]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Assert that SSLfatal() only gets called once
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
b186a592 2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
25670f3e
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
13
14/*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
61138358 17int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 18 X509 *x, size_t chainidx)
25670f3e
MC		 19{
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
f63a17d6
MC		 26 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
25670f3e
MC		 28 return 0;
29 }
30
31 /* Check that the extension matches */
32 if (ilen != s->s3->previous_client_finished_len) {
f63a17d6
MC		 33 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
34 SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 35 return 0;
36 }
37
38 if (memcmp(data, s->s3->previous_client_finished,
39 s->s3->previous_client_finished_len)) {
f63a17d6
MC		 40 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
41 SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 42 return 0;
43 }
44
45 s->s3->send_connection_binding = 1;
46
47 return 1;
48}
49
1266eefd
MC		 50/*-
51 * The servername extension is treated as follows:
52 *
53 * - Only the hostname type is supported with a maximum length of 255.
54 * - The servername is rejected if too long or if it contains zeros,
55 * in which case an fatal alert is generated.
56 * - The servername field is maintained together with the session cache.
57 * - When a session is resumed, the servername call back invoked in order
58 * to allow the application to position itself to the right context.
59 * - The servername is acknowledged if it is new for a session or when
60 * it is identical to a previously used for the same session.
61 * Applications can control the behaviour. They can at any time
62 * set a 'desirable' servername for a new SSL object. This can be the
63 * case for example with HTTPS when a Host: header field is received and
64 * a renegotiation is requested. In this case, a possible servername
65 * presented in the new client hello is only acknowledged if it matches
66 * the value of the Host: field.
67 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
68 * if they provide for changing an explicit servername context for the
69 * session, i.e. when the session has been established with a servername
70 * extension.
71 * - On session reconnect, the servername extension may be absent.
72 */
61138358 73int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 74 X509 *x, size_t chainidx)
25670f3e
MC		 75{
76 unsigned int servname_type;
77 PACKET sni, hostname;
78
25670f3e
MC		 79 if (!PACKET_as_length_prefixed_2(pkt, &sni)
80 /* ServerNameList must be at least 1 byte long. */
81 || PACKET_remaining(&sni) == 0) {
f63a17d6
MC		 82 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
83 SSL_R_BAD_EXTENSION);
25670f3e
MC		 84 return 0;
85 }
86
87 /*
44e69951
F		 88 * Although the intent was for server_name to be extensible, RFC 4366
89 * was not clear about it; and so OpenSSL among other implementations,
90 * always and only allows a 'host_name' name types.
25670f3e
MC		 91 * RFC 6066 corrected the mistake but adding new name types
92 * is nevertheless no longer feasible, so act as if no other
93 * SNI types can exist, to simplify parsing.
94 *
95 * Also note that the RFC permits only one SNI value per type,
96 * i.e., we can only have a single hostname.
97 */
98 if (!PACKET_get_1(&sni, &servname_type)
99 || servname_type != TLSEXT_NAMETYPE_host_name
100 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
f63a17d6
MC		 101 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
102 SSL_R_BAD_EXTENSION);
25670f3e
MC		 103 return 0;
104 }
105
106 if (!s->hit) {
107 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
f63a17d6
MC		 108 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
109 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
110 SSL_R_BAD_EXTENSION);
25670f3e
MC		 111 return 0;
112 }
113
114 if (PACKET_contains_zero_byte(&hostname)) {
f63a17d6
MC		 115 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
116 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
117 SSL_R_BAD_EXTENSION);
25670f3e
MC		 118 return 0;
119 }
120
7d061fce
MC		 121 OPENSSL_free(s->session->ext.hostname);
122 s->session->ext.hostname = NULL;
aff8c126 123 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
f63a17d6
MC		 124 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
125 ERR_R_INTERNAL_ERROR);
25670f3e
MC		 126 return 0;
127 }
128
129 s->servername_done = 1;
130 } else {
131 /*
132 * TODO(openssl-team): if the SNI doesn't match, we MUST
133 * fall back to a full handshake.
134 */
aff8c126
RS		 135 s->servername_done = s->session->ext.hostname
136 && PACKET_equal(&hostname, s->session->ext.hostname,
137 strlen(s->session->ext.hostname));
630369d9
MC		 138
139 if (!s->servername_done && s->session->ext.hostname != NULL)
140 s->ext.early_data_ok = 0;
25670f3e
MC		 141 }
142
143 return 1;
144}
145
cf72c757 146int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 147 X509 *x, size_t chainidx)
cf72c757
F		 148{
149 unsigned int value;
150
151 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
f63a17d6
MC		 152 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
153 SSL_R_BAD_EXTENSION);
cf72c757
F		 154 return 0;
155 }
156
157 /* Received |value| should be a valid max-fragment-length code. */
158 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6
MC		 159 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
160 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
161 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 162 return 0;
163 }
164
165 /*
166 * RFC 6066: The negotiated length applies for the duration of the session
167 * including session resumptions.
168 * We should receive the same code as in resumed session !
169 */
170 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
f63a17d6
MC		 171 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
172 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
173 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 174 return 0;
175 }
176
177 /*
178 * Store it in session, so it'll become binding for us
179 * and we'll include it in a next Server Hello.
180 */
181 s->session->ext.max_fragment_len_mode = value;
182 return 1;
183}
184
25670f3e 185#ifndef OPENSSL_NO_SRP
61138358 186int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 187 size_t chainidx)
25670f3e
MC		 188{
189 PACKET srp_I;
190
191 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
192 || PACKET_contains_zero_byte(&srp_I)) {
f63a17d6
MC		 193 SSLfatal(s, SSL_AD_DECODE_ERROR,
194 SSL_F_TLS_PARSE_CTOS_SRP,
195 SSL_R_BAD_EXTENSION);
25670f3e
MC		 196 return 0;
197 }
198
199 /*
200 * TODO(openssl-team): currently, we re-authenticate the user
201 * upon resumption. Instead, we MUST ignore the login.
202 */
203 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
f63a17d6
MC		 204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
205 ERR_R_INTERNAL_ERROR);
25670f3e
MC		 206 return 0;
207 }
208
209 return 1;
210}
211#endif
212
213#ifndef OPENSSL_NO_EC
61138358 214int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 215 X509 *x, size_t chainidx)
25670f3e
MC		 216{
217 PACKET ec_point_format_list;
218
219 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
220 || PACKET_remaining(&ec_point_format_list) == 0) {
f63a17d6
MC		 221 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
222 SSL_R_BAD_EXTENSION);
25670f3e
MC		 223 return 0;
224 }
225
226 if (!s->hit) {
227 if (!PACKET_memdup(&ec_point_format_list,
aff8c126
RS		 228 &s->session->ext.ecpointformats,
229 &s->session->ext.ecpointformats_len)) {
f63a17d6
MC		 230 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
231 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 232 return 0;
233 }
234 }
235
236 return 1;
237}
238#endif /* OPENSSL_NO_EC */
239
61138358 240int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 241 X509 *x, size_t chainidx)
25670f3e 242{
aff8c126
RS		 243 if (s->ext.session_ticket_cb &&
244 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
245 PACKET_remaining(pkt),
246 s->ext.session_ticket_cb_arg)) {
f63a17d6
MC		 247 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
248 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 249 return 0;
250 }
251
252 return 1;
253}
254
61138358 255int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 256 size_t chainidx)
25670f3e
MC		 257{
258 PACKET supported_sig_algs;
259
260 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e 261 || PACKET_remaining(&supported_sig_algs) == 0) {
f63a17d6
MC		 262 SSLfatal(s, SSL_AD_DECODE_ERROR,
263 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
25670f3e
MC		 264 return 0;
265 }
266
703bcee0 267 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
f63a17d6
MC		 268 SSLfatal(s, SSL_AD_DECODE_ERROR,
269 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
25670f3e
MC		 270 return 0;
271 }
272
273 return 1;
274}
275
ab83e314 276#ifndef OPENSSL_NO_OCSP
61138358 277int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 278 X509 *x, size_t chainidx)
25670f3e 279{
1266eefd
MC		 280 PACKET responder_id_list, exts;
281
e96e0f8e
MC		 282 /* Not defined if we get one of these in a client Certificate */
283 if (x != NULL)
284 return 1;
285
aff8c126 286 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
f63a17d6
MC		 287 SSLfatal(s, SSL_AD_DECODE_ERROR,
288 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
25670f3e
MC		 289 return 0;
290 }
ab83e314 291
aff8c126 292 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 293 /*
1266eefd 294 * We don't know what to do with any other type so ignore it.
25670f3e 295 */
aff8c126 296 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 297 return 1;
298 }
25670f3e 299
1266eefd 300 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
f63a17d6
MC		 301 SSLfatal(s, SSL_AD_DECODE_ERROR,
302 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd
MC		 303 return 0;
304 }
25670f3e 305
1266eefd
MC		 306 /*
307 * We remove any OCSP_RESPIDs from a previous handshake
308 * to prevent unbounded memory growth - CVE-2016-6304
309 */
aff8c126 310 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 311 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 312 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
313 if (s->ext.ocsp.ids == NULL) {
f63a17d6
MC		 314 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
315 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
1266eefd
MC		 316 return 0;
317 }
318 } else {
aff8c126 319 s->ext.ocsp.ids = NULL;
1266eefd 320 }
25670f3e 321
1266eefd
MC		 322 while (PACKET_remaining(&responder_id_list) > 0) {
323 OCSP_RESPID *id;
324 PACKET responder_id;
325 const unsigned char *id_data;
25670f3e 326
1266eefd
MC		 327 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
328 || PACKET_remaining(&responder_id) == 0) {
f63a17d6
MC		 329 SSLfatal(s, SSL_AD_DECODE_ERROR,
330 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd
MC		 331 return 0;
332 }
25670f3e 333
1266eefd
MC		 334 id_data = PACKET_data(&responder_id);
335 /* TODO(size_t): Convert d2i_* to size_t */
336 id = d2i_OCSP_RESPID(NULL, &id_data,
337 (int)PACKET_remaining(&responder_id));
338 if (id == NULL) {
f63a17d6
MC		 339 SSLfatal(s, SSL_AD_DECODE_ERROR,
340 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd 341 return 0;
25670f3e
MC		 342 }
343
1266eefd
MC		 344 if (id_data != PACKET_end(&responder_id)) {
345 OCSP_RESPID_free(id);
f63a17d6
MC		 346 SSLfatal(s, SSL_AD_DECODE_ERROR,
347 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
348
25670f3e
MC		 349 return 0;
350 }
351
aff8c126 352 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd 353 OCSP_RESPID_free(id);
f63a17d6
MC		 354 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
355 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
356
1266eefd
MC		 357 return 0;
358 }
359 }
360
361 /* Read in request_extensions */
362 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
f63a17d6
MC		 363 SSLfatal(s, SSL_AD_DECODE_ERROR,
364 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd
MC		 365 return 0;
366 }
367
368 if (PACKET_remaining(&exts) > 0) {
369 const unsigned char *ext_data = PACKET_data(&exts);
370
aff8c126 371 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 372 X509_EXTENSION_free);
aff8c126 373 s->ext.ocsp.exts =
1266eefd 374 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 375 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
f63a17d6
MC		 376 SSLfatal(s, SSL_AD_DECODE_ERROR,
377 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd 378 return 0;
25670f3e 379 }
25670f3e
MC		 380 }
381
382 return 1;
383}
ab83e314 384#endif
25670f3e
MC		 385
386#ifndef OPENSSL_NO_NEXTPROTONEG
61138358 387int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 388 size_t chainidx)
25670f3e 389{
1266eefd
MC		 390 /*
391 * We shouldn't accept this extension on a
392 * renegotiation.
1266eefd 393 */
c7f47786 394 if (SSL_IS_FIRST_HANDSHAKE(s))
aff8c126 395 s->s3->npn_seen = 1;
25670f3e
MC		 396
397 return 1;
398}
399#endif
400
401/*
1266eefd
MC		 402 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
403 * extension, not including type and length. |al| is a pointer to the alert
404 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
25670f3e 405 */
61138358 406int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 407 size_t chainidx)
25670f3e
MC		 408{
409 PACKET protocol_list, save_protocol_list, protocol;
410
c7f47786 411 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 412 return 1;
413
414 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
415 || PACKET_remaining(&protocol_list) < 2) {
f63a17d6
MC		 416 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
417 SSL_R_BAD_EXTENSION);
25670f3e
MC		 418 return 0;
419 }
420
421 save_protocol_list = protocol_list;
422 do {
423 /* Protocol names can't be empty. */
424 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
425 || PACKET_remaining(&protocol) == 0) {
f63a17d6
MC		 426 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
427 SSL_R_BAD_EXTENSION);
25670f3e
MC		 428 return 0;
429 }
430 } while (PACKET_remaining(&protocol_list) != 0);
431
7d061fce
MC		 432 OPENSSL_free(s->s3->alpn_proposed);
433 s->s3->alpn_proposed = NULL;
434 s->s3->alpn_proposed_len = 0;
25670f3e
MC		 435 if (!PACKET_memdup(&save_protocol_list,
436 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
f63a17d6
MC		 437 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
438 ERR_R_INTERNAL_ERROR);
25670f3e
MC		 439 return 0;
440 }
441
442 return 1;
443}
444
445#ifndef OPENSSL_NO_SRTP
61138358 446int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 447 size_t chainidx)
25670f3e 448{
25670f3e
MC		 449 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
450 unsigned int ct, mki_len, id;
451 int i, srtp_pref;
452 PACKET subpkt;
453
454 /* Ignore this if we have no SRTP profiles */
455 if (SSL_get_srtp_profiles(s) == NULL)
456 return 1;
457
458 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 459 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
460 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
f63a17d6 461 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e 462 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 463 return 0;
464 }
465
466 srvr = SSL_get_srtp_profiles(s);
467 s->srtp_profile = NULL;
468 /* Search all profiles for a match initially */
469 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
470
471 while (PACKET_remaining(&subpkt)) {
472 if (!PACKET_get_net_2(&subpkt, &id)) {
f63a17d6
MC		 473 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
474 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 475 return 0;
476 }
477
478 /*
479 * Only look for match in profiles of higher preference than
480 * current match.
481 * If no profiles have been have been configured then this
482 * does nothing.
483 */
484 for (i = 0; i < srtp_pref; i++) {
d270de32 485 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 486 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
487
25670f3e
MC		 488 if (sprof->id == id) {
489 s->srtp_profile = sprof;
490 srtp_pref = i;
491 break;
492 }
493 }
494 }
495
1266eefd 496 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 497 if (!PACKET_get_1(pkt, &mki_len)) {
f63a17d6
MC		 498 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
499 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 500 return 0;
501 }
502
503 if (!PACKET_forward(pkt, mki_len)
504 || PACKET_remaining(pkt)) {
f63a17d6
MC		 505 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
506 SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 507 return 0;
508 }
509
510 return 1;
511}
512#endif
513
61138358 514int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 515 size_t chainidx)
25670f3e
MC		 516{
517 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 518 s->ext.use_etm = 1;
25670f3e
MC		 519
520 return 1;
521}
522
b2f7e8c0
MC		 523/*
524 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
525 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
526 * If a failure occurs then |*al| is set to an appropriate alert value.
527 */
61138358 528int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 529 X509 *x, size_t chainidx)
b2f7e8c0
MC		 530{
531#ifndef OPENSSL_NO_TLS1_3
532 PACKET psk_kex_modes;
533 unsigned int mode;
534
535 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
536 || PACKET_remaining(&psk_kex_modes) == 0) {
f63a17d6
MC		 537 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
538 SSL_R_BAD_EXTENSION);
b2f7e8c0
MC		 539 return 0;
540 }
541
542 while (PACKET_get_1(&psk_kex_modes, &mode)) {
543 if (mode == TLSEXT_KEX_MODE_KE_DHE)
544 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
e3c0d76b
MC		 545 else if (mode == TLSEXT_KEX_MODE_KE
546 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
b2f7e8c0
MC		 547 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
548 }
549#endif
550
551 return 1;
552}
553
25670f3e
MC		 554/*
555 * Process a key_share extension received in the ClientHello. |pkt| contains
556 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
557 * If a failure occurs then |*al| is set to an appropriate alert value.
558 */
61138358 559int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 560 size_t chainidx)
25670f3e 561{
3cf96e88 562#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 563 unsigned int group_id;
564 PACKET key_share_list, encoded_pt;
f48d826e
DSH		 565 const uint16_t *clntgroups, *srvrgroups;
566 size_t clnt_num_groups, srvr_num_groups;
43b95d73 567 int found = 0;
25670f3e 568
f4bbb37c 569 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 570 return 1;
571
572 /* Sanity check */
573 if (s->s3->peer_tmp != NULL) {
f63a17d6
MC		 574 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
575 ERR_R_INTERNAL_ERROR);
25670f3e
MC		 576 return 0;
577 }
578
579 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
f63a17d6
MC		 580 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
581 SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 582 return 0;
583 }
584
f48d826e
DSH		 585 /* Get our list of supported groups */
586 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
587 /* Get the clients list of supported groups. */
588 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
589 if (clnt_num_groups == 0) {
b6fdc12d
MC		 590 /*
591 * This can only happen if the supported_groups extension was not sent,
592 * because we verify that the length is non-zero when we process that
593 * extension.
594 */
f63a17d6
MC		 595 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
596 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
b6fdc12d
MC		 597 return 0;
598 }
25670f3e
MC		 599
600 while (PACKET_remaining(&key_share_list) > 0) {
601 if (!PACKET_get_net_2(&key_share_list, &group_id)
602 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
603 || PACKET_remaining(&encoded_pt) == 0) {
f63a17d6
MC		 604 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
605 SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 606 return 0;
607 }
608
609 /*
610 * If we already found a suitable key_share we loop through the
611 * rest to verify the structure, but don't process them.
612 */
613 if (found)
614 continue;
615
616 /* Check if this share is in supported_groups sent from client */
f48d826e 617 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
f63a17d6
MC		 618 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
619 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 620 return 0;
621 }
622
623 /* Check if this share is for a group we can use */
f48d826e 624 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
25670f3e
MC		 625 /* Share not suitable */
626 continue;
627 }
628
612f9d22 629 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
f63a17d6 630 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 631 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
632 return 0;
633 }
634
25670f3e
MC		 635 s->s3->group_id = group_id;
636
637 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
638 PACKET_data(&encoded_pt),
639 PACKET_remaining(&encoded_pt))) {
f63a17d6
MC		 640 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
641 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 642 return 0;
643 }
644
645 found = 1;
646 }
3cf96e88 647#endif
25670f3e
MC		 648
649 return 1;
650}
651
652#ifndef OPENSSL_NO_EC
61138358 653int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 654 X509 *x, size_t chainidx)
25670f3e
MC		 655{
656 PACKET supported_groups_list;
657
658 /* Each group is 2 bytes and we must have at least 1. */
659 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
660 || PACKET_remaining(&supported_groups_list) == 0
661 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
f63a17d6
MC		 662 SSLfatal(s, SSL_AD_DECODE_ERROR,
663 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
25670f3e
MC		 664 return 0;
665 }
666
e3743355
BK		 667 if (!s->hit || SSL_IS_TLS13(s)) {
668 OPENSSL_free(s->session->ext.supportedgroups);
669 s->session->ext.supportedgroups = NULL;
670 s->session->ext.supportedgroups_len = 0;
9e84a42d 671 if (!tls1_save_u16(&supported_groups_list,
e3743355
BK		 672 &s->session->ext.supportedgroups,
673 &s->session->ext.supportedgroups_len)) {
f63a17d6
MC		 674 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
675 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
676 ERR_R_INTERNAL_ERROR);
e3743355
BK		 677 return 0;
678 }
25670f3e
MC		 679 }
680
681 return 1;
682}
683#endif
684
61138358 685int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 686 size_t chainidx)
25670f3e
MC		 687{
688 /* The extension must always be empty */
689 if (PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 690 SSLfatal(s, SSL_AD_DECODE_ERROR,
691 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
25670f3e
MC		 692 return 0;
693 }
694
695 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
696
697 return 1;
698}
7da160b0 699
38df5a45
MC		 700
701int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 702 X509 *x, size_t chainidx)
38df5a45
MC		 703{
704 if (PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 705 SSLfatal(s, SSL_AD_DECODE_ERROR,
706 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
38df5a45
MC		 707 return 0;
708 }
709
d4504fe5 710 if (s->hello_retry_request) {
f63a17d6
MC		 711 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
712 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
d4504fe5
MC		 713 return 0;
714 }
715
38df5a45
MC		 716 return 1;
717}
718
61138358 719int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 720 size_t chainidx)
1053a6e2
MC		 721{
722 PACKET identities, binders, binder;
723 size_t binderoffset, hashsize;
724 SSL_SESSION *sess = NULL;
3a7c56b2 725 unsigned int id, i, ext = 0;
1053a6e2
MC		 726 const EVP_MD *md = NULL;
727
1a9f457c
MC		 728 /*
729 * If we have no PSK kex mode that we recognise then we can't resume so
730 * ignore this extension
731 */
732 if ((s->ext.psk_kex_mode
733 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
734 return 1;
735
1053a6e2 736 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
f63a17d6
MC		 737 SSLfatal(s, SSL_AD_DECODE_ERROR,
738 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 739 return 0;
740 }
741
742 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
743 PACKET identity;
2c604cb9 744 unsigned long ticket_agel;
1053a6e2
MC		 745
746 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 747 || !PACKET_get_net_4(&identities, &ticket_agel)) {
f63a17d6
MC		 748 SSLfatal(s, SSL_AD_DECODE_ERROR,
749 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 750 return 0;
751 }
752
3a7c56b2 753 if (s->psk_find_session_cb != NULL
011d768a
MC		 754 && !s->psk_find_session_cb(s, PACKET_data(&identity),
755 PACKET_remaining(&identity),
756 &sess)) {
f63a17d6
MC		 757 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
758 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
011d768a
MC		 759 return 0;
760 }
761
762 if (sess != NULL) {
763 /* We found a PSK */
3a7c56b2 764 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1b8bacff 765
3a7c56b2 766 if (sesstmp == NULL) {
f63a17d6
MC		 767 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
768 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 769 return 0;
770 }
771 SSL_SESSION_free(sess);
772 sess = sesstmp;
773
774 /*
775 * We've just been told to use this session for this context so
776 * make sure the sid_ctx matches up.
777 */
778 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
779 sess->sid_ctx_length = s->sid_ctx_length;
780 ext = 1;
630369d9
MC		 781 if (id == 0)
782 s->ext.early_data_ok = 1;
3a7c56b2
MC		 783 } else {
784 uint32_t ticket_age = 0, now, agesec, agems;
785 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
786 PACKET_remaining(&identity), NULL, 0,
787 &sess);
788
789 if (ret == TICKET_FATAL_ERR_MALLOC
790 || ret == TICKET_FATAL_ERR_OTHER) {
f63a17d6
MC		 791 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
792 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 793 return 0;
794 }
795 if (ret == TICKET_NO_DECRYPT)
796 continue;
797
798 ticket_age = (uint32_t)ticket_agel;
799 now = (uint32_t)time(NULL);
800 agesec = now - (uint32_t)sess->time;
801 agems = agesec * (uint32_t)1000;
802 ticket_age -= sess->ext.tick_age_add;
803
804 /*
805 * For simplicity we do our age calculations in seconds. If the
806 * client does it in ms then it could appear that their ticket age
807 * is longer than ours (our ticket age calculation should always be
808 * slightly longer than the client's due to the network latency).
809 * Therefore we add 1000ms to our age calculation to adjust for
810 * rounding errors.
811 */
630369d9
MC		 812 if (id == 0
813 && sess->timeout >= (long)agesec
3a7c56b2
MC		 814 && agems / (uint32_t)1000 == agesec
815 && ticket_age <= agems + 1000
816 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
817 /*
818 * Ticket age is within tolerance and not expired. We allow it
819 * for early data
820 */
821 s->ext.early_data_ok = 1;
822 }
1053a6e2 823 }
1053a6e2 824
534a43ff 825 md = ssl_md(sess->cipher->algorithm2);
0de6d66d
MC		 826 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
827 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 828 SSL_SESSION_free(sess);
829 sess = NULL;
630369d9 830 s->ext.early_data_ok = 0;
1053a6e2
MC		 831 continue;
832 }
1053a6e2
MC		 833 break;
834 }
835
836 if (sess == NULL)
837 return 1;
838
839 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1053a6e2
MC		 840 hashsize = EVP_MD_size(md);
841
842 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
f63a17d6
MC		 843 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
844 SSL_R_BAD_EXTENSION);
1053a6e2
MC		 845 goto err;
846 }
847
848 for (i = 0; i <= id; i++) {
849 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
f63a17d6
MC		 850 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
851 SSL_R_BAD_EXTENSION);
1053a6e2
MC		 852 goto err;
853 }
854 }
855
856 if (PACKET_remaining(&binder) != hashsize
857 || tls_psk_do_binder(s, md,
858 (const unsigned char *)s->init_buf->data,
859 binderoffset, PACKET_data(&binder), NULL,
3a7c56b2 860 sess, 0, ext) != 1) {
635c8f77 861 /* SSLfatal() already called */
1053a6e2
MC		 862 goto err;
863 }
864
865 sess->ext.tick_identity = id;
2c604cb9 866
1053a6e2
MC		 867 SSL_SESSION_free(s->session);
868 s->session = sess;
1053a6e2
MC		 869 return 1;
870err:
312e9387 871 SSL_SESSION_free(sess);
1053a6e2
MC		 872 return 0;
873}
874
1266eefd
MC		 875/*
876 * Add the server's renegotiation binding
877 */
b186a592
MC		 878EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
879 unsigned int context, X509 *x,
f63a17d6 880 size_t chainidx)
7da160b0
MC		 881{
882 if (!s->s3->send_connection_binding)
b186a592 883 return EXT_RETURN_NOT_SENT;
7da160b0 884
db0f35dd 885 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 886 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
887 || !WPACKET_start_sub_packet_u16(pkt)
888 || !WPACKET_start_sub_packet_u8(pkt)
889 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
890 s->s3->previous_client_finished_len)
891 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
892 s->s3->previous_server_finished_len)
893 || !WPACKET_close(pkt)
894 || !WPACKET_close(pkt)) {
f63a17d6
MC		 895 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
896 ERR_R_INTERNAL_ERROR);
b186a592 897 return EXT_RETURN_FAIL;
7da160b0
MC		 898 }
899
b186a592 900 return EXT_RETURN_SENT;
7da160b0
MC		 901}
902
b186a592
MC		 903EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
904 unsigned int context, X509 *x,
f63a17d6 905 size_t chainidx)
7da160b0
MC		 906{
907 if (s->hit || s->servername_done != 1
aff8c126 908 || s->session->ext.hostname == NULL)
b186a592 909 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 910
911 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
912 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 913 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
914 ERR_R_INTERNAL_ERROR);
b186a592 915 return EXT_RETURN_FAIL;
7da160b0
MC		 916 }
917
b186a592 918 return EXT_RETURN_SENT;
7da160b0
MC		 919}
920
cf72c757
F		 921/* Add/include the server's max fragment len extension into ServerHello */
922EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
923 unsigned int context, X509 *x,
f63a17d6 924 size_t chainidx)
cf72c757
F		 925{
926 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
927 return EXT_RETURN_NOT_SENT;
928
929 /*-
930 * 4 bytes for this extension type and extension length
931 * 1 byte for the Max Fragment Length code value.
932 */
933 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
934 || !WPACKET_start_sub_packet_u16(pkt)
935 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
936 || !WPACKET_close(pkt)) {
f63a17d6
MC		 937 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
938 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
cf72c757
F		 939 return EXT_RETURN_FAIL;
940 }
941
942 return EXT_RETURN_SENT;
943}
944
7da160b0 945#ifndef OPENSSL_NO_EC
b186a592
MC		 946EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
947 unsigned int context, X509 *x,
f63a17d6 948 size_t chainidx)
7da160b0
MC		 949{
950 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
951 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
89247375 952 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
aff8c126 953 && (s->session->ext.ecpointformats != NULL);
7da160b0
MC		 954 const unsigned char *plist;
955 size_t plistlen;
956
957 if (!using_ecc)
b186a592 958 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 959
960 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 961 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
962 || !WPACKET_start_sub_packet_u16(pkt)
963 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
964 || !WPACKET_close(pkt)) {
f63a17d6
MC		 965 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
966 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
b186a592 967 return EXT_RETURN_FAIL;
7da160b0
MC		 968 }
969
b186a592 970 return EXT_RETURN_SENT;
7da160b0
MC		 971}
972#endif
973
cf53cbea 974#ifndef OPENSSL_NO_EC
b186a592
MC		 975EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
976 unsigned int context, X509 *x,
f63a17d6 977 size_t chainidx)
6af87546 978{
9e84a42d 979 const uint16_t *groups;
6af87546
MC		 980 size_t numgroups, i, first = 1;
981
982 /* s->s3->group_id is non zero if we accepted a key_share */
983 if (s->s3->group_id == 0)
b186a592 984 return EXT_RETURN_NOT_SENT;
6af87546
MC		 985
986 /* Get our list of supported groups */
ff6d20a6 987 tls1_get_supported_groups(s, &groups, &numgroups);
34e5292c 988 if (numgroups == 0) {
f63a17d6
MC		 989 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
990 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
b186a592 991 return EXT_RETURN_FAIL;
6af87546
MC		 992 }
993
994 /* Copy group ID if supported */
9e84a42d
DSH		 995 for (i = 0; i < numgroups; i++) {
996 uint16_t group = groups[i];
997
998 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
6af87546
MC		 999 if (first) {
1000 /*
1001 * Check if the client is already using our preferred group. If
1002 * so we don't need to add this extension
1003 */
9e84a42d 1004 if (s->s3->group_id == group)
b186a592 1005 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1006
1007 /* Add extension header */
1008 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1009 /* Sub-packet for supported_groups extension */
1010 || !WPACKET_start_sub_packet_u16(pkt)
1011 || !WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 1012 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1013 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1014 ERR_R_INTERNAL_ERROR);
b186a592 1015 return EXT_RETURN_FAIL;
6af87546
MC		 1016 }
1017
1018 first = 0;
1019 }
9e84a42d 1020 if (!WPACKET_put_bytes_u16(pkt, group)) {
f63a17d6
MC		 1021 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1022 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1023 ERR_R_INTERNAL_ERROR);
b186a592 1024 return EXT_RETURN_FAIL;
6af87546
MC		 1025 }
1026 }
1027 }
1028
1029 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
f63a17d6
MC		 1030 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1031 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1032 ERR_R_INTERNAL_ERROR);
b186a592 1033 return EXT_RETURN_FAIL;
6af87546
MC		 1034 }
1035
b186a592 1036 return EXT_RETURN_SENT;
6af87546 1037}
cf53cbea 1038#endif
6af87546 1039
b186a592
MC		 1040EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1041 unsigned int context, X509 *x,
f63a17d6 1042 size_t chainidx)
7da160b0 1043{
aff8c126
RS		 1044 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1045 s->ext.ticket_expected = 0;
b186a592 1046 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1047 }
1048
1049 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1050 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 1051 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1052 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
b186a592 1053 return EXT_RETURN_FAIL;
7da160b0
MC		 1054 }
1055
b186a592 1056 return EXT_RETURN_SENT;
7da160b0
MC		 1057}
1058
ab83e314 1059#ifndef OPENSSL_NO_OCSP
b186a592
MC		 1060EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1061 unsigned int context, X509 *x,
f63a17d6 1062 size_t chainidx)
7da160b0 1063{
aff8c126 1064 if (!s->ext.status_expected)
b186a592 1065 return EXT_RETURN_NOT_SENT;
7da160b0 1066
8521ced6 1067 if (SSL_IS_TLS13(s) && chainidx != 0)
b186a592 1068 return EXT_RETURN_NOT_SENT;
e96e0f8e 1069
7da160b0 1070 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288 1071 || !WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 1072 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1073 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 1074 return EXT_RETURN_FAIL;
f63e4288
MC		 1075 }
1076
1077 /*
1078 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1079 * send back an empty extension, with the certificate status appearing as a
1080 * separate message
1081 */
3ec8d113
MC		 1082 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1083 /* SSLfatal() already called */
1084 return EXT_RETURN_FAIL;
1085 }
1086 if (!WPACKET_close(pkt)) {
f63a17d6
MC		 1087 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1088 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 1089 return EXT_RETURN_FAIL;
7da160b0
MC		 1090 }
1091
b186a592 1092 return EXT_RETURN_SENT;
7da160b0 1093}
ab83e314 1094#endif
7da160b0 1095
7da160b0 1096#ifndef OPENSSL_NO_NEXTPROTONEG
b186a592
MC		 1097EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1098 unsigned int context, X509 *x,
f63a17d6 1099 size_t chainidx)
7da160b0
MC		 1100{
1101 const unsigned char *npa;
1102 unsigned int npalen;
1103 int ret;
aff8c126 1104 int npn_seen = s->s3->npn_seen;
7da160b0 1105
aff8c126
RS		 1106 s->s3->npn_seen = 0;
1107 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
b186a592 1108 return EXT_RETURN_NOT_SENT;
7da160b0 1109
aff8c126
RS		 1110 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1111 s->ctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1112 if (ret == SSL_TLSEXT_ERR_OK) {
1113 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1114 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
f63a17d6
MC		 1115 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1116 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1117 ERR_R_INTERNAL_ERROR);
b186a592 1118 return EXT_RETURN_FAIL;
7da160b0 1119 }
aff8c126 1120 s->s3->npn_seen = 1;
7da160b0
MC		 1121 }
1122
b186a592 1123 return EXT_RETURN_SENT;
7da160b0
MC		 1124}
1125#endif
1126
b186a592 1127EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1128 X509 *x, size_t chainidx)
7da160b0
MC		 1129{
1130 if (s->s3->alpn_selected == NULL)
b186a592 1131 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1132
1133 if (!WPACKET_put_bytes_u16(pkt,
1134 TLSEXT_TYPE_application_layer_protocol_negotiation)
1135 || !WPACKET_start_sub_packet_u16(pkt)
1136 || !WPACKET_start_sub_packet_u16(pkt)
1137 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1138 s->s3->alpn_selected_len)
1139 || !WPACKET_close(pkt)
1140 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1141 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1142 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
b186a592 1143 return EXT_RETURN_FAIL;
7da160b0
MC		 1144 }
1145
b186a592 1146 return EXT_RETURN_SENT;
7da160b0
MC		 1147}
1148
1149#ifndef OPENSSL_NO_SRTP
b186a592
MC		 1150EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1151 unsigned int context, X509 *x,
f63a17d6 1152 size_t chainidx)
7da160b0
MC		 1153{
1154 if (s->srtp_profile == NULL)
b186a592 1155 return EXT_RETURN_NOT_SENT;
a1448c26 1156
7da160b0
MC		 1157 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1158 || !WPACKET_start_sub_packet_u16(pkt)
1159 || !WPACKET_put_bytes_u16(pkt, 2)
1160 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1161 || !WPACKET_put_bytes_u8(pkt, 0)
1162 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1163 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1164 ERR_R_INTERNAL_ERROR);
b186a592 1165 return EXT_RETURN_FAIL;
7da160b0
MC		 1166 }
1167
b186a592 1168 return EXT_RETURN_SENT;
7da160b0
MC		 1169}
1170#endif
1171
b186a592 1172EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1173 X509 *x, size_t chainidx)
7da160b0 1174{
28a31a0a 1175 if (!s->ext.use_etm)
b186a592 1176 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1177
1178 /*
1179 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1180 * for other cases too.
1181 */
1182 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1183 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1184 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1185 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
28a31a0a 1186 s->ext.use_etm = 0;
b186a592 1187 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1188 }
1189
1190 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1191 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 1192 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1193 ERR_R_INTERNAL_ERROR);
b186a592 1194 return EXT_RETURN_FAIL;
7da160b0
MC		 1195 }
1196
b186a592 1197 return EXT_RETURN_SENT;
7da160b0
MC		 1198}
1199
b186a592 1200EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1201 X509 *x, size_t chainidx)
7da160b0
MC		 1202{
1203 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1204 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1205
1206 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1207 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 1208 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1209 ERR_R_INTERNAL_ERROR);
b186a592 1210 return EXT_RETURN_FAIL;
7da160b0
MC		 1211 }
1212
b186a592 1213 return EXT_RETURN_SENT;
7da160b0
MC		 1214}
1215
b186a592
MC		 1216EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1217 unsigned int context, X509 *x,
f63a17d6 1218 size_t chainidx)
7da160b0 1219{
3cf96e88 1220#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1221 unsigned char *encodedPoint;
1222 size_t encoded_pt_len = 0;
1223 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1224
7da160b0 1225 if (ckey == NULL) {
7d061fce
MC		 1226 /* No key_share received from client */
1227 if (s->hello_retry_request) {
7d061fce 1228 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
aff9929b
MC		 1229 || !WPACKET_start_sub_packet_u16(pkt)
1230 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1231 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1232 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1233 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1234 ERR_R_INTERNAL_ERROR);
b186a592 1235 return EXT_RETURN_FAIL;
7d061fce
MC		 1236 }
1237
b186a592 1238 return EXT_RETURN_SENT;
7d061fce
MC		 1239 }
1240
1241 /* Must be resuming. */
0247086d 1242 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
f63a17d6
MC		 1243 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1244 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1245 return EXT_RETURN_FAIL;
0247086d 1246 }
b186a592 1247 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1248 }
1249
1250 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1251 || !WPACKET_start_sub_packet_u16(pkt)
1252 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
f63a17d6
MC		 1253 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1254 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1255 return EXT_RETURN_FAIL;
7da160b0
MC		 1256 }
1257
1258 skey = ssl_generate_pkey(ckey);
1259 if (skey == NULL) {
f63a17d6
MC		 1260 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1261 ERR_R_MALLOC_FAILURE);
b186a592 1262 return EXT_RETURN_FAIL;
7da160b0
MC		 1263 }
1264
1265 /* Generate encoding of server key */
1266 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1267 if (encoded_pt_len == 0) {
f63a17d6
MC		 1268 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1269 ERR_R_EC_LIB);
7da160b0 1270 EVP_PKEY_free(skey);
b186a592 1271 return EXT_RETURN_FAIL;
7da160b0
MC		 1272 }
1273
1274 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1275 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1276 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1277 ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1278 EVP_PKEY_free(skey);
1279 OPENSSL_free(encodedPoint);
b186a592 1280 return EXT_RETURN_FAIL;
7da160b0
MC		 1281 }
1282 OPENSSL_free(encodedPoint);
1283
1284 /* This causes the crypto state to be updated based on the derived keys */
1285 s->s3->tmp.pkey = skey;
1286 if (ssl_derive(s, skey, ckey, 1) == 0) {
f63a17d6 1287 /* SSLfatal() already called */
b186a592 1288 return EXT_RETURN_FAIL;
7da160b0 1289 }
3cf96e88 1290#endif
7da160b0 1291
b186a592 1292 return EXT_RETURN_SENT;
7da160b0
MC		 1293}
1294
b186a592
MC		 1295EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1296 unsigned int context, X509 *x,
f63a17d6 1297 size_t chainidx)
7da160b0
MC		 1298{
1299 const unsigned char cryptopro_ext[36] = {
1300 0xfd, 0xe8, /* 65000 */
1301 0x00, 0x20, /* 32 bytes length */
1302 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1303 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1304 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1305 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1306 };
1307
1308 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1309 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1310 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1311 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1312
1313 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
f63a17d6
MC		 1314 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1315 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
b186a592 1316 return EXT_RETURN_FAIL;
7da160b0
MC		 1317 }
1318
b186a592 1319 return EXT_RETURN_SENT;
7da160b0 1320}
0247086d 1321
b186a592
MC		 1322EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1323 unsigned int context, X509 *x,
f63a17d6 1324 size_t chainidx)
38df5a45 1325{
fe874d27 1326 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1327 if (s->max_early_data == 0)
b186a592 1328 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1329
1330 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1331 || !WPACKET_start_sub_packet_u16(pkt)
1332 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1333 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1334 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1335 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
b186a592 1336 return EXT_RETURN_FAIL;
6594189f
MC		 1337 }
1338
b186a592 1339 return EXT_RETURN_SENT;
6594189f
MC		 1340 }
1341
38df5a45 1342 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1343 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1344
1345 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1346 || !WPACKET_start_sub_packet_u16(pkt)
1347 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1348 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1349 ERR_R_INTERNAL_ERROR);
b186a592 1350 return EXT_RETURN_FAIL;
38df5a45
MC		 1351 }
1352
b186a592 1353 return EXT_RETURN_SENT;
38df5a45
MC		 1354}
1355
b186a592 1356EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1357 X509 *x, size_t chainidx)
0247086d
MC		 1358{
1359 if (!s->hit)
b186a592 1360 return EXT_RETURN_NOT_SENT;
0247086d
MC		 1361
1362 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1363 || !WPACKET_start_sub_packet_u16(pkt)
1364 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1365 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1366 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1367 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
b186a592 1368 return EXT_RETURN_FAIL;
0247086d
MC		 1369 }
1370
b186a592 1371 return EXT_RETURN_SENT;
0247086d 1372}
A mirror of the official openssl repository