]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Extends extension parsing to take the Certificate
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e
MC		 1/*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
13
14/*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
f97d4c37
MC		 17int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chain,
18 int *al)
25670f3e
MC		 19{
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
7fe97c07 26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
7fe97c07 34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
7fe97c07 42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51}
52
1266eefd
MC		 53/*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
f97d4c37
MC		 76int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chain,
77 int *al)
25670f3e
MC		 78{
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
25670f3e
MC		 82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
1266eefd 92 * syntax inextensibly and OpenSSL 1.0.x parses it as
25670f3e
MC		 93 * such.
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
97 *
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
100 */
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
105 return 0;
106 }
107
108 if (!s->hit) {
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
111 return 0;
112 }
113
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
116 return 0;
117 }
118
119 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
120 *al = TLS1_AD_INTERNAL_ERROR;
121 return 0;
122 }
123
124 s->servername_done = 1;
125 } else {
126 /*
127 * TODO(openssl-team): if the SNI doesn't match, we MUST
128 * fall back to a full handshake.
129 */
130 s->servername_done = s->session->tlsext_hostname
131 && PACKET_equal(&hostname, s->session->tlsext_hostname,
132 strlen(s->session->tlsext_hostname));
133 }
134
135 return 1;
136}
137
138#ifndef OPENSSL_NO_SRP
f97d4c37 139int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
25670f3e
MC		 140{
141 PACKET srp_I;
142
143 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
144 || PACKET_contains_zero_byte(&srp_I)) {
145 *al = SSL_AD_DECODE_ERROR;
146 return 0;
147 }
148
149 /*
150 * TODO(openssl-team): currently, we re-authenticate the user
151 * upon resumption. Instead, we MUST ignore the login.
152 */
153 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
154 *al = TLS1_AD_INTERNAL_ERROR;
155 return 0;
156 }
157
158 return 1;
159}
160#endif
161
162#ifndef OPENSSL_NO_EC
f97d4c37
MC		 163int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chain,
164 int *al)
25670f3e
MC		 165{
166 PACKET ec_point_format_list;
167
168 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
169 || PACKET_remaining(&ec_point_format_list) == 0) {
170 *al = SSL_AD_DECODE_ERROR;
171 return 0;
172 }
173
174 if (!s->hit) {
175 if (!PACKET_memdup(&ec_point_format_list,
176 &s->session->tlsext_ecpointformatlist,
177 &s->session->tlsext_ecpointformatlist_length)) {
178 *al = TLS1_AD_INTERNAL_ERROR;
179 return 0;
180 }
181 }
182
183 return 1;
184}
185#endif /* OPENSSL_NO_EC */
186
f97d4c37
MC		 187int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chain,
188 int *al)
25670f3e
MC		 189{
190 if (s->tls_session_ticket_ext_cb &&
191 !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
192 PACKET_remaining(pkt),
193 s->tls_session_ticket_ext_cb_arg)) {
194 *al = TLS1_AD_INTERNAL_ERROR;
195 return 0;
196 }
197
198 return 1;
199}
200
f97d4c37 201int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
25670f3e
MC		 202{
203 PACKET supported_sig_algs;
204
205 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
206 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
207 || PACKET_remaining(&supported_sig_algs) == 0) {
208 *al = SSL_AD_DECODE_ERROR;
209 return 0;
210 }
211
212 if (!s->hit && !tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
213 PACKET_remaining(&supported_sig_algs))) {
214 *al = TLS1_AD_INTERNAL_ERROR;
215 return 0;
216 }
217
218 return 1;
219}
220
ab83e314 221#ifndef OPENSSL_NO_OCSP
f97d4c37
MC		 222int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chain,
223 int *al)
25670f3e 224{
1266eefd
MC		 225 PACKET responder_id_list, exts;
226
25670f3e
MC		 227 if (!PACKET_get_1(pkt, (unsigned int *)&s->tlsext_status_type)) {
228 *al = SSL_AD_DECODE_ERROR;
229 return 0;
230 }
ab83e314 231
1266eefd 232 if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 233 /*
1266eefd 234 * We don't know what to do with any other type so ignore it.
25670f3e 235 */
cbb09544 236 s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 237 return 1;
238 }
25670f3e 239
1266eefd
MC		 240 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
241 *al = SSL_AD_DECODE_ERROR;
242 return 0;
243 }
25670f3e 244
1266eefd
MC		 245 /*
246 * We remove any OCSP_RESPIDs from a previous handshake
247 * to prevent unbounded memory growth - CVE-2016-6304
248 */
249 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
250 if (PACKET_remaining(&responder_id_list) > 0) {
251 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
252 if (s->tlsext_ocsp_ids == NULL) {
253 *al = SSL_AD_INTERNAL_ERROR;
254 return 0;
255 }
256 } else {
257 s->tlsext_ocsp_ids = NULL;
258 }
25670f3e 259
1266eefd
MC		 260 while (PACKET_remaining(&responder_id_list) > 0) {
261 OCSP_RESPID *id;
262 PACKET responder_id;
263 const unsigned char *id_data;
25670f3e 264
1266eefd
MC		 265 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
266 || PACKET_remaining(&responder_id) == 0) {
267 *al = SSL_AD_DECODE_ERROR;
268 return 0;
269 }
25670f3e 270
1266eefd
MC		 271 id_data = PACKET_data(&responder_id);
272 /* TODO(size_t): Convert d2i_* to size_t */
273 id = d2i_OCSP_RESPID(NULL, &id_data,
274 (int)PACKET_remaining(&responder_id));
275 if (id == NULL) {
276 *al = SSL_AD_DECODE_ERROR;
277 return 0;
25670f3e
MC		 278 }
279
1266eefd
MC		 280 if (id_data != PACKET_end(&responder_id)) {
281 OCSP_RESPID_free(id);
25670f3e
MC		 282 *al = SSL_AD_DECODE_ERROR;
283 return 0;
284 }
285
1266eefd
MC		 286 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
287 OCSP_RESPID_free(id);
288 *al = SSL_AD_INTERNAL_ERROR;
289 return 0;
290 }
291 }
292
293 /* Read in request_extensions */
294 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
295 *al = SSL_AD_DECODE_ERROR;
296 return 0;
297 }
298
299 if (PACKET_remaining(&exts) > 0) {
300 const unsigned char *ext_data = PACKET_data(&exts);
301
302 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
303 X509_EXTENSION_free);
304 s->tlsext_ocsp_exts =
305 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
306 if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) {
307 *al = SSL_AD_DECODE_ERROR;
308 return 0;
25670f3e 309 }
25670f3e
MC		 310 }
311
312 return 1;
313}
ab83e314 314#endif
25670f3e
MC		 315
316#ifndef OPENSSL_NO_NEXTPROTONEG
f97d4c37 317int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
25670f3e 318{
1266eefd
MC		 319 /*
320 * We shouldn't accept this extension on a
321 * renegotiation.
322 *
323 * s->new_session will be set on renegotiation, but we
324 * probably shouldn't rely that it couldn't be set on
325 * the initial renegotiation too in certain cases (when
326 * there's some other reason to disallow resuming an
327 * earlier session -- the current code won't be doing
328 * anything like that, but this might change).
329 *
330 * A valid sign that there's been a previous handshake
331 * in this connection is if s->s3->tmp.finish_md_len >
332 * 0. (We are talking about a check that will happen
333 * in the Hello protocol round, well before a new
334 * Finished message could have been computed.)
335 */
336 if (s->s3->tmp.finish_md_len == 0)
25670f3e 337 s->s3->next_proto_neg_seen = 1;
25670f3e
MC		 338
339 return 1;
340}
341#endif
342
343/*
1266eefd
MC		 344 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
345 * extension, not including type and length. |al| is a pointer to the alert
346 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
25670f3e 347 */
f97d4c37 348int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
25670f3e
MC		 349{
350 PACKET protocol_list, save_protocol_list, protocol;
351
352 if (s->s3->tmp.finish_md_len != 0)
353 return 1;
354
355 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
356 || PACKET_remaining(&protocol_list) < 2) {
357 *al = SSL_AD_DECODE_ERROR;
358 return 0;
359 }
360
361 save_protocol_list = protocol_list;
362 do {
363 /* Protocol names can't be empty. */
364 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
365 || PACKET_remaining(&protocol) == 0) {
366 *al = SSL_AD_DECODE_ERROR;
367 return 0;
368 }
369 } while (PACKET_remaining(&protocol_list) != 0);
370
371 if (!PACKET_memdup(&save_protocol_list,
372 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
373 *al = TLS1_AD_INTERNAL_ERROR;
374 return 0;
375 }
376
377 return 1;
378}
379
380#ifndef OPENSSL_NO_SRTP
f97d4c37 381int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
25670f3e 382{
25670f3e
MC		 383 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
384 unsigned int ct, mki_len, id;
385 int i, srtp_pref;
386 PACKET subpkt;
387
388 /* Ignore this if we have no SRTP profiles */
389 if (SSL_get_srtp_profiles(s) == NULL)
390 return 1;
391
392 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 393 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
394 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
7fe97c07 395 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 396 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
397 *al = SSL_AD_DECODE_ERROR;
398 return 0;
399 }
400
401 srvr = SSL_get_srtp_profiles(s);
402 s->srtp_profile = NULL;
403 /* Search all profiles for a match initially */
404 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
405
406 while (PACKET_remaining(&subpkt)) {
407 if (!PACKET_get_net_2(&subpkt, &id)) {
7fe97c07 408 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 409 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
410 *al = SSL_AD_DECODE_ERROR;
411 return 0;
412 }
413
414 /*
415 * Only look for match in profiles of higher preference than
416 * current match.
417 * If no profiles have been have been configured then this
418 * does nothing.
419 */
420 for (i = 0; i < srtp_pref; i++) {
d270de32 421 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 422 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
423
25670f3e
MC		 424 if (sprof->id == id) {
425 s->srtp_profile = sprof;
426 srtp_pref = i;
427 break;
428 }
429 }
430 }
431
1266eefd 432 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 433 if (!PACKET_get_1(pkt, &mki_len)) {
7fe97c07 434 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 435 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
436 *al = SSL_AD_DECODE_ERROR;
437 return 0;
438 }
439
440 if (!PACKET_forward(pkt, mki_len)
441 || PACKET_remaining(pkt)) {
7fe97c07 442 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 443 *al = SSL_AD_DECODE_ERROR;
444 return 0;
445 }
446
447 return 1;
448}
449#endif
450
f97d4c37 451int tls_parse_ctos_etm(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
25670f3e
MC		 452{
453 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
454 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
455
456 return 1;
457}
458
459/*
460 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
461 * and |checkallow| is 1 then additionally check if the group is allowed to be
462 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
463 * 1) or 0 otherwise.
464 */
3cf96e88 465#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 466static int check_in_list(SSL *s, unsigned int group_id,
467 const unsigned char *groups, size_t num_groups,
468 int checkallow)
469{
470 size_t i;
471
472 if (groups == NULL || num_groups == 0)
473 return 0;
474
475 for (i = 0; i < num_groups; i++, groups += 2) {
476 unsigned int share_id = (groups[0] << 8) | (groups[1]);
477
478 if (group_id == share_id
1266eefd
MC		 479 && (!checkallow
480 || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
25670f3e
MC		 481 break;
482 }
483 }
484
485 /* If i == num_groups then not in the list */
486 return i < num_groups;
487}
3cf96e88 488#endif
25670f3e
MC		 489
490/*
491 * Process a key_share extension received in the ClientHello. |pkt| contains
492 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
493 * If a failure occurs then |*al| is set to an appropriate alert value.
494 */
f97d4c37
MC		 495int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chain,
496 int *al)
25670f3e 497{
3cf96e88 498#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 499 unsigned int group_id;
500 PACKET key_share_list, encoded_pt;
501 const unsigned char *clntcurves, *srvrcurves;
502 size_t clnt_num_curves, srvr_num_curves;
503 int group_nid, found = 0;
504 unsigned int curve_flags;
505
506 if (s->hit)
507 return 1;
508
509 /* Sanity check */
510 if (s->s3->peer_tmp != NULL) {
511 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 512 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 513 return 0;
514 }
515
516 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
517 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 518 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 519 return 0;
520 }
521
522 /* Get our list of supported curves */
523 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
524 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 525 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 526 return 0;
527 }
528
24b8e4b2 529 /*
70af3d8e 530 * Get the clients list of supported curves.
24b8e4b2
MC		 531 * TODO(TLS1.3): We should validate that we actually received
532 * supported_groups!
533 */
25670f3e
MC		 534 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
535 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 536 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 537 return 0;
538 }
539
540 while (PACKET_remaining(&key_share_list) > 0) {
541 if (!PACKET_get_net_2(&key_share_list, &group_id)
542 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
543 || PACKET_remaining(&encoded_pt) == 0) {
544 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 545 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 546 SSL_R_LENGTH_MISMATCH);
547 return 0;
548 }
549
550 /*
551 * If we already found a suitable key_share we loop through the
552 * rest to verify the structure, but don't process them.
553 */
554 if (found)
555 continue;
556
557 /* Check if this share is in supported_groups sent from client */
558 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
559 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 560 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 561 return 0;
562 }
563
564 /* Check if this share is for a group we can use */
565 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
566 /* Share not suitable */
567 continue;
568 }
569
570 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
571
572 if (group_nid == 0) {
573 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 574 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 575 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
576 return 0;
577 }
578
579 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
580 /* Can happen for some curves, e.g. X25519 */
581 EVP_PKEY *key = EVP_PKEY_new();
582
583 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
584 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 585 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 586 EVP_PKEY_free(key);
587 return 0;
588 }
589 s->s3->peer_tmp = key;
590 } else {
591 /* Set up EVP_PKEY with named curve as parameters */
592 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1266eefd 593
25670f3e
MC		 594 if (pctx == NULL
595 || EVP_PKEY_paramgen_init(pctx) <= 0
596 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
597 group_nid) <= 0
598 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
599 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 600 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 601 EVP_PKEY_CTX_free(pctx);
602 return 0;
603 }
604 EVP_PKEY_CTX_free(pctx);
605 pctx = NULL;
606 }
607 s->s3->group_id = group_id;
608
609 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
610 PACKET_data(&encoded_pt),
611 PACKET_remaining(&encoded_pt))) {
612 *al = SSL_AD_DECODE_ERROR;
7fe97c07 613 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 614 return 0;
615 }
616
617 found = 1;
618 }
3cf96e88 619#endif
25670f3e
MC		 620
621 return 1;
622}
623
624#ifndef OPENSSL_NO_EC
f97d4c37
MC		 625int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x, size_t chain,
626 int *al)
25670f3e
MC		 627{
628 PACKET supported_groups_list;
629
630 /* Each group is 2 bytes and we must have at least 1. */
631 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
632 || PACKET_remaining(&supported_groups_list) == 0
633 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
634 *al = SSL_AD_DECODE_ERROR;
635 return 0;
636 }
637
638 if (!s->hit
639 && !PACKET_memdup(&supported_groups_list,
640 &s->session->tlsext_supportedgroupslist,
641 &s->session->tlsext_supportedgroupslist_length)) {
642 *al = SSL_AD_DECODE_ERROR;
643 return 0;
644 }
645
646 return 1;
647}
648#endif
649
f97d4c37 650int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
25670f3e
MC		 651{
652 /* The extension must always be empty */
653 if (PACKET_remaining(pkt) != 0) {
654 *al = SSL_AD_DECODE_ERROR;
655 return 0;
656 }
657
658 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
659
660 return 1;
661}
7da160b0 662
1266eefd
MC		 663/*
664 * Add the server's renegotiation binding
665 */
30aeba43
MC		 666int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
667 int *al)
7da160b0
MC		 668{
669 if (!s->s3->send_connection_binding)
670 return 1;
671
672 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
673 || !WPACKET_start_sub_packet_u16(pkt)
674 || !WPACKET_start_sub_packet_u8(pkt)
675 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
676 s->s3->previous_client_finished_len)
677 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
678 s->s3->previous_server_finished_len)
679 || !WPACKET_close(pkt)
680 || !WPACKET_close(pkt)) {
7fe97c07 681 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 682 return 0;
683 }
684
685 return 1;
686}
687
30aeba43
MC		 688int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
689 int *al)
7da160b0
MC		 690{
691 if (s->hit || s->servername_done != 1
692 || s->session->tlsext_hostname == NULL)
693 return 1;
694
695 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
696 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 697 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 698 return 0;
699 }
700
701 return 1;
702}
703
704#ifndef OPENSSL_NO_EC
30aeba43
MC		 705int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
706 size_t chain, int *al)
7da160b0
MC		 707{
708 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
709 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
89247375
MC		 710 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
711 && (s->session->tlsext_ecpointformatlist != NULL);
7da160b0
MC		 712 const unsigned char *plist;
713 size_t plistlen;
714
715 if (!using_ecc)
716 return 1;
717
718 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 719 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
720 || !WPACKET_start_sub_packet_u16(pkt)
721 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
722 || !WPACKET_close(pkt)) {
7fe97c07 723 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 724 return 0;
725 }
726
727 return 1;
728}
729#endif
730
30aeba43
MC		 731int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
732 size_t chain, int *al)
7da160b0
MC		 733{
734 if (!s->tlsext_ticket_expected || !tls_use_ticket(s)) {
735 s->tlsext_ticket_expected = 0;
736 return 1;
737 }
738
739 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
740 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 741 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 742 return 0;
743 }
744
745 return 1;
746}
747
ab83e314 748#ifndef OPENSSL_NO_OCSP
30aeba43
MC		 749int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
750 size_t chain, int *al)
7da160b0
MC		 751{
752 if (!s->tlsext_status_expected)
753 return 1;
754
755 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
756 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 757 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 758 return 0;
759 }
760
761 return 1;
762}
ab83e314 763#endif
7da160b0 764
7da160b0 765#ifndef OPENSSL_NO_NEXTPROTONEG
30aeba43
MC		 766int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
767 size_t chain, int *al)
7da160b0
MC		 768{
769 const unsigned char *npa;
770 unsigned int npalen;
771 int ret;
772 int next_proto_neg_seen = s->s3->next_proto_neg_seen;
773
774 s->s3->next_proto_neg_seen = 0;
775 if (!next_proto_neg_seen || s->ctx->next_protos_advertised_cb == NULL)
776 return 1;
777
778 ret = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
779 s->ctx->next_protos_advertised_cb_arg);
780 if (ret == SSL_TLSEXT_ERR_OK) {
781 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
782 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
7fe97c07 783 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
7da160b0
MC		 784 ERR_R_INTERNAL_ERROR);
785 return 0;
786 }
787 s->s3->next_proto_neg_seen = 1;
788 }
789
790 return 1;
791}
792#endif
793
30aeba43
MC		 794int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
795 int *al)
7da160b0
MC		 796{
797 if (s->s3->alpn_selected == NULL)
798 return 1;
799
800 if (!WPACKET_put_bytes_u16(pkt,
801 TLSEXT_TYPE_application_layer_protocol_negotiation)
802 || !WPACKET_start_sub_packet_u16(pkt)
803 || !WPACKET_start_sub_packet_u16(pkt)
804 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
805 s->s3->alpn_selected_len)
806 || !WPACKET_close(pkt)
807 || !WPACKET_close(pkt)) {
7fe97c07 808 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 809 return 0;
810 }
811
812 return 1;
813}
814
815#ifndef OPENSSL_NO_SRTP
30aeba43
MC		 816int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
817 int *al)
7da160b0
MC		 818{
819 if (s->srtp_profile == NULL)
820 return 1;
a1448c26 821
7da160b0
MC		 822 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
823 || !WPACKET_start_sub_packet_u16(pkt)
824 || !WPACKET_put_bytes_u16(pkt, 2)
825 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
826 || !WPACKET_put_bytes_u8(pkt, 0)
827 || !WPACKET_close(pkt)) {
7fe97c07 828 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 829 return 0;
830 }
831
832 return 1;
833}
834#endif
835
30aeba43 836int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al)
7da160b0
MC		 837{
838 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
839 return 1;
840
841 /*
842 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
843 * for other cases too.
844 */
845 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
846 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
847 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
848 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
849 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
850 return 1;
851 }
852
853 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
854 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 855 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 856 return 0;
857 }
858
859 return 1;
860}
861
30aeba43 862int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al)
7da160b0
MC		 863{
864 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
865 return 1;
866
867 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
868 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 869 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 870 return 0;
871 }
872
873 return 1;
874}
875
30aeba43
MC		 876int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
877 int *al)
7da160b0 878{
3cf96e88 879#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 880 unsigned char *encodedPoint;
881 size_t encoded_pt_len = 0;
882 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
883
884 if (s->hit)
885 return 1;
886
887 if (ckey == NULL) {
7fe97c07 888 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 889 return 0;
890 }
891
892 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
893 || !WPACKET_start_sub_packet_u16(pkt)
894 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
7fe97c07 895 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 896 return 0;
897 }
898
899 skey = ssl_generate_pkey(ckey);
900 if (skey == NULL) {
7fe97c07 901 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
7da160b0
MC		 902 return 0;
903 }
904
905 /* Generate encoding of server key */
906 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
907 if (encoded_pt_len == 0) {
7fe97c07 908 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
7da160b0
MC		 909 EVP_PKEY_free(skey);
910 return 0;
911 }
912
913 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
914 || !WPACKET_close(pkt)) {
7fe97c07 915 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 916 EVP_PKEY_free(skey);
917 OPENSSL_free(encodedPoint);
918 return 0;
919 }
920 OPENSSL_free(encodedPoint);
921
922 /* This causes the crypto state to be updated based on the derived keys */
923 s->s3->tmp.pkey = skey;
924 if (ssl_derive(s, skey, ckey, 1) == 0) {
7fe97c07 925 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 926 return 0;
927 }
3cf96e88 928#endif
7da160b0
MC		 929
930 return 1;
931}
932
30aeba43
MC		 933int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, X509 *x,
934 size_t chain, int *al)
7da160b0
MC		 935{
936 const unsigned char cryptopro_ext[36] = {
937 0xfd, 0xe8, /* 65000 */
938 0x00, 0x20, /* 32 bytes length */
939 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
940 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
941 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
942 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
943 };
944
945 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
946 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
947 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
948 return 1;
949
950 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
7fe97c07 951 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 952 return 0;
953 }
954
955 return 1;
956}
A mirror of the official openssl repository