]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SSL object refactoring using SSL_CONNECTION object
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
1 /*
2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
14
15 #define COOKIE_STATE_FORMAT_VERSION 0
16
17 /*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
23 */
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27 /*
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
33 */
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
37
38 /*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
41 int tls_parse_ctos_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
42 unsigned int context,
43 X509 *x, size_t chainidx)
44 {
45 unsigned int ilen;
46 const unsigned char *data;
47
48 /* Parse the length byte */
49 if (!PACKET_get_1(pkt, &ilen)
50 || !PACKET_get_bytes(pkt, &data, ilen)) {
51 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
52 return 0;
53 }
54
55 /* Check that the extension matches */
56 if (ilen != s->s3.previous_client_finished_len) {
57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
58 return 0;
59 }
60
61 if (memcmp(data, s->s3.previous_client_finished,
62 s->s3.previous_client_finished_len)) {
63 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
64 return 0;
65 }
66
67 s->s3.send_connection_binding = 1;
68
69 return 1;
70 }
71
72 /*-
73 * The servername extension is treated as follows:
74 *
75 * - Only the hostname type is supported with a maximum length of 255.
76 * - The servername is rejected if too long or if it contains zeros,
77 * in which case an fatal alert is generated.
78 * - The servername field is maintained together with the session cache.
79 * - When a session is resumed, the servername call back invoked in order
80 * to allow the application to position itself to the right context.
81 * - The servername is acknowledged if it is new for a session or when
82 * it is identical to a previously used for the same session.
83 * Applications can control the behaviour. They can at any time
84 * set a 'desirable' servername for a new SSL object. This can be the
85 * case for example with HTTPS when a Host: header field is received and
86 * a renegotiation is requested. In this case, a possible servername
87 * presented in the new client hello is only acknowledged if it matches
88 * the value of the Host: field.
89 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
90 * if they provide for changing an explicit servername context for the
91 * session, i.e. when the session has been established with a servername
92 * extension.
93 * - On session reconnect, the servername extension may be absent.
94 */
95 int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt,
96 unsigned int context, X509 *x, size_t chainidx)
97 {
98 unsigned int servname_type;
99 PACKET sni, hostname;
100
101 if (!PACKET_as_length_prefixed_2(pkt, &sni)
102 /* ServerNameList must be at least 1 byte long. */
103 || PACKET_remaining(&sni) == 0) {
104 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
105 return 0;
106 }
107
108 /*
109 * Although the intent was for server_name to be extensible, RFC 4366
110 * was not clear about it; and so OpenSSL among other implementations,
111 * always and only allows a 'host_name' name types.
112 * RFC 6066 corrected the mistake but adding new name types
113 * is nevertheless no longer feasible, so act as if no other
114 * SNI types can exist, to simplify parsing.
115 *
116 * Also note that the RFC permits only one SNI value per type,
117 * i.e., we can only have a single hostname.
118 */
119 if (!PACKET_get_1(&sni, &servname_type)
120 || servname_type != TLSEXT_NAMETYPE_host_name
121 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
122 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
123 return 0;
124 }
125
126 /*
127 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
128 * we always use the SNI value from the handshake.
129 */
130 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
131 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
132 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
133 return 0;
134 }
135
136 if (PACKET_contains_zero_byte(&hostname)) {
137 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
138 return 0;
139 }
140
141 /*
142 * Store the requested SNI in the SSL as temporary storage.
143 * If we accept it, it will get stored in the SSL_SESSION as well.
144 */
145 OPENSSL_free(s->ext.hostname);
146 s->ext.hostname = NULL;
147 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
149 return 0;
150 }
151
152 s->servername_done = 1;
153 } else {
154 /*
155 * In TLSv1.2 and below we should check if the SNI is consistent between
156 * the initial handshake and the resumption. In TLSv1.3 SNI is not
157 * associated with the session.
158 */
159 s->servername_done = (s->session->ext.hostname != NULL)
160 && PACKET_equal(&hostname, s->session->ext.hostname,
161 strlen(s->session->ext.hostname));
162 }
163
164 return 1;
165 }
166
167 int tls_parse_ctos_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
168 unsigned int context,
169 X509 *x, size_t chainidx)
170 {
171 unsigned int value;
172
173 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
174 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
175 return 0;
176 }
177
178 /* Received |value| should be a valid max-fragment-length code. */
179 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
180 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
181 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
182 return 0;
183 }
184
185 /*
186 * RFC 6066: The negotiated length applies for the duration of the session
187 * including session resumptions.
188 * We should receive the same code as in resumed session !
189 */
190 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
191 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
192 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
193 return 0;
194 }
195
196 /*
197 * Store it in session, so it'll become binding for us
198 * and we'll include it in a next Server Hello.
199 */
200 s->session->ext.max_fragment_len_mode = value;
201 return 1;
202 }
203
204 #ifndef OPENSSL_NO_SRP
205 int tls_parse_ctos_srp(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
206 X509 *x, size_t chainidx)
207 {
208 PACKET srp_I;
209
210 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
211 || PACKET_contains_zero_byte(&srp_I)) {
212 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
213 return 0;
214 }
215
216 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
218 return 0;
219 }
220
221 return 1;
222 }
223 #endif
224
225 int tls_parse_ctos_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
226 unsigned int context,
227 X509 *x, size_t chainidx)
228 {
229 PACKET ec_point_format_list;
230
231 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
232 || PACKET_remaining(&ec_point_format_list) == 0) {
233 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
234 return 0;
235 }
236
237 if (!s->hit) {
238 if (!PACKET_memdup(&ec_point_format_list,
239 &s->ext.peer_ecpointformats,
240 &s->ext.peer_ecpointformats_len)) {
241 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
242 return 0;
243 }
244 }
245
246 return 1;
247 }
248
249 int tls_parse_ctos_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
250 unsigned int context,
251 X509 *x, size_t chainidx)
252 {
253 if (s->ext.session_ticket_cb &&
254 !s->ext.session_ticket_cb(SSL_CONNECTION_GET_SSL(s),
255 PACKET_data(pkt), PACKET_remaining(pkt),
256 s->ext.session_ticket_cb_arg)) {
257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
258 return 0;
259 }
260
261 return 1;
262 }
263
264 int tls_parse_ctos_sig_algs_cert(SSL_CONNECTION *s, PACKET *pkt,
265 ossl_unused unsigned int context,
266 ossl_unused X509 *x,
267 ossl_unused size_t chainidx)
268 {
269 PACKET supported_sig_algs;
270
271 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
272 || PACKET_remaining(&supported_sig_algs) == 0) {
273 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
274 return 0;
275 }
276
277 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
278 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
279 return 0;
280 }
281
282 return 1;
283 }
284
285 int tls_parse_ctos_sig_algs(SSL_CONNECTION *s, PACKET *pkt,
286 unsigned int context, X509 *x, size_t chainidx)
287 {
288 PACKET supported_sig_algs;
289
290 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
291 || PACKET_remaining(&supported_sig_algs) == 0) {
292 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
293 return 0;
294 }
295
296 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
297 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
298 return 0;
299 }
300
301 return 1;
302 }
303
304 #ifndef OPENSSL_NO_OCSP
305 int tls_parse_ctos_status_request(SSL_CONNECTION *s, PACKET *pkt,
306 unsigned int context,
307 X509 *x, size_t chainidx)
308 {
309 PACKET responder_id_list, exts;
310
311 /* We ignore this in a resumption handshake */
312 if (s->hit)
313 return 1;
314
315 /* Not defined if we get one of these in a client Certificate */
316 if (x != NULL)
317 return 1;
318
319 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
320 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
321 return 0;
322 }
323
324 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
325 /*
326 * We don't know what to do with any other type so ignore it.
327 */
328 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
329 return 1;
330 }
331
332 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
333 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
334 return 0;
335 }
336
337 /*
338 * We remove any OCSP_RESPIDs from a previous handshake
339 * to prevent unbounded memory growth - CVE-2016-6304
340 */
341 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
342 if (PACKET_remaining(&responder_id_list) > 0) {
343 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
344 if (s->ext.ocsp.ids == NULL) {
345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
346 return 0;
347 }
348 } else {
349 s->ext.ocsp.ids = NULL;
350 }
351
352 while (PACKET_remaining(&responder_id_list) > 0) {
353 OCSP_RESPID *id;
354 PACKET responder_id;
355 const unsigned char *id_data;
356
357 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
358 || PACKET_remaining(&responder_id) == 0) {
359 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
360 return 0;
361 }
362
363 id_data = PACKET_data(&responder_id);
364 id = d2i_OCSP_RESPID(NULL, &id_data,
365 (int)PACKET_remaining(&responder_id));
366 if (id == NULL) {
367 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
368 return 0;
369 }
370
371 if (id_data != PACKET_end(&responder_id)) {
372 OCSP_RESPID_free(id);
373 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
374
375 return 0;
376 }
377
378 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
379 OCSP_RESPID_free(id);
380 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
381
382 return 0;
383 }
384 }
385
386 /* Read in request_extensions */
387 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
388 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
389 return 0;
390 }
391
392 if (PACKET_remaining(&exts) > 0) {
393 const unsigned char *ext_data = PACKET_data(&exts);
394
395 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
396 X509_EXTENSION_free);
397 s->ext.ocsp.exts =
398 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
399 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
400 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
401 return 0;
402 }
403 }
404
405 return 1;
406 }
407 #endif
408
409 #ifndef OPENSSL_NO_NEXTPROTONEG
410 int tls_parse_ctos_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
411 X509 *x, size_t chainidx)
412 {
413 /*
414 * We shouldn't accept this extension on a
415 * renegotiation.
416 */
417 if (SSL_IS_FIRST_HANDSHAKE(s))
418 s->s3.npn_seen = 1;
419
420 return 1;
421 }
422 #endif
423
424 /*
425 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
426 * extension, not including type and length. Returns: 1 on success, 0 on error.
427 */
428 int tls_parse_ctos_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
429 X509 *x, size_t chainidx)
430 {
431 PACKET protocol_list, save_protocol_list, protocol;
432
433 if (!SSL_IS_FIRST_HANDSHAKE(s))
434 return 1;
435
436 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
437 || PACKET_remaining(&protocol_list) < 2) {
438 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
439 return 0;
440 }
441
442 save_protocol_list = protocol_list;
443 do {
444 /* Protocol names can't be empty. */
445 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
446 || PACKET_remaining(&protocol) == 0) {
447 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
448 return 0;
449 }
450 } while (PACKET_remaining(&protocol_list) != 0);
451
452 OPENSSL_free(s->s3.alpn_proposed);
453 s->s3.alpn_proposed = NULL;
454 s->s3.alpn_proposed_len = 0;
455 if (!PACKET_memdup(&save_protocol_list,
456 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
458 return 0;
459 }
460
461 return 1;
462 }
463
464 #ifndef OPENSSL_NO_SRTP
465 int tls_parse_ctos_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
466 unsigned int context, X509 *x, size_t chainidx)
467 {
468 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
469 unsigned int ct, mki_len, id;
470 int i, srtp_pref;
471 PACKET subpkt;
472 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
473
474 /* Ignore this if we have no SRTP profiles */
475 if (SSL_get_srtp_profiles(ssl) == NULL)
476 return 1;
477
478 /* Pull off the length of the cipher suite list and check it is even */
479 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
480 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
481 SSLfatal(s, SSL_AD_DECODE_ERROR,
482 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
483 return 0;
484 }
485
486 srvr = SSL_get_srtp_profiles(ssl);
487 s->srtp_profile = NULL;
488 /* Search all profiles for a match initially */
489 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
490
491 while (PACKET_remaining(&subpkt)) {
492 if (!PACKET_get_net_2(&subpkt, &id)) {
493 SSLfatal(s, SSL_AD_DECODE_ERROR,
494 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
495 return 0;
496 }
497
498 /*
499 * Only look for match in profiles of higher preference than
500 * current match.
501 * If no profiles have been have been configured then this
502 * does nothing.
503 */
504 for (i = 0; i < srtp_pref; i++) {
505 SRTP_PROTECTION_PROFILE *sprof =
506 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
507
508 if (sprof->id == id) {
509 s->srtp_profile = sprof;
510 srtp_pref = i;
511 break;
512 }
513 }
514 }
515
516 /* Now extract the MKI value as a sanity check, but discard it for now */
517 if (!PACKET_get_1(pkt, &mki_len)) {
518 SSLfatal(s, SSL_AD_DECODE_ERROR,
519 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
520 return 0;
521 }
522
523 if (!PACKET_forward(pkt, mki_len)
524 || PACKET_remaining(pkt)) {
525 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
526 return 0;
527 }
528
529 return 1;
530 }
531 #endif
532
533 int tls_parse_ctos_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
534 X509 *x, size_t chainidx)
535 {
536 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
537 s->ext.use_etm = 1;
538
539 return 1;
540 }
541
542 /*
543 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
544 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
545 */
546 int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
547 unsigned int context,
548 X509 *x, size_t chainidx)
549 {
550 #ifndef OPENSSL_NO_TLS1_3
551 PACKET psk_kex_modes;
552 unsigned int mode;
553
554 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
555 || PACKET_remaining(&psk_kex_modes) == 0) {
556 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
557 return 0;
558 }
559
560 while (PACKET_get_1(&psk_kex_modes, &mode)) {
561 if (mode == TLSEXT_KEX_MODE_KE_DHE)
562 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
563 else if (mode == TLSEXT_KEX_MODE_KE
564 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
565 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
566 }
567 #endif
568
569 return 1;
570 }
571
572 /*
573 * Process a key_share extension received in the ClientHello. |pkt| contains
574 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
575 */
576 int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
577 unsigned int context, X509 *x, size_t chainidx)
578 {
579 #ifndef OPENSSL_NO_TLS1_3
580 unsigned int group_id;
581 PACKET key_share_list, encoded_pt;
582 const uint16_t *clntgroups, *srvrgroups;
583 size_t clnt_num_groups, srvr_num_groups;
584 int found = 0;
585
586 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
587 return 1;
588
589 /* Sanity check */
590 if (s->s3.peer_tmp != NULL) {
591 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
592 return 0;
593 }
594
595 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
596 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
597 return 0;
598 }
599
600 /* Get our list of supported groups */
601 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
602 /* Get the clients list of supported groups. */
603 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
604 if (clnt_num_groups == 0) {
605 /*
606 * This can only happen if the supported_groups extension was not sent,
607 * because we verify that the length is non-zero when we process that
608 * extension.
609 */
610 SSLfatal(s, SSL_AD_MISSING_EXTENSION,
611 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
612 return 0;
613 }
614
615 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
616 /*
617 * If we set a group_id already, then we must have sent an HRR
618 * requesting a new key_share. If we haven't got one then that is an
619 * error
620 */
621 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
622 return 0;
623 }
624
625 while (PACKET_remaining(&key_share_list) > 0) {
626 if (!PACKET_get_net_2(&key_share_list, &group_id)
627 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
628 || PACKET_remaining(&encoded_pt) == 0) {
629 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
630 return 0;
631 }
632
633 /*
634 * If we already found a suitable key_share we loop through the
635 * rest to verify the structure, but don't process them.
636 */
637 if (found)
638 continue;
639
640 /*
641 * If we sent an HRR then the key_share sent back MUST be for the group
642 * we requested, and must be the only key_share sent.
643 */
644 if (s->s3.group_id != 0
645 && (ssl_group_id_tls13_to_internal(group_id) != s->s3.group_id
646 || PACKET_remaining(&key_share_list) != 0)) {
647 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
648 return 0;
649 }
650
651 /* Check if this share is in supported_groups sent from client */
652 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
653 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
654 return 0;
655 }
656
657 /* Check if this share is for a group we can use */
658 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
659 /* Share not suitable */
660 continue;
661 }
662
663 s->s3.group_id = group_id;
664 /* Cache the selected group ID in the SSL_SESSION */
665 s->session->kex_group = group_id;
666
667 group_id = ssl_group_id_tls13_to_internal(group_id);
668
669 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
670 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
671 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
672 return 0;
673 }
674
675 if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
676 PACKET_data(&encoded_pt),
677 PACKET_remaining(&encoded_pt)) <= 0) {
678 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
679 return 0;
680 }
681
682 found = 1;
683 }
684 #endif
685
686 return 1;
687 }
688
689 int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
690 X509 *x, size_t chainidx)
691 {
692 #ifndef OPENSSL_NO_TLS1_3
693 unsigned int format, version, key_share, group_id;
694 EVP_MD_CTX *hctx;
695 EVP_PKEY *pkey;
696 PACKET cookie, raw, chhash, appcookie;
697 WPACKET hrrpkt;
698 const unsigned char *data, *mdin, *ciphdata;
699 unsigned char hmac[SHA256_DIGEST_LENGTH];
700 unsigned char hrr[MAX_HRR_SIZE];
701 size_t rawlen, hmaclen, hrrlen, ciphlen;
702 unsigned long tm, now;
703 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
704 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
705
706 /* Ignore any cookie if we're not set up to verify it */
707 if (sctx->verify_stateless_cookie_cb == NULL
708 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
709 return 1;
710
711 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
712 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
713 return 0;
714 }
715
716 raw = cookie;
717 data = PACKET_data(&raw);
718 rawlen = PACKET_remaining(&raw);
719 if (rawlen < SHA256_DIGEST_LENGTH
720 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
721 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
722 return 0;
723 }
724 mdin = PACKET_data(&raw);
725
726 /* Verify the HMAC of the cookie */
727 hctx = EVP_MD_CTX_create();
728 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
729 sctx->propq,
730 s->session_ctx->ext.cookie_hmac_key,
731 sizeof(s->session_ctx->ext.cookie_hmac_key));
732 if (hctx == NULL || pkey == NULL) {
733 EVP_MD_CTX_free(hctx);
734 EVP_PKEY_free(pkey);
735 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
736 return 0;
737 }
738
739 hmaclen = SHA256_DIGEST_LENGTH;
740 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
741 sctx->propq, pkey, NULL) <= 0
742 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
743 rawlen - SHA256_DIGEST_LENGTH) <= 0
744 || hmaclen != SHA256_DIGEST_LENGTH) {
745 EVP_MD_CTX_free(hctx);
746 EVP_PKEY_free(pkey);
747 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
748 return 0;
749 }
750
751 EVP_MD_CTX_free(hctx);
752 EVP_PKEY_free(pkey);
753
754 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
755 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
756 return 0;
757 }
758
759 if (!PACKET_get_net_2(&cookie, &format)) {
760 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
761 return 0;
762 }
763 /* Check the cookie format is something we recognise. Ignore it if not */
764 if (format != COOKIE_STATE_FORMAT_VERSION)
765 return 1;
766
767 /*
768 * The rest of these checks really shouldn't fail since we have verified the
769 * HMAC above.
770 */
771
772 /* Check the version number is sane */
773 if (!PACKET_get_net_2(&cookie, &version)) {
774 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
775 return 0;
776 }
777 if (version != TLS1_3_VERSION) {
778 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
779 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
780 return 0;
781 }
782
783 if (!PACKET_get_net_2(&cookie, &group_id)) {
784 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
785 return 0;
786 }
787
788 ciphdata = PACKET_data(&cookie);
789 if (!PACKET_forward(&cookie, 2)) {
790 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
791 return 0;
792 }
793 if (group_id != s->s3.group_id
794 || s->s3.tmp.new_cipher
795 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
796 /*
797 * We chose a different cipher or group id this time around to what is
798 * in the cookie. Something must have changed.
799 */
800 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
801 return 0;
802 }
803
804 if (!PACKET_get_1(&cookie, &key_share)
805 || !PACKET_get_net_4(&cookie, &tm)
806 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
807 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
808 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
809 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
810 return 0;
811 }
812
813 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
814 now = (unsigned long)time(NULL);
815 if (tm > now || (now - tm) > 600) {
816 /* Cookie is stale. Ignore it */
817 return 1;
818 }
819
820 /* Verify the app cookie */
821 if (sctx->verify_stateless_cookie_cb(ssl,
822 PACKET_data(&appcookie),
823 PACKET_remaining(&appcookie)) == 0) {
824 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
825 return 0;
826 }
827
828 /*
829 * Reconstruct the HRR that we would have sent in response to the original
830 * ClientHello so we can add it to the transcript hash.
831 * Note: This won't work with custom HRR extensions
832 */
833 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
834 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
835 return 0;
836 }
837 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
838 || !WPACKET_start_sub_packet_u24(&hrrpkt)
839 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
840 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
841 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
842 s->tmp_session_id_len)
843 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
844 &ciphlen)
845 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
846 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
847 WPACKET_cleanup(&hrrpkt);
848 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
849 return 0;
850 }
851 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
852 || !WPACKET_start_sub_packet_u16(&hrrpkt)
853 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
854 || !WPACKET_close(&hrrpkt)) {
855 WPACKET_cleanup(&hrrpkt);
856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
857 return 0;
858 }
859 if (key_share) {
860 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
861 || !WPACKET_start_sub_packet_u16(&hrrpkt)
862 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
863 || !WPACKET_close(&hrrpkt)) {
864 WPACKET_cleanup(&hrrpkt);
865 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
866 return 0;
867 }
868 }
869 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
870 || !WPACKET_start_sub_packet_u16(&hrrpkt)
871 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
872 || !WPACKET_close(&hrrpkt) /* cookie extension */
873 || !WPACKET_close(&hrrpkt) /* extension block */
874 || !WPACKET_close(&hrrpkt) /* message */
875 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
876 || !WPACKET_finish(&hrrpkt)) {
877 WPACKET_cleanup(&hrrpkt);
878 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
879 return 0;
880 }
881
882 /* Reconstruct the transcript hash */
883 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
884 PACKET_remaining(&chhash), hrr,
885 hrrlen)) {
886 /* SSLfatal() already called */
887 return 0;
888 }
889
890 /* Act as if this ClientHello came after a HelloRetryRequest */
891 s->hello_retry_request = 1;
892
893 s->ext.cookieok = 1;
894 #endif
895
896 return 1;
897 }
898
899 int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt,
900 unsigned int context,
901 X509 *x, size_t chainidx)
902 {
903 PACKET supported_groups_list;
904
905 /* Each group is 2 bytes and we must have at least 1. */
906 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
907 || PACKET_remaining(&supported_groups_list) == 0
908 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
909 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
910 return 0;
911 }
912
913 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
914 OPENSSL_free(s->ext.peer_supportedgroups);
915 s->ext.peer_supportedgroups = NULL;
916 s->ext.peer_supportedgroups_len = 0;
917 if (!tls1_save_u16(&supported_groups_list,
918 &s->ext.peer_supportedgroups,
919 &s->ext.peer_supportedgroups_len)) {
920 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
921 return 0;
922 }
923 }
924
925 return 1;
926 }
927
928 int tls_parse_ctos_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
929 X509 *x, size_t chainidx)
930 {
931 /* The extension must always be empty */
932 if (PACKET_remaining(pkt) != 0) {
933 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
934 return 0;
935 }
936
937 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
938 return 1;
939
940 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
941
942 return 1;
943 }
944
945
946 int tls_parse_ctos_early_data(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
947 X509 *x, size_t chainidx)
948 {
949 if (PACKET_remaining(pkt) != 0) {
950 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
951 return 0;
952 }
953
954 if (s->hello_retry_request != SSL_HRR_NONE) {
955 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
956 return 0;
957 }
958
959 return 1;
960 }
961
962 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL_CONNECTION *s, PACKET *tick,
963 SSL_SESSION **sess)
964 {
965 SSL_SESSION *tmpsess = NULL;
966
967 s->ext.ticket_expected = 1;
968
969 switch (PACKET_remaining(tick)) {
970 case 0:
971 return SSL_TICKET_EMPTY;
972
973 case SSL_MAX_SSL_SESSION_ID_LENGTH:
974 break;
975
976 default:
977 return SSL_TICKET_NO_DECRYPT;
978 }
979
980 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
981 SSL_MAX_SSL_SESSION_ID_LENGTH);
982
983 if (tmpsess == NULL)
984 return SSL_TICKET_NO_DECRYPT;
985
986 *sess = tmpsess;
987 return SSL_TICKET_SUCCESS;
988 }
989
990 int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
991 X509 *x, size_t chainidx)
992 {
993 PACKET identities, binders, binder;
994 size_t binderoffset, hashsize;
995 SSL_SESSION *sess = NULL;
996 unsigned int id, i, ext = 0;
997 const EVP_MD *md = NULL;
998 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
999 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1000
1001 /*
1002 * If we have no PSK kex mode that we recognise then we can't resume so
1003 * ignore this extension
1004 */
1005 if ((s->ext.psk_kex_mode
1006 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1007 return 1;
1008
1009 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1010 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1011 return 0;
1012 }
1013
1014 s->ext.ticket_expected = 0;
1015 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1016 PACKET identity;
1017 unsigned long ticket_agel;
1018 size_t idlen;
1019
1020 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1021 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1022 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1023 return 0;
1024 }
1025
1026 idlen = PACKET_remaining(&identity);
1027 if (s->psk_find_session_cb != NULL
1028 && !s->psk_find_session_cb(ssl, PACKET_data(&identity), idlen,
1029 &sess)) {
1030 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
1031 return 0;
1032 }
1033
1034 #ifndef OPENSSL_NO_PSK
1035 if (sess == NULL
1036 && s->psk_server_callback != NULL
1037 && idlen <= PSK_MAX_IDENTITY_LEN) {
1038 char *pskid = NULL;
1039 unsigned char pskdata[PSK_MAX_PSK_LEN];
1040 unsigned int pskdatalen;
1041
1042 if (!PACKET_strndup(&identity, &pskid)) {
1043 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1044 return 0;
1045 }
1046 pskdatalen = s->psk_server_callback(ssl, pskid, pskdata,
1047 sizeof(pskdata));
1048 OPENSSL_free(pskid);
1049 if (pskdatalen > PSK_MAX_PSK_LEN) {
1050 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1051 return 0;
1052 } else if (pskdatalen > 0) {
1053 const SSL_CIPHER *cipher;
1054 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1055
1056 /*
1057 * We found a PSK using an old style callback. We don't know
1058 * the digest so we default to SHA256 as per the TLSv1.3 spec
1059 */
1060 cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
1061 if (cipher == NULL) {
1062 OPENSSL_cleanse(pskdata, pskdatalen);
1063 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1064 return 0;
1065 }
1066
1067 sess = SSL_SESSION_new();
1068 if (sess == NULL
1069 || !SSL_SESSION_set1_master_key(sess, pskdata,
1070 pskdatalen)
1071 || !SSL_SESSION_set_cipher(sess, cipher)
1072 || !SSL_SESSION_set_protocol_version(sess,
1073 TLS1_3_VERSION)) {
1074 OPENSSL_cleanse(pskdata, pskdatalen);
1075 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1076 goto err;
1077 }
1078 OPENSSL_cleanse(pskdata, pskdatalen);
1079 }
1080 }
1081 #endif /* OPENSSL_NO_PSK */
1082
1083 if (sess != NULL) {
1084 /* We found a PSK */
1085 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1086
1087 if (sesstmp == NULL) {
1088 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1089 return 0;
1090 }
1091 SSL_SESSION_free(sess);
1092 sess = sesstmp;
1093
1094 /*
1095 * We've just been told to use this session for this context so
1096 * make sure the sid_ctx matches up.
1097 */
1098 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1099 sess->sid_ctx_length = s->sid_ctx_length;
1100 ext = 1;
1101 if (id == 0)
1102 s->ext.early_data_ok = 1;
1103 s->ext.ticket_expected = 1;
1104 } else {
1105 uint32_t ticket_age = 0, now, agesec, agems;
1106 int ret;
1107
1108 /*
1109 * If we are using anti-replay protection then we behave as if
1110 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1111 * is no point in using full stateless tickets.
1112 */
1113 if ((s->options & SSL_OP_NO_TICKET) != 0
1114 || (s->max_early_data > 0
1115 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1116 ret = tls_get_stateful_ticket(s, &identity, &sess);
1117 else
1118 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1119 PACKET_remaining(&identity), NULL, 0,
1120 &sess);
1121
1122 if (ret == SSL_TICKET_EMPTY) {
1123 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1124 return 0;
1125 }
1126
1127 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1128 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1129 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1130 return 0;
1131 }
1132 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1133 continue;
1134
1135 /* Check for replay */
1136 if (s->max_early_data > 0
1137 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1138 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1139 SSL_SESSION_free(sess);
1140 sess = NULL;
1141 continue;
1142 }
1143
1144 ticket_age = (uint32_t)ticket_agel;
1145 now = (uint32_t)time(NULL);
1146 agesec = now - (uint32_t)sess->time;
1147 agems = agesec * (uint32_t)1000;
1148 ticket_age -= sess->ext.tick_age_add;
1149
1150 /*
1151 * For simplicity we do our age calculations in seconds. If the
1152 * client does it in ms then it could appear that their ticket age
1153 * is longer than ours (our ticket age calculation should always be
1154 * slightly longer than the client's due to the network latency).
1155 * Therefore we add 1000ms to our age calculation to adjust for
1156 * rounding errors.
1157 */
1158 if (id == 0
1159 && sess->timeout >= (long)agesec
1160 && agems / (uint32_t)1000 == agesec
1161 && ticket_age <= agems + 1000
1162 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1163 /*
1164 * Ticket age is within tolerance and not expired. We allow it
1165 * for early data
1166 */
1167 s->ext.early_data_ok = 1;
1168 }
1169 }
1170
1171 md = ssl_md(sctx, sess->cipher->algorithm2);
1172 if (md == NULL) {
1173 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1174 goto err;
1175 }
1176 if (!EVP_MD_is_a(md,
1177 EVP_MD_get0_name(ssl_md(sctx,
1178 s->s3.tmp.new_cipher->algorithm2)))) {
1179 /* The ciphersuite is not compatible with this session. */
1180 SSL_SESSION_free(sess);
1181 sess = NULL;
1182 s->ext.early_data_ok = 0;
1183 s->ext.ticket_expected = 0;
1184 continue;
1185 }
1186 break;
1187 }
1188
1189 if (sess == NULL)
1190 return 1;
1191
1192 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1193 hashsize = EVP_MD_get_size(md);
1194
1195 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1196 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1197 goto err;
1198 }
1199
1200 for (i = 0; i <= id; i++) {
1201 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1202 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1203 goto err;
1204 }
1205 }
1206
1207 if (PACKET_remaining(&binder) != hashsize) {
1208 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1209 goto err;
1210 }
1211 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1212 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1213 ext) != 1) {
1214 /* SSLfatal() already called */
1215 goto err;
1216 }
1217
1218 s->ext.tick_identity = id;
1219
1220 SSL_SESSION_free(s->session);
1221 s->session = sess;
1222 return 1;
1223 err:
1224 SSL_SESSION_free(sess);
1225 return 0;
1226 }
1227
1228 int tls_parse_ctos_post_handshake_auth(SSL_CONNECTION *s, PACKET *pkt,
1229 ossl_unused unsigned int context,
1230 ossl_unused X509 *x,
1231 ossl_unused size_t chainidx)
1232 {
1233 if (PACKET_remaining(pkt) != 0) {
1234 SSLfatal(s, SSL_AD_DECODE_ERROR,
1235 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1236 return 0;
1237 }
1238
1239 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1240
1241 return 1;
1242 }
1243
1244 /*
1245 * Add the server's renegotiation binding
1246 */
1247 EXT_RETURN tls_construct_stoc_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
1248 unsigned int context, X509 *x,
1249 size_t chainidx)
1250 {
1251 if (!s->s3.send_connection_binding)
1252 return EXT_RETURN_NOT_SENT;
1253
1254 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1255 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1256 || !WPACKET_start_sub_packet_u16(pkt)
1257 || !WPACKET_start_sub_packet_u8(pkt)
1258 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1259 s->s3.previous_client_finished_len)
1260 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1261 s->s3.previous_server_finished_len)
1262 || !WPACKET_close(pkt)
1263 || !WPACKET_close(pkt)) {
1264 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1265 return EXT_RETURN_FAIL;
1266 }
1267
1268 return EXT_RETURN_SENT;
1269 }
1270
1271 EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt,
1272 unsigned int context, X509 *x,
1273 size_t chainidx)
1274 {
1275 if (s->servername_done != 1)
1276 return EXT_RETURN_NOT_SENT;
1277
1278 /*
1279 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1280 * We just use the servername from the initial handshake.
1281 */
1282 if (s->hit && !SSL_CONNECTION_IS_TLS13(s))
1283 return EXT_RETURN_NOT_SENT;
1284
1285 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1286 || !WPACKET_put_bytes_u16(pkt, 0)) {
1287 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1288 return EXT_RETURN_FAIL;
1289 }
1290
1291 return EXT_RETURN_SENT;
1292 }
1293
1294 /* Add/include the server's max fragment len extension into ServerHello */
1295 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
1296 unsigned int context, X509 *x,
1297 size_t chainidx)
1298 {
1299 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1300 return EXT_RETURN_NOT_SENT;
1301
1302 /*-
1303 * 4 bytes for this extension type and extension length
1304 * 1 byte for the Max Fragment Length code value.
1305 */
1306 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1307 || !WPACKET_start_sub_packet_u16(pkt)
1308 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1309 || !WPACKET_close(pkt)) {
1310 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1311 return EXT_RETURN_FAIL;
1312 }
1313
1314 return EXT_RETURN_SENT;
1315 }
1316
1317 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
1318 unsigned int context, X509 *x,
1319 size_t chainidx)
1320 {
1321 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1322 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1323 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1324 && (s->ext.peer_ecpointformats != NULL);
1325 const unsigned char *plist;
1326 size_t plistlen;
1327
1328 if (!using_ecc)
1329 return EXT_RETURN_NOT_SENT;
1330
1331 tls1_get_formatlist(s, &plist, &plistlen);
1332 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1333 || !WPACKET_start_sub_packet_u16(pkt)
1334 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1335 || !WPACKET_close(pkt)) {
1336 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1337 return EXT_RETURN_FAIL;
1338 }
1339
1340 return EXT_RETURN_SENT;
1341 }
1342
1343 EXT_RETURN tls_construct_stoc_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
1344 unsigned int context, X509 *x,
1345 size_t chainidx)
1346 {
1347 const uint16_t *groups;
1348 size_t numgroups, i, first = 1;
1349 int version;
1350
1351 /* s->s3.group_id is non zero if we accepted a key_share */
1352 if (s->s3.group_id == 0)
1353 return EXT_RETURN_NOT_SENT;
1354
1355 /* Get our list of supported groups */
1356 tls1_get_supported_groups(s, &groups, &numgroups);
1357 if (numgroups == 0) {
1358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1359 return EXT_RETURN_FAIL;
1360 }
1361
1362 /* Copy group ID if supported */
1363 version = SSL_version(SSL_CONNECTION_GET_SSL(s));
1364 for (i = 0; i < numgroups; i++) {
1365 uint16_t group = groups[i];
1366
1367 if (tls_valid_group(s, group, version, version, 0, NULL)
1368 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1369 if (first) {
1370 /*
1371 * Check if the client is already using our preferred group. If
1372 * so we don't need to add this extension
1373 */
1374 if (s->s3.group_id == group)
1375 return EXT_RETURN_NOT_SENT;
1376
1377 /* Add extension header */
1378 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1379 /* Sub-packet for supported_groups extension */
1380 || !WPACKET_start_sub_packet_u16(pkt)
1381 || !WPACKET_start_sub_packet_u16(pkt)) {
1382 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1383 return EXT_RETURN_FAIL;
1384 }
1385
1386 first = 0;
1387 }
1388 if (!WPACKET_put_bytes_u16(pkt, group)) {
1389 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1390 return EXT_RETURN_FAIL;
1391 }
1392 }
1393 }
1394
1395 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1397 return EXT_RETURN_FAIL;
1398 }
1399
1400 return EXT_RETURN_SENT;
1401 }
1402
1403 EXT_RETURN tls_construct_stoc_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
1404 unsigned int context, X509 *x,
1405 size_t chainidx)
1406 {
1407 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1408 s->ext.ticket_expected = 0;
1409 return EXT_RETURN_NOT_SENT;
1410 }
1411
1412 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1413 || !WPACKET_put_bytes_u16(pkt, 0)) {
1414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1415 return EXT_RETURN_FAIL;
1416 }
1417
1418 return EXT_RETURN_SENT;
1419 }
1420
1421 #ifndef OPENSSL_NO_OCSP
1422 EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
1423 unsigned int context, X509 *x,
1424 size_t chainidx)
1425 {
1426 /* We don't currently support this extension inside a CertificateRequest */
1427 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1428 return EXT_RETURN_NOT_SENT;
1429
1430 if (!s->ext.status_expected)
1431 return EXT_RETURN_NOT_SENT;
1432
1433 if (SSL_CONNECTION_IS_TLS13(s) && chainidx != 0)
1434 return EXT_RETURN_NOT_SENT;
1435
1436 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1437 || !WPACKET_start_sub_packet_u16(pkt)) {
1438 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1439 return EXT_RETURN_FAIL;
1440 }
1441
1442 /*
1443 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1444 * send back an empty extension, with the certificate status appearing as a
1445 * separate message
1446 */
1447 if (SSL_CONNECTION_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1448 /* SSLfatal() already called */
1449 return EXT_RETURN_FAIL;
1450 }
1451 if (!WPACKET_close(pkt)) {
1452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1453 return EXT_RETURN_FAIL;
1454 }
1455
1456 return EXT_RETURN_SENT;
1457 }
1458 #endif
1459
1460 #ifndef OPENSSL_NO_NEXTPROTONEG
1461 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
1462 unsigned int context, X509 *x,
1463 size_t chainidx)
1464 {
1465 const unsigned char *npa;
1466 unsigned int npalen;
1467 int ret;
1468 int npn_seen = s->s3.npn_seen;
1469 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1470
1471 s->s3.npn_seen = 0;
1472 if (!npn_seen || sctx->ext.npn_advertised_cb == NULL)
1473 return EXT_RETURN_NOT_SENT;
1474
1475 ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_SSL(s), &npa, &npalen,
1476 sctx->ext.npn_advertised_cb_arg);
1477 if (ret == SSL_TLSEXT_ERR_OK) {
1478 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1479 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1480 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1481 return EXT_RETURN_FAIL;
1482 }
1483 s->s3.npn_seen = 1;
1484 }
1485
1486 return EXT_RETURN_SENT;
1487 }
1488 #endif
1489
1490 EXT_RETURN tls_construct_stoc_alpn(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context,
1491 X509 *x, size_t chainidx)
1492 {
1493 if (s->s3.alpn_selected == NULL)
1494 return EXT_RETURN_NOT_SENT;
1495
1496 if (!WPACKET_put_bytes_u16(pkt,
1497 TLSEXT_TYPE_application_layer_protocol_negotiation)
1498 || !WPACKET_start_sub_packet_u16(pkt)
1499 || !WPACKET_start_sub_packet_u16(pkt)
1500 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1501 s->s3.alpn_selected_len)
1502 || !WPACKET_close(pkt)
1503 || !WPACKET_close(pkt)) {
1504 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1505 return EXT_RETURN_FAIL;
1506 }
1507
1508 return EXT_RETURN_SENT;
1509 }
1510
1511 #ifndef OPENSSL_NO_SRTP
1512 EXT_RETURN tls_construct_stoc_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
1513 unsigned int context, X509 *x,
1514 size_t chainidx)
1515 {
1516 if (s->srtp_profile == NULL)
1517 return EXT_RETURN_NOT_SENT;
1518
1519 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1520 || !WPACKET_start_sub_packet_u16(pkt)
1521 || !WPACKET_put_bytes_u16(pkt, 2)
1522 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1523 || !WPACKET_put_bytes_u8(pkt, 0)
1524 || !WPACKET_close(pkt)) {
1525 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1526 return EXT_RETURN_FAIL;
1527 }
1528
1529 return EXT_RETURN_SENT;
1530 }
1531 #endif
1532
1533 EXT_RETURN tls_construct_stoc_etm(SSL_CONNECTION *s, WPACKET *pkt,
1534 unsigned int context,
1535 X509 *x, size_t chainidx)
1536 {
1537 if (!s->ext.use_etm)
1538 return EXT_RETURN_NOT_SENT;
1539
1540 /*
1541 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1542 * for other cases too.
1543 */
1544 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1545 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1546 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1547 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1548 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1549 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1550 s->ext.use_etm = 0;
1551 return EXT_RETURN_NOT_SENT;
1552 }
1553
1554 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1555 || !WPACKET_put_bytes_u16(pkt, 0)) {
1556 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1557 return EXT_RETURN_FAIL;
1558 }
1559
1560 return EXT_RETURN_SENT;
1561 }
1562
1563 EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
1564 unsigned int context,
1565 X509 *x, size_t chainidx)
1566 {
1567 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1568 return EXT_RETURN_NOT_SENT;
1569
1570 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1571 || !WPACKET_put_bytes_u16(pkt, 0)) {
1572 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1573 return EXT_RETURN_FAIL;
1574 }
1575
1576 return EXT_RETURN_SENT;
1577 }
1578
1579 EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
1580 unsigned int context, X509 *x,
1581 size_t chainidx)
1582 {
1583 if (!ossl_assert(SSL_CONNECTION_IS_TLS13(s))) {
1584 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1585 return EXT_RETURN_FAIL;
1586 }
1587
1588 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1589 || !WPACKET_start_sub_packet_u16(pkt)
1590 || !WPACKET_put_bytes_u16(pkt, s->version)
1591 || !WPACKET_close(pkt)) {
1592 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1593 return EXT_RETURN_FAIL;
1594 }
1595
1596 return EXT_RETURN_SENT;
1597 }
1598
1599 EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
1600 unsigned int context, X509 *x,
1601 size_t chainidx)
1602 {
1603 #ifndef OPENSSL_NO_TLS1_3
1604 unsigned char *encodedPoint;
1605 size_t encoded_pt_len = 0;
1606 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1607 const TLS_GROUP_INFO *ginf = NULL;
1608
1609 if (s->hello_retry_request == SSL_HRR_PENDING) {
1610 if (ckey != NULL) {
1611 /* Original key_share was acceptable so don't ask for another one */
1612 return EXT_RETURN_NOT_SENT;
1613 }
1614 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1615 || !WPACKET_start_sub_packet_u16(pkt)
1616 || !WPACKET_put_bytes_u16(pkt, ssl_group_id_internal_to_tls13(
1617 s->s3.group_id))
1618 || !WPACKET_close(pkt)) {
1619 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1620 return EXT_RETURN_FAIL;
1621 }
1622
1623 return EXT_RETURN_SENT;
1624 }
1625
1626 if (ckey == NULL) {
1627 /* No key_share received from client - must be resuming */
1628 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1629 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1630 return EXT_RETURN_FAIL;
1631 }
1632 return EXT_RETURN_NOT_SENT;
1633 }
1634 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1635 /*
1636 * PSK ('hit') and explicitly not doing DHE (if the client sent the
1637 * DHE option we always take it); don't send key share.
1638 */
1639 return EXT_RETURN_NOT_SENT;
1640 }
1641
1642 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1643 || !WPACKET_start_sub_packet_u16(pkt)
1644 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1645 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1646 return EXT_RETURN_FAIL;
1647 }
1648
1649 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1650 s->s3.group_id)) == NULL) {
1651 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1652 return EXT_RETURN_FAIL;
1653 }
1654
1655 if (!ginf->is_kem) {
1656 /* Regular KEX */
1657 skey = ssl_generate_pkey(s, ckey);
1658 if (skey == NULL) {
1659 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1660 return EXT_RETURN_FAIL;
1661 }
1662
1663 /* Generate encoding of server key */
1664 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
1665 if (encoded_pt_len == 0) {
1666 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
1667 EVP_PKEY_free(skey);
1668 return EXT_RETURN_FAIL;
1669 }
1670
1671 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1672 || !WPACKET_close(pkt)) {
1673 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1674 EVP_PKEY_free(skey);
1675 OPENSSL_free(encodedPoint);
1676 return EXT_RETURN_FAIL;
1677 }
1678 OPENSSL_free(encodedPoint);
1679
1680 /*
1681 * This causes the crypto state to be updated based on the derived keys
1682 */
1683 s->s3.tmp.pkey = skey;
1684 if (ssl_derive(s, skey, ckey, 1) == 0) {
1685 /* SSLfatal() already called */
1686 return EXT_RETURN_FAIL;
1687 }
1688 } else {
1689 /* KEM mode */
1690 unsigned char *ct = NULL;
1691 size_t ctlen = 0;
1692
1693 /*
1694 * This does not update the crypto state.
1695 *
1696 * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1697 * ssl_gensecret().
1698 */
1699 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1700 /* SSLfatal() already called */
1701 return EXT_RETURN_FAIL;
1702 }
1703
1704 if (ctlen == 0) {
1705 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1706 OPENSSL_free(ct);
1707 return EXT_RETURN_FAIL;
1708 }
1709
1710 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1711 || !WPACKET_close(pkt)) {
1712 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1713 OPENSSL_free(ct);
1714 return EXT_RETURN_FAIL;
1715 }
1716 OPENSSL_free(ct);
1717
1718 /*
1719 * This causes the crypto state to be updated based on the generated pms
1720 */
1721 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1722 /* SSLfatal() already called */
1723 return EXT_RETURN_FAIL;
1724 }
1725 }
1726 s->s3.did_kex = 1;
1727 return EXT_RETURN_SENT;
1728 #else
1729 return EXT_RETURN_FAIL;
1730 #endif
1731 }
1732
1733 EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
1734 unsigned int context,
1735 X509 *x, size_t chainidx)
1736 {
1737 #ifndef OPENSSL_NO_TLS1_3
1738 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1739 unsigned char *hmac, *hmac2;
1740 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1741 EVP_MD_CTX *hctx;
1742 EVP_PKEY *pkey;
1743 int ret = EXT_RETURN_FAIL;
1744 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1745 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1746
1747 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1748 return EXT_RETURN_NOT_SENT;
1749
1750 if (sctx->gen_stateless_cookie_cb == NULL) {
1751 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
1752 return EXT_RETURN_FAIL;
1753 }
1754
1755 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1756 || !WPACKET_start_sub_packet_u16(pkt)
1757 || !WPACKET_start_sub_packet_u16(pkt)
1758 || !WPACKET_get_total_written(pkt, &startlen)
1759 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1760 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1761 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1762 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1763 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1764 &ciphlen)
1765 /* Is there a key_share extension present in this HRR? */
1766 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1767 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
1768 || !WPACKET_start_sub_packet_u16(pkt)
1769 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1770 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1771 return EXT_RETURN_FAIL;
1772 }
1773
1774 /*
1775 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1776 * on raw buffers, so we first reserve sufficient bytes (above) and then
1777 * subsequently allocate them (below)
1778 */
1779 if (!ssl3_digest_cached_records(s, 0)
1780 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1781 /* SSLfatal() already called */
1782 return EXT_RETURN_FAIL;
1783 }
1784
1785 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1786 || !ossl_assert(hashval1 == hashval2)
1787 || !WPACKET_close(pkt)
1788 || !WPACKET_start_sub_packet_u8(pkt)
1789 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1790 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1791 return EXT_RETURN_FAIL;
1792 }
1793
1794 /* Generate the application cookie */
1795 if (sctx->gen_stateless_cookie_cb(ssl, appcookie1,
1796 &appcookielen) == 0) {
1797 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1798 return EXT_RETURN_FAIL;
1799 }
1800
1801 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1802 || !ossl_assert(appcookie1 == appcookie2)
1803 || !WPACKET_close(pkt)
1804 || !WPACKET_get_total_written(pkt, &totcookielen)
1805 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1806 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1807 return EXT_RETURN_FAIL;
1808 }
1809 hmaclen = SHA256_DIGEST_LENGTH;
1810
1811 totcookielen -= startlen;
1812 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1813 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1814 return EXT_RETURN_FAIL;
1815 }
1816
1817 /* HMAC the cookie */
1818 hctx = EVP_MD_CTX_create();
1819 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
1820 sctx->propq,
1821 s->session_ctx->ext.cookie_hmac_key,
1822 sizeof(s->session_ctx->ext.cookie_hmac_key));
1823 if (hctx == NULL || pkey == NULL) {
1824 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1825 goto err;
1826 }
1827
1828 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
1829 sctx->propq, pkey, NULL) <= 0
1830 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1831 totcookielen) <= 0) {
1832 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1833 goto err;
1834 }
1835
1836 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1837 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1838 goto err;
1839 }
1840
1841 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1842 || !ossl_assert(hmac == hmac2)
1843 || !ossl_assert(cookie == hmac - totcookielen)
1844 || !WPACKET_close(pkt)
1845 || !WPACKET_close(pkt)) {
1846 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1847 goto err;
1848 }
1849
1850 ret = EXT_RETURN_SENT;
1851
1852 err:
1853 EVP_MD_CTX_free(hctx);
1854 EVP_PKEY_free(pkey);
1855 return ret;
1856 #else
1857 return EXT_RETURN_FAIL;
1858 #endif
1859 }
1860
1861 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL_CONNECTION *s, WPACKET *pkt,
1862 unsigned int context, X509 *x,
1863 size_t chainidx)
1864 {
1865 const unsigned char cryptopro_ext[36] = {
1866 0xfd, 0xe8, /* 65000 */
1867 0x00, 0x20, /* 32 bytes length */
1868 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1869 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1870 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1871 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1872 };
1873
1874 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1875 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1876 || (SSL_get_options(SSL_CONNECTION_GET_SSL(s))
1877 & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1878 return EXT_RETURN_NOT_SENT;
1879
1880 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1881 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1882 return EXT_RETURN_FAIL;
1883 }
1884
1885 return EXT_RETURN_SENT;
1886 }
1887
1888 EXT_RETURN tls_construct_stoc_early_data(SSL_CONNECTION *s, WPACKET *pkt,
1889 unsigned int context, X509 *x,
1890 size_t chainidx)
1891 {
1892 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1893 if (s->max_early_data == 0)
1894 return EXT_RETURN_NOT_SENT;
1895
1896 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1897 || !WPACKET_start_sub_packet_u16(pkt)
1898 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1899 || !WPACKET_close(pkt)) {
1900 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1901 return EXT_RETURN_FAIL;
1902 }
1903
1904 return EXT_RETURN_SENT;
1905 }
1906
1907 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1908 return EXT_RETURN_NOT_SENT;
1909
1910 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1911 || !WPACKET_start_sub_packet_u16(pkt)
1912 || !WPACKET_close(pkt)) {
1913 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1914 return EXT_RETURN_FAIL;
1915 }
1916
1917 return EXT_RETURN_SENT;
1918 }
1919
1920 EXT_RETURN tls_construct_stoc_psk(SSL_CONNECTION *s, WPACKET *pkt,
1921 unsigned int context,
1922 X509 *x, size_t chainidx)
1923 {
1924 if (!s->hit)
1925 return EXT_RETURN_NOT_SENT;
1926
1927 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1928 || !WPACKET_start_sub_packet_u16(pkt)
1929 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1930 || !WPACKET_close(pkt)) {
1931 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1932 return EXT_RETURN_FAIL;
1933 }
1934
1935 return EXT_RETURN_SENT;
1936 }
A mirror of the official openssl repository