]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Change TLSEXT_IDX_* values into an enum
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e
MC		 1/*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
13
14/*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
1266eefd 17int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 18{
19 unsigned int ilen;
20 const unsigned char *data;
21
22 /* Parse the length byte */
23 if (!PACKET_get_1(pkt, &ilen)
24 || !PACKET_get_bytes(pkt, &data, ilen)) {
e56c33b9 25 SSLerr(SSL_F_TLS_PARSE_CLIENT_RENEGOTIATE,
25670f3e
MC		 26 SSL_R_RENEGOTIATION_ENCODING_ERR);
27 *al = SSL_AD_ILLEGAL_PARAMETER;
28 return 0;
29 }
30
31 /* Check that the extension matches */
32 if (ilen != s->s3->previous_client_finished_len) {
e56c33b9 33 SSLerr(SSL_F_TLS_PARSE_CLIENT_RENEGOTIATE,
25670f3e
MC		 34 SSL_R_RENEGOTIATION_MISMATCH);
35 *al = SSL_AD_HANDSHAKE_FAILURE;
36 return 0;
37 }
38
39 if (memcmp(data, s->s3->previous_client_finished,
40 s->s3->previous_client_finished_len)) {
e56c33b9 41 SSLerr(SSL_F_TLS_PARSE_CLIENT_RENEGOTIATE,
25670f3e
MC		 42 SSL_R_RENEGOTIATION_MISMATCH);
43 *al = SSL_AD_HANDSHAKE_FAILURE;
44 return 0;
45 }
46
47 s->s3->send_connection_binding = 1;
48
49 return 1;
50}
51
1266eefd
MC		 52/*-
53 * The servername extension is treated as follows:
54 *
55 * - Only the hostname type is supported with a maximum length of 255.
56 * - The servername is rejected if too long or if it contains zeros,
57 * in which case an fatal alert is generated.
58 * - The servername field is maintained together with the session cache.
59 * - When a session is resumed, the servername call back invoked in order
60 * to allow the application to position itself to the right context.
61 * - The servername is acknowledged if it is new for a session or when
62 * it is identical to a previously used for the same session.
63 * Applications can control the behaviour. They can at any time
64 * set a 'desirable' servername for a new SSL object. This can be the
65 * case for example with HTTPS when a Host: header field is received and
66 * a renegotiation is requested. In this case, a possible servername
67 * presented in the new client hello is only acknowledged if it matches
68 * the value of the Host: field.
69 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
70 * if they provide for changing an explicit servername context for the
71 * session, i.e. when the session has been established with a servername
72 * extension.
73 * - On session reconnect, the servername extension may be absent.
74 */
75int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 76{
77 unsigned int servname_type;
78 PACKET sni, hostname;
79
25670f3e
MC		 80 if (!PACKET_as_length_prefixed_2(pkt, &sni)
81 /* ServerNameList must be at least 1 byte long. */
82 || PACKET_remaining(&sni) == 0) {
83 *al = SSL_AD_DECODE_ERROR;
84 return 0;
85 }
86
87 /*
88 * Although the server_name extension was intended to be
89 * extensible to new name types, RFC 4366 defined the
1266eefd 90 * syntax inextensibly and OpenSSL 1.0.x parses it as
25670f3e
MC		 91 * such.
92 * RFC 6066 corrected the mistake but adding new name types
93 * is nevertheless no longer feasible, so act as if no other
94 * SNI types can exist, to simplify parsing.
95 *
96 * Also note that the RFC permits only one SNI value per type,
97 * i.e., we can only have a single hostname.
98 */
99 if (!PACKET_get_1(&sni, &servname_type)
100 || servname_type != TLSEXT_NAMETYPE_host_name
101 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
102 *al = SSL_AD_DECODE_ERROR;
103 return 0;
104 }
105
106 if (!s->hit) {
107 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
108 *al = TLS1_AD_UNRECOGNIZED_NAME;
109 return 0;
110 }
111
112 if (PACKET_contains_zero_byte(&hostname)) {
113 *al = TLS1_AD_UNRECOGNIZED_NAME;
114 return 0;
115 }
116
117 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
118 *al = TLS1_AD_INTERNAL_ERROR;
119 return 0;
120 }
121
122 s->servername_done = 1;
123 } else {
124 /*
125 * TODO(openssl-team): if the SNI doesn't match, we MUST
126 * fall back to a full handshake.
127 */
128 s->servername_done = s->session->tlsext_hostname
129 && PACKET_equal(&hostname, s->session->tlsext_hostname,
130 strlen(s->session->tlsext_hostname));
131 }
132
133 return 1;
134}
135
136#ifndef OPENSSL_NO_SRP
1266eefd 137int tls_parse_ctos_srp(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 138{
139 PACKET srp_I;
140
141 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
142 || PACKET_contains_zero_byte(&srp_I)) {
143 *al = SSL_AD_DECODE_ERROR;
144 return 0;
145 }
146
147 /*
148 * TODO(openssl-team): currently, we re-authenticate the user
149 * upon resumption. Instead, we MUST ignore the login.
150 */
151 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
152 *al = TLS1_AD_INTERNAL_ERROR;
153 return 0;
154 }
155
156 return 1;
157}
158#endif
159
160#ifndef OPENSSL_NO_EC
1266eefd 161int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 162{
163 PACKET ec_point_format_list;
164
165 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
166 || PACKET_remaining(&ec_point_format_list) == 0) {
167 *al = SSL_AD_DECODE_ERROR;
168 return 0;
169 }
170
171 if (!s->hit) {
172 if (!PACKET_memdup(&ec_point_format_list,
173 &s->session->tlsext_ecpointformatlist,
174 &s->session->tlsext_ecpointformatlist_length)) {
175 *al = TLS1_AD_INTERNAL_ERROR;
176 return 0;
177 }
178 }
179
180 return 1;
181}
182#endif /* OPENSSL_NO_EC */
183
1266eefd 184int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 185{
186 if (s->tls_session_ticket_ext_cb &&
187 !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
188 PACKET_remaining(pkt),
189 s->tls_session_ticket_ext_cb_arg)) {
190 *al = TLS1_AD_INTERNAL_ERROR;
191 return 0;
192 }
193
194 return 1;
195}
196
1266eefd 197int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 198{
199 PACKET supported_sig_algs;
200
201 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
202 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
203 || PACKET_remaining(&supported_sig_algs) == 0) {
204 *al = SSL_AD_DECODE_ERROR;
205 return 0;
206 }
207
208 if (!s->hit && !tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
209 PACKET_remaining(&supported_sig_algs))) {
210 *al = TLS1_AD_INTERNAL_ERROR;
211 return 0;
212 }
213
214 return 1;
215}
216
ab83e314 217#ifndef OPENSSL_NO_OCSP
1266eefd 218int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, int *al)
25670f3e 219{
1266eefd
MC		 220 PACKET responder_id_list, exts;
221
25670f3e
MC		 222 if (!PACKET_get_1(pkt, (unsigned int *)&s->tlsext_status_type)) {
223 *al = SSL_AD_DECODE_ERROR;
224 return 0;
225 }
ab83e314 226
1266eefd 227 if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 228 /*
1266eefd 229 * We don't know what to do with any other type so ignore it.
25670f3e 230 */
1266eefd
MC		 231 s->tlsext_status_type = -1;
232 return 1;
233 }
25670f3e 234
1266eefd
MC		 235 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
236 *al = SSL_AD_DECODE_ERROR;
237 return 0;
238 }
25670f3e 239
1266eefd
MC		 240 /*
241 * We remove any OCSP_RESPIDs from a previous handshake
242 * to prevent unbounded memory growth - CVE-2016-6304
243 */
244 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
245 if (PACKET_remaining(&responder_id_list) > 0) {
246 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
247 if (s->tlsext_ocsp_ids == NULL) {
248 *al = SSL_AD_INTERNAL_ERROR;
249 return 0;
250 }
251 } else {
252 s->tlsext_ocsp_ids = NULL;
253 }
25670f3e 254
1266eefd
MC		 255 while (PACKET_remaining(&responder_id_list) > 0) {
256 OCSP_RESPID *id;
257 PACKET responder_id;
258 const unsigned char *id_data;
25670f3e 259
1266eefd
MC		 260 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
261 || PACKET_remaining(&responder_id) == 0) {
262 *al = SSL_AD_DECODE_ERROR;
263 return 0;
264 }
25670f3e 265
1266eefd
MC		 266 id_data = PACKET_data(&responder_id);
267 /* TODO(size_t): Convert d2i_* to size_t */
268 id = d2i_OCSP_RESPID(NULL, &id_data,
269 (int)PACKET_remaining(&responder_id));
270 if (id == NULL) {
271 *al = SSL_AD_DECODE_ERROR;
272 return 0;
25670f3e
MC		 273 }
274
1266eefd
MC		 275 if (id_data != PACKET_end(&responder_id)) {
276 OCSP_RESPID_free(id);
25670f3e
MC		 277 *al = SSL_AD_DECODE_ERROR;
278 return 0;
279 }
280
1266eefd
MC		 281 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
282 OCSP_RESPID_free(id);
283 *al = SSL_AD_INTERNAL_ERROR;
284 return 0;
285 }
286 }
287
288 /* Read in request_extensions */
289 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
290 *al = SSL_AD_DECODE_ERROR;
291 return 0;
292 }
293
294 if (PACKET_remaining(&exts) > 0) {
295 const unsigned char *ext_data = PACKET_data(&exts);
296
297 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
298 X509_EXTENSION_free);
299 s->tlsext_ocsp_exts =
300 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
301 if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) {
302 *al = SSL_AD_DECODE_ERROR;
303 return 0;
25670f3e 304 }
25670f3e
MC		 305 }
306
307 return 1;
308}
ab83e314 309#endif
25670f3e
MC		 310
311#ifndef OPENSSL_NO_NEXTPROTONEG
1266eefd 312int tls_parse_ctos_npn(SSL *s, PACKET *pkt, int *al)
25670f3e 313{
1266eefd
MC		 314 /*
315 * We shouldn't accept this extension on a
316 * renegotiation.
317 *
318 * s->new_session will be set on renegotiation, but we
319 * probably shouldn't rely that it couldn't be set on
320 * the initial renegotiation too in certain cases (when
321 * there's some other reason to disallow resuming an
322 * earlier session -- the current code won't be doing
323 * anything like that, but this might change).
324 *
325 * A valid sign that there's been a previous handshake
326 * in this connection is if s->s3->tmp.finish_md_len >
327 * 0. (We are talking about a check that will happen
328 * in the Hello protocol round, well before a new
329 * Finished message could have been computed.)
330 */
331 if (s->s3->tmp.finish_md_len == 0)
25670f3e 332 s->s3->next_proto_neg_seen = 1;
25670f3e
MC		 333
334 return 1;
335}
336#endif
337
338/*
1266eefd
MC		 339 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
340 * extension, not including type and length. |al| is a pointer to the alert
341 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
25670f3e 342 */
1266eefd 343int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 344{
345 PACKET protocol_list, save_protocol_list, protocol;
346
347 if (s->s3->tmp.finish_md_len != 0)
348 return 1;
349
350 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
351 || PACKET_remaining(&protocol_list) < 2) {
352 *al = SSL_AD_DECODE_ERROR;
353 return 0;
354 }
355
356 save_protocol_list = protocol_list;
357 do {
358 /* Protocol names can't be empty. */
359 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
360 || PACKET_remaining(&protocol) == 0) {
361 *al = SSL_AD_DECODE_ERROR;
362 return 0;
363 }
364 } while (PACKET_remaining(&protocol_list) != 0);
365
366 if (!PACKET_memdup(&save_protocol_list,
367 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
368 *al = TLS1_AD_INTERNAL_ERROR;
369 return 0;
370 }
371
372 return 1;
373}
374
375#ifndef OPENSSL_NO_SRTP
1266eefd 376int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, int *al)
25670f3e 377{
25670f3e
MC		 378 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
379 unsigned int ct, mki_len, id;
380 int i, srtp_pref;
381 PACKET subpkt;
382
383 /* Ignore this if we have no SRTP profiles */
384 if (SSL_get_srtp_profiles(s) == NULL)
385 return 1;
386
387 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 388 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
389 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
e56c33b9 390 SSLerr(SSL_F_TLS_PARSE_CLIENT_USE_SRTP,
25670f3e
MC		 391 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
392 *al = SSL_AD_DECODE_ERROR;
393 return 0;
394 }
395
396 srvr = SSL_get_srtp_profiles(s);
397 s->srtp_profile = NULL;
398 /* Search all profiles for a match initially */
399 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
400
401 while (PACKET_remaining(&subpkt)) {
402 if (!PACKET_get_net_2(&subpkt, &id)) {
e56c33b9 403 SSLerr(SSL_F_TLS_PARSE_CLIENT_USE_SRTP,
25670f3e
MC		 404 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
405 *al = SSL_AD_DECODE_ERROR;
406 return 0;
407 }
408
409 /*
410 * Only look for match in profiles of higher preference than
411 * current match.
412 * If no profiles have been have been configured then this
413 * does nothing.
414 */
415 for (i = 0; i < srtp_pref; i++) {
d270de32 416 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 417 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
418
25670f3e
MC		 419 if (sprof->id == id) {
420 s->srtp_profile = sprof;
421 srtp_pref = i;
422 break;
423 }
424 }
425 }
426
1266eefd 427 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 428 if (!PACKET_get_1(pkt, &mki_len)) {
e56c33b9 429 SSLerr(SSL_F_TLS_PARSE_CLIENT_USE_SRTP,
25670f3e
MC		 430 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
431 *al = SSL_AD_DECODE_ERROR;
432 return 0;
433 }
434
435 if (!PACKET_forward(pkt, mki_len)
436 || PACKET_remaining(pkt)) {
e56c33b9 437 SSLerr(SSL_F_TLS_PARSE_CLIENT_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 438 *al = SSL_AD_DECODE_ERROR;
439 return 0;
440 }
441
442 return 1;
443}
444#endif
445
1266eefd 446int tls_parse_ctos_etm(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 447{
448 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
449 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
450
451 return 1;
452}
453
454/*
455 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
456 * and |checkallow| is 1 then additionally check if the group is allowed to be
457 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
458 * 1) or 0 otherwise.
459 */
460static int check_in_list(SSL *s, unsigned int group_id,
461 const unsigned char *groups, size_t num_groups,
462 int checkallow)
463{
464 size_t i;
465
466 if (groups == NULL || num_groups == 0)
467 return 0;
468
469 for (i = 0; i < num_groups; i++, groups += 2) {
470 unsigned int share_id = (groups[0] << 8) | (groups[1]);
471
472 if (group_id == share_id
1266eefd
MC		 473 && (!checkallow
474 || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
25670f3e
MC		 475 break;
476 }
477 }
478
479 /* If i == num_groups then not in the list */
480 return i < num_groups;
481}
482
483/*
484 * Process a key_share extension received in the ClientHello. |pkt| contains
485 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
486 * If a failure occurs then |*al| is set to an appropriate alert value.
487 */
1266eefd 488int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 489{
490 unsigned int group_id;
491 PACKET key_share_list, encoded_pt;
492 const unsigned char *clntcurves, *srvrcurves;
493 size_t clnt_num_curves, srvr_num_curves;
494 int group_nid, found = 0;
495 unsigned int curve_flags;
496
497 if (s->hit)
498 return 1;
499
500 /* Sanity check */
501 if (s->s3->peer_tmp != NULL) {
502 *al = SSL_AD_INTERNAL_ERROR;
e56c33b9 503 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 504 return 0;
505 }
506
507 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
508 *al = SSL_AD_HANDSHAKE_FAILURE;
e56c33b9 509 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 510 return 0;
511 }
512
513 /* Get our list of supported curves */
514 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
515 *al = SSL_AD_INTERNAL_ERROR;
e56c33b9 516 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 517 return 0;
518 }
519
24b8e4b2 520 /*
70af3d8e 521 * Get the clients list of supported curves.
24b8e4b2
MC		 522 * TODO(TLS1.3): We should validate that we actually received
523 * supported_groups!
524 */
25670f3e
MC		 525 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
526 *al = SSL_AD_INTERNAL_ERROR;
e56c33b9 527 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 528 return 0;
529 }
530
531 while (PACKET_remaining(&key_share_list) > 0) {
532 if (!PACKET_get_net_2(&key_share_list, &group_id)
533 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
534 || PACKET_remaining(&encoded_pt) == 0) {
535 *al = SSL_AD_HANDSHAKE_FAILURE;
e56c33b9 536 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE,
25670f3e
MC		 537 SSL_R_LENGTH_MISMATCH);
538 return 0;
539 }
540
541 /*
542 * If we already found a suitable key_share we loop through the
543 * rest to verify the structure, but don't process them.
544 */
545 if (found)
546 continue;
547
548 /* Check if this share is in supported_groups sent from client */
549 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
550 *al = SSL_AD_HANDSHAKE_FAILURE;
e56c33b9 551 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 552 return 0;
553 }
554
555 /* Check if this share is for a group we can use */
556 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
557 /* Share not suitable */
558 continue;
559 }
560
561 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
562
563 if (group_nid == 0) {
564 *al = SSL_AD_INTERNAL_ERROR;
e56c33b9 565 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE,
25670f3e
MC		 566 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
567 return 0;
568 }
569
570 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
571 /* Can happen for some curves, e.g. X25519 */
572 EVP_PKEY *key = EVP_PKEY_new();
573
574 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
575 *al = SSL_AD_INTERNAL_ERROR;
e56c33b9 576 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 577 EVP_PKEY_free(key);
578 return 0;
579 }
580 s->s3->peer_tmp = key;
581 } else {
582 /* Set up EVP_PKEY with named curve as parameters */
583 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1266eefd 584
25670f3e
MC		 585 if (pctx == NULL
586 || EVP_PKEY_paramgen_init(pctx) <= 0
587 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
588 group_nid) <= 0
589 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
590 *al = SSL_AD_INTERNAL_ERROR;
e56c33b9 591 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 592 EVP_PKEY_CTX_free(pctx);
593 return 0;
594 }
595 EVP_PKEY_CTX_free(pctx);
596 pctx = NULL;
597 }
598 s->s3->group_id = group_id;
599
600 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
601 PACKET_data(&encoded_pt),
602 PACKET_remaining(&encoded_pt))) {
603 *al = SSL_AD_DECODE_ERROR;
e56c33b9 604 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 605 return 0;
606 }
607
608 found = 1;
609 }
610
611 return 1;
612}
613
614#ifndef OPENSSL_NO_EC
1266eefd 615int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 616{
617 PACKET supported_groups_list;
618
619 /* Each group is 2 bytes and we must have at least 1. */
620 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
621 || PACKET_remaining(&supported_groups_list) == 0
622 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
623 *al = SSL_AD_DECODE_ERROR;
624 return 0;
625 }
626
627 if (!s->hit
628 && !PACKET_memdup(&supported_groups_list,
629 &s->session->tlsext_supportedgroupslist,
630 &s->session->tlsext_supportedgroupslist_length)) {
631 *al = SSL_AD_DECODE_ERROR;
632 return 0;
633 }
634
635 return 1;
636}
637#endif
638
1266eefd 639int tls_parse_ctos_ems(SSL *s, PACKET *pkt, int *al)
25670f3e
MC		 640{
641 /* The extension must always be empty */
642 if (PACKET_remaining(pkt) != 0) {
643 *al = SSL_AD_DECODE_ERROR;
644 return 0;
645 }
646
647 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
648
649 return 1;
650}
7da160b0 651
1266eefd
MC		 652/*
653 * Add the server's renegotiation binding
654 */
655int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, int *al)
7da160b0
MC		 656{
657 if (!s->s3->send_connection_binding)
658 return 1;
659
660 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
661 || !WPACKET_start_sub_packet_u16(pkt)
662 || !WPACKET_start_sub_packet_u8(pkt)
663 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
664 s->s3->previous_client_finished_len)
665 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
666 s->s3->previous_server_finished_len)
667 || !WPACKET_close(pkt)
668 || !WPACKET_close(pkt)) {
669 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
670 return 0;
671 }
672
673 return 1;
674}
675
1266eefd 676int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, int *al)
7da160b0
MC		 677{
678 if (s->hit || s->servername_done != 1
679 || s->session->tlsext_hostname == NULL)
680 return 1;
681
682 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
683 || !WPACKET_put_bytes_u16(pkt, 0)) {
684 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_SERVER_NAME, ERR_R_INTERNAL_ERROR);
685 return 0;
686 }
687
688 return 1;
689}
690
691#ifndef OPENSSL_NO_EC
1266eefd 692int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, int *al)
7da160b0
MC		 693{
694 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
695 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
89247375
MC		 696 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
697 && (s->session->tlsext_ecpointformatlist != NULL);
7da160b0
MC		 698 const unsigned char *plist;
699 size_t plistlen;
700
701 if (!using_ecc)
702 return 1;
703
704 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 705 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
706 || !WPACKET_start_sub_packet_u16(pkt)
707 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
708 || !WPACKET_close(pkt)) {
709 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
710 return 0;
711 }
712
713 return 1;
714}
715#endif
716
1266eefd 717int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, int *al)
7da160b0
MC		 718{
719 if (!s->tlsext_ticket_expected || !tls_use_ticket(s)) {
720 s->tlsext_ticket_expected = 0;
721 return 1;
722 }
723
724 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
725 || !WPACKET_put_bytes_u16(pkt, 0)) {
726 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
727 return 0;
728 }
729
730 return 1;
731}
732
ab83e314 733#ifndef OPENSSL_NO_OCSP
1266eefd 734int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, int *al)
7da160b0
MC		 735{
736 if (!s->tlsext_status_expected)
737 return 1;
738
739 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
740 || !WPACKET_put_bytes_u16(pkt, 0)) {
741 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
742 return 0;
743 }
744
745 return 1;
746}
ab83e314 747#endif
7da160b0
MC		 748
749
750#ifndef OPENSSL_NO_NEXTPROTONEG
1266eefd 751int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, int *al)
7da160b0
MC		 752{
753 const unsigned char *npa;
754 unsigned int npalen;
755 int ret;
756 int next_proto_neg_seen = s->s3->next_proto_neg_seen;
757
758 s->s3->next_proto_neg_seen = 0;
759 if (!next_proto_neg_seen || s->ctx->next_protos_advertised_cb == NULL)
760 return 1;
761
762 ret = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
763 s->ctx->next_protos_advertised_cb_arg);
764 if (ret == SSL_TLSEXT_ERR_OK) {
765 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
766 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
767 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_NEXT_PROTO_NEG,
768 ERR_R_INTERNAL_ERROR);
769 return 0;
770 }
771 s->s3->next_proto_neg_seen = 1;
772 }
773
774 return 1;
775}
776#endif
777
1266eefd 778int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, int *al)
7da160b0
MC		 779{
780 if (s->s3->alpn_selected == NULL)
781 return 1;
782
783 if (!WPACKET_put_bytes_u16(pkt,
784 TLSEXT_TYPE_application_layer_protocol_negotiation)
785 || !WPACKET_start_sub_packet_u16(pkt)
786 || !WPACKET_start_sub_packet_u16(pkt)
787 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
788 s->s3->alpn_selected_len)
789 || !WPACKET_close(pkt)
790 || !WPACKET_close(pkt)) {
791 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_ALPN, ERR_R_INTERNAL_ERROR);
792 return 0;
793 }
794
795 return 1;
796}
797
798#ifndef OPENSSL_NO_SRTP
1266eefd 799int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, int *al)
7da160b0
MC		 800{
801 if (s->srtp_profile == NULL)
802 return 1;
a1448c26 803
7da160b0
MC		 804 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
805 || !WPACKET_start_sub_packet_u16(pkt)
806 || !WPACKET_put_bytes_u16(pkt, 2)
807 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
808 || !WPACKET_put_bytes_u8(pkt, 0)
809 || !WPACKET_close(pkt)) {
810 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_USE_SRTP, ERR_R_INTERNAL_ERROR);
811 return 0;
812 }
813
814 return 1;
815}
816#endif
817
1266eefd 818int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, int *al)
7da160b0
MC		 819{
820 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
821 return 1;
822
823 /*
824 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
825 * for other cases too.
826 */
827 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
828 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
829 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
830 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
831 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
832 return 1;
833 }
834
835 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
836 || !WPACKET_put_bytes_u16(pkt, 0)) {
837 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_ETM, ERR_R_INTERNAL_ERROR);
838 return 0;
839 }
840
841 return 1;
842}
843
1266eefd 844int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, int *al)
7da160b0
MC		 845{
846 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
847 return 1;
848
849 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
850 || !WPACKET_put_bytes_u16(pkt, 0)) {
851 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_EMS, ERR_R_INTERNAL_ERROR);
852 return 0;
853 }
854
855 return 1;
856}
857
1266eefd 858int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, int *al)
7da160b0
MC		 859{
860 unsigned char *encodedPoint;
861 size_t encoded_pt_len = 0;
862 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
863
864 if (s->hit)
865 return 1;
866
867 if (ckey == NULL) {
868 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
869 return 0;
870 }
871
872 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
873 || !WPACKET_start_sub_packet_u16(pkt)
874 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
875 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
876 return 0;
877 }
878
879 skey = ssl_generate_pkey(ckey);
880 if (skey == NULL) {
881 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_MALLOC_FAILURE);
882 return 0;
883 }
884
885 /* Generate encoding of server key */
886 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
887 if (encoded_pt_len == 0) {
888 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_EC_LIB);
889 EVP_PKEY_free(skey);
890 return 0;
891 }
892
893 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
894 || !WPACKET_close(pkt)) {
895 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
896 EVP_PKEY_free(skey);
897 OPENSSL_free(encodedPoint);
898 return 0;
899 }
900 OPENSSL_free(encodedPoint);
901
902 /* This causes the crypto state to be updated based on the derived keys */
903 s->s3->tmp.pkey = skey;
904 if (ssl_derive(s, skey, ckey, 1) == 0) {
905 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
906 return 0;
907 }
908
909 return 1;
910}
911
1266eefd 912int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, int *al)
7da160b0
MC		 913{
914 const unsigned char cryptopro_ext[36] = {
915 0xfd, 0xe8, /* 65000 */
916 0x00, 0x20, /* 32 bytes length */
917 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
918 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
919 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
920 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
921 };
922
923 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
924 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
925 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
926 return 1;
927
928 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
929 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
930 return 0;
931 }
932
933 return 1;
934}
A mirror of the official openssl repository