]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Construct the server side early_data extension
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e
MC		 1/*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
13
14/*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
61138358
MC		 17int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 19{
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
7fe97c07 26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
7fe97c07 34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
7fe97c07 42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51}
52
1266eefd
MC		 53/*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
61138358
MC		 76int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 78{
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
25670f3e
MC		 82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
1266eefd 92 * syntax inextensibly and OpenSSL 1.0.x parses it as
25670f3e
MC		 93 * such.
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
97 *
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
100 */
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
105 return 0;
106 }
107
108 if (!s->hit) {
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
111 return 0;
112 }
113
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
116 return 0;
117 }
118
7d061fce
MC		 119 OPENSSL_free(s->session->ext.hostname);
120 s->session->ext.hostname = NULL;
aff8c126 121 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
25670f3e
MC		 122 *al = TLS1_AD_INTERNAL_ERROR;
123 return 0;
124 }
125
126 s->servername_done = 1;
127 } else {
128 /*
129 * TODO(openssl-team): if the SNI doesn't match, we MUST
130 * fall back to a full handshake.
131 */
aff8c126
RS		 132 s->servername_done = s->session->ext.hostname
133 && PACKET_equal(&hostname, s->session->ext.hostname,
134 strlen(s->session->ext.hostname));
25670f3e
MC		 135 }
136
137 return 1;
138}
139
140#ifndef OPENSSL_NO_SRP
61138358
MC		 141int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
142 size_t chainidx, int *al)
25670f3e
MC		 143{
144 PACKET srp_I;
145
146 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
147 || PACKET_contains_zero_byte(&srp_I)) {
148 *al = SSL_AD_DECODE_ERROR;
149 return 0;
150 }
151
152 /*
153 * TODO(openssl-team): currently, we re-authenticate the user
154 * upon resumption. Instead, we MUST ignore the login.
155 */
156 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
157 *al = TLS1_AD_INTERNAL_ERROR;
158 return 0;
159 }
160
161 return 1;
162}
163#endif
164
0a87d0ac
MC		 165int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
166 X509 *x, size_t chainidx, int *al)
167{
168 if (PACKET_remaining(pkt) != 0) {
169 *al = SSL_AD_DECODE_ERROR;
170 return 0;
171 }
172
1ea4d09a
MC		 173 if (s->max_early_data == 0 || !s->hit || s->session->ext.tick_identity != 0
174 || s->early_data_state != SSL_EARLY_DATA_ACCEPTING) {
175 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
176 } else {
177 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
178
179 if (!tls13_change_cipher_state(s,
180 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
181 *al = SSL_AD_INTERNAL_ERROR;
182 return 0;
183 }
184 }
0a87d0ac
MC		 185
186 return 1;
187}
188
25670f3e 189#ifndef OPENSSL_NO_EC
61138358
MC		 190int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
191 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 192{
193 PACKET ec_point_format_list;
194
195 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
196 || PACKET_remaining(&ec_point_format_list) == 0) {
197 *al = SSL_AD_DECODE_ERROR;
198 return 0;
199 }
200
201 if (!s->hit) {
202 if (!PACKET_memdup(&ec_point_format_list,
aff8c126
RS		 203 &s->session->ext.ecpointformats,
204 &s->session->ext.ecpointformats_len)) {
25670f3e
MC		 205 *al = TLS1_AD_INTERNAL_ERROR;
206 return 0;
207 }
208 }
209
210 return 1;
211}
212#endif /* OPENSSL_NO_EC */
213
61138358
MC		 214int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
215 X509 *x, size_t chainidx, int *al)
25670f3e 216{
aff8c126
RS		 217 if (s->ext.session_ticket_cb &&
218 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
219 PACKET_remaining(pkt),
220 s->ext.session_ticket_cb_arg)) {
25670f3e
MC		 221 *al = TLS1_AD_INTERNAL_ERROR;
222 return 0;
223 }
224
225 return 1;
226}
227
61138358
MC		 228int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
229 size_t chainidx, int *al)
25670f3e
MC		 230{
231 PACKET supported_sig_algs;
232
233 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e
MC		 234 || PACKET_remaining(&supported_sig_algs) == 0) {
235 *al = SSL_AD_DECODE_ERROR;
236 return 0;
237 }
238
703bcee0
MC		 239 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
240 *al = TLS1_AD_DECODE_ERROR;
25670f3e
MC		 241 return 0;
242 }
243
244 return 1;
245}
246
ab83e314 247#ifndef OPENSSL_NO_OCSP
61138358
MC		 248int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
249 X509 *x, size_t chainidx, int *al)
25670f3e 250{
1266eefd
MC		 251 PACKET responder_id_list, exts;
252
e96e0f8e
MC		 253 /* Not defined if we get one of these in a client Certificate */
254 if (x != NULL)
255 return 1;
256
aff8c126 257 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
25670f3e
MC		 258 *al = SSL_AD_DECODE_ERROR;
259 return 0;
260 }
ab83e314 261
aff8c126 262 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 263 /*
1266eefd 264 * We don't know what to do with any other type so ignore it.
25670f3e 265 */
aff8c126 266 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 267 return 1;
268 }
25670f3e 269
1266eefd
MC		 270 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
271 *al = SSL_AD_DECODE_ERROR;
272 return 0;
273 }
25670f3e 274
1266eefd
MC		 275 /*
276 * We remove any OCSP_RESPIDs from a previous handshake
277 * to prevent unbounded memory growth - CVE-2016-6304
278 */
aff8c126 279 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 280 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 281 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
282 if (s->ext.ocsp.ids == NULL) {
1266eefd
MC		 283 *al = SSL_AD_INTERNAL_ERROR;
284 return 0;
285 }
286 } else {
aff8c126 287 s->ext.ocsp.ids = NULL;
1266eefd 288 }
25670f3e 289
1266eefd
MC		 290 while (PACKET_remaining(&responder_id_list) > 0) {
291 OCSP_RESPID *id;
292 PACKET responder_id;
293 const unsigned char *id_data;
25670f3e 294
1266eefd
MC		 295 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
296 || PACKET_remaining(&responder_id) == 0) {
297 *al = SSL_AD_DECODE_ERROR;
298 return 0;
299 }
25670f3e 300
1266eefd
MC		 301 id_data = PACKET_data(&responder_id);
302 /* TODO(size_t): Convert d2i_* to size_t */
303 id = d2i_OCSP_RESPID(NULL, &id_data,
304 (int)PACKET_remaining(&responder_id));
305 if (id == NULL) {
306 *al = SSL_AD_DECODE_ERROR;
307 return 0;
25670f3e
MC		 308 }
309
1266eefd
MC		 310 if (id_data != PACKET_end(&responder_id)) {
311 OCSP_RESPID_free(id);
25670f3e
MC		 312 *al = SSL_AD_DECODE_ERROR;
313 return 0;
314 }
315
aff8c126 316 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd
MC		 317 OCSP_RESPID_free(id);
318 *al = SSL_AD_INTERNAL_ERROR;
319 return 0;
320 }
321 }
322
323 /* Read in request_extensions */
324 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
325 *al = SSL_AD_DECODE_ERROR;
326 return 0;
327 }
328
329 if (PACKET_remaining(&exts) > 0) {
330 const unsigned char *ext_data = PACKET_data(&exts);
331
aff8c126 332 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 333 X509_EXTENSION_free);
aff8c126 334 s->ext.ocsp.exts =
1266eefd 335 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 336 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
1266eefd
MC		 337 *al = SSL_AD_DECODE_ERROR;
338 return 0;
25670f3e 339 }
25670f3e
MC		 340 }
341
342 return 1;
343}
ab83e314 344#endif
25670f3e
MC		 345
346#ifndef OPENSSL_NO_NEXTPROTONEG
61138358
MC		 347int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
348 size_t chainidx, int *al)
25670f3e 349{
1266eefd
MC		 350 /*
351 * We shouldn't accept this extension on a
352 * renegotiation.
1266eefd 353 */
c7f47786 354 if (SSL_IS_FIRST_HANDSHAKE(s))
aff8c126 355 s->s3->npn_seen = 1;
25670f3e
MC		 356
357 return 1;
358}
359#endif
360
361/*
1266eefd
MC		 362 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
363 * extension, not including type and length. |al| is a pointer to the alert
364 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
25670f3e 365 */
61138358
MC		 366int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
367 size_t chainidx, int *al)
25670f3e
MC		 368{
369 PACKET protocol_list, save_protocol_list, protocol;
370
c7f47786 371 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 372 return 1;
373
374 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
375 || PACKET_remaining(&protocol_list) < 2) {
376 *al = SSL_AD_DECODE_ERROR;
377 return 0;
378 }
379
380 save_protocol_list = protocol_list;
381 do {
382 /* Protocol names can't be empty. */
383 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
384 || PACKET_remaining(&protocol) == 0) {
385 *al = SSL_AD_DECODE_ERROR;
386 return 0;
387 }
388 } while (PACKET_remaining(&protocol_list) != 0);
389
7d061fce
MC		 390 OPENSSL_free(s->s3->alpn_proposed);
391 s->s3->alpn_proposed = NULL;
392 s->s3->alpn_proposed_len = 0;
25670f3e
MC		 393 if (!PACKET_memdup(&save_protocol_list,
394 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
395 *al = TLS1_AD_INTERNAL_ERROR;
396 return 0;
397 }
398
399 return 1;
400}
401
402#ifndef OPENSSL_NO_SRTP
61138358
MC		 403int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
404 size_t chainidx, int *al)
25670f3e 405{
25670f3e
MC		 406 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
407 unsigned int ct, mki_len, id;
408 int i, srtp_pref;
409 PACKET subpkt;
410
411 /* Ignore this if we have no SRTP profiles */
412 if (SSL_get_srtp_profiles(s) == NULL)
413 return 1;
414
415 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 416 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
417 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
7fe97c07 418 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 419 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
420 *al = SSL_AD_DECODE_ERROR;
421 return 0;
422 }
423
424 srvr = SSL_get_srtp_profiles(s);
425 s->srtp_profile = NULL;
426 /* Search all profiles for a match initially */
427 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
428
429 while (PACKET_remaining(&subpkt)) {
430 if (!PACKET_get_net_2(&subpkt, &id)) {
7fe97c07 431 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 432 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
433 *al = SSL_AD_DECODE_ERROR;
434 return 0;
435 }
436
437 /*
438 * Only look for match in profiles of higher preference than
439 * current match.
440 * If no profiles have been have been configured then this
441 * does nothing.
442 */
443 for (i = 0; i < srtp_pref; i++) {
d270de32 444 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 445 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
446
25670f3e
MC		 447 if (sprof->id == id) {
448 s->srtp_profile = sprof;
449 srtp_pref = i;
450 break;
451 }
452 }
453 }
454
1266eefd 455 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 456 if (!PACKET_get_1(pkt, &mki_len)) {
7fe97c07 457 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 458 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
459 *al = SSL_AD_DECODE_ERROR;
460 return 0;
461 }
462
463 if (!PACKET_forward(pkt, mki_len)
464 || PACKET_remaining(pkt)) {
7fe97c07 465 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 466 *al = SSL_AD_DECODE_ERROR;
467 return 0;
468 }
469
470 return 1;
471}
472#endif
473
61138358
MC		 474int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
475 size_t chainidx, int *al)
25670f3e
MC		 476{
477 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 478 s->ext.use_etm = 1;
25670f3e
MC		 479
480 return 1;
481}
482
b2f7e8c0
MC		 483/*
484 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
485 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
486 * If a failure occurs then |*al| is set to an appropriate alert value.
487 */
61138358
MC		 488int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
489 X509 *x, size_t chainidx, int *al)
b2f7e8c0
MC		 490{
491#ifndef OPENSSL_NO_TLS1_3
492 PACKET psk_kex_modes;
493 unsigned int mode;
494
495 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
496 || PACKET_remaining(&psk_kex_modes) == 0) {
497 *al = SSL_AD_DECODE_ERROR;
498 return 0;
499 }
500
501 while (PACKET_get_1(&psk_kex_modes, &mode)) {
502 if (mode == TLSEXT_KEX_MODE_KE_DHE)
503 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
504 else if (mode == TLSEXT_KEX_MODE_KE)
505 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
506 }
507#endif
508
509 return 1;
510}
511
25670f3e
MC		 512/*
513 * Process a key_share extension received in the ClientHello. |pkt| contains
514 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
515 * If a failure occurs then |*al| is set to an appropriate alert value.
516 */
61138358
MC		 517int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
518 size_t chainidx, int *al)
25670f3e 519{
3cf96e88 520#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 521 unsigned int group_id;
522 PACKET key_share_list, encoded_pt;
523 const unsigned char *clntcurves, *srvrcurves;
524 size_t clnt_num_curves, srvr_num_curves;
525 int group_nid, found = 0;
526 unsigned int curve_flags;
527
f4bbb37c 528 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 529 return 1;
530
531 /* Sanity check */
532 if (s->s3->peer_tmp != NULL) {
533 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 534 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 535 return 0;
536 }
537
538 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
539 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 540 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 541 return 0;
542 }
543
544 /* Get our list of supported curves */
545 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
546 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 547 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 548 return 0;
549 }
550
24b8e4b2 551 /*
70af3d8e 552 * Get the clients list of supported curves.
24b8e4b2
MC		 553 * TODO(TLS1.3): We should validate that we actually received
554 * supported_groups!
555 */
25670f3e
MC		 556 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
557 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 558 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 559 return 0;
560 }
561
562 while (PACKET_remaining(&key_share_list) > 0) {
563 if (!PACKET_get_net_2(&key_share_list, &group_id)
564 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
565 || PACKET_remaining(&encoded_pt) == 0) {
566 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 567 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 568 SSL_R_LENGTH_MISMATCH);
569 return 0;
570 }
571
572 /*
573 * If we already found a suitable key_share we loop through the
574 * rest to verify the structure, but don't process them.
575 */
576 if (found)
577 continue;
578
579 /* Check if this share is in supported_groups sent from client */
580 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
581 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 582 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 583 return 0;
584 }
585
586 /* Check if this share is for a group we can use */
587 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
588 /* Share not suitable */
589 continue;
590 }
591
592 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
593
594 if (group_nid == 0) {
595 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 596 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 597 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
598 return 0;
599 }
600
601 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
602 /* Can happen for some curves, e.g. X25519 */
603 EVP_PKEY *key = EVP_PKEY_new();
604
605 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
606 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 607 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 608 EVP_PKEY_free(key);
609 return 0;
610 }
611 s->s3->peer_tmp = key;
612 } else {
613 /* Set up EVP_PKEY with named curve as parameters */
614 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1266eefd 615
25670f3e
MC		 616 if (pctx == NULL
617 || EVP_PKEY_paramgen_init(pctx) <= 0
618 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
619 group_nid) <= 0
620 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
621 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 622 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 623 EVP_PKEY_CTX_free(pctx);
624 return 0;
625 }
626 EVP_PKEY_CTX_free(pctx);
627 pctx = NULL;
628 }
629 s->s3->group_id = group_id;
630
631 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
632 PACKET_data(&encoded_pt),
633 PACKET_remaining(&encoded_pt))) {
634 *al = SSL_AD_DECODE_ERROR;
7fe97c07 635 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 636 return 0;
637 }
638
639 found = 1;
640 }
3cf96e88 641#endif
25670f3e
MC		 642
643 return 1;
644}
645
646#ifndef OPENSSL_NO_EC
61138358
MC		 647int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
648 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 649{
650 PACKET supported_groups_list;
651
652 /* Each group is 2 bytes and we must have at least 1. */
653 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
654 || PACKET_remaining(&supported_groups_list) == 0
655 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
656 *al = SSL_AD_DECODE_ERROR;
657 return 0;
658 }
659
7d061fce
MC		 660 OPENSSL_free(s->session->ext.supportedgroups);
661 s->session->ext.supportedgroups = NULL;
662 s->session->ext.supportedgroups_len = 0;
1053a6e2
MC		 663 if (!PACKET_memdup(&supported_groups_list,
664 &s->session->ext.supportedgroups,
665 &s->session->ext.supportedgroups_len)) {
25670f3e
MC		 666 *al = SSL_AD_DECODE_ERROR;
667 return 0;
668 }
669
670 return 1;
671}
672#endif
673
61138358
MC		 674int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
675 size_t chainidx, int *al)
25670f3e
MC		 676{
677 /* The extension must always be empty */
678 if (PACKET_remaining(pkt) != 0) {
679 *al = SSL_AD_DECODE_ERROR;
680 return 0;
681 }
682
683 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
684
685 return 1;
686}
7da160b0 687
61138358
MC		 688int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
689 size_t chainidx, int *al)
1053a6e2
MC		 690{
691 PACKET identities, binders, binder;
692 size_t binderoffset, hashsize;
693 SSL_SESSION *sess = NULL;
694 unsigned int id, i;
695 const EVP_MD *md = NULL;
696
1a9f457c
MC		 697 /*
698 * If we have no PSK kex mode that we recognise then we can't resume so
699 * ignore this extension
700 */
701 if ((s->ext.psk_kex_mode
702 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
703 return 1;
704
1053a6e2
MC		 705 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
706 *al = SSL_AD_DECODE_ERROR;
707 return 0;
708 }
709
710 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
711 PACKET identity;
712 unsigned long ticket_age;
713 int ret;
714
715 if (!PACKET_get_length_prefixed_2(&identities, &identity)
716 || !PACKET_get_net_4(&identities, &ticket_age)) {
717 *al = SSL_AD_DECODE_ERROR;
718 return 0;
719 }
720
1b8bacff
MC		 721 /* TODO(TLS1.3): Should we validate the ticket age? */
722
1053a6e2
MC		 723 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
724 PACKET_remaining(&identity), NULL, 0, &sess);
725 if (ret == TICKET_FATAL_ERR_MALLOC || ret == TICKET_FATAL_ERR_OTHER) {
726 *al = SSL_AD_INTERNAL_ERROR;
727 return 0;
728 }
729 if (ret == TICKET_NO_DECRYPT)
730 continue;
731
534a43ff 732 md = ssl_md(sess->cipher->algorithm2);
1053a6e2
MC		 733 if (md == NULL) {
734 /*
735 * Don't recognise this cipher so we can't use the session.
736 * Ignore it
737 */
738 SSL_SESSION_free(sess);
739 sess = NULL;
740 continue;
741 }
742
743 /*
744 * TODO(TLS1.3): Somehow we need to handle the case of a ticket renewal.
745 * Ignored for now
746 */
747
748 break;
749 }
750
751 if (sess == NULL)
752 return 1;
753
754 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1053a6e2
MC		 755 hashsize = EVP_MD_size(md);
756
757 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
758 *al = SSL_AD_DECODE_ERROR;
759 goto err;
760 }
761
762 for (i = 0; i <= id; i++) {
763 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
764 *al = SSL_AD_DECODE_ERROR;
765 goto err;
766 }
767 }
768
769 if (PACKET_remaining(&binder) != hashsize
770 || tls_psk_do_binder(s, md,
771 (const unsigned char *)s->init_buf->data,
772 binderoffset, PACKET_data(&binder), NULL,
773 sess, 0) != 1) {
774 *al = SSL_AD_DECODE_ERROR;
775 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
776 goto err;
777 }
778
779 sess->ext.tick_identity = id;
780 SSL_SESSION_free(s->session);
781 s->session = sess;
1053a6e2
MC		 782 return 1;
783err:
784 return 0;
785}
786
1266eefd
MC		 787/*
788 * Add the server's renegotiation binding
789 */
61138358
MC		 790int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
791 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 792{
793 if (!s->s3->send_connection_binding)
794 return 1;
795
796 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
797 || !WPACKET_start_sub_packet_u16(pkt)
798 || !WPACKET_start_sub_packet_u8(pkt)
799 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
800 s->s3->previous_client_finished_len)
801 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
802 s->s3->previous_server_finished_len)
803 || !WPACKET_close(pkt)
804 || !WPACKET_close(pkt)) {
7fe97c07 805 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 806 return 0;
807 }
808
809 return 1;
810}
811
61138358
MC		 812int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, unsigned int context,
813 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 814{
815 if (s->hit || s->servername_done != 1
aff8c126 816 || s->session->ext.hostname == NULL)
7da160b0
MC		 817 return 1;
818
819 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
820 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 821 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 822 return 0;
823 }
824
825 return 1;
826}
827
3fc8d856
MC		 828int tls_construct_stoc_early_data_info(SSL *s, WPACKET *pkt,
829 unsigned int context, X509 *x,
830 size_t chainidx, int *al)
831{
832 if (s->max_early_data == 0)
833 return 1;
834
835 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data_info)
836 || !WPACKET_start_sub_packet_u16(pkt)
837 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
838 || !WPACKET_close(pkt)) {
839 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA_INFO, ERR_R_INTERNAL_ERROR);
840 return 0;
841 }
842
843 return 1;
844}
845
1ea4d09a
MC		 846int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,
847 X509 *x, size_t chainidx, int *al)
848{
849 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
850 return 1;
851
852 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
853 || !WPACKET_start_sub_packet_u16(pkt)
854 || !WPACKET_close(pkt)) {
855 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
856 return 0;
857 }
858
859 return 1;
860}
861
7da160b0 862#ifndef OPENSSL_NO_EC
61138358
MC		 863int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
864 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 865{
866 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
867 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
89247375 868 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
aff8c126 869 && (s->session->ext.ecpointformats != NULL);
7da160b0
MC		 870 const unsigned char *plist;
871 size_t plistlen;
872
873 if (!using_ecc)
874 return 1;
875
876 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 877 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
878 || !WPACKET_start_sub_packet_u16(pkt)
879 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
880 || !WPACKET_close(pkt)) {
7fe97c07 881 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 882 return 0;
883 }
884
885 return 1;
886}
887#endif
888
61138358
MC		 889int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
890 unsigned int context, X509 *x,
8521ced6 891 size_t chainidx, int *al)
7da160b0 892{
aff8c126
RS		 893 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
894 s->ext.ticket_expected = 0;
7da160b0
MC		 895 return 1;
896 }
897
898 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
899 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 900 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 901 return 0;
902 }
903
904 return 1;
905}
906
ab83e314 907#ifndef OPENSSL_NO_OCSP
61138358
MC		 908int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
909 unsigned int context, X509 *x,
910 size_t chainidx, int *al)
7da160b0 911{
aff8c126 912 if (!s->ext.status_expected)
7da160b0
MC		 913 return 1;
914
8521ced6 915 if (SSL_IS_TLS13(s) && chainidx != 0)
e96e0f8e
MC		 916 return 1;
917
7da160b0 918 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288
MC		 919 || !WPACKET_start_sub_packet_u16(pkt)) {
920 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
921 return 0;
922 }
923
924 /*
925 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
926 * send back an empty extension, with the certificate status appearing as a
927 * separate message
928 */
929 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
930 || !WPACKET_close(pkt)) {
7fe97c07 931 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 932 return 0;
933 }
934
935 return 1;
936}
ab83e314 937#endif
7da160b0 938
7da160b0 939#ifndef OPENSSL_NO_NEXTPROTONEG
61138358
MC		 940int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
941 unsigned int context, X509 *x,
8521ced6 942 size_t chainidx, int *al)
7da160b0
MC		 943{
944 const unsigned char *npa;
945 unsigned int npalen;
946 int ret;
aff8c126 947 int npn_seen = s->s3->npn_seen;
7da160b0 948
aff8c126
RS		 949 s->s3->npn_seen = 0;
950 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
7da160b0
MC		 951 return 1;
952
aff8c126
RS		 953 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
954 s->ctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 955 if (ret == SSL_TLSEXT_ERR_OK) {
956 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
957 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
7fe97c07 958 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
7da160b0
MC		 959 ERR_R_INTERNAL_ERROR);
960 return 0;
961 }
aff8c126 962 s->s3->npn_seen = 1;
7da160b0
MC		 963 }
964
965 return 1;
966}
967#endif
968
61138358
MC		 969int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
970 size_t chainidx, int *al)
7da160b0
MC		 971{
972 if (s->s3->alpn_selected == NULL)
973 return 1;
974
975 if (!WPACKET_put_bytes_u16(pkt,
976 TLSEXT_TYPE_application_layer_protocol_negotiation)
977 || !WPACKET_start_sub_packet_u16(pkt)
978 || !WPACKET_start_sub_packet_u16(pkt)
979 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
980 s->s3->alpn_selected_len)
981 || !WPACKET_close(pkt)
982 || !WPACKET_close(pkt)) {
7fe97c07 983 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 984 return 0;
985 }
986
987 return 1;
988}
989
990#ifndef OPENSSL_NO_SRTP
61138358
MC		 991int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
992 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 993{
994 if (s->srtp_profile == NULL)
995 return 1;
a1448c26 996
7da160b0
MC		 997 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
998 || !WPACKET_start_sub_packet_u16(pkt)
999 || !WPACKET_put_bytes_u16(pkt, 2)
1000 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1001 || !WPACKET_put_bytes_u8(pkt, 0)
1002 || !WPACKET_close(pkt)) {
7fe97c07 1003 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1004 return 0;
1005 }
1006
1007 return 1;
1008}
1009#endif
1010
61138358
MC		 1011int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1012 size_t chainidx, int *al)
7da160b0 1013{
28a31a0a 1014 if (!s->ext.use_etm)
7da160b0
MC		 1015 return 1;
1016
1017 /*
1018 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1019 * for other cases too.
1020 */
1021 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1022 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1023 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1024 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
28a31a0a 1025 s->ext.use_etm = 0;
7da160b0
MC		 1026 return 1;
1027 }
1028
1029 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1030 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 1031 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1032 return 0;
1033 }
1034
1035 return 1;
1036}
1037
61138358
MC		 1038int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1039 size_t chainidx, int *al)
7da160b0
MC		 1040{
1041 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1042 return 1;
1043
1044 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1045 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 1046 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1047 return 0;
1048 }
1049
1050 return 1;
1051}
1052
61138358
MC		 1053int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
1054 X509 *x, size_t chainidx, int *al)
7da160b0 1055{
3cf96e88 1056#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1057 unsigned char *encodedPoint;
1058 size_t encoded_pt_len = 0;
1059 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1060
7da160b0 1061 if (ckey == NULL) {
7d061fce
MC		 1062 /* No key_share received from client */
1063 if (s->hello_retry_request) {
7d061fce 1064 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
aff9929b
MC		 1065 || !WPACKET_start_sub_packet_u16(pkt)
1066 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1067 || !WPACKET_close(pkt)) {
7d061fce
MC		 1068 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1069 ERR_R_INTERNAL_ERROR);
1070 return 0;
1071 }
1072
1073 return 1;
1074 }
1075
1076 /* Must be resuming. */
0247086d
MC		 1077 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1078 *al = SSL_AD_INTERNAL_ERROR;
1079 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1080 return 0;
1081 }
1082 return 1;
7da160b0
MC		 1083 }
1084
1085 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1086 || !WPACKET_start_sub_packet_u16(pkt)
1087 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
7fe97c07 1088 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1089 return 0;
1090 }
1091
1092 skey = ssl_generate_pkey(ckey);
1093 if (skey == NULL) {
7fe97c07 1094 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
7da160b0
MC		 1095 return 0;
1096 }
1097
1098 /* Generate encoding of server key */
1099 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1100 if (encoded_pt_len == 0) {
7fe97c07 1101 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
7da160b0
MC		 1102 EVP_PKEY_free(skey);
1103 return 0;
1104 }
1105
1106 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1107 || !WPACKET_close(pkt)) {
7fe97c07 1108 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1109 EVP_PKEY_free(skey);
1110 OPENSSL_free(encodedPoint);
1111 return 0;
1112 }
1113 OPENSSL_free(encodedPoint);
1114
1115 /* This causes the crypto state to be updated based on the derived keys */
1116 s->s3->tmp.pkey = skey;
1117 if (ssl_derive(s, skey, ckey, 1) == 0) {
7fe97c07 1118 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1119 return 0;
1120 }
3cf96e88 1121#endif
7da160b0
MC		 1122
1123 return 1;
1124}
1125
61138358
MC		 1126int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context,
1127 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 1128{
1129 const unsigned char cryptopro_ext[36] = {
1130 0xfd, 0xe8, /* 65000 */
1131 0x00, 0x20, /* 32 bytes length */
1132 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1133 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1134 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1135 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1136 };
1137
1138 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1139 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1140 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1141 return 1;
1142
1143 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
7fe97c07 1144 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1145 return 0;
1146 }
1147
1148 return 1;
1149}
0247086d 1150
61138358
MC		 1151int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1152 size_t chainidx, int *al)
0247086d
MC		 1153{
1154 if (!s->hit)
1155 return 1;
1156
1157 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1158 || !WPACKET_start_sub_packet_u16(pkt)
1159 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1160 || !WPACKET_close(pkt)) {
1161 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1162 return 0;
1163 }
1164
1165 return 1;
1166}
A mirror of the official openssl repository