]>
Commit | Line | Data |
---|---|---|
25670f3e | 1 | /* |
b186a592 | 2 | * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. |
25670f3e MC |
3 | * |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <openssl/ocsp.h> | |
11 | #include "../ssl_locl.h" | |
12 | #include "statem_locl.h" | |
13 | ||
14 | /* | |
15 | * Parse the client's renegotiation binding and abort if it's not right | |
16 | */ | |
61138358 | 17 | int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context, |
f63a17d6 | 18 | X509 *x, size_t chainidx) |
25670f3e MC |
19 | { |
20 | unsigned int ilen; | |
21 | const unsigned char *data; | |
22 | ||
23 | /* Parse the length byte */ | |
24 | if (!PACKET_get_1(pkt, &ilen) | |
25 | || !PACKET_get_bytes(pkt, &data, ilen)) { | |
f63a17d6 MC |
26 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE, |
27 | SSL_R_RENEGOTIATION_ENCODING_ERR); | |
25670f3e MC |
28 | return 0; |
29 | } | |
30 | ||
31 | /* Check that the extension matches */ | |
32 | if (ilen != s->s3->previous_client_finished_len) { | |
f63a17d6 MC |
33 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE, |
34 | SSL_R_RENEGOTIATION_MISMATCH); | |
25670f3e MC |
35 | return 0; |
36 | } | |
37 | ||
38 | if (memcmp(data, s->s3->previous_client_finished, | |
39 | s->s3->previous_client_finished_len)) { | |
f63a17d6 MC |
40 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE, |
41 | SSL_R_RENEGOTIATION_MISMATCH); | |
25670f3e MC |
42 | return 0; |
43 | } | |
44 | ||
45 | s->s3->send_connection_binding = 1; | |
46 | ||
47 | return 1; | |
48 | } | |
49 | ||
1266eefd MC |
50 | /*- |
51 | * The servername extension is treated as follows: | |
52 | * | |
53 | * - Only the hostname type is supported with a maximum length of 255. | |
54 | * - The servername is rejected if too long or if it contains zeros, | |
55 | * in which case an fatal alert is generated. | |
56 | * - The servername field is maintained together with the session cache. | |
57 | * - When a session is resumed, the servername call back invoked in order | |
58 | * to allow the application to position itself to the right context. | |
59 | * - The servername is acknowledged if it is new for a session or when | |
60 | * it is identical to a previously used for the same session. | |
61 | * Applications can control the behaviour. They can at any time | |
62 | * set a 'desirable' servername for a new SSL object. This can be the | |
63 | * case for example with HTTPS when a Host: header field is received and | |
64 | * a renegotiation is requested. In this case, a possible servername | |
65 | * presented in the new client hello is only acknowledged if it matches | |
66 | * the value of the Host: field. | |
67 | * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | |
68 | * if they provide for changing an explicit servername context for the | |
69 | * session, i.e. when the session has been established with a servername | |
70 | * extension. | |
71 | * - On session reconnect, the servername extension may be absent. | |
72 | */ | |
61138358 | 73 | int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, |
f63a17d6 | 74 | X509 *x, size_t chainidx) |
25670f3e MC |
75 | { |
76 | unsigned int servname_type; | |
77 | PACKET sni, hostname; | |
78 | ||
25670f3e MC |
79 | if (!PACKET_as_length_prefixed_2(pkt, &sni) |
80 | /* ServerNameList must be at least 1 byte long. */ | |
81 | || PACKET_remaining(&sni) == 0) { | |
f63a17d6 MC |
82 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME, |
83 | SSL_R_BAD_EXTENSION); | |
25670f3e MC |
84 | return 0; |
85 | } | |
86 | ||
87 | /* | |
44e69951 F |
88 | * Although the intent was for server_name to be extensible, RFC 4366 |
89 | * was not clear about it; and so OpenSSL among other implementations, | |
90 | * always and only allows a 'host_name' name types. | |
25670f3e MC |
91 | * RFC 6066 corrected the mistake but adding new name types |
92 | * is nevertheless no longer feasible, so act as if no other | |
93 | * SNI types can exist, to simplify parsing. | |
94 | * | |
95 | * Also note that the RFC permits only one SNI value per type, | |
96 | * i.e., we can only have a single hostname. | |
97 | */ | |
98 | if (!PACKET_get_1(&sni, &servname_type) | |
99 | || servname_type != TLSEXT_NAMETYPE_host_name | |
100 | || !PACKET_as_length_prefixed_2(&sni, &hostname)) { | |
f63a17d6 MC |
101 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME, |
102 | SSL_R_BAD_EXTENSION); | |
25670f3e MC |
103 | return 0; |
104 | } | |
105 | ||
106 | if (!s->hit) { | |
107 | if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) { | |
f63a17d6 MC |
108 | SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, |
109 | SSL_F_TLS_PARSE_CTOS_SERVER_NAME, | |
110 | SSL_R_BAD_EXTENSION); | |
25670f3e MC |
111 | return 0; |
112 | } | |
113 | ||
114 | if (PACKET_contains_zero_byte(&hostname)) { | |
f63a17d6 MC |
115 | SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, |
116 | SSL_F_TLS_PARSE_CTOS_SERVER_NAME, | |
117 | SSL_R_BAD_EXTENSION); | |
25670f3e MC |
118 | return 0; |
119 | } | |
120 | ||
7d061fce MC |
121 | OPENSSL_free(s->session->ext.hostname); |
122 | s->session->ext.hostname = NULL; | |
aff8c126 | 123 | if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) { |
f63a17d6 MC |
124 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME, |
125 | ERR_R_INTERNAL_ERROR); | |
25670f3e MC |
126 | return 0; |
127 | } | |
128 | ||
129 | s->servername_done = 1; | |
130 | } else { | |
131 | /* | |
132 | * TODO(openssl-team): if the SNI doesn't match, we MUST | |
133 | * fall back to a full handshake. | |
134 | */ | |
aff8c126 RS |
135 | s->servername_done = s->session->ext.hostname |
136 | && PACKET_equal(&hostname, s->session->ext.hostname, | |
137 | strlen(s->session->ext.hostname)); | |
630369d9 MC |
138 | |
139 | if (!s->servername_done && s->session->ext.hostname != NULL) | |
140 | s->ext.early_data_ok = 0; | |
25670f3e MC |
141 | } |
142 | ||
143 | return 1; | |
144 | } | |
145 | ||
cf72c757 | 146 | int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, |
f63a17d6 | 147 | X509 *x, size_t chainidx) |
cf72c757 F |
148 | { |
149 | unsigned int value; | |
150 | ||
151 | if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { | |
f63a17d6 MC |
152 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN, |
153 | SSL_R_BAD_EXTENSION); | |
cf72c757 F |
154 | return 0; |
155 | } | |
156 | ||
157 | /* Received |value| should be a valid max-fragment-length code. */ | |
158 | if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { | |
f63a17d6 MC |
159 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
160 | SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN, | |
161 | SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); | |
cf72c757 F |
162 | return 0; |
163 | } | |
164 | ||
165 | /* | |
166 | * RFC 6066: The negotiated length applies for the duration of the session | |
167 | * including session resumptions. | |
168 | * We should receive the same code as in resumed session ! | |
169 | */ | |
170 | if (s->hit && s->session->ext.max_fragment_len_mode != value) { | |
f63a17d6 MC |
171 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
172 | SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN, | |
173 | SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); | |
cf72c757 F |
174 | return 0; |
175 | } | |
176 | ||
177 | /* | |
178 | * Store it in session, so it'll become binding for us | |
179 | * and we'll include it in a next Server Hello. | |
180 | */ | |
181 | s->session->ext.max_fragment_len_mode = value; | |
182 | return 1; | |
183 | } | |
184 | ||
25670f3e | 185 | #ifndef OPENSSL_NO_SRP |
61138358 | 186 | int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
f63a17d6 | 187 | size_t chainidx) |
25670f3e MC |
188 | { |
189 | PACKET srp_I; | |
190 | ||
191 | if (!PACKET_as_length_prefixed_1(pkt, &srp_I) | |
192 | || PACKET_contains_zero_byte(&srp_I)) { | |
f63a17d6 MC |
193 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
194 | SSL_F_TLS_PARSE_CTOS_SRP, | |
195 | SSL_R_BAD_EXTENSION); | |
25670f3e MC |
196 | return 0; |
197 | } | |
198 | ||
199 | /* | |
200 | * TODO(openssl-team): currently, we re-authenticate the user | |
201 | * upon resumption. Instead, we MUST ignore the login. | |
202 | */ | |
203 | if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) { | |
f63a17d6 MC |
204 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP, |
205 | ERR_R_INTERNAL_ERROR); | |
25670f3e MC |
206 | return 0; |
207 | } | |
208 | ||
209 | return 1; | |
210 | } | |
211 | #endif | |
212 | ||
213 | #ifndef OPENSSL_NO_EC | |
61138358 | 214 | int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, |
f63a17d6 | 215 | X509 *x, size_t chainidx) |
25670f3e MC |
216 | { |
217 | PACKET ec_point_format_list; | |
218 | ||
219 | if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list) | |
220 | || PACKET_remaining(&ec_point_format_list) == 0) { | |
f63a17d6 MC |
221 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, |
222 | SSL_R_BAD_EXTENSION); | |
25670f3e MC |
223 | return 0; |
224 | } | |
225 | ||
226 | if (!s->hit) { | |
227 | if (!PACKET_memdup(&ec_point_format_list, | |
aff8c126 RS |
228 | &s->session->ext.ecpointformats, |
229 | &s->session->ext.ecpointformats_len)) { | |
f63a17d6 MC |
230 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
231 | SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); | |
25670f3e MC |
232 | return 0; |
233 | } | |
234 | } | |
235 | ||
236 | return 1; | |
237 | } | |
238 | #endif /* OPENSSL_NO_EC */ | |
239 | ||
61138358 | 240 | int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, |
f63a17d6 | 241 | X509 *x, size_t chainidx) |
25670f3e | 242 | { |
aff8c126 RS |
243 | if (s->ext.session_ticket_cb && |
244 | !s->ext.session_ticket_cb(s, PACKET_data(pkt), | |
245 | PACKET_remaining(pkt), | |
246 | s->ext.session_ticket_cb_arg)) { | |
f63a17d6 MC |
247 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
248 | SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR); | |
25670f3e MC |
249 | return 0; |
250 | } | |
251 | ||
252 | return 1; | |
253 | } | |
254 | ||
61138358 | 255 | int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
f63a17d6 | 256 | size_t chainidx) |
25670f3e MC |
257 | { |
258 | PACKET supported_sig_algs; | |
259 | ||
260 | if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs) | |
25670f3e | 261 | || PACKET_remaining(&supported_sig_algs) == 0) { |
f63a17d6 MC |
262 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
263 | SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION); | |
25670f3e MC |
264 | return 0; |
265 | } | |
266 | ||
703bcee0 | 267 | if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) { |
f63a17d6 MC |
268 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
269 | SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION); | |
25670f3e MC |
270 | return 0; |
271 | } | |
272 | ||
273 | return 1; | |
274 | } | |
275 | ||
ab83e314 | 276 | #ifndef OPENSSL_NO_OCSP |
61138358 | 277 | int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, |
f63a17d6 | 278 | X509 *x, size_t chainidx) |
25670f3e | 279 | { |
1266eefd MC |
280 | PACKET responder_id_list, exts; |
281 | ||
e96e0f8e MC |
282 | /* Not defined if we get one of these in a client Certificate */ |
283 | if (x != NULL) | |
284 | return 1; | |
285 | ||
aff8c126 | 286 | if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) { |
f63a17d6 MC |
287 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
288 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); | |
25670f3e MC |
289 | return 0; |
290 | } | |
ab83e314 | 291 | |
aff8c126 | 292 | if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { |
25670f3e | 293 | /* |
1266eefd | 294 | * We don't know what to do with any other type so ignore it. |
25670f3e | 295 | */ |
aff8c126 | 296 | s->ext.status_type = TLSEXT_STATUSTYPE_nothing; |
1266eefd MC |
297 | return 1; |
298 | } | |
25670f3e | 299 | |
1266eefd | 300 | if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) { |
f63a17d6 MC |
301 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
302 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); | |
1266eefd MC |
303 | return 0; |
304 | } | |
25670f3e | 305 | |
1266eefd MC |
306 | /* |
307 | * We remove any OCSP_RESPIDs from a previous handshake | |
308 | * to prevent unbounded memory growth - CVE-2016-6304 | |
309 | */ | |
aff8c126 | 310 | sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free); |
1266eefd | 311 | if (PACKET_remaining(&responder_id_list) > 0) { |
aff8c126 RS |
312 | s->ext.ocsp.ids = sk_OCSP_RESPID_new_null(); |
313 | if (s->ext.ocsp.ids == NULL) { | |
f63a17d6 MC |
314 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
315 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE); | |
1266eefd MC |
316 | return 0; |
317 | } | |
318 | } else { | |
aff8c126 | 319 | s->ext.ocsp.ids = NULL; |
1266eefd | 320 | } |
25670f3e | 321 | |
1266eefd MC |
322 | while (PACKET_remaining(&responder_id_list) > 0) { |
323 | OCSP_RESPID *id; | |
324 | PACKET responder_id; | |
325 | const unsigned char *id_data; | |
25670f3e | 326 | |
1266eefd MC |
327 | if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id) |
328 | || PACKET_remaining(&responder_id) == 0) { | |
f63a17d6 MC |
329 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
330 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); | |
1266eefd MC |
331 | return 0; |
332 | } | |
25670f3e | 333 | |
1266eefd MC |
334 | id_data = PACKET_data(&responder_id); |
335 | /* TODO(size_t): Convert d2i_* to size_t */ | |
336 | id = d2i_OCSP_RESPID(NULL, &id_data, | |
337 | (int)PACKET_remaining(&responder_id)); | |
338 | if (id == NULL) { | |
f63a17d6 MC |
339 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
340 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); | |
1266eefd | 341 | return 0; |
25670f3e MC |
342 | } |
343 | ||
1266eefd MC |
344 | if (id_data != PACKET_end(&responder_id)) { |
345 | OCSP_RESPID_free(id); | |
f63a17d6 MC |
346 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
347 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); | |
348 | ||
25670f3e MC |
349 | return 0; |
350 | } | |
351 | ||
aff8c126 | 352 | if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) { |
1266eefd | 353 | OCSP_RESPID_free(id); |
f63a17d6 MC |
354 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
355 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); | |
356 | ||
1266eefd MC |
357 | return 0; |
358 | } | |
359 | } | |
360 | ||
361 | /* Read in request_extensions */ | |
362 | if (!PACKET_as_length_prefixed_2(pkt, &exts)) { | |
f63a17d6 MC |
363 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
364 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); | |
1266eefd MC |
365 | return 0; |
366 | } | |
367 | ||
368 | if (PACKET_remaining(&exts) > 0) { | |
369 | const unsigned char *ext_data = PACKET_data(&exts); | |
370 | ||
aff8c126 | 371 | sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, |
1266eefd | 372 | X509_EXTENSION_free); |
aff8c126 | 373 | s->ext.ocsp.exts = |
1266eefd | 374 | d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts)); |
aff8c126 | 375 | if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) { |
f63a17d6 MC |
376 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
377 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); | |
1266eefd | 378 | return 0; |
25670f3e | 379 | } |
25670f3e MC |
380 | } |
381 | ||
382 | return 1; | |
383 | } | |
ab83e314 | 384 | #endif |
25670f3e MC |
385 | |
386 | #ifndef OPENSSL_NO_NEXTPROTONEG | |
61138358 | 387 | int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
f63a17d6 | 388 | size_t chainidx) |
25670f3e | 389 | { |
1266eefd MC |
390 | /* |
391 | * We shouldn't accept this extension on a | |
392 | * renegotiation. | |
1266eefd | 393 | */ |
c7f47786 | 394 | if (SSL_IS_FIRST_HANDSHAKE(s)) |
aff8c126 | 395 | s->s3->npn_seen = 1; |
25670f3e MC |
396 | |
397 | return 1; | |
398 | } | |
399 | #endif | |
400 | ||
401 | /* | |
1266eefd MC |
402 | * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN |
403 | * extension, not including type and length. |al| is a pointer to the alert | |
404 | * value to send in the event of a failure. Returns: 1 on success, 0 on error. | |
25670f3e | 405 | */ |
61138358 | 406 | int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
f63a17d6 | 407 | size_t chainidx) |
25670f3e MC |
408 | { |
409 | PACKET protocol_list, save_protocol_list, protocol; | |
410 | ||
c7f47786 | 411 | if (!SSL_IS_FIRST_HANDSHAKE(s)) |
25670f3e MC |
412 | return 1; |
413 | ||
414 | if (!PACKET_as_length_prefixed_2(pkt, &protocol_list) | |
415 | || PACKET_remaining(&protocol_list) < 2) { | |
f63a17d6 MC |
416 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN, |
417 | SSL_R_BAD_EXTENSION); | |
25670f3e MC |
418 | return 0; |
419 | } | |
420 | ||
421 | save_protocol_list = protocol_list; | |
422 | do { | |
423 | /* Protocol names can't be empty. */ | |
424 | if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol) | |
425 | || PACKET_remaining(&protocol) == 0) { | |
f63a17d6 MC |
426 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN, |
427 | SSL_R_BAD_EXTENSION); | |
25670f3e MC |
428 | return 0; |
429 | } | |
430 | } while (PACKET_remaining(&protocol_list) != 0); | |
431 | ||
7d061fce MC |
432 | OPENSSL_free(s->s3->alpn_proposed); |
433 | s->s3->alpn_proposed = NULL; | |
434 | s->s3->alpn_proposed_len = 0; | |
25670f3e MC |
435 | if (!PACKET_memdup(&save_protocol_list, |
436 | &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) { | |
f63a17d6 MC |
437 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN, |
438 | ERR_R_INTERNAL_ERROR); | |
25670f3e MC |
439 | return 0; |
440 | } | |
441 | ||
442 | return 1; | |
443 | } | |
444 | ||
445 | #ifndef OPENSSL_NO_SRTP | |
61138358 | 446 | int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
f63a17d6 | 447 | size_t chainidx) |
25670f3e | 448 | { |
25670f3e MC |
449 | STACK_OF(SRTP_PROTECTION_PROFILE) *srvr; |
450 | unsigned int ct, mki_len, id; | |
451 | int i, srtp_pref; | |
452 | PACKET subpkt; | |
453 | ||
454 | /* Ignore this if we have no SRTP profiles */ | |
455 | if (SSL_get_srtp_profiles(s) == NULL) | |
456 | return 1; | |
457 | ||
458 | /* Pull off the length of the cipher suite list and check it is even */ | |
1266eefd MC |
459 | if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0 |
460 | || !PACKET_get_sub_packet(pkt, &subpkt, ct)) { | |
f63a17d6 | 461 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP, |
25670f3e | 462 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); |
25670f3e MC |
463 | return 0; |
464 | } | |
465 | ||
466 | srvr = SSL_get_srtp_profiles(s); | |
467 | s->srtp_profile = NULL; | |
468 | /* Search all profiles for a match initially */ | |
469 | srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr); | |
470 | ||
471 | while (PACKET_remaining(&subpkt)) { | |
472 | if (!PACKET_get_net_2(&subpkt, &id)) { | |
f63a17d6 MC |
473 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP, |
474 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); | |
25670f3e MC |
475 | return 0; |
476 | } | |
477 | ||
478 | /* | |
479 | * Only look for match in profiles of higher preference than | |
480 | * current match. | |
481 | * If no profiles have been have been configured then this | |
482 | * does nothing. | |
483 | */ | |
484 | for (i = 0; i < srtp_pref; i++) { | |
d270de32 | 485 | SRTP_PROTECTION_PROFILE *sprof = |
1266eefd MC |
486 | sk_SRTP_PROTECTION_PROFILE_value(srvr, i); |
487 | ||
25670f3e MC |
488 | if (sprof->id == id) { |
489 | s->srtp_profile = sprof; | |
490 | srtp_pref = i; | |
491 | break; | |
492 | } | |
493 | } | |
494 | } | |
495 | ||
1266eefd | 496 | /* Now extract the MKI value as a sanity check, but discard it for now */ |
25670f3e | 497 | if (!PACKET_get_1(pkt, &mki_len)) { |
f63a17d6 MC |
498 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP, |
499 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); | |
25670f3e MC |
500 | return 0; |
501 | } | |
502 | ||
503 | if (!PACKET_forward(pkt, mki_len) | |
504 | || PACKET_remaining(pkt)) { | |
f63a17d6 MC |
505 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP, |
506 | SSL_R_BAD_SRTP_MKI_VALUE); | |
25670f3e MC |
507 | return 0; |
508 | } | |
509 | ||
510 | return 1; | |
511 | } | |
512 | #endif | |
513 | ||
61138358 | 514 | int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
f63a17d6 | 515 | size_t chainidx) |
25670f3e MC |
516 | { |
517 | if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) | |
28a31a0a | 518 | s->ext.use_etm = 1; |
25670f3e MC |
519 | |
520 | return 1; | |
521 | } | |
522 | ||
b2f7e8c0 MC |
523 | /* |
524 | * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains | |
525 | * the raw PACKET data for the extension. Returns 1 on success or 0 on failure. | |
526 | * If a failure occurs then |*al| is set to an appropriate alert value. | |
527 | */ | |
61138358 | 528 | int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context, |
f63a17d6 | 529 | X509 *x, size_t chainidx) |
b2f7e8c0 MC |
530 | { |
531 | #ifndef OPENSSL_NO_TLS1_3 | |
532 | PACKET psk_kex_modes; | |
533 | unsigned int mode; | |
534 | ||
535 | if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes) | |
536 | || PACKET_remaining(&psk_kex_modes) == 0) { | |
f63a17d6 MC |
537 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES, |
538 | SSL_R_BAD_EXTENSION); | |
b2f7e8c0 MC |
539 | return 0; |
540 | } | |
541 | ||
542 | while (PACKET_get_1(&psk_kex_modes, &mode)) { | |
543 | if (mode == TLSEXT_KEX_MODE_KE_DHE) | |
544 | s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE; | |
e3c0d76b MC |
545 | else if (mode == TLSEXT_KEX_MODE_KE |
546 | && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0) | |
b2f7e8c0 MC |
547 | s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; |
548 | } | |
549 | #endif | |
550 | ||
551 | return 1; | |
552 | } | |
553 | ||
25670f3e MC |
554 | /* |
555 | * Process a key_share extension received in the ClientHello. |pkt| contains | |
556 | * the raw PACKET data for the extension. Returns 1 on success or 0 on failure. | |
557 | * If a failure occurs then |*al| is set to an appropriate alert value. | |
558 | */ | |
61138358 | 559 | int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
f63a17d6 | 560 | size_t chainidx) |
25670f3e | 561 | { |
3cf96e88 | 562 | #ifndef OPENSSL_NO_TLS1_3 |
25670f3e MC |
563 | unsigned int group_id; |
564 | PACKET key_share_list, encoded_pt; | |
f48d826e DSH |
565 | const uint16_t *clntgroups, *srvrgroups; |
566 | size_t clnt_num_groups, srvr_num_groups; | |
43b95d73 | 567 | int found = 0; |
25670f3e | 568 | |
f4bbb37c | 569 | if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) |
25670f3e MC |
570 | return 1; |
571 | ||
572 | /* Sanity check */ | |
573 | if (s->s3->peer_tmp != NULL) { | |
f63a17d6 MC |
574 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, |
575 | ERR_R_INTERNAL_ERROR); | |
25670f3e MC |
576 | return 0; |
577 | } | |
578 | ||
579 | if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) { | |
f63a17d6 MC |
580 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, |
581 | SSL_R_LENGTH_MISMATCH); | |
25670f3e MC |
582 | return 0; |
583 | } | |
584 | ||
f48d826e DSH |
585 | /* Get our list of supported groups */ |
586 | tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups); | |
587 | /* Get the clients list of supported groups. */ | |
588 | tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups); | |
589 | if (clnt_num_groups == 0) { | |
b6fdc12d MC |
590 | /* |
591 | * This can only happen if the supported_groups extension was not sent, | |
592 | * because we verify that the length is non-zero when we process that | |
593 | * extension. | |
594 | */ | |
f63a17d6 MC |
595 | SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, |
596 | SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION); | |
b6fdc12d MC |
597 | return 0; |
598 | } | |
25670f3e MC |
599 | |
600 | while (PACKET_remaining(&key_share_list) > 0) { | |
601 | if (!PACKET_get_net_2(&key_share_list, &group_id) | |
602 | || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt) | |
603 | || PACKET_remaining(&encoded_pt) == 0) { | |
f63a17d6 MC |
604 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, |
605 | SSL_R_LENGTH_MISMATCH); | |
25670f3e MC |
606 | return 0; |
607 | } | |
608 | ||
609 | /* | |
610 | * If we already found a suitable key_share we loop through the | |
611 | * rest to verify the structure, but don't process them. | |
612 | */ | |
613 | if (found) | |
614 | continue; | |
615 | ||
616 | /* Check if this share is in supported_groups sent from client */ | |
f48d826e | 617 | if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) { |
f63a17d6 MC |
618 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
619 | SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE); | |
25670f3e MC |
620 | return 0; |
621 | } | |
622 | ||
623 | /* Check if this share is for a group we can use */ | |
f48d826e | 624 | if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) { |
25670f3e MC |
625 | /* Share not suitable */ |
626 | continue; | |
627 | } | |
628 | ||
612f9d22 | 629 | if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) { |
f63a17d6 | 630 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, |
25670f3e MC |
631 | SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); |
632 | return 0; | |
633 | } | |
634 | ||
25670f3e MC |
635 | s->s3->group_id = group_id; |
636 | ||
637 | if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp, | |
638 | PACKET_data(&encoded_pt), | |
639 | PACKET_remaining(&encoded_pt))) { | |
f63a17d6 MC |
640 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
641 | SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT); | |
25670f3e MC |
642 | return 0; |
643 | } | |
644 | ||
645 | found = 1; | |
646 | } | |
3cf96e88 | 647 | #endif |
25670f3e MC |
648 | |
649 | return 1; | |
650 | } | |
651 | ||
652 | #ifndef OPENSSL_NO_EC | |
61138358 | 653 | int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, |
f63a17d6 | 654 | X509 *x, size_t chainidx) |
25670f3e MC |
655 | { |
656 | PACKET supported_groups_list; | |
657 | ||
658 | /* Each group is 2 bytes and we must have at least 1. */ | |
659 | if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list) | |
660 | || PACKET_remaining(&supported_groups_list) == 0 | |
661 | || (PACKET_remaining(&supported_groups_list) % 2) != 0) { | |
f63a17d6 MC |
662 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
663 | SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION); | |
25670f3e MC |
664 | return 0; |
665 | } | |
666 | ||
e3743355 BK |
667 | if (!s->hit || SSL_IS_TLS13(s)) { |
668 | OPENSSL_free(s->session->ext.supportedgroups); | |
669 | s->session->ext.supportedgroups = NULL; | |
670 | s->session->ext.supportedgroups_len = 0; | |
9e84a42d | 671 | if (!tls1_save_u16(&supported_groups_list, |
e3743355 BK |
672 | &s->session->ext.supportedgroups, |
673 | &s->session->ext.supportedgroups_len)) { | |
f63a17d6 MC |
674 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
675 | SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, | |
676 | ERR_R_INTERNAL_ERROR); | |
e3743355 BK |
677 | return 0; |
678 | } | |
25670f3e MC |
679 | } |
680 | ||
681 | return 1; | |
682 | } | |
683 | #endif | |
684 | ||
61138358 | 685 | int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
f63a17d6 | 686 | size_t chainidx) |
25670f3e MC |
687 | { |
688 | /* The extension must always be empty */ | |
689 | if (PACKET_remaining(pkt) != 0) { | |
f63a17d6 MC |
690 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
691 | SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION); | |
25670f3e MC |
692 | return 0; |
693 | } | |
694 | ||
695 | s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; | |
696 | ||
697 | return 1; | |
698 | } | |
7da160b0 | 699 | |
38df5a45 MC |
700 | |
701 | int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, | |
f63a17d6 | 702 | X509 *x, size_t chainidx) |
38df5a45 MC |
703 | { |
704 | if (PACKET_remaining(pkt) != 0) { | |
f63a17d6 MC |
705 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
706 | SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION); | |
38df5a45 MC |
707 | return 0; |
708 | } | |
709 | ||
d4504fe5 | 710 | if (s->hello_retry_request) { |
f63a17d6 MC |
711 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
712 | SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION); | |
d4504fe5 MC |
713 | return 0; |
714 | } | |
715 | ||
38df5a45 MC |
716 | return 1; |
717 | } | |
718 | ||
61138358 | 719 | int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
f63a17d6 | 720 | size_t chainidx) |
1053a6e2 MC |
721 | { |
722 | PACKET identities, binders, binder; | |
723 | size_t binderoffset, hashsize; | |
724 | SSL_SESSION *sess = NULL; | |
3a7c56b2 | 725 | unsigned int id, i, ext = 0; |
1053a6e2 MC |
726 | const EVP_MD *md = NULL; |
727 | ||
1a9f457c MC |
728 | /* |
729 | * If we have no PSK kex mode that we recognise then we can't resume so | |
730 | * ignore this extension | |
731 | */ | |
732 | if ((s->ext.psk_kex_mode | |
733 | & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0) | |
734 | return 1; | |
735 | ||
1053a6e2 | 736 | if (!PACKET_get_length_prefixed_2(pkt, &identities)) { |
f63a17d6 MC |
737 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
738 | SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION); | |
1053a6e2 MC |
739 | return 0; |
740 | } | |
741 | ||
742 | for (id = 0; PACKET_remaining(&identities) != 0; id++) { | |
743 | PACKET identity; | |
2c604cb9 | 744 | unsigned long ticket_agel; |
1053a6e2 MC |
745 | |
746 | if (!PACKET_get_length_prefixed_2(&identities, &identity) | |
2c604cb9 | 747 | || !PACKET_get_net_4(&identities, &ticket_agel)) { |
f63a17d6 MC |
748 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
749 | SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION); | |
1053a6e2 MC |
750 | return 0; |
751 | } | |
752 | ||
3a7c56b2 | 753 | if (s->psk_find_session_cb != NULL |
011d768a MC |
754 | && !s->psk_find_session_cb(s, PACKET_data(&identity), |
755 | PACKET_remaining(&identity), | |
756 | &sess)) { | |
f63a17d6 MC |
757 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
758 | SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION); | |
011d768a MC |
759 | return 0; |
760 | } | |
761 | ||
762 | if (sess != NULL) { | |
763 | /* We found a PSK */ | |
3a7c56b2 | 764 | SSL_SESSION *sesstmp = ssl_session_dup(sess, 0); |
1b8bacff | 765 | |
3a7c56b2 | 766 | if (sesstmp == NULL) { |
f63a17d6 MC |
767 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
768 | SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR); | |
3a7c56b2 MC |
769 | return 0; |
770 | } | |
771 | SSL_SESSION_free(sess); | |
772 | sess = sesstmp; | |
773 | ||
774 | /* | |
775 | * We've just been told to use this session for this context so | |
776 | * make sure the sid_ctx matches up. | |
777 | */ | |
778 | memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length); | |
779 | sess->sid_ctx_length = s->sid_ctx_length; | |
780 | ext = 1; | |
630369d9 MC |
781 | if (id == 0) |
782 | s->ext.early_data_ok = 1; | |
3a7c56b2 MC |
783 | } else { |
784 | uint32_t ticket_age = 0, now, agesec, agems; | |
785 | int ret = tls_decrypt_ticket(s, PACKET_data(&identity), | |
786 | PACKET_remaining(&identity), NULL, 0, | |
787 | &sess); | |
788 | ||
789 | if (ret == TICKET_FATAL_ERR_MALLOC | |
790 | || ret == TICKET_FATAL_ERR_OTHER) { | |
f63a17d6 MC |
791 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
792 | SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR); | |
3a7c56b2 MC |
793 | return 0; |
794 | } | |
795 | if (ret == TICKET_NO_DECRYPT) | |
796 | continue; | |
797 | ||
798 | ticket_age = (uint32_t)ticket_agel; | |
799 | now = (uint32_t)time(NULL); | |
800 | agesec = now - (uint32_t)sess->time; | |
801 | agems = agesec * (uint32_t)1000; | |
802 | ticket_age -= sess->ext.tick_age_add; | |
803 | ||
804 | /* | |
805 | * For simplicity we do our age calculations in seconds. If the | |
806 | * client does it in ms then it could appear that their ticket age | |
807 | * is longer than ours (our ticket age calculation should always be | |
808 | * slightly longer than the client's due to the network latency). | |
809 | * Therefore we add 1000ms to our age calculation to adjust for | |
810 | * rounding errors. | |
811 | */ | |
630369d9 MC |
812 | if (id == 0 |
813 | && sess->timeout >= (long)agesec | |
3a7c56b2 MC |
814 | && agems / (uint32_t)1000 == agesec |
815 | && ticket_age <= agems + 1000 | |
816 | && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) { | |
817 | /* | |
818 | * Ticket age is within tolerance and not expired. We allow it | |
819 | * for early data | |
820 | */ | |
821 | s->ext.early_data_ok = 1; | |
822 | } | |
1053a6e2 | 823 | } |
1053a6e2 | 824 | |
534a43ff | 825 | md = ssl_md(sess->cipher->algorithm2); |
0de6d66d MC |
826 | if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) { |
827 | /* The ciphersuite is not compatible with this session. */ | |
1053a6e2 MC |
828 | SSL_SESSION_free(sess); |
829 | sess = NULL; | |
630369d9 | 830 | s->ext.early_data_ok = 0; |
1053a6e2 MC |
831 | continue; |
832 | } | |
1053a6e2 MC |
833 | break; |
834 | } | |
835 | ||
836 | if (sess == NULL) | |
837 | return 1; | |
838 | ||
839 | binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data; | |
1053a6e2 MC |
840 | hashsize = EVP_MD_size(md); |
841 | ||
842 | if (!PACKET_get_length_prefixed_2(pkt, &binders)) { | |
f63a17d6 MC |
843 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK, |
844 | SSL_R_BAD_EXTENSION); | |
1053a6e2 MC |
845 | goto err; |
846 | } | |
847 | ||
848 | for (i = 0; i <= id; i++) { | |
849 | if (!PACKET_get_length_prefixed_1(&binders, &binder)) { | |
f63a17d6 MC |
850 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK, |
851 | SSL_R_BAD_EXTENSION); | |
1053a6e2 MC |
852 | goto err; |
853 | } | |
854 | } | |
855 | ||
856 | if (PACKET_remaining(&binder) != hashsize | |
857 | || tls_psk_do_binder(s, md, | |
858 | (const unsigned char *)s->init_buf->data, | |
859 | binderoffset, PACKET_data(&binder), NULL, | |
3a7c56b2 | 860 | sess, 0, ext) != 1) { |
635c8f77 | 861 | /* SSLfatal() already called */ |
1053a6e2 MC |
862 | goto err; |
863 | } | |
864 | ||
865 | sess->ext.tick_identity = id; | |
2c604cb9 | 866 | |
1053a6e2 MC |
867 | SSL_SESSION_free(s->session); |
868 | s->session = sess; | |
1053a6e2 MC |
869 | return 1; |
870 | err: | |
312e9387 | 871 | SSL_SESSION_free(sess); |
1053a6e2 MC |
872 | return 0; |
873 | } | |
874 | ||
1266eefd MC |
875 | /* |
876 | * Add the server's renegotiation binding | |
877 | */ | |
b186a592 MC |
878 | EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, |
879 | unsigned int context, X509 *x, | |
f63a17d6 | 880 | size_t chainidx) |
7da160b0 MC |
881 | { |
882 | if (!s->s3->send_connection_binding) | |
b186a592 | 883 | return EXT_RETURN_NOT_SENT; |
7da160b0 | 884 | |
db0f35dd | 885 | /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */ |
7da160b0 MC |
886 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) |
887 | || !WPACKET_start_sub_packet_u16(pkt) | |
888 | || !WPACKET_start_sub_packet_u8(pkt) | |
889 | || !WPACKET_memcpy(pkt, s->s3->previous_client_finished, | |
890 | s->s3->previous_client_finished_len) | |
891 | || !WPACKET_memcpy(pkt, s->s3->previous_server_finished, | |
892 | s->s3->previous_server_finished_len) | |
893 | || !WPACKET_close(pkt) | |
894 | || !WPACKET_close(pkt)) { | |
f63a17d6 MC |
895 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, |
896 | ERR_R_INTERNAL_ERROR); | |
b186a592 | 897 | return EXT_RETURN_FAIL; |
7da160b0 MC |
898 | } |
899 | ||
b186a592 | 900 | return EXT_RETURN_SENT; |
7da160b0 MC |
901 | } |
902 | ||
b186a592 MC |
903 | EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, |
904 | unsigned int context, X509 *x, | |
f63a17d6 | 905 | size_t chainidx) |
7da160b0 MC |
906 | { |
907 | if (s->hit || s->servername_done != 1 | |
aff8c126 | 908 | || s->session->ext.hostname == NULL) |
b186a592 | 909 | return EXT_RETURN_NOT_SENT; |
7da160b0 MC |
910 | |
911 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) | |
912 | || !WPACKET_put_bytes_u16(pkt, 0)) { | |
f63a17d6 MC |
913 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, |
914 | ERR_R_INTERNAL_ERROR); | |
b186a592 | 915 | return EXT_RETURN_FAIL; |
7da160b0 MC |
916 | } |
917 | ||
b186a592 | 918 | return EXT_RETURN_SENT; |
7da160b0 MC |
919 | } |
920 | ||
cf72c757 F |
921 | /* Add/include the server's max fragment len extension into ServerHello */ |
922 | EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, | |
923 | unsigned int context, X509 *x, | |
f63a17d6 | 924 | size_t chainidx) |
cf72c757 F |
925 | { |
926 | if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) | |
927 | return EXT_RETURN_NOT_SENT; | |
928 | ||
929 | /*- | |
930 | * 4 bytes for this extension type and extension length | |
931 | * 1 byte for the Max Fragment Length code value. | |
932 | */ | |
933 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) | |
934 | || !WPACKET_start_sub_packet_u16(pkt) | |
935 | || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode) | |
936 | || !WPACKET_close(pkt)) { | |
f63a17d6 MC |
937 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
938 | SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR); | |
cf72c757 F |
939 | return EXT_RETURN_FAIL; |
940 | } | |
941 | ||
942 | return EXT_RETURN_SENT; | |
943 | } | |
944 | ||
7da160b0 | 945 | #ifndef OPENSSL_NO_EC |
b186a592 MC |
946 | EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, |
947 | unsigned int context, X509 *x, | |
f63a17d6 | 948 | size_t chainidx) |
7da160b0 MC |
949 | { |
950 | unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | |
951 | unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; | |
89247375 | 952 | int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) |
aff8c126 | 953 | && (s->session->ext.ecpointformats != NULL); |
7da160b0 MC |
954 | const unsigned char *plist; |
955 | size_t plistlen; | |
956 | ||
957 | if (!using_ecc) | |
b186a592 | 958 | return EXT_RETURN_NOT_SENT; |
7da160b0 MC |
959 | |
960 | tls1_get_formatlist(s, &plist, &plistlen); | |
7da160b0 MC |
961 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) |
962 | || !WPACKET_start_sub_packet_u16(pkt) | |
963 | || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen) | |
964 | || !WPACKET_close(pkt)) { | |
f63a17d6 MC |
965 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
966 | SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); | |
b186a592 | 967 | return EXT_RETURN_FAIL; |
7da160b0 MC |
968 | } |
969 | ||
b186a592 | 970 | return EXT_RETURN_SENT; |
7da160b0 MC |
971 | } |
972 | #endif | |
973 | ||
cf53cbea | 974 | #ifndef OPENSSL_NO_EC |
b186a592 MC |
975 | EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, |
976 | unsigned int context, X509 *x, | |
f63a17d6 | 977 | size_t chainidx) |
6af87546 | 978 | { |
9e84a42d | 979 | const uint16_t *groups; |
6af87546 MC |
980 | size_t numgroups, i, first = 1; |
981 | ||
982 | /* s->s3->group_id is non zero if we accepted a key_share */ | |
983 | if (s->s3->group_id == 0) | |
b186a592 | 984 | return EXT_RETURN_NOT_SENT; |
6af87546 MC |
985 | |
986 | /* Get our list of supported groups */ | |
ff6d20a6 | 987 | tls1_get_supported_groups(s, &groups, &numgroups); |
34e5292c | 988 | if (numgroups == 0) { |
f63a17d6 MC |
989 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
990 | SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR); | |
b186a592 | 991 | return EXT_RETURN_FAIL; |
6af87546 MC |
992 | } |
993 | ||
994 | /* Copy group ID if supported */ | |
9e84a42d DSH |
995 | for (i = 0; i < numgroups; i++) { |
996 | uint16_t group = groups[i]; | |
997 | ||
998 | if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) { | |
6af87546 MC |
999 | if (first) { |
1000 | /* | |
1001 | * Check if the client is already using our preferred group. If | |
1002 | * so we don't need to add this extension | |
1003 | */ | |
9e84a42d | 1004 | if (s->s3->group_id == group) |
b186a592 | 1005 | return EXT_RETURN_NOT_SENT; |
6af87546 MC |
1006 | |
1007 | /* Add extension header */ | |
1008 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) | |
1009 | /* Sub-packet for supported_groups extension */ | |
1010 | || !WPACKET_start_sub_packet_u16(pkt) | |
1011 | || !WPACKET_start_sub_packet_u16(pkt)) { | |
f63a17d6 MC |
1012 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1013 | SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, | |
1014 | ERR_R_INTERNAL_ERROR); | |
b186a592 | 1015 | return EXT_RETURN_FAIL; |
6af87546 MC |
1016 | } |
1017 | ||
1018 | first = 0; | |
1019 | } | |
9e84a42d | 1020 | if (!WPACKET_put_bytes_u16(pkt, group)) { |
f63a17d6 MC |
1021 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1022 | SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, | |
1023 | ERR_R_INTERNAL_ERROR); | |
b186a592 | 1024 | return EXT_RETURN_FAIL; |
6af87546 MC |
1025 | } |
1026 | } | |
1027 | } | |
1028 | ||
1029 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { | |
f63a17d6 MC |
1030 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1031 | SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, | |
1032 | ERR_R_INTERNAL_ERROR); | |
b186a592 | 1033 | return EXT_RETURN_FAIL; |
6af87546 MC |
1034 | } |
1035 | ||
b186a592 | 1036 | return EXT_RETURN_SENT; |
6af87546 | 1037 | } |
cf53cbea | 1038 | #endif |
6af87546 | 1039 | |
b186a592 MC |
1040 | EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, |
1041 | unsigned int context, X509 *x, | |
f63a17d6 | 1042 | size_t chainidx) |
7da160b0 | 1043 | { |
aff8c126 RS |
1044 | if (!s->ext.ticket_expected || !tls_use_ticket(s)) { |
1045 | s->ext.ticket_expected = 0; | |
b186a592 | 1046 | return EXT_RETURN_NOT_SENT; |
7da160b0 MC |
1047 | } |
1048 | ||
1049 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) | |
1050 | || !WPACKET_put_bytes_u16(pkt, 0)) { | |
f63a17d6 MC |
1051 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1052 | SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR); | |
b186a592 | 1053 | return EXT_RETURN_FAIL; |
7da160b0 MC |
1054 | } |
1055 | ||
b186a592 | 1056 | return EXT_RETURN_SENT; |
7da160b0 MC |
1057 | } |
1058 | ||
ab83e314 | 1059 | #ifndef OPENSSL_NO_OCSP |
b186a592 MC |
1060 | EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, |
1061 | unsigned int context, X509 *x, | |
f63a17d6 | 1062 | size_t chainidx) |
7da160b0 | 1063 | { |
aff8c126 | 1064 | if (!s->ext.status_expected) |
b186a592 | 1065 | return EXT_RETURN_NOT_SENT; |
7da160b0 | 1066 | |
8521ced6 | 1067 | if (SSL_IS_TLS13(s) && chainidx != 0) |
b186a592 | 1068 | return EXT_RETURN_NOT_SENT; |
e96e0f8e | 1069 | |
7da160b0 | 1070 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) |
f63e4288 | 1071 | || !WPACKET_start_sub_packet_u16(pkt)) { |
f63a17d6 MC |
1072 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1073 | SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); | |
b186a592 | 1074 | return EXT_RETURN_FAIL; |
f63e4288 MC |
1075 | } |
1076 | ||
1077 | /* | |
1078 | * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we | |
1079 | * send back an empty extension, with the certificate status appearing as a | |
1080 | * separate message | |
1081 | */ | |
3ec8d113 MC |
1082 | if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) { |
1083 | /* SSLfatal() already called */ | |
1084 | return EXT_RETURN_FAIL; | |
1085 | } | |
1086 | if (!WPACKET_close(pkt)) { | |
f63a17d6 MC |
1087 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1088 | SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); | |
b186a592 | 1089 | return EXT_RETURN_FAIL; |
7da160b0 MC |
1090 | } |
1091 | ||
b186a592 | 1092 | return EXT_RETURN_SENT; |
7da160b0 | 1093 | } |
ab83e314 | 1094 | #endif |
7da160b0 | 1095 | |
7da160b0 | 1096 | #ifndef OPENSSL_NO_NEXTPROTONEG |
b186a592 MC |
1097 | EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, |
1098 | unsigned int context, X509 *x, | |
f63a17d6 | 1099 | size_t chainidx) |
7da160b0 MC |
1100 | { |
1101 | const unsigned char *npa; | |
1102 | unsigned int npalen; | |
1103 | int ret; | |
aff8c126 | 1104 | int npn_seen = s->s3->npn_seen; |
7da160b0 | 1105 | |
aff8c126 RS |
1106 | s->s3->npn_seen = 0; |
1107 | if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL) | |
b186a592 | 1108 | return EXT_RETURN_NOT_SENT; |
7da160b0 | 1109 | |
aff8c126 RS |
1110 | ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen, |
1111 | s->ctx->ext.npn_advertised_cb_arg); | |
7da160b0 MC |
1112 | if (ret == SSL_TLSEXT_ERR_OK) { |
1113 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) | |
1114 | || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) { | |
f63a17d6 MC |
1115 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1116 | SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG, | |
1117 | ERR_R_INTERNAL_ERROR); | |
b186a592 | 1118 | return EXT_RETURN_FAIL; |
7da160b0 | 1119 | } |
aff8c126 | 1120 | s->s3->npn_seen = 1; |
7da160b0 MC |
1121 | } |
1122 | ||
b186a592 | 1123 | return EXT_RETURN_SENT; |
7da160b0 MC |
1124 | } |
1125 | #endif | |
1126 | ||
b186a592 | 1127 | EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, |
f63a17d6 | 1128 | X509 *x, size_t chainidx) |
7da160b0 MC |
1129 | { |
1130 | if (s->s3->alpn_selected == NULL) | |
b186a592 | 1131 | return EXT_RETURN_NOT_SENT; |
7da160b0 MC |
1132 | |
1133 | if (!WPACKET_put_bytes_u16(pkt, | |
1134 | TLSEXT_TYPE_application_layer_protocol_negotiation) | |
1135 | || !WPACKET_start_sub_packet_u16(pkt) | |
1136 | || !WPACKET_start_sub_packet_u16(pkt) | |
1137 | || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected, | |
1138 | s->s3->alpn_selected_len) | |
1139 | || !WPACKET_close(pkt) | |
1140 | || !WPACKET_close(pkt)) { | |
f63a17d6 MC |
1141 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1142 | SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR); | |
b186a592 | 1143 | return EXT_RETURN_FAIL; |
7da160b0 MC |
1144 | } |
1145 | ||
b186a592 | 1146 | return EXT_RETURN_SENT; |
7da160b0 MC |
1147 | } |
1148 | ||
1149 | #ifndef OPENSSL_NO_SRTP | |
b186a592 MC |
1150 | EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, |
1151 | unsigned int context, X509 *x, | |
f63a17d6 | 1152 | size_t chainidx) |
7da160b0 MC |
1153 | { |
1154 | if (s->srtp_profile == NULL) | |
b186a592 | 1155 | return EXT_RETURN_NOT_SENT; |
a1448c26 | 1156 | |
7da160b0 MC |
1157 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) |
1158 | || !WPACKET_start_sub_packet_u16(pkt) | |
1159 | || !WPACKET_put_bytes_u16(pkt, 2) | |
1160 | || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id) | |
1161 | || !WPACKET_put_bytes_u8(pkt, 0) | |
1162 | || !WPACKET_close(pkt)) { | |
f63a17d6 MC |
1163 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, |
1164 | ERR_R_INTERNAL_ERROR); | |
b186a592 | 1165 | return EXT_RETURN_FAIL; |
7da160b0 MC |
1166 | } |
1167 | ||
b186a592 | 1168 | return EXT_RETURN_SENT; |
7da160b0 MC |
1169 | } |
1170 | #endif | |
1171 | ||
b186a592 | 1172 | EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, |
f63a17d6 | 1173 | X509 *x, size_t chainidx) |
7da160b0 | 1174 | { |
28a31a0a | 1175 | if (!s->ext.use_etm) |
b186a592 | 1176 | return EXT_RETURN_NOT_SENT; |
7da160b0 MC |
1177 | |
1178 | /* | |
1179 | * Don't use encrypt_then_mac if AEAD or RC4 might want to disable | |
1180 | * for other cases too. | |
1181 | */ | |
1182 | if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD | |
1183 | || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4 | |
1184 | || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT | |
1185 | || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) { | |
28a31a0a | 1186 | s->ext.use_etm = 0; |
b186a592 | 1187 | return EXT_RETURN_NOT_SENT; |
7da160b0 MC |
1188 | } |
1189 | ||
1190 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) | |
1191 | || !WPACKET_put_bytes_u16(pkt, 0)) { | |
f63a17d6 MC |
1192 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM, |
1193 | ERR_R_INTERNAL_ERROR); | |
b186a592 | 1194 | return EXT_RETURN_FAIL; |
7da160b0 MC |
1195 | } |
1196 | ||
b186a592 | 1197 | return EXT_RETURN_SENT; |
7da160b0 MC |
1198 | } |
1199 | ||
b186a592 | 1200 | EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, |
f63a17d6 | 1201 | X509 *x, size_t chainidx) |
7da160b0 MC |
1202 | { |
1203 | if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) | |
b186a592 | 1204 | return EXT_RETURN_NOT_SENT; |
7da160b0 MC |
1205 | |
1206 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) | |
1207 | || !WPACKET_put_bytes_u16(pkt, 0)) { | |
f63a17d6 MC |
1208 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS, |
1209 | ERR_R_INTERNAL_ERROR); | |
b186a592 | 1210 | return EXT_RETURN_FAIL; |
7da160b0 MC |
1211 | } |
1212 | ||
b186a592 | 1213 | return EXT_RETURN_SENT; |
7da160b0 MC |
1214 | } |
1215 | ||
b186a592 MC |
1216 | EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, |
1217 | unsigned int context, X509 *x, | |
f63a17d6 | 1218 | size_t chainidx) |
7da160b0 | 1219 | { |
3cf96e88 | 1220 | #ifndef OPENSSL_NO_TLS1_3 |
7da160b0 MC |
1221 | unsigned char *encodedPoint; |
1222 | size_t encoded_pt_len = 0; | |
1223 | EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL; | |
1224 | ||
7da160b0 | 1225 | if (ckey == NULL) { |
7d061fce MC |
1226 | /* No key_share received from client */ |
1227 | if (s->hello_retry_request) { | |
7d061fce | 1228 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) |
aff9929b MC |
1229 | || !WPACKET_start_sub_packet_u16(pkt) |
1230 | || !WPACKET_put_bytes_u16(pkt, s->s3->group_id) | |
1231 | || !WPACKET_close(pkt)) { | |
f63a17d6 MC |
1232 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1233 | SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, | |
1234 | ERR_R_INTERNAL_ERROR); | |
b186a592 | 1235 | return EXT_RETURN_FAIL; |
7d061fce MC |
1236 | } |
1237 | ||
b186a592 | 1238 | return EXT_RETURN_SENT; |
7d061fce MC |
1239 | } |
1240 | ||
1241 | /* Must be resuming. */ | |
0247086d | 1242 | if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) { |
f63a17d6 MC |
1243 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1244 | SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); | |
b186a592 | 1245 | return EXT_RETURN_FAIL; |
0247086d | 1246 | } |
b186a592 | 1247 | return EXT_RETURN_NOT_SENT; |
7da160b0 MC |
1248 | } |
1249 | ||
1250 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) | |
1251 | || !WPACKET_start_sub_packet_u16(pkt) | |
1252 | || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) { | |
f63a17d6 MC |
1253 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1254 | SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); | |
b186a592 | 1255 | return EXT_RETURN_FAIL; |
7da160b0 MC |
1256 | } |
1257 | ||
1258 | skey = ssl_generate_pkey(ckey); | |
1259 | if (skey == NULL) { | |
f63a17d6 MC |
1260 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, |
1261 | ERR_R_MALLOC_FAILURE); | |
b186a592 | 1262 | return EXT_RETURN_FAIL; |
7da160b0 MC |
1263 | } |
1264 | ||
1265 | /* Generate encoding of server key */ | |
1266 | encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint); | |
1267 | if (encoded_pt_len == 0) { | |
f63a17d6 MC |
1268 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, |
1269 | ERR_R_EC_LIB); | |
7da160b0 | 1270 | EVP_PKEY_free(skey); |
b186a592 | 1271 | return EXT_RETURN_FAIL; |
7da160b0 MC |
1272 | } |
1273 | ||
1274 | if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len) | |
1275 | || !WPACKET_close(pkt)) { | |
f63a17d6 MC |
1276 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, |
1277 | ERR_R_INTERNAL_ERROR); | |
7da160b0 MC |
1278 | EVP_PKEY_free(skey); |
1279 | OPENSSL_free(encodedPoint); | |
b186a592 | 1280 | return EXT_RETURN_FAIL; |
7da160b0 MC |
1281 | } |
1282 | OPENSSL_free(encodedPoint); | |
1283 | ||
1284 | /* This causes the crypto state to be updated based on the derived keys */ | |
1285 | s->s3->tmp.pkey = skey; | |
1286 | if (ssl_derive(s, skey, ckey, 1) == 0) { | |
f63a17d6 | 1287 | /* SSLfatal() already called */ |
b186a592 | 1288 | return EXT_RETURN_FAIL; |
7da160b0 | 1289 | } |
3cf96e88 | 1290 | #endif |
7da160b0 | 1291 | |
b186a592 | 1292 | return EXT_RETURN_SENT; |
7da160b0 MC |
1293 | } |
1294 | ||
b186a592 MC |
1295 | EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, |
1296 | unsigned int context, X509 *x, | |
f63a17d6 | 1297 | size_t chainidx) |
7da160b0 MC |
1298 | { |
1299 | const unsigned char cryptopro_ext[36] = { | |
1300 | 0xfd, 0xe8, /* 65000 */ | |
1301 | 0x00, 0x20, /* 32 bytes length */ | |
1302 | 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, | |
1303 | 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, | |
1304 | 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, | |
1305 | 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 | |
1306 | }; | |
1307 | ||
1308 | if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80 | |
1309 | && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81) | |
1310 | || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0) | |
b186a592 | 1311 | return EXT_RETURN_NOT_SENT; |
7da160b0 MC |
1312 | |
1313 | if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) { | |
f63a17d6 MC |
1314 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1315 | SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR); | |
b186a592 | 1316 | return EXT_RETURN_FAIL; |
7da160b0 MC |
1317 | } |
1318 | ||
b186a592 | 1319 | return EXT_RETURN_SENT; |
7da160b0 | 1320 | } |
0247086d | 1321 | |
b186a592 MC |
1322 | EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, |
1323 | unsigned int context, X509 *x, | |
f63a17d6 | 1324 | size_t chainidx) |
38df5a45 | 1325 | { |
fe874d27 | 1326 | if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { |
6594189f | 1327 | if (s->max_early_data == 0) |
b186a592 | 1328 | return EXT_RETURN_NOT_SENT; |
6594189f MC |
1329 | |
1330 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) | |
1331 | || !WPACKET_start_sub_packet_u16(pkt) | |
1332 | || !WPACKET_put_bytes_u32(pkt, s->max_early_data) | |
1333 | || !WPACKET_close(pkt)) { | |
f63a17d6 MC |
1334 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1335 | SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR); | |
b186a592 | 1336 | return EXT_RETURN_FAIL; |
6594189f MC |
1337 | } |
1338 | ||
b186a592 | 1339 | return EXT_RETURN_SENT; |
6594189f MC |
1340 | } |
1341 | ||
38df5a45 | 1342 | if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED) |
b186a592 | 1343 | return EXT_RETURN_NOT_SENT; |
38df5a45 MC |
1344 | |
1345 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) | |
1346 | || !WPACKET_start_sub_packet_u16(pkt) | |
1347 | || !WPACKET_close(pkt)) { | |
f63a17d6 MC |
1348 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, |
1349 | ERR_R_INTERNAL_ERROR); | |
b186a592 | 1350 | return EXT_RETURN_FAIL; |
38df5a45 MC |
1351 | } |
1352 | ||
b186a592 | 1353 | return EXT_RETURN_SENT; |
38df5a45 MC |
1354 | } |
1355 | ||
b186a592 | 1356 | EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, |
f63a17d6 | 1357 | X509 *x, size_t chainidx) |
0247086d MC |
1358 | { |
1359 | if (!s->hit) | |
b186a592 | 1360 | return EXT_RETURN_NOT_SENT; |
0247086d MC |
1361 | |
1362 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) | |
1363 | || !WPACKET_start_sub_packet_u16(pkt) | |
1364 | || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity) | |
1365 | || !WPACKET_close(pkt)) { | |
f63a17d6 MC |
1366 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
1367 | SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR); | |
b186a592 | 1368 | return EXT_RETURN_FAIL; |
0247086d MC |
1369 | } |
1370 | ||
b186a592 | 1371 | return EXT_RETURN_SENT; |
0247086d | 1372 | } |