->ext.npn_select_cb_arg) !=
1591 SSL_TLSEXT_ERR_OK) {
1592 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
1593 return 0;
1594 }
1595
1596 /*
1597 * Could be non-NULL if server has sent multiple NPN extensions in
1598 * a single Serverhello
1599 */
1600 OPENSSL_free(s->ext.npn);
1601 s->ext.npn = OPENSSL_malloc(selected_len);
1602 if (s->ext.npn == NULL) {
1603 s->ext.npn_len = 0;
1604 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1605 return 0;
1606 }
1607
1608 memcpy(s->ext.npn, selected, selected_len);
1609 s->ext.npn_len = selected_len;
1610 s->s3.npn_seen = 1;
1611
1612 return 1;
1613 }
1614 #endif
1615
1616 int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1617 X509 *x, size_t chainidx)
1618 {
1619 size_t len;
1620
1621 /* We must have requested it. */
1622 if (!s->s3.alpn_sent) {
1623 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1624 return 0;
1625 }
1626 /*-
1627 * The extension data consists of:
1628 * uint16 list_length
1629 * uint8 proto_length;
1630 * uint8 proto[proto_length];
1631 */
1632 if (!PACKET_get_net_2_len(pkt, &len)
1633 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
1634 || PACKET_remaining(pkt) != len) {
1635 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1636 return 0;
1637 }
1638 OPENSSL_free(s->s3.alpn_selected);
1639 s->s3.alpn_selected = OPENSSL_malloc(len);
1640 if (s->s3.alpn_selected == NULL) {
1641 s->s3.alpn_selected_len = 0;
1642 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1643 return 0;
1644 }
1645 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {
1646 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1647 return 0;
1648 }
1649 s->s3.alpn_selected_len = len;
1650
1651 if (s->session->ext.alpn_selected == NULL
1652 || s->session->ext.alpn_selected_len != len
1653 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)
1654 != 0) {
1655 /* ALPN not consistent with the old session so cannot use early_data */
1656 s->ext.early_data_ok = 0;
1657 }
1658 if (!s->hit) {
1659 /*
1660 * This is a new session and so alpn_selected should have been
1661 * initialised to NULL. We should update it with the selected ALPN.
1662 */
1663 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
1664 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1665 return 0;
1666 }
1667 s->session->ext.alpn_selected =
1668 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
1669 if (s->session->ext.alpn_selected == NULL) {
1670 s->session->ext.alpn_selected_len = 0;
1671 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1672 return 0;
1673 }
1674 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
1675 }
1676
1677 return 1;
1678 }
1679
1680 #ifndef OPENSSL_NO_SRTP
1681 int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
1682 unsigned int context, X509 *x, size_t chainidx)
1683 {
1684 unsigned int id, ct, mki;
1685 int i;
1686 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1687 SRTP_PROTECTION_PROFILE *prof;
1688
1689 if (!PACKET_get_net_2(pkt, &ct) || ct != 2
1690 || !PACKET_get_net_2(pkt, &id)
1691 || !PACKET_get_1(pkt, &mki)
1692 || PACKET_remaining(pkt) != 0) {
1693 SSLfatal(s, SSL_AD_DECODE_ERROR,
1694 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1695 return 0;
1696 }
1697
1698 if (mki != 0) {
1699 /* Must be no MKI, since we never offer one */
1700 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);
1701 return 0;
1702 }
1703
1704 /* Throw an error if the server gave us an unsolicited extension */
1705 clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s));
1706 if (clnt == NULL) {
1707 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);
1708 return 0;
1709 }
1710
1711 /*
1712 * Check to see if the server gave us something we support (and
1713 * presumably offered)
1714 */
1715 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1716 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
1717
1718 if (prof->id == id) {
1719 s->srtp_profile = prof;
1720 return 1;
1721 }
1722 }
1723
1724 SSLfatal(s, SSL_AD_DECODE_ERROR,
1725 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1726 return 0;
1727 }
1728 #endif
1729
1730 int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1731 X509 *x, size_t chainidx)
1732 {
1733 /* Ignore if inappropriate ciphersuite */
1734 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
1735 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD
1736 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4
1737 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
1738 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12
1739 && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA
1740 && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)
1741 s->ext.use_etm = 1;
1742
1743 return 1;
1744 }
1745
1746 int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1747 X509 *x, size_t chainidx)
1748 {
1749 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1750 return 1;
1751 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1752 if (!s->hit)
1753 s->session->flags |= SSL_SESS_FLAG_EXTMS;
1754
1755 return 1;
1756 }
1757
1758 int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt,
1759 unsigned int context,
1760 X509 *x, size_t chainidx)
1761 {
1762 unsigned int version;
1763
1764 if (!PACKET_get_net_2(pkt, &version)
1765 || PACKET_remaining(pkt) != 0) {
1766 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1767 return 0;
1768 }
1769
1770 /*
1771 * The only protocol version we support which is valid in this extension in
1772 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
1773 */
1774 if (version != TLS1_3_VERSION) {
1775 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1776 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1777 return 0;
1778 }
1779
1780 /* We ignore this extension for HRRs except to sanity check it */
1781 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
1782 return 1;
1783
1784 /* We just set it here. We validate it in ssl_choose_client_version */
1785 s->version = version;
1786 if (!ssl_set_record_protocol_version(s, version)) {
1787 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1788 return 0;
1789 }
1790
1791 return 1;
1792 }
1793
1794 int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,
1795 unsigned int context, X509 *x,
1796 size_t chainidx)
1797 {
1798 #ifndef OPENSSL_NO_TLS1_3
1799 unsigned int group_id;
1800 PACKET encoded_pt;
1801 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
1802 const TLS_GROUP_INFO *ginf = NULL;
1803
1804 /* Sanity check */
1805 if (ckey == NULL || s->s3.peer_tmp != NULL) {
1806 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1807 return 0;
1808 }
1809
1810 if (!PACKET_get_net_2(pkt, &group_id)) {
1811 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1812 return 0;
1813 }
1814
1815 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
1816 const uint16_t *pgroups = NULL;
1817 size_t i, num_groups;
1818
1819 if (PACKET_remaining(pkt) != 0) {
1820 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1821 return 0;
1822 }
1823
1824 /*
1825 * It is an error if the HelloRetryRequest wants a key_share that we
1826 * already sent in the first ClientHello
1827 */
1828 if (group_id == s->s3.group_id) {
1829 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1830 return 0;
1831 }
1832
1833 /* Validate the selected group is one we support */
1834 tls1_get_supported_groups(s, &pgroups, &num_groups);
1835 for (i = 0; i < num_groups; i++) {
1836 if (group_id == pgroups[i])
1837 break;
1838 }
1839 if (i >= num_groups
1840 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
1841 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
1842 0, NULL)) {
1843 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1844 return 0;
1845 }
1846
1847 s->s3.group_id = group_id;
1848 EVP_PKEY_free(s->s3.tmp.pkey);
1849 s->s3.tmp.pkey = NULL;
1850 return 1;
1851 }
1852
1853 if (group_id != s->s3.group_id) {
1854 /*
1855 * This isn't for the group that we sent in the original
1856 * key_share!
1857 */
1858 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1859 return 0;
1860 }
1861 /* Retain this group in the SSL_SESSION */
1862 if (!s->hit) {
1863 s->session->kex_group = group_id;
1864 } else if (group_id != s->session->kex_group) {
1865 /*
1866 * If this is a resumption but changed what group was used, we need
1867 * to record the new group in the session, but the session is not
1868 * a new session and could be in use by other threads. So, make
1869 * a copy of the session to record the new information so that it's
1870 * useful for any sessions resumed from tickets issued on this
1871 * connection.
1872 */
1873 SSL_SESSION *new_sess;
1874
1875 if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {
1876 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
1877 return 0;
1878 }
1879 SSL_SESSION_free(s->session);
1880 s->session = new_sess;
1881 s->session->kex_group = group_id;
1882 }
1883
1884 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1885 group_id)) == NULL) {
1886 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1887 return 0;
1888 }
1889
1890 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
1891 || PACKET_remaining(&encoded_pt) == 0) {
1892 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1893 return 0;
1894 }
1895
1896 if (!ginf->is_kem) {
1897 /* Regular KEX */
1898 skey = EVP_PKEY_new();
1899 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
1900 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
1901 EVP_PKEY_free(skey);
1902 return 0;
1903 }
1904
1905 if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),
1906 PACKET_remaining(&encoded_pt)) <= 0) {
1907 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
1908 EVP_PKEY_free(skey);
1909 return 0;
1910 }
1911
1912 if (ssl_derive(s, ckey, skey, 1) == 0) {
1913 /* SSLfatal() already called */
1914 EVP_PKEY_free(skey);
1915 return 0;
1916 }
1917 s->s3.peer_tmp = skey;
1918 } else {
1919 /* KEM Mode */
1920 const unsigned char *ct = PACKET_data(&encoded_pt);
1921 size_t ctlen = PACKET_remaining(&encoded_pt);
1922
1923 if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {
1924 /* SSLfatal() already called */
1925 return 0;
1926 }
1927 }
1928 s->s3.did_kex = 1;
1929 #endif
1930
1931 return 1;
1932 }
1933
1934 int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1935 X509 *x, size_t chainidx)
1936 {
1937 PACKET cookie;
1938
1939 if (!PACKET_as_length_prefixed_2(pkt, &cookie)
1940 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
1941 &s->ext.tls13_cookie_len)) {
1942 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1943 return 0;
1944 }
1945
1946 return 1;
1947 }
1948
1949 int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt,
1950 unsigned int context,
1951 X509 *x, size_t chainidx)
1952 {
1953 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1954 unsigned long max_early_data;
1955
1956 if (!PACKET_get_net_4(pkt, &max_early_data)
1957 || PACKET_remaining(pkt) != 0) {
1958 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);
1959 return 0;
1960 }
1961
1962 s->session->ext.max_early_data = max_early_data;
1963
1964 if (SSL_IS_QUIC_HANDSHAKE(s) && max_early_data != 0xffffffff) {
1965 /*
1966 * QUIC allows missing max_early_data, or a max_early_data value
1967 * of 0xffffffff. Missing max_early_data is stored in the session
1968 * as 0. This is indistinguishable in OpenSSL from a present
1969 * max_early_data value that was 0. In order that later checks for
1970 * invalid max_early_data correctly treat as an error the case where
1971 * max_early_data is present and it is 0, we store any invalid
1972 * value in the same (non-zero) way. Otherwise we would have to
1973 * introduce a new flag just for this.
1974 */
1975 s->session->ext.max_early_data = 1;
1976 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA);
1977 return 0;
1978 }
1979
1980 return 1;
1981 }
1982
1983 if (PACKET_remaining(pkt) != 0) {
1984 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1985 return 0;
1986 }
1987
1988 if (!s->ext.early_data_ok
1989 || !s->hit) {
1990 /*
1991 * If we get here then we didn't send early data, or we didn't resume
1992 * using the first identity, or the SNI/ALPN is not consistent so the
1993 * server should not be accepting it.
1994 */
1995 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
1996 return 0;
1997 }
1998
1999 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
2000
2001 return 1;
2002 }
2003
2004 int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt,
2005 unsigned int context, X509 *x,
2006 size_t chainidx)
2007 {
2008 #ifndef OPENSSL_NO_TLS1_3
2009 unsigned int identity;
2010
2011 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
2012 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2013 return 0;
2014 }
2015
2016 if (identity >= (unsigned int)s->ext.tick_identity) {
2017 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);
2018 return 0;
2019 }
2020
2021 /*
2022 * Session resumption tickets are always sent before PSK tickets. If the
2023 * ticket index is 0 then it must be for a session resumption ticket if we
2024 * sent two tickets, or if we didn't send a PSK ticket.
2025 */
2026 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
2027 s->hit = 1;
2028 SSL_SESSION_free(s->psksession);
2029 s->psksession = NULL;
2030 return 1;
2031 }
2032
2033 if (s->psksession == NULL) {
2034 /* Should never happen */
2035 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2036 return 0;
2037 }
2038
2039 /*
2040 * If we used the external PSK for sending early_data then s->early_secret
2041 * is already set up, so don't overwrite it. Otherwise we copy the
2042 * early_secret across that we generated earlier.
2043 */
2044 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
2045 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
2046 || s->session->ext.max_early_data > 0
2047 || s->psksession->ext.max_early_data == 0)
2048 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
2049
2050 SSL_SESSION_free(s->session);
2051 s->session = s->psksession;
2052 s->psksession = NULL;
2053 s->hit = 1;
2054 /* Early data is only allowed if we used the first ticket */
2055 if (identity != 0)
2056 s->ext.early_data_ok = 0;
2057 #endif
2058
2059 return 1;
2060 }
2061
2062 EXT_RETURN tls_construct_ctos_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2063 unsigned int context,
2064 X509 *x, size_t chainidx)
2065 {
2066 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2067 if (sc->client_cert_type == NULL)
2068 return EXT_RETURN_NOT_SENT;
2069
2070 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
2071 || !WPACKET_start_sub_packet_u16(pkt)
2072 || !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len)
2073 || !WPACKET_close(pkt)) {
2074 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2075 return EXT_RETURN_FAIL;
2076 }
2077 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;
2078 return EXT_RETURN_SENT;
2079 }
2080
2081 int tls_parse_stoc_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2082 unsigned int context,
2083 X509 *x, size_t chainidx)
2084 {
2085 unsigned int type;
2086
2087 if (PACKET_remaining(pkt) != 1) {
2088 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2089 return 0;
2090 }
2091 if (!PACKET_get_1(pkt, &type)) {
2092 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2093 return 0;
2094 }
2095 /* We did not send/ask for this */
2096 if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {
2097 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2098 return 0;
2099 }
2100 /* We don't have this enabled */
2101 if (sc->client_cert_type == NULL) {
2102 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2103 return 0;
2104 }
2105 /* Given back a value we didn't configure */
2106 if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) {
2107 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);
2108 return 0;
2109 }
2110 sc->ext.client_cert_type = type;
2111 return 1;
2112 }
2113
2114 EXT_RETURN tls_construct_ctos_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2115 unsigned int context,
2116 X509 *x, size_t chainidx)
2117 {
2118 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2119 if (sc->server_cert_type == NULL)
2120 return EXT_RETURN_NOT_SENT;
2121
2122 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
2123 || !WPACKET_start_sub_packet_u16(pkt)
2124 || !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len)
2125 || !WPACKET_close(pkt)) {
2126 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2127 return EXT_RETURN_FAIL;
2128 }
2129 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;
2130 return EXT_RETURN_SENT;
2131 }
2132
2133 int tls_parse_stoc_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2134 unsigned int context,
2135 X509 *x, size_t chainidx)
2136 {
2137 unsigned int type;
2138
2139 if (PACKET_remaining(pkt) != 1) {
2140 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2141 return 0;
2142 }
2143 if (!PACKET_get_1(pkt, &type)) {
2144 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2145 return 0;
2146 }
2147 /* We did not send/ask for this */
2148 if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {
2149 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2150 return 0;
2151 }
2152 /* We don't have this enabled */
2153 if (sc->server_cert_type == NULL) {
2154 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2155 return 0;
2156 }
2157 /* Given back a value we didn't configure */
2158 if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) {
2159 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);
2160 return 0;
2161 }
2162 sc->ext.server_cert_type = type;
2163 return 1;
2164 }
A mirror of the official openssl repository