]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Simplify ClientHello extension parsing
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e
MC		 1/*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
13
14/*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
e56c33b9 17int tls_parse_client_renegotiate(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 18{
19 unsigned int ilen;
20 const unsigned char *data;
21
22 /* Parse the length byte */
23 if (!PACKET_get_1(pkt, &ilen)
24 || !PACKET_get_bytes(pkt, &data, ilen)) {
e56c33b9 25 SSLerr(SSL_F_TLS_PARSE_CLIENT_RENEGOTIATE,
25670f3e
MC		 26 SSL_R_RENEGOTIATION_ENCODING_ERR);
27 *al = SSL_AD_ILLEGAL_PARAMETER;
28 return 0;
29 }
30
31 /* Check that the extension matches */
32 if (ilen != s->s3->previous_client_finished_len) {
e56c33b9 33 SSLerr(SSL_F_TLS_PARSE_CLIENT_RENEGOTIATE,
25670f3e
MC		 34 SSL_R_RENEGOTIATION_MISMATCH);
35 *al = SSL_AD_HANDSHAKE_FAILURE;
36 return 0;
37 }
38
39 if (memcmp(data, s->s3->previous_client_finished,
40 s->s3->previous_client_finished_len)) {
e56c33b9 41 SSLerr(SSL_F_TLS_PARSE_CLIENT_RENEGOTIATE,
25670f3e
MC		 42 SSL_R_RENEGOTIATION_MISMATCH);
43 *al = SSL_AD_HANDSHAKE_FAILURE;
44 return 0;
45 }
46
47 s->s3->send_connection_binding = 1;
48
49 return 1;
50}
51
e56c33b9 52int tls_parse_client_server_name(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 53{
54 unsigned int servname_type;
55 PACKET sni, hostname;
56
57 /*-
58 * The servername extension is treated as follows:
59 *
60 * - Only the hostname type is supported with a maximum length of 255.
61 * - The servername is rejected if too long or if it contains zeros,
62 * in which case an fatal alert is generated.
63 * - The servername field is maintained together with the session cache.
64 * - When a session is resumed, the servername call back invoked in order
65 * to allow the application to position itself to the right context.
66 * - The servername is acknowledged if it is new for a session or when
67 * it is identical to a previously used for the same session.
68 * Applications can control the behaviour. They can at any time
69 * set a 'desirable' servername for a new SSL object. This can be the
70 * case for example with HTTPS when a Host: header field is received and
71 * a renegotiation is requested. In this case, a possible servername
72 * presented in the new client hello is only acknowledged if it matches
73 * the value of the Host: field.
74 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
75 * if they provide for changing an explicit servername context for the
76 * session, i.e. when the session has been established with a servername
77 * extension.
78 * - On session reconnect, the servername extension may be absent.
79 *
80 */
81 if (!PACKET_as_length_prefixed_2(pkt, &sni)
82 /* ServerNameList must be at least 1 byte long. */
83 || PACKET_remaining(&sni) == 0) {
84 *al = SSL_AD_DECODE_ERROR;
85 return 0;
86 }
87
88 /*
89 * Although the server_name extension was intended to be
90 * extensible to new name types, RFC 4366 defined the
91 * syntax inextensibility and OpenSSL 1.0.x parses it as
92 * such.
93 * RFC 6066 corrected the mistake but adding new name types
94 * is nevertheless no longer feasible, so act as if no other
95 * SNI types can exist, to simplify parsing.
96 *
97 * Also note that the RFC permits only one SNI value per type,
98 * i.e., we can only have a single hostname.
99 */
100 if (!PACKET_get_1(&sni, &servname_type)
101 || servname_type != TLSEXT_NAMETYPE_host_name
102 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
103 *al = SSL_AD_DECODE_ERROR;
104 return 0;
105 }
106
107 if (!s->hit) {
108 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
109 *al = TLS1_AD_UNRECOGNIZED_NAME;
110 return 0;
111 }
112
113 if (PACKET_contains_zero_byte(&hostname)) {
114 *al = TLS1_AD_UNRECOGNIZED_NAME;
115 return 0;
116 }
117
118 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
119 *al = TLS1_AD_INTERNAL_ERROR;
120 return 0;
121 }
122
123 s->servername_done = 1;
124 } else {
125 /*
126 * TODO(openssl-team): if the SNI doesn't match, we MUST
127 * fall back to a full handshake.
128 */
129 s->servername_done = s->session->tlsext_hostname
130 && PACKET_equal(&hostname, s->session->tlsext_hostname,
131 strlen(s->session->tlsext_hostname));
132 }
133
134 return 1;
135}
136
137#ifndef OPENSSL_NO_SRP
e56c33b9 138int tls_parse_client_srp(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 139{
140 PACKET srp_I;
141
142 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
143 || PACKET_contains_zero_byte(&srp_I)) {
144 *al = SSL_AD_DECODE_ERROR;
145 return 0;
146 }
147
148 /*
149 * TODO(openssl-team): currently, we re-authenticate the user
150 * upon resumption. Instead, we MUST ignore the login.
151 */
152 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
153 *al = TLS1_AD_INTERNAL_ERROR;
154 return 0;
155 }
156
157 return 1;
158}
159#endif
160
161#ifndef OPENSSL_NO_EC
e56c33b9 162int tls_parse_client_ec_pt_formats(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 163{
164 PACKET ec_point_format_list;
165
166 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
167 || PACKET_remaining(&ec_point_format_list) == 0) {
168 *al = SSL_AD_DECODE_ERROR;
169 return 0;
170 }
171
172 if (!s->hit) {
173 if (!PACKET_memdup(&ec_point_format_list,
174 &s->session->tlsext_ecpointformatlist,
175 &s->session->tlsext_ecpointformatlist_length)) {
176 *al = TLS1_AD_INTERNAL_ERROR;
177 return 0;
178 }
179 }
180
181 return 1;
182}
183#endif /* OPENSSL_NO_EC */
184
e56c33b9 185int tls_parse_client_session_ticket(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 186{
187 if (s->tls_session_ticket_ext_cb &&
188 !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
189 PACKET_remaining(pkt),
190 s->tls_session_ticket_ext_cb_arg)) {
191 *al = TLS1_AD_INTERNAL_ERROR;
192 return 0;
193 }
194
195 return 1;
196}
197
e56c33b9 198int tls_parse_client_sig_algs(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 199{
200 PACKET supported_sig_algs;
201
202 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
203 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
204 || PACKET_remaining(&supported_sig_algs) == 0) {
205 *al = SSL_AD_DECODE_ERROR;
206 return 0;
207 }
208
209 if (!s->hit && !tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
210 PACKET_remaining(&supported_sig_algs))) {
211 *al = TLS1_AD_INTERNAL_ERROR;
212 return 0;
213 }
214
215 return 1;
216}
217
ab83e314 218#ifndef OPENSSL_NO_OCSP
e56c33b9 219int tls_parse_client_status_request(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 220{
221 if (!PACKET_get_1(pkt, (unsigned int *)&s->tlsext_status_type)) {
222 *al = SSL_AD_DECODE_ERROR;
223 return 0;
224 }
ab83e314 225
25670f3e
MC		 226 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
227 const unsigned char *ext_data;
228 PACKET responder_id_list, exts;
229 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
230 *al = SSL_AD_DECODE_ERROR;
231 return 0;
232 }
233
234 /*
235 * We remove any OCSP_RESPIDs from a previous handshake
236 * to prevent unbounded memory growth - CVE-2016-6304
237 */
238 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
239 if (PACKET_remaining(&responder_id_list) > 0) {
240 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
241 if (s->tlsext_ocsp_ids == NULL) {
242 *al = SSL_AD_INTERNAL_ERROR;
243 return 0;
244 }
245 } else {
246 s->tlsext_ocsp_ids = NULL;
247 }
248
249 while (PACKET_remaining(&responder_id_list) > 0) {
250 OCSP_RESPID *id;
251 PACKET responder_id;
252 const unsigned char *id_data;
253
254 if (!PACKET_get_length_prefixed_2(&responder_id_list,
255 &responder_id)
256 || PACKET_remaining(&responder_id) == 0) {
257 *al = SSL_AD_DECODE_ERROR;
258 return 0;
259 }
260
261 id_data = PACKET_data(&responder_id);
262 /* TODO(size_t): Convert d2i_* to size_t */
263 id = d2i_OCSP_RESPID(NULL, &id_data,
264 (int)PACKET_remaining(&responder_id));
265 if (id == NULL) {
266 *al = SSL_AD_DECODE_ERROR;
267 return 0;
268 }
269
270 if (id_data != PACKET_end(&responder_id)) {
271 OCSP_RESPID_free(id);
272 *al = SSL_AD_DECODE_ERROR;
273 return 0;
274 }
275
276 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
277 OCSP_RESPID_free(id);
278 *al = SSL_AD_INTERNAL_ERROR;
279 return 0;
280 }
281 }
282
283 /* Read in request_extensions */
284 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
285 *al = SSL_AD_DECODE_ERROR;
286 return 0;
287 }
288
289 if (PACKET_remaining(&exts) > 0) {
290 ext_data = PACKET_data(&exts);
291 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
292 X509_EXTENSION_free);
293 s->tlsext_ocsp_exts =
294 d2i_X509_EXTENSIONS(NULL, &ext_data,
295 (int)PACKET_remaining(&exts));
296 if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) {
297 *al = SSL_AD_DECODE_ERROR;
298 return 0;
299 }
300 }
ab83e314 301 } else {
25670f3e
MC		 302 /*
303 * We don't know what to do with any other type so ignore it.
304 */
305 s->tlsext_status_type = -1;
306 }
307
308 return 1;
309}
ab83e314 310#endif
25670f3e
MC		 311
312#ifndef OPENSSL_NO_NEXTPROTONEG
e56c33b9 313int tls_parse_client_npn(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 314{
315 if (s->s3->tmp.finish_md_len == 0) {
316 /*-
317 * We shouldn't accept this extension on a
318 * renegotiation.
319 *
320 * s->new_session will be set on renegotiation, but we
321 * probably shouldn't rely that it couldn't be set on
322 * the initial renegotiation too in certain cases (when
323 * there's some other reason to disallow resuming an
324 * earlier session -- the current code won't be doing
325 * anything like that, but this might change).
326 *
327 * A valid sign that there's been a previous handshake
328 * in this connection is if s->s3->tmp.finish_md_len >
329 * 0. (We are talking about a check that will happen
330 * in the Hello protocol round, well before a new
331 * Finished message could have been computed.)
332 */
333 s->s3->next_proto_neg_seen = 1;
334 }
335
336 return 1;
337}
338#endif
339
340/*
341 * Save the ALPN extension in a ClientHello.
342 * pkt: the contents of the ALPN extension, not including type and length.
343 * al: a pointer to the alert value to send in the event of a failure.
344 * returns: 1 on success, 0 on error.
345 */
e56c33b9 346int tls_parse_client_alpn(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 347{
348 PACKET protocol_list, save_protocol_list, protocol;
349
350 if (s->s3->tmp.finish_md_len != 0)
351 return 1;
352
353 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
354 || PACKET_remaining(&protocol_list) < 2) {
355 *al = SSL_AD_DECODE_ERROR;
356 return 0;
357 }
358
359 save_protocol_list = protocol_list;
360 do {
361 /* Protocol names can't be empty. */
362 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
363 || PACKET_remaining(&protocol) == 0) {
364 *al = SSL_AD_DECODE_ERROR;
365 return 0;
366 }
367 } while (PACKET_remaining(&protocol_list) != 0);
368
369 if (!PACKET_memdup(&save_protocol_list,
370 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
371 *al = TLS1_AD_INTERNAL_ERROR;
372 return 0;
373 }
374
375 return 1;
376}
377
378#ifndef OPENSSL_NO_SRTP
e56c33b9 379int tls_parse_client_use_srtp(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 380{
381 SRTP_PROTECTION_PROFILE *sprof;
382 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
383 unsigned int ct, mki_len, id;
384 int i, srtp_pref;
385 PACKET subpkt;
386
387 /* Ignore this if we have no SRTP profiles */
388 if (SSL_get_srtp_profiles(s) == NULL)
389 return 1;
390
391 /* Pull off the length of the cipher suite list and check it is even */
392 if (!PACKET_get_net_2(pkt, &ct)
393 || (ct & 1) != 0 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
e56c33b9 394 SSLerr(SSL_F_TLS_PARSE_CLIENT_USE_SRTP,
25670f3e
MC		 395 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
396 *al = SSL_AD_DECODE_ERROR;
397 return 0;
398 }
399
400 srvr = SSL_get_srtp_profiles(s);
401 s->srtp_profile = NULL;
402 /* Search all profiles for a match initially */
403 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
404
405 while (PACKET_remaining(&subpkt)) {
406 if (!PACKET_get_net_2(&subpkt, &id)) {
e56c33b9 407 SSLerr(SSL_F_TLS_PARSE_CLIENT_USE_SRTP,
25670f3e
MC		 408 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
409 *al = SSL_AD_DECODE_ERROR;
410 return 0;
411 }
412
413 /*
414 * Only look for match in profiles of higher preference than
415 * current match.
416 * If no profiles have been have been configured then this
417 * does nothing.
418 */
419 for (i = 0; i < srtp_pref; i++) {
420 sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
421 if (sprof->id == id) {
422 s->srtp_profile = sprof;
423 srtp_pref = i;
424 break;
425 }
426 }
427 }
428
429 /*
430 * Now extract the MKI value as a sanity check, but discard it for now
431 */
432 if (!PACKET_get_1(pkt, &mki_len)) {
e56c33b9 433 SSLerr(SSL_F_TLS_PARSE_CLIENT_USE_SRTP,
25670f3e
MC		 434 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
435 *al = SSL_AD_DECODE_ERROR;
436 return 0;
437 }
438
439 if (!PACKET_forward(pkt, mki_len)
440 || PACKET_remaining(pkt)) {
e56c33b9 441 SSLerr(SSL_F_TLS_PARSE_CLIENT_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 442 *al = SSL_AD_DECODE_ERROR;
443 return 0;
444 }
445
446 return 1;
447}
448#endif
449
e56c33b9 450int tls_parse_client_etm(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 451{
452 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
453 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
454
455 return 1;
456}
457
458/*
459 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
460 * and |checkallow| is 1 then additionally check if the group is allowed to be
461 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
462 * 1) or 0 otherwise.
463 */
464static int check_in_list(SSL *s, unsigned int group_id,
465 const unsigned char *groups, size_t num_groups,
466 int checkallow)
467{
468 size_t i;
469
470 if (groups == NULL || num_groups == 0)
471 return 0;
472
473 for (i = 0; i < num_groups; i++, groups += 2) {
474 unsigned int share_id = (groups[0] << 8) | (groups[1]);
475
476 if (group_id == share_id
477 && (!checkallow || tls_curve_allowed(s, groups,
478 SSL_SECOP_CURVE_CHECK))) {
479 break;
480 }
481 }
482
483 /* If i == num_groups then not in the list */
484 return i < num_groups;
485}
486
487/*
488 * Process a key_share extension received in the ClientHello. |pkt| contains
489 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
490 * If a failure occurs then |*al| is set to an appropriate alert value.
491 */
e56c33b9 492int tls_parse_client_key_share(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 493{
494 unsigned int group_id;
495 PACKET key_share_list, encoded_pt;
496 const unsigned char *clntcurves, *srvrcurves;
497 size_t clnt_num_curves, srvr_num_curves;
498 int group_nid, found = 0;
499 unsigned int curve_flags;
500
501 if (s->hit)
502 return 1;
503
504 /* Sanity check */
505 if (s->s3->peer_tmp != NULL) {
506 *al = SSL_AD_INTERNAL_ERROR;
e56c33b9 507 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 508 return 0;
509 }
510
511 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
512 *al = SSL_AD_HANDSHAKE_FAILURE;
e56c33b9 513 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 514 return 0;
515 }
516
517 /* Get our list of supported curves */
518 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
519 *al = SSL_AD_INTERNAL_ERROR;
e56c33b9 520 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 521 return 0;
522 }
523
24b8e4b2
MC		 524 /*
525 * Get the clients list of supported curves. Note: We rely on the fact
526 * extension parsing happens in order of type. supported_groups has a lower
527 * type than key_share so will have been processed first.
528 * TODO(TLS1.3): We should validate that we actually received
529 * supported_groups!
530 */
25670f3e
MC		 531 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
532 *al = SSL_AD_INTERNAL_ERROR;
e56c33b9 533 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 534 return 0;
535 }
536
537 while (PACKET_remaining(&key_share_list) > 0) {
538 if (!PACKET_get_net_2(&key_share_list, &group_id)
539 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
540 || PACKET_remaining(&encoded_pt) == 0) {
541 *al = SSL_AD_HANDSHAKE_FAILURE;
e56c33b9 542 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE,
25670f3e
MC		 543 SSL_R_LENGTH_MISMATCH);
544 return 0;
545 }
546
547 /*
548 * If we already found a suitable key_share we loop through the
549 * rest to verify the structure, but don't process them.
550 */
551 if (found)
552 continue;
553
554 /* Check if this share is in supported_groups sent from client */
555 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
556 *al = SSL_AD_HANDSHAKE_FAILURE;
e56c33b9 557 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 558 return 0;
559 }
560
561 /* Check if this share is for a group we can use */
562 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
563 /* Share not suitable */
564 continue;
565 }
566
567 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
568
569 if (group_nid == 0) {
570 *al = SSL_AD_INTERNAL_ERROR;
e56c33b9 571 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE,
25670f3e
MC		 572 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
573 return 0;
574 }
575
576 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
577 /* Can happen for some curves, e.g. X25519 */
578 EVP_PKEY *key = EVP_PKEY_new();
579
580 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
581 *al = SSL_AD_INTERNAL_ERROR;
e56c33b9 582 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 583 EVP_PKEY_free(key);
584 return 0;
585 }
586 s->s3->peer_tmp = key;
587 } else {
588 /* Set up EVP_PKEY with named curve as parameters */
589 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
590 if (pctx == NULL
591 || EVP_PKEY_paramgen_init(pctx) <= 0
592 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
593 group_nid) <= 0
594 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
595 *al = SSL_AD_INTERNAL_ERROR;
e56c33b9 596 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 597 EVP_PKEY_CTX_free(pctx);
598 return 0;
599 }
600 EVP_PKEY_CTX_free(pctx);
601 pctx = NULL;
602 }
603 s->s3->group_id = group_id;
604
605 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
606 PACKET_data(&encoded_pt),
607 PACKET_remaining(&encoded_pt))) {
608 *al = SSL_AD_DECODE_ERROR;
e56c33b9 609 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 610 return 0;
611 }
612
613 found = 1;
614 }
615
616 return 1;
617}
618
619#ifndef OPENSSL_NO_EC
e56c33b9 620int tls_parse_client_supported_groups(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 621{
622 PACKET supported_groups_list;
623
624 /* Each group is 2 bytes and we must have at least 1. */
625 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
626 || PACKET_remaining(&supported_groups_list) == 0
627 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
628 *al = SSL_AD_DECODE_ERROR;
629 return 0;
630 }
631
632 if (!s->hit
633 && !PACKET_memdup(&supported_groups_list,
634 &s->session->tlsext_supportedgroupslist,
635 &s->session->tlsext_supportedgroupslist_length)) {
636 *al = SSL_AD_DECODE_ERROR;
637 return 0;
638 }
639
640 return 1;
641}
642#endif
643
e56c33b9 644int tls_parse_client_ems(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 645{
646 /* The extension must always be empty */
647 if (PACKET_remaining(pkt) != 0) {
648 *al = SSL_AD_DECODE_ERROR;
649 return 0;
650 }
651
652 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
653
654 return 1;
655}
7da160b0 656
7da160b0
MC		 657/* Add the server's renegotiation binding */
658int tls_construct_server_renegotiate(SSL *s, WPACKET *pkt, int *al)
659{
660 if (!s->s3->send_connection_binding)
661 return 1;
662
663 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
664 || !WPACKET_start_sub_packet_u16(pkt)
665 || !WPACKET_start_sub_packet_u8(pkt)
666 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
667 s->s3->previous_client_finished_len)
668 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
669 s->s3->previous_server_finished_len)
670 || !WPACKET_close(pkt)
671 || !WPACKET_close(pkt)) {
672 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
673 return 0;
674 }
675
676 return 1;
677}
678
679int tls_construct_server_server_name(SSL *s, WPACKET *pkt, int *al)
680{
681 if (s->hit || s->servername_done != 1
682 || s->session->tlsext_hostname == NULL)
683 return 1;
684
685 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
686 || !WPACKET_put_bytes_u16(pkt, 0)) {
687 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_SERVER_NAME, ERR_R_INTERNAL_ERROR);
688 return 0;
689 }
690
691 return 1;
692}
693
694#ifndef OPENSSL_NO_EC
695int tls_construct_server_ec_pt_formats(SSL *s, WPACKET *pkt, int *al)
696{
697 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
698 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
699 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
700 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
701 const unsigned char *plist;
702 size_t plistlen;
703
704 if (!using_ecc)
705 return 1;
706
707 tls1_get_formatlist(s, &plist, &plistlen);
708
709 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
710 || !WPACKET_start_sub_packet_u16(pkt)
711 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
712 || !WPACKET_close(pkt)) {
713 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
714 return 0;
715 }
716
717 return 1;
718}
719#endif
720
721int tls_construct_server_session_ticket(SSL *s, WPACKET *pkt, int *al)
722{
723 if (!s->tlsext_ticket_expected || !tls_use_ticket(s)) {
724 s->tlsext_ticket_expected = 0;
725 return 1;
726 }
727
728 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
729 || !WPACKET_put_bytes_u16(pkt, 0)) {
730 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
731 return 0;
732 }
733
734 return 1;
735}
736
ab83e314 737#ifndef OPENSSL_NO_OCSP
7da160b0
MC		 738int tls_construct_server_status_request(SSL *s, WPACKET *pkt, int *al)
739{
740 if (!s->tlsext_status_expected)
741 return 1;
742
743 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
744 || !WPACKET_put_bytes_u16(pkt, 0)) {
745 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
746 return 0;
747 }
748
749 return 1;
750}
ab83e314 751#endif
7da160b0
MC		 752
753
754#ifndef OPENSSL_NO_NEXTPROTONEG
755int tls_construct_server_next_proto_neg(SSL *s, WPACKET *pkt, int *al)
756{
757 const unsigned char *npa;
758 unsigned int npalen;
759 int ret;
760 int next_proto_neg_seen = s->s3->next_proto_neg_seen;
761
762 s->s3->next_proto_neg_seen = 0;
763 if (!next_proto_neg_seen || s->ctx->next_protos_advertised_cb == NULL)
764 return 1;
765
766 ret = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
767 s->ctx->next_protos_advertised_cb_arg);
768 if (ret == SSL_TLSEXT_ERR_OK) {
769 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
770 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
771 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_NEXT_PROTO_NEG,
772 ERR_R_INTERNAL_ERROR);
773 return 0;
774 }
775 s->s3->next_proto_neg_seen = 1;
776 }
777
778 return 1;
779}
780#endif
781
782int tls_construct_server_alpn(SSL *s, WPACKET *pkt, int *al)
783{
784 if (s->s3->alpn_selected == NULL)
785 return 1;
786
787 if (!WPACKET_put_bytes_u16(pkt,
788 TLSEXT_TYPE_application_layer_protocol_negotiation)
789 || !WPACKET_start_sub_packet_u16(pkt)
790 || !WPACKET_start_sub_packet_u16(pkt)
791 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
792 s->s3->alpn_selected_len)
793 || !WPACKET_close(pkt)
794 || !WPACKET_close(pkt)) {
795 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_ALPN, ERR_R_INTERNAL_ERROR);
796 return 0;
797 }
798
799 return 1;
800}
801
802#ifndef OPENSSL_NO_SRTP
803int tls_construct_server_use_srtp(SSL *s, WPACKET *pkt, int *al)
804{
805 if (s->srtp_profile == NULL)
806 return 1;
807
808 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
809 || !WPACKET_start_sub_packet_u16(pkt)
810 || !WPACKET_put_bytes_u16(pkt, 2)
811 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
812 || !WPACKET_put_bytes_u8(pkt, 0)
813 || !WPACKET_close(pkt)) {
814 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_USE_SRTP, ERR_R_INTERNAL_ERROR);
815 return 0;
816 }
817
818 return 1;
819}
820#endif
821
822int tls_construct_server_etm(SSL *s, WPACKET *pkt, int *al)
823{
824 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
825 return 1;
826
827 /*
828 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
829 * for other cases too.
830 */
831 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
832 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
833 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
834 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
835 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
836 return 1;
837 }
838
839 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
840 || !WPACKET_put_bytes_u16(pkt, 0)) {
841 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_ETM, ERR_R_INTERNAL_ERROR);
842 return 0;
843 }
844
845 return 1;
846}
847
848int tls_construct_server_ems(SSL *s, WPACKET *pkt, int *al)
849{
850 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
851 return 1;
852
853 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
854 || !WPACKET_put_bytes_u16(pkt, 0)) {
855 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_EMS, ERR_R_INTERNAL_ERROR);
856 return 0;
857 }
858
859 return 1;
860}
861
862int tls_construct_server_key_share(SSL *s, WPACKET *pkt, int *al)
863{
864 unsigned char *encodedPoint;
865 size_t encoded_pt_len = 0;
866 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
867
868 if (s->hit)
869 return 1;
870
871 if (ckey == NULL) {
872 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
873 return 0;
874 }
875
876 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
877 || !WPACKET_start_sub_packet_u16(pkt)
878 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
879 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
880 return 0;
881 }
882
883 skey = ssl_generate_pkey(ckey);
884 if (skey == NULL) {
885 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_MALLOC_FAILURE);
886 return 0;
887 }
888
889 /* Generate encoding of server key */
890 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
891 if (encoded_pt_len == 0) {
892 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_EC_LIB);
893 EVP_PKEY_free(skey);
894 return 0;
895 }
896
897 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
898 || !WPACKET_close(pkt)) {
899 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
900 EVP_PKEY_free(skey);
901 OPENSSL_free(encodedPoint);
902 return 0;
903 }
904 OPENSSL_free(encodedPoint);
905
906 /* This causes the crypto state to be updated based on the derived keys */
907 s->s3->tmp.pkey = skey;
908 if (ssl_derive(s, skey, ckey, 1) == 0) {
909 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
910 return 0;
911 }
912
913 return 1;
914}
915
916int tls_construct_server_cryptopro_bug(SSL *s, WPACKET *pkt, int *al)
917{
918 const unsigned char cryptopro_ext[36] = {
919 0xfd, 0xe8, /* 65000 */
920 0x00, 0x20, /* 32 bytes length */
921 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
922 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
923 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
924 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
925 };
926
927 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
928 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
929 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
930 return 1;
931
932 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
933 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
934 return 0;
935 }
936
937 return 1;
938}
A mirror of the official openssl repository