]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/extensions_clnt.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fail if we receive a response to an extension that we didn't request
[thirdparty/openssl.git] / ssl / statem / extensions_clnt.c
1 /*
2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <assert.h>
11 #include <openssl/ocsp.h>
12 #include "../ssl_locl.h"
13 #include "statem_locl.h"
14
15 EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
16 unsigned int context, X509 *x,
17 size_t chainidx, int *al)
18 {
19 /* Add RI if renegotiating */
20 if (!s->renegotiate)
21 return EXT_RETURN_NOT_SENT;
22
23 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
24 || !WPACKET_start_sub_packet_u16(pkt)
25 || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
26 s->s3->previous_client_finished_len)
27 || !WPACKET_close(pkt)) {
28 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
29 return EXT_RETURN_FAIL;
30 }
31
32 return EXT_RETURN_SENT;
33 }
34
35 EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
36 unsigned int context, X509 *x,
37 size_t chainidx, int *al)
38 {
39 if (s->ext.hostname == NULL)
40 return EXT_RETURN_NOT_SENT;
41
42 /* Add TLS extension servername to the Client Hello message */
43 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
44 /* Sub-packet for server_name extension */
45 || !WPACKET_start_sub_packet_u16(pkt)
46 /* Sub-packet for servername list (always 1 hostname)*/
47 || !WPACKET_start_sub_packet_u16(pkt)
48 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
49 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
50 strlen(s->ext.hostname))
51 || !WPACKET_close(pkt)
52 || !WPACKET_close(pkt)) {
53 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, ERR_R_INTERNAL_ERROR);
54 return EXT_RETURN_FAIL;
55 }
56
57 return EXT_RETURN_SENT;
58 }
59
60 #ifndef OPENSSL_NO_SRP
61 EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
62 X509 *x, size_t chainidx, int *al)
63 {
64 /* Add SRP username if there is one */
65 if (s->srp_ctx.login == NULL)
66 return EXT_RETURN_NOT_SENT;
67
68 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
69 /* Sub-packet for SRP extension */
70 || !WPACKET_start_sub_packet_u16(pkt)
71 || !WPACKET_start_sub_packet_u8(pkt)
72 /* login must not be zero...internal error if so */
73 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
74 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
75 strlen(s->srp_ctx.login))
76 || !WPACKET_close(pkt)
77 || !WPACKET_close(pkt)) {
78 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SRP, ERR_R_INTERNAL_ERROR);
79 return EXT_RETURN_FAIL;
80 }
81
82 return EXT_RETURN_SENT;
83 }
84 #endif
85
86 #ifndef OPENSSL_NO_EC
87 static int use_ecc(SSL *s)
88 {
89 int i, end;
90 unsigned long alg_k, alg_a;
91 STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
92
93 /* See if we support any ECC ciphersuites */
94 if (s->version == SSL3_VERSION)
95 return 0;
96
97 cipher_stack = SSL_get_ciphers(s);
98 end = sk_SSL_CIPHER_num(cipher_stack);
99 for (i = 0; i < end; i++) {
100 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
101
102 alg_k = c->algorithm_mkey;
103 alg_a = c->algorithm_auth;
104 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
105 || (alg_a & SSL_aECDSA)
106 || c->min_tls >= TLS1_3_VERSION)
107 return 1;
108 }
109
110 return 0;
111 }
112
113 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
114 unsigned int context, X509 *x,
115 size_t chainidx, int *al)
116 {
117 const unsigned char *pformats;
118 size_t num_formats;
119
120 if (!use_ecc(s))
121 return EXT_RETURN_NOT_SENT;
122
123 /* Add TLS extension ECPointFormats to the ClientHello message */
124 tls1_get_formatlist(s, &pformats, &num_formats);
125
126 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
127 /* Sub-packet for formats extension */
128 || !WPACKET_start_sub_packet_u16(pkt)
129 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
130 || !WPACKET_close(pkt)) {
131 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
132 return EXT_RETURN_FAIL;
133 }
134
135 return EXT_RETURN_SENT;
136 }
137
138 EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
139 unsigned int context, X509 *x,
140 size_t chainidx, int *al)
141 {
142 const unsigned char *pcurves = NULL, *pcurvestmp;
143 size_t num_curves = 0, i;
144
145 if (!use_ecc(s))
146 return EXT_RETURN_NOT_SENT;
147
148 /*
149 * Add TLS extension supported_groups to the ClientHello message
150 */
151 /* TODO(TLS1.3): Add support for DHE groups */
152 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
153 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
154 ERR_R_INTERNAL_ERROR);
155 return EXT_RETURN_FAIL;
156 }
157 pcurvestmp = pcurves;
158
159 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
160 /* Sub-packet for supported_groups extension */
161 || !WPACKET_start_sub_packet_u16(pkt)
162 || !WPACKET_start_sub_packet_u16(pkt)) {
163 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
164 ERR_R_INTERNAL_ERROR);
165 return EXT_RETURN_FAIL;
166 }
167 /* Copy curve ID if supported */
168 for (i = 0; i < num_curves; i++, pcurvestmp += 2) {
169 if (tls_curve_allowed(s, pcurvestmp, SSL_SECOP_CURVE_SUPPORTED)) {
170 if (!WPACKET_put_bytes_u8(pkt, pcurvestmp[0])
171 || !WPACKET_put_bytes_u8(pkt, pcurvestmp[1])) {
172 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
173 ERR_R_INTERNAL_ERROR);
174 return EXT_RETURN_FAIL;
175 }
176 }
177 }
178 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
179 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
180 ERR_R_INTERNAL_ERROR);
181 return EXT_RETURN_FAIL;
182 }
183
184 return EXT_RETURN_SENT;
185 }
186 #endif
187
188 EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
189 unsigned int context, X509 *x,
190 size_t chainidx, int *al)
191 {
192 size_t ticklen;
193
194 if (!tls_use_ticket(s))
195 return EXT_RETURN_NOT_SENT;
196
197 if (!s->new_session && s->session != NULL
198 && s->session->ext.tick != NULL
199 && s->session->ssl_version != TLS1_3_VERSION) {
200 ticklen = s->session->ext.ticklen;
201 } else if (s->session && s->ext.session_ticket != NULL
202 && s->ext.session_ticket->data != NULL) {
203 ticklen = s->ext.session_ticket->length;
204 s->session->ext.tick = OPENSSL_malloc(ticklen);
205 if (s->session->ext.tick == NULL) {
206 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
207 ERR_R_INTERNAL_ERROR);
208 return EXT_RETURN_FAIL;
209 }
210 memcpy(s->session->ext.tick,
211 s->ext.session_ticket->data, ticklen);
212 s->session->ext.ticklen = ticklen;
213 } else {
214 ticklen = 0;
215 }
216
217 if (ticklen == 0 && s->ext.session_ticket != NULL &&
218 s->ext.session_ticket->data == NULL)
219 return EXT_RETURN_NOT_SENT;
220
221 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
222 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
223 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
224 return EXT_RETURN_FAIL;
225 }
226
227 return EXT_RETURN_SENT;
228 }
229
230 EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
231 unsigned int context, X509 *x,
232 size_t chainidx, int *al)
233 {
234 size_t salglen;
235 const uint16_t *salg;
236
237 if (!SSL_CLIENT_USE_SIGALGS(s))
238 return EXT_RETURN_NOT_SENT;
239
240 salglen = tls12_get_psigalgs(s, 1, &salg);
241 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
242 /* Sub-packet for sig-algs extension */
243 || !WPACKET_start_sub_packet_u16(pkt)
244 /* Sub-packet for the actual list */
245 || !WPACKET_start_sub_packet_u16(pkt)
246 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
247 || !WPACKET_close(pkt)
248 || !WPACKET_close(pkt)) {
249 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, ERR_R_INTERNAL_ERROR);
250 return EXT_RETURN_FAIL;
251 }
252
253 return EXT_RETURN_SENT;
254 }
255
256 #ifndef OPENSSL_NO_OCSP
257 EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
258 unsigned int context, X509 *x,
259 size_t chainidx, int *al)
260 {
261 int i;
262
263 /* This extension isn't defined for client Certificates */
264 if (x != NULL)
265 return EXT_RETURN_NOT_SENT;
266
267 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
268 return EXT_RETURN_NOT_SENT;
269
270 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
271 /* Sub-packet for status request extension */
272 || !WPACKET_start_sub_packet_u16(pkt)
273 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
274 /* Sub-packet for the ids */
275 || !WPACKET_start_sub_packet_u16(pkt)) {
276 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
277 return EXT_RETURN_FAIL;
278 }
279 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
280 unsigned char *idbytes;
281 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
282 int idlen = i2d_OCSP_RESPID(id, NULL);
283
284 if (idlen <= 0
285 /* Sub-packet for an individual id */
286 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
287 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
288 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
289 ERR_R_INTERNAL_ERROR);
290 return EXT_RETURN_FAIL;
291 }
292 }
293 if (!WPACKET_close(pkt)
294 || !WPACKET_start_sub_packet_u16(pkt)) {
295 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
296 return EXT_RETURN_FAIL;
297 }
298 if (s->ext.ocsp.exts) {
299 unsigned char *extbytes;
300 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
301
302 if (extlen < 0) {
303 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
304 ERR_R_INTERNAL_ERROR);
305 return EXT_RETURN_FAIL;
306 }
307 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
308 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
309 != extlen) {
310 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
311 ERR_R_INTERNAL_ERROR);
312 return EXT_RETURN_FAIL;
313 }
314 }
315 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
316 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
317 return EXT_RETURN_FAIL;
318 }
319
320 return EXT_RETURN_SENT;
321 }
322 #endif
323
324 #ifndef OPENSSL_NO_NEXTPROTONEG
325 EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
326 X509 *x, size_t chainidx, int *al)
327 {
328 if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
329 return EXT_RETURN_NOT_SENT;
330
331 /*
332 * The client advertises an empty extension to indicate its support
333 * for Next Protocol Negotiation
334 */
335 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
336 || !WPACKET_put_bytes_u16(pkt, 0)) {
337 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_NPN, ERR_R_INTERNAL_ERROR);
338 return EXT_RETURN_FAIL;
339 }
340
341 return EXT_RETURN_SENT;
342 }
343 #endif
344
345 EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
346 X509 *x, size_t chainidx, int *al)
347 {
348 s->s3->alpn_sent = 0;
349
350 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
351 return EXT_RETURN_NOT_SENT;
352
353 if (!WPACKET_put_bytes_u16(pkt,
354 TLSEXT_TYPE_application_layer_protocol_negotiation)
355 /* Sub-packet ALPN extension */
356 || !WPACKET_start_sub_packet_u16(pkt)
357 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
358 || !WPACKET_close(pkt)) {
359 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ALPN, ERR_R_INTERNAL_ERROR);
360 return EXT_RETURN_FAIL;
361 }
362 s->s3->alpn_sent = 1;
363
364 return EXT_RETURN_SENT;
365 }
366
367
368 #ifndef OPENSSL_NO_SRTP
369 EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
370 unsigned int context, X509 *x,
371 size_t chainidx, int *al)
372 {
373 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
374 int i, end;
375
376 if (clnt == NULL)
377 return EXT_RETURN_NOT_SENT;
378
379 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
380 /* Sub-packet for SRTP extension */
381 || !WPACKET_start_sub_packet_u16(pkt)
382 /* Sub-packet for the protection profile list */
383 || !WPACKET_start_sub_packet_u16(pkt)) {
384 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
385 return EXT_RETURN_FAIL;
386 }
387
388 end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
389 for (i = 0; i < end; i++) {
390 const SRTP_PROTECTION_PROFILE *prof =
391 sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
392
393 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
394 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
395 return EXT_RETURN_FAIL;
396 }
397 }
398 if (!WPACKET_close(pkt)
399 /* Add an empty use_mki value */
400 || !WPACKET_put_bytes_u8(pkt, 0)
401 || !WPACKET_close(pkt)) {
402 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
403 return EXT_RETURN_FAIL;
404 }
405
406 return EXT_RETURN_SENT;
407 }
408 #endif
409
410 EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
411 X509 *x, size_t chainidx, int *al)
412 {
413 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
414 return EXT_RETURN_NOT_SENT;
415
416 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
417 || !WPACKET_put_bytes_u16(pkt, 0)) {
418 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ETM, ERR_R_INTERNAL_ERROR);
419 return EXT_RETURN_FAIL;
420 }
421
422 return EXT_RETURN_SENT;
423 }
424
425 #ifndef OPENSSL_NO_CT
426 EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
427 X509 *x, size_t chainidx, int *al)
428 {
429 if (s->ct_validation_callback == NULL)
430 return EXT_RETURN_NOT_SENT;
431
432 /* Not defined for client Certificates */
433 if (x != NULL)
434 return EXT_RETURN_NOT_SENT;
435
436 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
437 || !WPACKET_put_bytes_u16(pkt, 0)) {
438 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SCT, ERR_R_INTERNAL_ERROR);
439 return EXT_RETURN_FAIL;
440 }
441
442 return EXT_RETURN_SENT;
443 }
444 #endif
445
446 EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
447 X509 *x, size_t chainidx, int *al)
448 {
449 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
450 || !WPACKET_put_bytes_u16(pkt, 0)) {
451 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EMS, ERR_R_INTERNAL_ERROR);
452 return EXT_RETURN_FAIL;
453 }
454
455 return EXT_RETURN_SENT;
456 }
457
458 EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
459 unsigned int context, X509 *x,
460 size_t chainidx, int *al)
461 {
462 int currv, min_version, max_version, reason;
463
464 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
465 || !WPACKET_start_sub_packet_u16(pkt)
466 || !WPACKET_start_sub_packet_u8(pkt)) {
467 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
468 ERR_R_INTERNAL_ERROR);
469 return EXT_RETURN_FAIL;
470 }
471
472 reason = ssl_get_min_max_version(s, &min_version, &max_version);
473 if (reason != 0) {
474 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
475 return EXT_RETURN_FAIL;
476 }
477
478 /*
479 * TODO(TLS1.3): There is some discussion on the TLS list as to whether
480 * we should include versions <TLS1.2. For the moment we do. To be
481 * reviewed later.
482 */
483 for (currv = max_version; currv >= min_version; currv--) {
484 /* TODO(TLS1.3): Remove this first if clause prior to release!! */
485 if (currv == TLS1_3_VERSION) {
486 if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)) {
487 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
488 ERR_R_INTERNAL_ERROR);
489 return EXT_RETURN_FAIL;
490 }
491 } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
492 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
493 ERR_R_INTERNAL_ERROR);
494 return EXT_RETURN_FAIL;
495 }
496 }
497 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
498 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
499 ERR_R_INTERNAL_ERROR);
500 return EXT_RETURN_FAIL;
501 }
502
503 return EXT_RETURN_SENT;
504 }
505
506 /*
507 * Construct a psk_kex_modes extension. We only have two modes we know about
508 * at this stage, so we send both.
509 */
510 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
511 unsigned int context, X509 *x,
512 size_t chainidx, int *al)
513 {
514 #ifndef OPENSSL_NO_TLS1_3
515 /*
516 * TODO(TLS1.3): Do we want this list to be configurable? For now we always
517 * just send both supported modes
518 */
519 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
520 || !WPACKET_start_sub_packet_u16(pkt)
521 || !WPACKET_start_sub_packet_u8(pkt)
522 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
523 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)
524 || !WPACKET_close(pkt)
525 || !WPACKET_close(pkt)) {
526 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR);
527 return EXT_RETURN_FAIL;
528 }
529
530 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE;
531 #endif
532
533 return EXT_RETURN_SENT;
534 }
535
536 #ifndef OPENSSL_NO_TLS1_3
537 static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
538 {
539 unsigned char *encoded_point = NULL;
540 EVP_PKEY *key_share_key = NULL;
541 size_t encodedlen;
542
543 if (s->s3->tmp.pkey != NULL) {
544 assert(s->hello_retry_request);
545 if (!s->hello_retry_request) {
546 SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_INTERNAL_ERROR);
547 return EXT_RETURN_FAIL;
548 }
549 /*
550 * Could happen if we got an HRR that wasn't requesting a new key_share
551 */
552 key_share_key = s->s3->tmp.pkey;
553 } else {
554 key_share_key = ssl_generate_pkey_curve(curve_id);
555 if (key_share_key == NULL) {
556 SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_EVP_LIB);
557 return EXT_RETURN_FAIL;
558 }
559 }
560
561 /* Encode the public key. */
562 encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
563 &encoded_point);
564 if (encodedlen == 0) {
565 SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB);
566 goto err;
567 }
568
569 /* Create KeyShareEntry */
570 if (!WPACKET_put_bytes_u16(pkt, curve_id)
571 || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
572 SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_INTERNAL_ERROR);
573 goto err;
574 }
575
576 /*
577 * TODO(TLS1.3): When changing to send more than one key_share we're
578 * going to need to be able to save more than one EVP_PKEY. For now
579 * we reuse the existing tmp.pkey
580 */
581 s->s3->tmp.pkey = key_share_key;
582 s->s3->group_id = curve_id;
583 OPENSSL_free(encoded_point);
584
585 return EXT_RETURN_SENT;
586 err:
587 if (s->s3->tmp.pkey == NULL)
588 EVP_PKEY_free(key_share_key);
589 OPENSSL_free(encoded_point);
590 return EXT_RETURN_FAIL;
591 }
592 #endif
593
594 EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
595 unsigned int context, X509 *x,
596 size_t chainidx, int *al)
597 {
598 #ifndef OPENSSL_NO_TLS1_3
599 size_t i, num_curves = 0;
600 const unsigned char *pcurves = NULL;
601 unsigned int curve_id = 0;
602
603 /* key_share extension */
604 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
605 /* Extension data sub-packet */
606 || !WPACKET_start_sub_packet_u16(pkt)
607 /* KeyShare list sub-packet */
608 || !WPACKET_start_sub_packet_u16(pkt)) {
609 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
610 return EXT_RETURN_FAIL;
611 }
612
613 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
614 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
615 return EXT_RETURN_FAIL;
616 }
617
618 /*
619 * TODO(TLS1.3): Make the number of key_shares sent configurable. For
620 * now, just send one
621 */
622 if (s->s3->group_id != 0) {
623 curve_id = s->s3->group_id;
624 } else {
625 for (i = 0; i < num_curves; i++, pcurves += 2) {
626
627 if (!tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED))
628 continue;
629
630 curve_id = bytestogroup(pcurves);
631 break;
632 }
633 }
634
635 if (curve_id == 0) {
636 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
637 return EXT_RETURN_FAIL;
638 }
639
640 if (!add_key_share(s, pkt, curve_id))
641 return EXT_RETURN_FAIL;
642
643 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
644 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
645 return EXT_RETURN_FAIL;
646 }
647 #endif
648
649 return EXT_RETURN_SENT;
650 }
651
652 EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
653 X509 *x, size_t chainidx, int *al)
654 {
655 EXT_RETURN ret = EXT_RETURN_FAIL;
656
657 /* Should only be set if we've had an HRR */
658 if (s->ext.tls13_cookie_len == 0)
659 return EXT_RETURN_NOT_SENT;
660
661 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
662 /* Extension data sub-packet */
663 || !WPACKET_start_sub_packet_u16(pkt)
664 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
665 s->ext.tls13_cookie_len)
666 || !WPACKET_close(pkt)) {
667 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_COOKIE, ERR_R_INTERNAL_ERROR);
668 goto end;
669 }
670
671 ret = EXT_RETURN_SENT;
672 end:
673 OPENSSL_free(s->ext.tls13_cookie);
674 s->ext.tls13_cookie = NULL;
675 s->ext.tls13_cookie_len = 0;
676
677 return ret;
678 }
679
680 EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
681 unsigned int context, X509 *x,
682 size_t chainidx, int *al)
683 {
684 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
685 || s->session->ext.max_early_data == 0) {
686 s->max_early_data = 0;
687 return EXT_RETURN_NOT_SENT;
688 }
689 s->max_early_data = s->session->ext.max_early_data;
690
691 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
692 || !WPACKET_start_sub_packet_u16(pkt)
693 || !WPACKET_close(pkt)) {
694 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
695 return EXT_RETURN_FAIL;
696 }
697
698 /*
699 * We set this to rejected here. Later, if the server acknowledges the
700 * extension, we set it to accepted.
701 */
702 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
703
704 return EXT_RETURN_SENT;
705 }
706
707 #define F5_WORKAROUND_MIN_MSG_LEN 0xff
708 #define F5_WORKAROUND_MAX_MSG_LEN 0x200
709
710 /*
711 * PSK pre binder overhead =
712 * 2 bytes for TLSEXT_TYPE_psk
713 * 2 bytes for extension length
714 * 2 bytes for identities list length
715 * 2 bytes for identity length
716 * 4 bytes for obfuscated_ticket_age
717 * 2 bytes for binder list length
718 * 1 byte for binder length
719 * The above excludes the number of bytes for the identity itself and the
720 * subsequent binder bytes
721 */
722 #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
723
724 EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
725 unsigned int context, X509 *x,
726 size_t chainidx, int *al)
727 {
728 unsigned char *padbytes;
729 size_t hlen;
730
731 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
732 return EXT_RETURN_NOT_SENT;
733
734 /*
735 * Add padding to workaround bugs in F5 terminators. See RFC7685.
736 * This code calculates the length of all extensions added so far but
737 * excludes the PSK extension (because that MUST be written last). Therefore
738 * this extension MUST always appear second to last.
739 */
740 if (!WPACKET_get_total_written(pkt, &hlen)) {
741 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR);
742 return EXT_RETURN_FAIL;
743 }
744
745 /*
746 * If we're going to send a PSK then that will be written out after this
747 * extension, so we need to calculate how long it is going to be.
748 */
749 if (s->session->ssl_version == TLS1_3_VERSION
750 && s->session->ext.ticklen != 0
751 && s->session->cipher != NULL) {
752 const EVP_MD *md = ssl_md(s->session->cipher->algorithm2);
753
754 if (md != NULL) {
755 /*
756 * Add the fixed PSK overhead, the identity length and the binder
757 * length.
758 */
759 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
760 + EVP_MD_size(md);
761 }
762 }
763
764 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
765 /* Calculate the amount of padding we need to add */
766 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
767
768 /*
769 * Take off the size of extension header itself (2 bytes for type and
770 * 2 bytes for length bytes)
771 */
772 if (hlen >= 4)
773 hlen -= 4;
774 else
775 hlen = 0;
776
777 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
778 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
779 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR);
780 return 0;
781 }
782 memset(padbytes, 0, hlen);
783 }
784
785 return EXT_RETURN_SENT;
786 }
787
788 /*
789 * Construct the pre_shared_key extension
790 */
791 EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
792 X509 *x, size_t chainidx, int *al)
793 {
794 #ifndef OPENSSL_NO_TLS1_3
795 uint32_t now, agesec, agems;
796 size_t hashsize, binderoffset, msglen;
797 unsigned char *binder = NULL, *msgstart = NULL;
798 const EVP_MD *md;
799 EXT_RETURN ret = EXT_RETURN_FAIL;
800
801 s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
802
803 /*
804 * Note: At this stage of the code we only support adding a single
805 * resumption PSK. If we add support for multiple PSKs then the length
806 * calculations in the padding extension will need to be adjusted.
807 */
808
809 /*
810 * If this is an incompatible or new session then we have nothing to resume
811 * so don't add this extension.
812 */
813 if (s->session->ssl_version != TLS1_3_VERSION
814 || s->session->ext.ticklen == 0)
815 return EXT_RETURN_NOT_SENT;
816
817 if (s->session->cipher == NULL) {
818 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
819 goto err;
820 }
821
822 md = ssl_md(s->session->cipher->algorithm2);
823 if (md == NULL) {
824 /* Don't recognize this cipher so we can't use the session. Ignore it */
825 return EXT_RETURN_NOT_SENT;
826 }
827
828 if (s->hello_retry_request && md != ssl_handshake_md(s)) {
829 /*
830 * Selected ciphersuite hash does not match the hash for the session so
831 * we can't use it.
832 */
833 return EXT_RETURN_NOT_SENT;
834 }
835
836 /*
837 * Technically the C standard just says time() returns a time_t and says
838 * nothing about the encoding of that type. In practice most implementations
839 * follow POSIX which holds it as an integral type in seconds since epoch.
840 * We've already made the assumption that we can do this in multiple places
841 * in the code, so portability shouldn't be an issue.
842 */
843 now = (uint32_t)time(NULL);
844 agesec = now - (uint32_t)s->session->time;
845
846 if (s->session->ext.tick_lifetime_hint < agesec) {
847 /* Ticket is too old. Ignore it. */
848 return EXT_RETURN_NOT_SENT;
849 }
850
851 /*
852 * Calculate age in ms. We're just doing it to nearest second. Should be
853 * good enough.
854 */
855 agems = agesec * (uint32_t)1000;
856
857 if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
858 /*
859 * Overflow. Shouldn't happen unless this is a *really* old session. If
860 * so we just ignore it.
861 */
862 return EXT_RETURN_NOT_SENT;
863 }
864
865 /*
866 * Obfuscate the age. Overflow here is fine, this addition is supposed to
867 * be mod 2^32.
868 */
869 agems += s->session->ext.tick_age_add;
870
871 hashsize = EVP_MD_size(md);
872
873 /* Create the extension, but skip over the binder for now */
874 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
875 || !WPACKET_start_sub_packet_u16(pkt)
876 || !WPACKET_start_sub_packet_u16(pkt)
877 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
878 s->session->ext.ticklen)
879 || !WPACKET_put_bytes_u32(pkt, agems)
880 || !WPACKET_close(pkt)
881 || !WPACKET_get_total_written(pkt, &binderoffset)
882 || !WPACKET_start_sub_packet_u16(pkt)
883 || !WPACKET_sub_allocate_bytes_u8(pkt, hashsize, &binder)
884 || !WPACKET_close(pkt)
885 || !WPACKET_close(pkt)
886 || !WPACKET_get_total_written(pkt, &msglen)
887 /*
888 * We need to fill in all the sub-packet lengths now so we can
889 * calculate the HMAC of the message up to the binders
890 */
891 || !WPACKET_fill_lengths(pkt)) {
892 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
893 goto err;
894 }
895
896 msgstart = WPACKET_get_curr(pkt) - msglen;
897
898 if (tls_psk_do_binder(s, md, msgstart, binderoffset, NULL, binder,
899 s->session, 1) != 1) {
900 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
901 goto err;
902 }
903
904 s->session->ext.tick_identity = 0;
905
906 ret = EXT_RETURN_SENT;
907 err:
908 return ret;
909 #else
910 return 1;
911 #endif
912 }
913
914 /*
915 * Parse the server's renegotiation binding and abort if it's not right
916 */
917 int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
918 X509 *x, size_t chainidx, int *al)
919 {
920 size_t expected_len = s->s3->previous_client_finished_len
921 + s->s3->previous_server_finished_len;
922 size_t ilen;
923 const unsigned char *data;
924
925 /* Check for logic errors */
926 assert(expected_len == 0 || s->s3->previous_client_finished_len != 0);
927 assert(expected_len == 0 || s->s3->previous_server_finished_len != 0);
928
929 /* Parse the length byte */
930 if (!PACKET_get_1_len(pkt, &ilen)) {
931 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
932 SSL_R_RENEGOTIATION_ENCODING_ERR);
933 *al = SSL_AD_ILLEGAL_PARAMETER;
934 return 0;
935 }
936
937 /* Consistency check */
938 if (PACKET_remaining(pkt) != ilen) {
939 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
940 SSL_R_RENEGOTIATION_ENCODING_ERR);
941 *al = SSL_AD_ILLEGAL_PARAMETER;
942 return 0;
943 }
944
945 /* Check that the extension matches */
946 if (ilen != expected_len) {
947 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
948 SSL_R_RENEGOTIATION_MISMATCH);
949 *al = SSL_AD_HANDSHAKE_FAILURE;
950 return 0;
951 }
952
953 if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len)
954 || memcmp(data, s->s3->previous_client_finished,
955 s->s3->previous_client_finished_len) != 0) {
956 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
957 SSL_R_RENEGOTIATION_MISMATCH);
958 *al = SSL_AD_HANDSHAKE_FAILURE;
959 return 0;
960 }
961
962 if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len)
963 || memcmp(data, s->s3->previous_server_finished,
964 s->s3->previous_server_finished_len) != 0) {
965 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
966 SSL_R_RENEGOTIATION_MISMATCH);
967 *al = SSL_AD_ILLEGAL_PARAMETER;
968 return 0;
969 }
970 s->s3->send_connection_binding = 1;
971
972 return 1;
973 }
974
975 int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
976 X509 *x, size_t chainidx, int *al)
977 {
978 if (s->ext.hostname == NULL || PACKET_remaining(pkt) > 0) {
979 *al = SSL_AD_UNRECOGNIZED_NAME;
980 return 0;
981 }
982
983 if (!s->hit) {
984 if (s->session->ext.hostname != NULL) {
985 *al = SSL_AD_INTERNAL_ERROR;
986 return 0;
987 }
988 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
989 if (s->session->ext.hostname == NULL) {
990 *al = SSL_AD_INTERNAL_ERROR;
991 return 0;
992 }
993 }
994
995 return 1;
996 }
997
998 #ifndef OPENSSL_NO_EC
999 int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
1000 X509 *x, size_t chainidx, int *al)
1001 {
1002 unsigned int ecpointformats_len;
1003 PACKET ecptformatlist;
1004
1005 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
1006 *al = SSL_AD_DECODE_ERROR;
1007 return 0;
1008 }
1009 if (!s->hit) {
1010 ecpointformats_len = PACKET_remaining(&ecptformatlist);
1011 s->session->ext.ecpointformats_len = 0;
1012
1013 OPENSSL_free(s->session->ext.ecpointformats);
1014 s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
1015 if (s->session->ext.ecpointformats == NULL) {
1016 *al = SSL_AD_INTERNAL_ERROR;
1017 return 0;
1018 }
1019
1020 s->session->ext.ecpointformats_len = ecpointformats_len;
1021
1022 if (!PACKET_copy_bytes(&ecptformatlist,
1023 s->session->ext.ecpointformats,
1024 ecpointformats_len)) {
1025 *al = SSL_AD_INTERNAL_ERROR;
1026 return 0;
1027 }
1028 }
1029
1030 return 1;
1031 }
1032 #endif
1033
1034 int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
1035 X509 *x, size_t chainidx, int *al)
1036 {
1037 if (s->ext.session_ticket_cb != NULL &&
1038 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
1039 PACKET_remaining(pkt),
1040 s->ext.session_ticket_cb_arg)) {
1041 *al = SSL_AD_INTERNAL_ERROR;
1042 return 0;
1043 }
1044
1045 if (!tls_use_ticket(s) || PACKET_remaining(pkt) > 0) {
1046 *al = SSL_AD_UNSUPPORTED_EXTENSION;
1047 return 0;
1048 }
1049
1050 s->ext.ticket_expected = 1;
1051
1052 return 1;
1053 }
1054
1055 #ifndef OPENSSL_NO_OCSP
1056 int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
1057 X509 *x, size_t chainidx, int *al)
1058 {
1059 /*
1060 * MUST only be sent if we've requested a status
1061 * request message. In TLS <= 1.2 it must also be empty.
1062 */
1063 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp
1064 || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
1065 *al = SSL_AD_UNSUPPORTED_EXTENSION;
1066 return 0;
1067 }
1068
1069 if (SSL_IS_TLS13(s)) {
1070 /* We only know how to handle this if it's for the first Certificate in
1071 * the chain. We ignore any other responses.
1072 */
1073 if (chainidx != 0)
1074 return 1;
1075 return tls_process_cert_status_body(s, pkt, al);
1076 }
1077
1078 /* Set flag to expect CertificateStatus message */
1079 s->ext.status_expected = 1;
1080
1081 return 1;
1082 }
1083 #endif
1084
1085
1086 #ifndef OPENSSL_NO_CT
1087 int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1088 size_t chainidx, int *al)
1089 {
1090 /*
1091 * Only take it if we asked for it - i.e if there is no CT validation
1092 * callback set, then a custom extension MAY be processing it, so we
1093 * need to let control continue to flow to that.
1094 */
1095 if (s->ct_validation_callback != NULL) {
1096 size_t size = PACKET_remaining(pkt);
1097
1098 /* Simply copy it off for later processing */
1099 OPENSSL_free(s->ext.scts);
1100 s->ext.scts = NULL;
1101
1102 s->ext.scts_len = size;
1103 if (size > 0) {
1104 s->ext.scts = OPENSSL_malloc(size);
1105 if (s->ext.scts == NULL
1106 || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
1107 *al = SSL_AD_INTERNAL_ERROR;
1108 return 0;
1109 }
1110 }
1111 } else {
1112 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
1113 ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
1114
1115 /*
1116 * If we didn't ask for it then there must be a custom extension,
1117 * otherwise this is unsolicited.
1118 */
1119 if (custom_ext_find(&s->cert->custext, role,
1120 TLSEXT_TYPE_signed_certificate_timestamp,
1121 NULL) == NULL) {
1122 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1123 return 0;
1124 }
1125
1126 if (custom_ext_parse(s, context,
1127 TLSEXT_TYPE_signed_certificate_timestamp,
1128 PACKET_data(pkt), PACKET_remaining(pkt),
1129 x, chainidx, al) <= 0)
1130 return 0;
1131 }
1132
1133 return 1;
1134 }
1135 #endif
1136
1137
1138 #ifndef OPENSSL_NO_NEXTPROTONEG
1139 /*
1140 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1141 * elements of zero length are allowed and the set of elements must exactly
1142 * fill the length of the block. Returns 1 on success or 0 on failure.
1143 */
1144 static int ssl_next_proto_validate(PACKET *pkt)
1145 {
1146 PACKET tmp_protocol;
1147
1148 while (PACKET_remaining(pkt)) {
1149 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
1150 || PACKET_remaining(&tmp_protocol) == 0)
1151 return 0;
1152 }
1153
1154 return 1;
1155 }
1156
1157 int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1158 size_t chainidx, int *al)
1159 {
1160 unsigned char *selected;
1161 unsigned char selected_len;
1162 PACKET tmppkt;
1163
1164 /* Check if we are in a renegotiation. If so ignore this extension */
1165 if (!SSL_IS_FIRST_HANDSHAKE(s))
1166 return 1;
1167
1168 /* We must have requested it. */
1169 if (s->ctx->ext.npn_select_cb == NULL) {
1170 *al = SSL_AD_UNSUPPORTED_EXTENSION;
1171 return 0;
1172 }
1173
1174 /* The data must be valid */
1175 tmppkt = *pkt;
1176 if (!ssl_next_proto_validate(&tmppkt)) {
1177 *al = SSL_AD_DECODE_ERROR;
1178 return 0;
1179 }
1180 if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
1181 PACKET_data(pkt),
1182 PACKET_remaining(pkt),
1183 s->ctx->ext.npn_select_cb_arg) !=
1184 SSL_TLSEXT_ERR_OK) {
1185 *al = SSL_AD_INTERNAL_ERROR;
1186 return 0;
1187 }
1188
1189 /*
1190 * Could be non-NULL if server has sent multiple NPN extensions in
1191 * a single Serverhello
1192 */
1193 OPENSSL_free(s->ext.npn);
1194 s->ext.npn = OPENSSL_malloc(selected_len);
1195 if (s->ext.npn == NULL) {
1196 *al = SSL_AD_INTERNAL_ERROR;
1197 return 0;
1198 }
1199
1200 memcpy(s->ext.npn, selected, selected_len);
1201 s->ext.npn_len = selected_len;
1202 s->s3->npn_seen = 1;
1203
1204 return 1;
1205 }
1206 #endif
1207
1208 int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1209 size_t chainidx, int *al)
1210 {
1211 size_t len;
1212
1213 /* We must have requested it. */
1214 if (!s->s3->alpn_sent) {
1215 *al = SSL_AD_UNSUPPORTED_EXTENSION;
1216 return 0;
1217 }
1218 /*-
1219 * The extension data consists of:
1220 * uint16 list_length
1221 * uint8 proto_length;
1222 * uint8 proto[proto_length];
1223 */
1224 if (!PACKET_get_net_2_len(pkt, &len)
1225 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
1226 || PACKET_remaining(pkt) != len) {
1227 *al = SSL_AD_DECODE_ERROR;
1228 return 0;
1229 }
1230 OPENSSL_free(s->s3->alpn_selected);
1231 s->s3->alpn_selected = OPENSSL_malloc(len);
1232 if (s->s3->alpn_selected == NULL) {
1233 *al = SSL_AD_INTERNAL_ERROR;
1234 return 0;
1235 }
1236 if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) {
1237 *al = SSL_AD_DECODE_ERROR;
1238 return 0;
1239 }
1240 s->s3->alpn_selected_len = len;
1241
1242 return 1;
1243 }
1244
1245 #ifndef OPENSSL_NO_SRTP
1246 int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1247 size_t chainidx, int *al)
1248 {
1249 unsigned int id, ct, mki;
1250 int i;
1251 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1252 SRTP_PROTECTION_PROFILE *prof;
1253
1254 if (!PACKET_get_net_2(pkt, &ct) || ct != 2
1255 || !PACKET_get_net_2(pkt, &id)
1256 || !PACKET_get_1(pkt, &mki)
1257 || PACKET_remaining(pkt) != 0) {
1258 SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP,
1259 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1260 *al = SSL_AD_DECODE_ERROR;
1261 return 0;
1262 }
1263
1264 if (mki != 0) {
1265 /* Must be no MKI, since we never offer one */
1266 SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
1267 *al = SSL_AD_ILLEGAL_PARAMETER;
1268 return 0;
1269 }
1270
1271 /* Throw an error if the server gave us an unsolicited extension */
1272 clnt = SSL_get_srtp_profiles(s);
1273 if (clnt == NULL) {
1274 SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_NO_SRTP_PROFILES);
1275 *al = SSL_AD_DECODE_ERROR;
1276 return 0;
1277 }
1278
1279 /*
1280 * Check to see if the server gave us something we support (and
1281 * presumably offered)
1282 */
1283 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1284 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
1285
1286 if (prof->id == id) {
1287 s->srtp_profile = prof;
1288 *al = 0;
1289 return 1;
1290 }
1291 }
1292
1293 SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP,
1294 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1295 *al = SSL_AD_DECODE_ERROR;
1296 return 0;
1297 }
1298 #endif
1299
1300 int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1301 size_t chainidx, int *al)
1302 {
1303 /* Ignore if inappropriate ciphersuite */
1304 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
1305 && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
1306 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
1307 s->ext.use_etm = 1;
1308
1309 return 1;
1310 }
1311
1312 int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1313 size_t chainidx, int *al)
1314 {
1315 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1316 if (!s->hit)
1317 s->session->flags |= SSL_SESS_FLAG_EXTMS;
1318
1319 return 1;
1320 }
1321
1322 int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1323 size_t chainidx, int *al)
1324 {
1325 #ifndef OPENSSL_NO_TLS1_3
1326 unsigned int group_id;
1327 PACKET encoded_pt;
1328 EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;
1329
1330 /* Sanity check */
1331 if (ckey == NULL || s->s3->peer_tmp != NULL) {
1332 *al = SSL_AD_INTERNAL_ERROR;
1333 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1334 return 0;
1335 }
1336
1337 if (!PACKET_get_net_2(pkt, &group_id)) {
1338 *al = SSL_AD_DECODE_ERROR;
1339 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
1340 return 0;
1341 }
1342
1343 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
1344 unsigned const char *pcurves = NULL;
1345 size_t i, num_curves;
1346
1347 if (PACKET_remaining(pkt) != 0) {
1348 *al = SSL_AD_DECODE_ERROR;
1349 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
1350 return 0;
1351 }
1352
1353 /*
1354 * It is an error if the HelloRetryRequest wants a key_share that we
1355 * already sent in the first ClientHello
1356 */
1357 if (group_id == s->s3->group_id) {
1358 *al = SSL_AD_ILLEGAL_PARAMETER;
1359 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
1360 return 0;
1361 }
1362
1363 /* Validate the selected group is one we support */
1364 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
1365 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1366 return 0;
1367 }
1368 for (i = 0; i < num_curves; i++, pcurves += 2) {
1369 if (group_id == bytestogroup(pcurves))
1370 break;
1371 }
1372 if (i >= num_curves
1373 || !tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1374 *al = SSL_AD_ILLEGAL_PARAMETER;
1375 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
1376 return 0;
1377 }
1378
1379 s->s3->group_id = group_id;
1380 EVP_PKEY_free(s->s3->tmp.pkey);
1381 s->s3->tmp.pkey = NULL;
1382 return 1;
1383 }
1384
1385 if (group_id != s->s3->group_id) {
1386 /*
1387 * This isn't for the group that we sent in the original
1388 * key_share!
1389 */
1390 *al = SSL_AD_ILLEGAL_PARAMETER;
1391 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
1392 return 0;
1393 }
1394
1395 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
1396 || PACKET_remaining(&encoded_pt) == 0) {
1397 *al = SSL_AD_DECODE_ERROR;
1398 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
1399 return 0;
1400 }
1401
1402 skey = ssl_generate_pkey(ckey);
1403 if (skey == NULL) {
1404 *al = SSL_AD_INTERNAL_ERROR;
1405 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1406 return 0;
1407 }
1408 if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
1409 PACKET_remaining(&encoded_pt))) {
1410 *al = SSL_AD_DECODE_ERROR;
1411 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_ECPOINT);
1412 EVP_PKEY_free(skey);
1413 return 0;
1414 }
1415
1416 if (ssl_derive(s, ckey, skey, 1) == 0) {
1417 *al = SSL_AD_INTERNAL_ERROR;
1418 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1419 EVP_PKEY_free(skey);
1420 return 0;
1421 }
1422 s->s3->peer_tmp = skey;
1423 #endif
1424
1425 return 1;
1426 }
1427
1428 int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1429 size_t chainidx, int *al)
1430 {
1431 PACKET cookie;
1432
1433 if (!PACKET_as_length_prefixed_2(pkt, &cookie)
1434 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
1435 &s->ext.tls13_cookie_len)) {
1436 *al = SSL_AD_DECODE_ERROR;
1437 SSLerr(SSL_F_TLS_PARSE_STOC_COOKIE, SSL_R_LENGTH_MISMATCH);
1438 return 0;
1439 }
1440
1441 return 1;
1442 }
1443
1444 int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
1445 X509 *x, size_t chainidx, int *al)
1446 {
1447 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1448 unsigned long max_early_data;
1449
1450 if (!PACKET_get_net_4(pkt, &max_early_data)
1451 || PACKET_remaining(pkt) != 0) {
1452 SSLerr(SSL_F_TLS_PARSE_STOC_EARLY_DATA,
1453 SSL_R_INVALID_MAX_EARLY_DATA);
1454 *al = SSL_AD_DECODE_ERROR;
1455 return 0;
1456 }
1457
1458 s->session->ext.max_early_data = max_early_data;
1459
1460 return 1;
1461 }
1462
1463 if (PACKET_remaining(pkt) != 0) {
1464 *al = SSL_AD_DECODE_ERROR;
1465 return 0;
1466 }
1467
1468 if (s->ext.early_data != SSL_EARLY_DATA_REJECTED
1469 || !s->hit
1470 || s->session->ext.tick_identity != 0) {
1471 /*
1472 * If we get here then we didn't send early data, or we didn't resume
1473 * using the first identity so the server should not be accepting it.
1474 */
1475 *al = SSL_AD_ILLEGAL_PARAMETER;
1476 return 0;
1477 }
1478
1479 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
1480
1481 return 1;
1482 }
1483
1484 int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1485 size_t chainidx, int *al)
1486 {
1487 #ifndef OPENSSL_NO_TLS1_3
1488 unsigned int identity;
1489
1490 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
1491 *al = SSL_AD_DECODE_ERROR;
1492 SSLerr(SSL_F_TLS_PARSE_STOC_PSK, SSL_R_LENGTH_MISMATCH);
1493 return 0;
1494 }
1495
1496 if (s->session->ext.tick_identity != (int)identity) {
1497 *al = SSL_AD_ILLEGAL_PARAMETER;
1498 SSLerr(SSL_F_TLS_PARSE_STOC_PSK, SSL_R_BAD_PSK_IDENTITY);
1499 return 0;
1500 }
1501
1502 s->hit = 1;
1503 #endif
1504
1505 return 1;
1506 }
A mirror of the official openssl repository