]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
New Russian TLS 1.2 implementation
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
1 /*
2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
14
15 DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
16 DEFINE_STACK_OF(OCSP_RESPID)
17 DEFINE_STACK_OF(X509_EXTENSION)
18
19 #define COOKIE_STATE_FORMAT_VERSION 0
20
21 /*
22 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
23 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
24 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
25 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
26 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
27 */
28 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
29 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
30
31 /*
32 * Message header + 2 bytes for protocol version + number of random bytes +
33 * + 1 byte for legacy session id length + number of bytes in legacy session id
34 * + 2 bytes for ciphersuite + 1 byte for legacy compression
35 * + 2 bytes for extension block length + 6 bytes for key_share extension
36 * + 4 bytes for cookie extension header + the number of bytes in the cookie
37 */
38 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
39 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
40 + MAX_COOKIE_SIZE)
41
42 /*
43 * Parse the client's renegotiation binding and abort if it's not right
44 */
45 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
46 X509 *x, size_t chainidx)
47 {
48 unsigned int ilen;
49 const unsigned char *data;
50
51 /* Parse the length byte */
52 if (!PACKET_get_1(pkt, &ilen)
53 || !PACKET_get_bytes(pkt, &data, ilen)) {
54 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
55 SSL_R_RENEGOTIATION_ENCODING_ERR);
56 return 0;
57 }
58
59 /* Check that the extension matches */
60 if (ilen != s->s3.previous_client_finished_len) {
61 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
62 SSL_R_RENEGOTIATION_MISMATCH);
63 return 0;
64 }
65
66 if (memcmp(data, s->s3.previous_client_finished,
67 s->s3.previous_client_finished_len)) {
68 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
69 SSL_R_RENEGOTIATION_MISMATCH);
70 return 0;
71 }
72
73 s->s3.send_connection_binding = 1;
74
75 return 1;
76 }
77
78 /*-
79 * The servername extension is treated as follows:
80 *
81 * - Only the hostname type is supported with a maximum length of 255.
82 * - The servername is rejected if too long or if it contains zeros,
83 * in which case an fatal alert is generated.
84 * - The servername field is maintained together with the session cache.
85 * - When a session is resumed, the servername call back invoked in order
86 * to allow the application to position itself to the right context.
87 * - The servername is acknowledged if it is new for a session or when
88 * it is identical to a previously used for the same session.
89 * Applications can control the behaviour. They can at any time
90 * set a 'desirable' servername for a new SSL object. This can be the
91 * case for example with HTTPS when a Host: header field is received and
92 * a renegotiation is requested. In this case, a possible servername
93 * presented in the new client hello is only acknowledged if it matches
94 * the value of the Host: field.
95 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
96 * if they provide for changing an explicit servername context for the
97 * session, i.e. when the session has been established with a servername
98 * extension.
99 * - On session reconnect, the servername extension may be absent.
100 */
101 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
102 X509 *x, size_t chainidx)
103 {
104 unsigned int servname_type;
105 PACKET sni, hostname;
106
107 if (!PACKET_as_length_prefixed_2(pkt, &sni)
108 /* ServerNameList must be at least 1 byte long. */
109 || PACKET_remaining(&sni) == 0) {
110 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
111 SSL_R_BAD_EXTENSION);
112 return 0;
113 }
114
115 /*
116 * Although the intent was for server_name to be extensible, RFC 4366
117 * was not clear about it; and so OpenSSL among other implementations,
118 * always and only allows a 'host_name' name types.
119 * RFC 6066 corrected the mistake but adding new name types
120 * is nevertheless no longer feasible, so act as if no other
121 * SNI types can exist, to simplify parsing.
122 *
123 * Also note that the RFC permits only one SNI value per type,
124 * i.e., we can only have a single hostname.
125 */
126 if (!PACKET_get_1(&sni, &servname_type)
127 || servname_type != TLSEXT_NAMETYPE_host_name
128 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
129 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
130 SSL_R_BAD_EXTENSION);
131 return 0;
132 }
133
134 /*
135 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
136 * we always use the SNI value from the handshake.
137 */
138 if (!s->hit || SSL_IS_TLS13(s)) {
139 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
140 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
141 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
142 SSL_R_BAD_EXTENSION);
143 return 0;
144 }
145
146 if (PACKET_contains_zero_byte(&hostname)) {
147 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
148 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
149 SSL_R_BAD_EXTENSION);
150 return 0;
151 }
152
153 /*
154 * Store the requested SNI in the SSL as temporary storage.
155 * If we accept it, it will get stored in the SSL_SESSION as well.
156 */
157 OPENSSL_free(s->ext.hostname);
158 s->ext.hostname = NULL;
159 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
160 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
161 ERR_R_INTERNAL_ERROR);
162 return 0;
163 }
164
165 s->servername_done = 1;
166 } else {
167 /*
168 * In TLSv1.2 and below we should check if the SNI is consistent between
169 * the initial handshake and the resumption. In TLSv1.3 SNI is not
170 * associated with the session.
171 */
172 /*
173 * TODO(openssl-team): if the SNI doesn't match, we MUST
174 * fall back to a full handshake.
175 */
176 s->servername_done = (s->session->ext.hostname != NULL)
177 && PACKET_equal(&hostname, s->session->ext.hostname,
178 strlen(s->session->ext.hostname));
179 }
180
181 return 1;
182 }
183
184 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
185 X509 *x, size_t chainidx)
186 {
187 unsigned int value;
188
189 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
190 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
191 SSL_R_BAD_EXTENSION);
192 return 0;
193 }
194
195 /* Received |value| should be a valid max-fragment-length code. */
196 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
197 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
198 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
199 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
200 return 0;
201 }
202
203 /*
204 * RFC 6066: The negotiated length applies for the duration of the session
205 * including session resumptions.
206 * We should receive the same code as in resumed session !
207 */
208 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
209 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
210 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
211 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
212 return 0;
213 }
214
215 /*
216 * Store it in session, so it'll become binding for us
217 * and we'll include it in a next Server Hello.
218 */
219 s->session->ext.max_fragment_len_mode = value;
220 return 1;
221 }
222
223 #ifndef OPENSSL_NO_SRP
224 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
225 size_t chainidx)
226 {
227 PACKET srp_I;
228
229 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
230 || PACKET_contains_zero_byte(&srp_I)) {
231 SSLfatal(s, SSL_AD_DECODE_ERROR,
232 SSL_F_TLS_PARSE_CTOS_SRP,
233 SSL_R_BAD_EXTENSION);
234 return 0;
235 }
236
237 /*
238 * TODO(openssl-team): currently, we re-authenticate the user
239 * upon resumption. Instead, we MUST ignore the login.
240 */
241 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
242 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
243 ERR_R_INTERNAL_ERROR);
244 return 0;
245 }
246
247 return 1;
248 }
249 #endif
250
251 #ifndef OPENSSL_NO_EC
252 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
253 X509 *x, size_t chainidx)
254 {
255 PACKET ec_point_format_list;
256
257 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
258 || PACKET_remaining(&ec_point_format_list) == 0) {
259 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
260 SSL_R_BAD_EXTENSION);
261 return 0;
262 }
263
264 if (!s->hit) {
265 if (!PACKET_memdup(&ec_point_format_list,
266 &s->ext.peer_ecpointformats,
267 &s->ext.peer_ecpointformats_len)) {
268 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
269 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
270 return 0;
271 }
272 }
273
274 return 1;
275 }
276 #endif /* OPENSSL_NO_EC */
277
278 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
279 X509 *x, size_t chainidx)
280 {
281 if (s->ext.session_ticket_cb &&
282 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
283 PACKET_remaining(pkt),
284 s->ext.session_ticket_cb_arg)) {
285 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
286 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
287 return 0;
288 }
289
290 return 1;
291 }
292
293 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
294 X509 *x, size_t chainidx)
295 {
296 PACKET supported_sig_algs;
297
298 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
299 || PACKET_remaining(&supported_sig_algs) == 0) {
300 SSLfatal(s, SSL_AD_DECODE_ERROR,
301 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
302 return 0;
303 }
304
305 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
306 SSLfatal(s, SSL_AD_DECODE_ERROR,
307 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
308 return 0;
309 }
310
311 return 1;
312 }
313
314 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
315 size_t chainidx)
316 {
317 PACKET supported_sig_algs;
318
319 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
320 || PACKET_remaining(&supported_sig_algs) == 0) {
321 SSLfatal(s, SSL_AD_DECODE_ERROR,
322 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
323 return 0;
324 }
325
326 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
327 SSLfatal(s, SSL_AD_DECODE_ERROR,
328 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
329 return 0;
330 }
331
332 return 1;
333 }
334
335 #ifndef OPENSSL_NO_OCSP
336 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
337 X509 *x, size_t chainidx)
338 {
339 PACKET responder_id_list, exts;
340
341 /* We ignore this in a resumption handshake */
342 if (s->hit)
343 return 1;
344
345 /* Not defined if we get one of these in a client Certificate */
346 if (x != NULL)
347 return 1;
348
349 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
350 SSLfatal(s, SSL_AD_DECODE_ERROR,
351 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
352 return 0;
353 }
354
355 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
356 /*
357 * We don't know what to do with any other type so ignore it.
358 */
359 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
360 return 1;
361 }
362
363 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
364 SSLfatal(s, SSL_AD_DECODE_ERROR,
365 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
366 return 0;
367 }
368
369 /*
370 * We remove any OCSP_RESPIDs from a previous handshake
371 * to prevent unbounded memory growth - CVE-2016-6304
372 */
373 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
374 if (PACKET_remaining(&responder_id_list) > 0) {
375 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
376 if (s->ext.ocsp.ids == NULL) {
377 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
378 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
379 return 0;
380 }
381 } else {
382 s->ext.ocsp.ids = NULL;
383 }
384
385 while (PACKET_remaining(&responder_id_list) > 0) {
386 OCSP_RESPID *id;
387 PACKET responder_id;
388 const unsigned char *id_data;
389
390 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
391 || PACKET_remaining(&responder_id) == 0) {
392 SSLfatal(s, SSL_AD_DECODE_ERROR,
393 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
394 return 0;
395 }
396
397 id_data = PACKET_data(&responder_id);
398 /* TODO(size_t): Convert d2i_* to size_t */
399 id = d2i_OCSP_RESPID(NULL, &id_data,
400 (int)PACKET_remaining(&responder_id));
401 if (id == NULL) {
402 SSLfatal(s, SSL_AD_DECODE_ERROR,
403 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
404 return 0;
405 }
406
407 if (id_data != PACKET_end(&responder_id)) {
408 OCSP_RESPID_free(id);
409 SSLfatal(s, SSL_AD_DECODE_ERROR,
410 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
411
412 return 0;
413 }
414
415 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
416 OCSP_RESPID_free(id);
417 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
418 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
419
420 return 0;
421 }
422 }
423
424 /* Read in request_extensions */
425 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
426 SSLfatal(s, SSL_AD_DECODE_ERROR,
427 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
428 return 0;
429 }
430
431 if (PACKET_remaining(&exts) > 0) {
432 const unsigned char *ext_data = PACKET_data(&exts);
433
434 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
435 X509_EXTENSION_free);
436 s->ext.ocsp.exts =
437 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
438 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
439 SSLfatal(s, SSL_AD_DECODE_ERROR,
440 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
441 return 0;
442 }
443 }
444
445 return 1;
446 }
447 #endif
448
449 #ifndef OPENSSL_NO_NEXTPROTONEG
450 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
451 size_t chainidx)
452 {
453 /*
454 * We shouldn't accept this extension on a
455 * renegotiation.
456 */
457 if (SSL_IS_FIRST_HANDSHAKE(s))
458 s->s3.npn_seen = 1;
459
460 return 1;
461 }
462 #endif
463
464 /*
465 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
466 * extension, not including type and length. Returns: 1 on success, 0 on error.
467 */
468 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
469 size_t chainidx)
470 {
471 PACKET protocol_list, save_protocol_list, protocol;
472
473 if (!SSL_IS_FIRST_HANDSHAKE(s))
474 return 1;
475
476 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
477 || PACKET_remaining(&protocol_list) < 2) {
478 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
479 SSL_R_BAD_EXTENSION);
480 return 0;
481 }
482
483 save_protocol_list = protocol_list;
484 do {
485 /* Protocol names can't be empty. */
486 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
487 || PACKET_remaining(&protocol) == 0) {
488 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
489 SSL_R_BAD_EXTENSION);
490 return 0;
491 }
492 } while (PACKET_remaining(&protocol_list) != 0);
493
494 OPENSSL_free(s->s3.alpn_proposed);
495 s->s3.alpn_proposed = NULL;
496 s->s3.alpn_proposed_len = 0;
497 if (!PACKET_memdup(&save_protocol_list,
498 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
499 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
500 ERR_R_INTERNAL_ERROR);
501 return 0;
502 }
503
504 return 1;
505 }
506
507 #ifndef OPENSSL_NO_SRTP
508 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
509 size_t chainidx)
510 {
511 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
512 unsigned int ct, mki_len, id;
513 int i, srtp_pref;
514 PACKET subpkt;
515
516 /* Ignore this if we have no SRTP profiles */
517 if (SSL_get_srtp_profiles(s) == NULL)
518 return 1;
519
520 /* Pull off the length of the cipher suite list and check it is even */
521 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
522 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
523 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
524 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
525 return 0;
526 }
527
528 srvr = SSL_get_srtp_profiles(s);
529 s->srtp_profile = NULL;
530 /* Search all profiles for a match initially */
531 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
532
533 while (PACKET_remaining(&subpkt)) {
534 if (!PACKET_get_net_2(&subpkt, &id)) {
535 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
536 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
537 return 0;
538 }
539
540 /*
541 * Only look for match in profiles of higher preference than
542 * current match.
543 * If no profiles have been have been configured then this
544 * does nothing.
545 */
546 for (i = 0; i < srtp_pref; i++) {
547 SRTP_PROTECTION_PROFILE *sprof =
548 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
549
550 if (sprof->id == id) {
551 s->srtp_profile = sprof;
552 srtp_pref = i;
553 break;
554 }
555 }
556 }
557
558 /* Now extract the MKI value as a sanity check, but discard it for now */
559 if (!PACKET_get_1(pkt, &mki_len)) {
560 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
561 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
562 return 0;
563 }
564
565 if (!PACKET_forward(pkt, mki_len)
566 || PACKET_remaining(pkt)) {
567 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
568 SSL_R_BAD_SRTP_MKI_VALUE);
569 return 0;
570 }
571
572 return 1;
573 }
574 #endif
575
576 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
577 size_t chainidx)
578 {
579 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
580 s->ext.use_etm = 1;
581
582 return 1;
583 }
584
585 /*
586 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
587 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
588 */
589 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
590 X509 *x, size_t chainidx)
591 {
592 #ifndef OPENSSL_NO_TLS1_3
593 PACKET psk_kex_modes;
594 unsigned int mode;
595
596 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
597 || PACKET_remaining(&psk_kex_modes) == 0) {
598 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
599 SSL_R_BAD_EXTENSION);
600 return 0;
601 }
602
603 while (PACKET_get_1(&psk_kex_modes, &mode)) {
604 if (mode == TLSEXT_KEX_MODE_KE_DHE)
605 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
606 else if (mode == TLSEXT_KEX_MODE_KE
607 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
608 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
609 }
610 #endif
611
612 return 1;
613 }
614
615 /*
616 * Process a key_share extension received in the ClientHello. |pkt| contains
617 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
618 */
619 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
620 size_t chainidx)
621 {
622 #ifndef OPENSSL_NO_TLS1_3
623 unsigned int group_id;
624 PACKET key_share_list, encoded_pt;
625 const uint16_t *clntgroups, *srvrgroups;
626 size_t clnt_num_groups, srvr_num_groups;
627 int found = 0;
628
629 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
630 return 1;
631
632 /* Sanity check */
633 if (s->s3.peer_tmp != NULL) {
634 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
635 ERR_R_INTERNAL_ERROR);
636 return 0;
637 }
638
639 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
640 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
641 SSL_R_LENGTH_MISMATCH);
642 return 0;
643 }
644
645 /* Get our list of supported groups */
646 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
647 /* Get the clients list of supported groups. */
648 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
649 if (clnt_num_groups == 0) {
650 /*
651 * This can only happen if the supported_groups extension was not sent,
652 * because we verify that the length is non-zero when we process that
653 * extension.
654 */
655 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
656 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
657 return 0;
658 }
659
660 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
661 /*
662 * If we set a group_id already, then we must have sent an HRR
663 * requesting a new key_share. If we haven't got one then that is an
664 * error
665 */
666 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
667 SSL_R_BAD_KEY_SHARE);
668 return 0;
669 }
670
671 while (PACKET_remaining(&key_share_list) > 0) {
672 if (!PACKET_get_net_2(&key_share_list, &group_id)
673 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
674 || PACKET_remaining(&encoded_pt) == 0) {
675 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
676 SSL_R_LENGTH_MISMATCH);
677 return 0;
678 }
679
680 /*
681 * If we already found a suitable key_share we loop through the
682 * rest to verify the structure, but don't process them.
683 */
684 if (found)
685 continue;
686
687 /*
688 * If we sent an HRR then the key_share sent back MUST be for the group
689 * we requested, and must be the only key_share sent.
690 */
691 if (s->s3.group_id != 0
692 && (group_id != s->s3.group_id
693 || PACKET_remaining(&key_share_list) != 0)) {
694 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
695 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
696 return 0;
697 }
698
699 /* Check if this share is in supported_groups sent from client */
700 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
701 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
702 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
703 return 0;
704 }
705
706 /* Check if this share is for a group we can use */
707 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
708 /* Share not suitable */
709 continue;
710 }
711
712 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
713 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
714 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
715 return 0;
716 }
717
718 /*
719 * TODO(3.0) Remove this when EVP_PKEY_get1_tls_encodedpoint()
720 * knows how to get a key from an encoded point with the help of
721 * a OSSL_SERIALIZER deserializer. We know that EVP_PKEY_get0()
722 * downgrades an EVP_PKEY to contain a legacy key.
723 *
724 * THIS IS TEMPORARY
725 */
726 EVP_PKEY_get0(s->s3.peer_tmp);
727 if (EVP_PKEY_id(s->s3.peer_tmp) == EVP_PKEY_NONE) {
728 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
729 ERR_R_INTERNAL_ERROR);
730 return 0;
731 }
732
733 s->s3.group_id = group_id;
734
735 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3.peer_tmp,
736 PACKET_data(&encoded_pt),
737 PACKET_remaining(&encoded_pt))) {
738 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
739 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
740 return 0;
741 }
742
743 found = 1;
744 }
745 #endif
746
747 return 1;
748 }
749
750 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
751 size_t chainidx)
752 {
753 #ifndef OPENSSL_NO_TLS1_3
754 unsigned int format, version, key_share, group_id;
755 EVP_MD_CTX *hctx;
756 EVP_PKEY *pkey;
757 PACKET cookie, raw, chhash, appcookie;
758 WPACKET hrrpkt;
759 const unsigned char *data, *mdin, *ciphdata;
760 unsigned char hmac[SHA256_DIGEST_LENGTH];
761 unsigned char hrr[MAX_HRR_SIZE];
762 size_t rawlen, hmaclen, hrrlen, ciphlen;
763 unsigned long tm, now;
764
765 /* Ignore any cookie if we're not set up to verify it */
766 if (s->ctx->verify_stateless_cookie_cb == NULL
767 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
768 return 1;
769
770 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
771 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
772 SSL_R_LENGTH_MISMATCH);
773 return 0;
774 }
775
776 raw = cookie;
777 data = PACKET_data(&raw);
778 rawlen = PACKET_remaining(&raw);
779 if (rawlen < SHA256_DIGEST_LENGTH
780 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
781 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
782 SSL_R_LENGTH_MISMATCH);
783 return 0;
784 }
785 mdin = PACKET_data(&raw);
786
787 /* Verify the HMAC of the cookie */
788 hctx = EVP_MD_CTX_create();
789 pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
790 s->session_ctx->ext.cookie_hmac_key,
791 sizeof(s->session_ctx->ext
792 .cookie_hmac_key));
793 if (hctx == NULL || pkey == NULL) {
794 EVP_MD_CTX_free(hctx);
795 EVP_PKEY_free(pkey);
796 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
797 ERR_R_MALLOC_FAILURE);
798 return 0;
799 }
800
801 hmaclen = SHA256_DIGEST_LENGTH;
802 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->propq, pkey,
803 s->ctx->libctx) <= 0
804 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
805 rawlen - SHA256_DIGEST_LENGTH) <= 0
806 || hmaclen != SHA256_DIGEST_LENGTH) {
807 EVP_MD_CTX_free(hctx);
808 EVP_PKEY_free(pkey);
809 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
810 ERR_R_INTERNAL_ERROR);
811 return 0;
812 }
813
814 EVP_MD_CTX_free(hctx);
815 EVP_PKEY_free(pkey);
816
817 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
818 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
819 SSL_R_COOKIE_MISMATCH);
820 return 0;
821 }
822
823 if (!PACKET_get_net_2(&cookie, &format)) {
824 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
825 SSL_R_LENGTH_MISMATCH);
826 return 0;
827 }
828 /* Check the cookie format is something we recognise. Ignore it if not */
829 if (format != COOKIE_STATE_FORMAT_VERSION)
830 return 1;
831
832 /*
833 * The rest of these checks really shouldn't fail since we have verified the
834 * HMAC above.
835 */
836
837 /* Check the version number is sane */
838 if (!PACKET_get_net_2(&cookie, &version)) {
839 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
840 SSL_R_LENGTH_MISMATCH);
841 return 0;
842 }
843 if (version != TLS1_3_VERSION) {
844 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
845 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
846 return 0;
847 }
848
849 if (!PACKET_get_net_2(&cookie, &group_id)) {
850 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
851 SSL_R_LENGTH_MISMATCH);
852 return 0;
853 }
854
855 ciphdata = PACKET_data(&cookie);
856 if (!PACKET_forward(&cookie, 2)) {
857 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
858 SSL_R_LENGTH_MISMATCH);
859 return 0;
860 }
861 if (group_id != s->s3.group_id
862 || s->s3.tmp.new_cipher
863 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
864 /*
865 * We chose a different cipher or group id this time around to what is
866 * in the cookie. Something must have changed.
867 */
868 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
869 SSL_R_BAD_CIPHER);
870 return 0;
871 }
872
873 if (!PACKET_get_1(&cookie, &key_share)
874 || !PACKET_get_net_4(&cookie, &tm)
875 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
876 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
877 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
878 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
879 SSL_R_LENGTH_MISMATCH);
880 return 0;
881 }
882
883 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
884 now = (unsigned long)time(NULL);
885 if (tm > now || (now - tm) > 600) {
886 /* Cookie is stale. Ignore it */
887 return 1;
888 }
889
890 /* Verify the app cookie */
891 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
892 PACKET_remaining(&appcookie)) == 0) {
893 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
894 SSL_R_COOKIE_MISMATCH);
895 return 0;
896 }
897
898 /*
899 * Reconstruct the HRR that we would have sent in response to the original
900 * ClientHello so we can add it to the transcript hash.
901 * Note: This won't work with custom HRR extensions
902 */
903 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
904 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
905 ERR_R_INTERNAL_ERROR);
906 return 0;
907 }
908 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
909 || !WPACKET_start_sub_packet_u24(&hrrpkt)
910 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
911 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
912 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
913 s->tmp_session_id_len)
914 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
915 &ciphlen)
916 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
917 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
918 WPACKET_cleanup(&hrrpkt);
919 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
920 ERR_R_INTERNAL_ERROR);
921 return 0;
922 }
923 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
924 || !WPACKET_start_sub_packet_u16(&hrrpkt)
925 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
926 || !WPACKET_close(&hrrpkt)) {
927 WPACKET_cleanup(&hrrpkt);
928 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
929 ERR_R_INTERNAL_ERROR);
930 return 0;
931 }
932 if (key_share) {
933 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
934 || !WPACKET_start_sub_packet_u16(&hrrpkt)
935 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
936 || !WPACKET_close(&hrrpkt)) {
937 WPACKET_cleanup(&hrrpkt);
938 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
939 ERR_R_INTERNAL_ERROR);
940 return 0;
941 }
942 }
943 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
944 || !WPACKET_start_sub_packet_u16(&hrrpkt)
945 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
946 || !WPACKET_close(&hrrpkt) /* cookie extension */
947 || !WPACKET_close(&hrrpkt) /* extension block */
948 || !WPACKET_close(&hrrpkt) /* message */
949 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
950 || !WPACKET_finish(&hrrpkt)) {
951 WPACKET_cleanup(&hrrpkt);
952 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
953 ERR_R_INTERNAL_ERROR);
954 return 0;
955 }
956
957 /* Reconstruct the transcript hash */
958 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
959 PACKET_remaining(&chhash), hrr,
960 hrrlen)) {
961 /* SSLfatal() already called */
962 return 0;
963 }
964
965 /* Act as if this ClientHello came after a HelloRetryRequest */
966 s->hello_retry_request = 1;
967
968 s->ext.cookieok = 1;
969 #endif
970
971 return 1;
972 }
973
974 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
975 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
976 X509 *x, size_t chainidx)
977 {
978 PACKET supported_groups_list;
979
980 /* Each group is 2 bytes and we must have at least 1. */
981 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
982 || PACKET_remaining(&supported_groups_list) == 0
983 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
984 SSLfatal(s, SSL_AD_DECODE_ERROR,
985 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
986 return 0;
987 }
988
989 if (!s->hit || SSL_IS_TLS13(s)) {
990 OPENSSL_free(s->ext.peer_supportedgroups);
991 s->ext.peer_supportedgroups = NULL;
992 s->ext.peer_supportedgroups_len = 0;
993 if (!tls1_save_u16(&supported_groups_list,
994 &s->ext.peer_supportedgroups,
995 &s->ext.peer_supportedgroups_len)) {
996 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
997 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
998 ERR_R_INTERNAL_ERROR);
999 return 0;
1000 }
1001 }
1002
1003 return 1;
1004 }
1005 #endif
1006
1007 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1008 size_t chainidx)
1009 {
1010 /* The extension must always be empty */
1011 if (PACKET_remaining(pkt) != 0) {
1012 SSLfatal(s, SSL_AD_DECODE_ERROR,
1013 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
1014 return 0;
1015 }
1016
1017 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1018 return 1;
1019
1020 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1021
1022 return 1;
1023 }
1024
1025
1026 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
1027 X509 *x, size_t chainidx)
1028 {
1029 if (PACKET_remaining(pkt) != 0) {
1030 SSLfatal(s, SSL_AD_DECODE_ERROR,
1031 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1032 return 0;
1033 }
1034
1035 if (s->hello_retry_request != SSL_HRR_NONE) {
1036 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1037 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1038 return 0;
1039 }
1040
1041 return 1;
1042 }
1043
1044 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
1045 SSL_SESSION **sess)
1046 {
1047 SSL_SESSION *tmpsess = NULL;
1048
1049 s->ext.ticket_expected = 1;
1050
1051 switch (PACKET_remaining(tick)) {
1052 case 0:
1053 return SSL_TICKET_EMPTY;
1054
1055 case SSL_MAX_SSL_SESSION_ID_LENGTH:
1056 break;
1057
1058 default:
1059 return SSL_TICKET_NO_DECRYPT;
1060 }
1061
1062 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1063 SSL_MAX_SSL_SESSION_ID_LENGTH);
1064
1065 if (tmpsess == NULL)
1066 return SSL_TICKET_NO_DECRYPT;
1067
1068 *sess = tmpsess;
1069 return SSL_TICKET_SUCCESS;
1070 }
1071
1072 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1073 size_t chainidx)
1074 {
1075 PACKET identities, binders, binder;
1076 size_t binderoffset, hashsize;
1077 SSL_SESSION *sess = NULL;
1078 unsigned int id, i, ext = 0;
1079 const EVP_MD *md = NULL;
1080
1081 /*
1082 * If we have no PSK kex mode that we recognise then we can't resume so
1083 * ignore this extension
1084 */
1085 if ((s->ext.psk_kex_mode
1086 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1087 return 1;
1088
1089 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1090 SSLfatal(s, SSL_AD_DECODE_ERROR,
1091 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1092 return 0;
1093 }
1094
1095 s->ext.ticket_expected = 0;
1096 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1097 PACKET identity;
1098 unsigned long ticket_agel;
1099 size_t idlen;
1100
1101 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1102 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1103 SSLfatal(s, SSL_AD_DECODE_ERROR,
1104 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1105 return 0;
1106 }
1107
1108 idlen = PACKET_remaining(&identity);
1109 if (s->psk_find_session_cb != NULL
1110 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1111 &sess)) {
1112 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1113 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1114 return 0;
1115 }
1116
1117 #ifndef OPENSSL_NO_PSK
1118 if(sess == NULL
1119 && s->psk_server_callback != NULL
1120 && idlen <= PSK_MAX_IDENTITY_LEN) {
1121 char *pskid = NULL;
1122 unsigned char pskdata[PSK_MAX_PSK_LEN];
1123 unsigned int pskdatalen;
1124
1125 if (!PACKET_strndup(&identity, &pskid)) {
1126 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1127 ERR_R_INTERNAL_ERROR);
1128 return 0;
1129 }
1130 pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1131 sizeof(pskdata));
1132 OPENSSL_free(pskid);
1133 if (pskdatalen > PSK_MAX_PSK_LEN) {
1134 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1135 ERR_R_INTERNAL_ERROR);
1136 return 0;
1137 } else if (pskdatalen > 0) {
1138 const SSL_CIPHER *cipher;
1139 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1140
1141 /*
1142 * We found a PSK using an old style callback. We don't know
1143 * the digest so we default to SHA256 as per the TLSv1.3 spec
1144 */
1145 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1146 if (cipher == NULL) {
1147 OPENSSL_cleanse(pskdata, pskdatalen);
1148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1149 ERR_R_INTERNAL_ERROR);
1150 return 0;
1151 }
1152
1153 sess = SSL_SESSION_new();
1154 if (sess == NULL
1155 || !SSL_SESSION_set1_master_key(sess, pskdata,
1156 pskdatalen)
1157 || !SSL_SESSION_set_cipher(sess, cipher)
1158 || !SSL_SESSION_set_protocol_version(sess,
1159 TLS1_3_VERSION)) {
1160 OPENSSL_cleanse(pskdata, pskdatalen);
1161 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1162 ERR_R_INTERNAL_ERROR);
1163 goto err;
1164 }
1165 OPENSSL_cleanse(pskdata, pskdatalen);
1166 }
1167 }
1168 #endif /* OPENSSL_NO_PSK */
1169
1170 if (sess != NULL) {
1171 /* We found a PSK */
1172 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1173
1174 if (sesstmp == NULL) {
1175 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1176 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1177 return 0;
1178 }
1179 SSL_SESSION_free(sess);
1180 sess = sesstmp;
1181
1182 /*
1183 * We've just been told to use this session for this context so
1184 * make sure the sid_ctx matches up.
1185 */
1186 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1187 sess->sid_ctx_length = s->sid_ctx_length;
1188 ext = 1;
1189 if (id == 0)
1190 s->ext.early_data_ok = 1;
1191 s->ext.ticket_expected = 1;
1192 } else {
1193 uint32_t ticket_age = 0, now, agesec, agems;
1194 int ret;
1195
1196 /*
1197 * If we are using anti-replay protection then we behave as if
1198 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1199 * is no point in using full stateless tickets.
1200 */
1201 if ((s->options & SSL_OP_NO_TICKET) != 0
1202 || (s->max_early_data > 0
1203 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1204 ret = tls_get_stateful_ticket(s, &identity, &sess);
1205 else
1206 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1207 PACKET_remaining(&identity), NULL, 0,
1208 &sess);
1209
1210 if (ret == SSL_TICKET_EMPTY) {
1211 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1212 SSL_R_BAD_EXTENSION);
1213 return 0;
1214 }
1215
1216 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1217 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1218 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1219 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1220 return 0;
1221 }
1222 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1223 continue;
1224
1225 /* Check for replay */
1226 if (s->max_early_data > 0
1227 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1228 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1229 SSL_SESSION_free(sess);
1230 sess = NULL;
1231 continue;
1232 }
1233
1234 ticket_age = (uint32_t)ticket_agel;
1235 now = (uint32_t)time(NULL);
1236 agesec = now - (uint32_t)sess->time;
1237 agems = agesec * (uint32_t)1000;
1238 ticket_age -= sess->ext.tick_age_add;
1239
1240 /*
1241 * For simplicity we do our age calculations in seconds. If the
1242 * client does it in ms then it could appear that their ticket age
1243 * is longer than ours (our ticket age calculation should always be
1244 * slightly longer than the client's due to the network latency).
1245 * Therefore we add 1000ms to our age calculation to adjust for
1246 * rounding errors.
1247 */
1248 if (id == 0
1249 && sess->timeout >= (long)agesec
1250 && agems / (uint32_t)1000 == agesec
1251 && ticket_age <= agems + 1000
1252 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1253 /*
1254 * Ticket age is within tolerance and not expired. We allow it
1255 * for early data
1256 */
1257 s->ext.early_data_ok = 1;
1258 }
1259 }
1260
1261 md = ssl_md(s->ctx, sess->cipher->algorithm2);
1262 if (!EVP_MD_is_a(md,
1263 EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) {
1264 /* The ciphersuite is not compatible with this session. */
1265 SSL_SESSION_free(sess);
1266 sess = NULL;
1267 s->ext.early_data_ok = 0;
1268 s->ext.ticket_expected = 0;
1269 continue;
1270 }
1271 break;
1272 }
1273
1274 if (sess == NULL)
1275 return 1;
1276
1277 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1278 hashsize = EVP_MD_size(md);
1279
1280 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1281 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1282 SSL_R_BAD_EXTENSION);
1283 goto err;
1284 }
1285
1286 for (i = 0; i <= id; i++) {
1287 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1288 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1289 SSL_R_BAD_EXTENSION);
1290 goto err;
1291 }
1292 }
1293
1294 if (PACKET_remaining(&binder) != hashsize) {
1295 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1296 SSL_R_BAD_EXTENSION);
1297 goto err;
1298 }
1299 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1300 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1301 ext) != 1) {
1302 /* SSLfatal() already called */
1303 goto err;
1304 }
1305
1306 s->ext.tick_identity = id;
1307
1308 SSL_SESSION_free(s->session);
1309 s->session = sess;
1310 return 1;
1311 err:
1312 SSL_SESSION_free(sess);
1313 return 0;
1314 }
1315
1316 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
1317 X509 *x, size_t chainidx)
1318 {
1319 if (PACKET_remaining(pkt) != 0) {
1320 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
1321 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1322 return 0;
1323 }
1324
1325 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1326
1327 return 1;
1328 }
1329
1330 /*
1331 * Add the server's renegotiation binding
1332 */
1333 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1334 unsigned int context, X509 *x,
1335 size_t chainidx)
1336 {
1337 if (!s->s3.send_connection_binding)
1338 return EXT_RETURN_NOT_SENT;
1339
1340 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1341 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1342 || !WPACKET_start_sub_packet_u16(pkt)
1343 || !WPACKET_start_sub_packet_u8(pkt)
1344 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1345 s->s3.previous_client_finished_len)
1346 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1347 s->s3.previous_server_finished_len)
1348 || !WPACKET_close(pkt)
1349 || !WPACKET_close(pkt)) {
1350 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1351 ERR_R_INTERNAL_ERROR);
1352 return EXT_RETURN_FAIL;
1353 }
1354
1355 return EXT_RETURN_SENT;
1356 }
1357
1358 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1359 unsigned int context, X509 *x,
1360 size_t chainidx)
1361 {
1362 if (s->servername_done != 1)
1363 return EXT_RETURN_NOT_SENT;
1364
1365 /*
1366 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1367 * We just use the servername from the initial handshake.
1368 */
1369 if (s->hit && !SSL_IS_TLS13(s))
1370 return EXT_RETURN_NOT_SENT;
1371
1372 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1373 || !WPACKET_put_bytes_u16(pkt, 0)) {
1374 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1375 ERR_R_INTERNAL_ERROR);
1376 return EXT_RETURN_FAIL;
1377 }
1378
1379 return EXT_RETURN_SENT;
1380 }
1381
1382 /* Add/include the server's max fragment len extension into ServerHello */
1383 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1384 unsigned int context, X509 *x,
1385 size_t chainidx)
1386 {
1387 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1388 return EXT_RETURN_NOT_SENT;
1389
1390 /*-
1391 * 4 bytes for this extension type and extension length
1392 * 1 byte for the Max Fragment Length code value.
1393 */
1394 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1395 || !WPACKET_start_sub_packet_u16(pkt)
1396 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1397 || !WPACKET_close(pkt)) {
1398 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1399 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1400 return EXT_RETURN_FAIL;
1401 }
1402
1403 return EXT_RETURN_SENT;
1404 }
1405
1406 #ifndef OPENSSL_NO_EC
1407 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1408 unsigned int context, X509 *x,
1409 size_t chainidx)
1410 {
1411 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1412 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1413 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1414 && (s->ext.peer_ecpointformats != NULL);
1415 const unsigned char *plist;
1416 size_t plistlen;
1417
1418 if (!using_ecc)
1419 return EXT_RETURN_NOT_SENT;
1420
1421 tls1_get_formatlist(s, &plist, &plistlen);
1422 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1423 || !WPACKET_start_sub_packet_u16(pkt)
1424 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1425 || !WPACKET_close(pkt)) {
1426 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1427 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1428 return EXT_RETURN_FAIL;
1429 }
1430
1431 return EXT_RETURN_SENT;
1432 }
1433 #endif
1434
1435 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
1436 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1437 unsigned int context, X509 *x,
1438 size_t chainidx)
1439 {
1440 const uint16_t *groups;
1441 size_t numgroups, i, first = 1;
1442
1443 /* s->s3.group_id is non zero if we accepted a key_share */
1444 if (s->s3.group_id == 0)
1445 return EXT_RETURN_NOT_SENT;
1446
1447 /* Get our list of supported groups */
1448 tls1_get_supported_groups(s, &groups, &numgroups);
1449 if (numgroups == 0) {
1450 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1451 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1452 return EXT_RETURN_FAIL;
1453 }
1454
1455 /* Copy group ID if supported */
1456 for (i = 0; i < numgroups; i++) {
1457 uint16_t group = groups[i];
1458
1459 if (tls_valid_group(s, group, SSL_version(s))
1460 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1461 if (first) {
1462 /*
1463 * Check if the client is already using our preferred group. If
1464 * so we don't need to add this extension
1465 */
1466 if (s->s3.group_id == group)
1467 return EXT_RETURN_NOT_SENT;
1468
1469 /* Add extension header */
1470 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1471 /* Sub-packet for supported_groups extension */
1472 || !WPACKET_start_sub_packet_u16(pkt)
1473 || !WPACKET_start_sub_packet_u16(pkt)) {
1474 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1475 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1476 ERR_R_INTERNAL_ERROR);
1477 return EXT_RETURN_FAIL;
1478 }
1479
1480 first = 0;
1481 }
1482 if (!WPACKET_put_bytes_u16(pkt, group)) {
1483 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1484 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1485 ERR_R_INTERNAL_ERROR);
1486 return EXT_RETURN_FAIL;
1487 }
1488 }
1489 }
1490
1491 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1492 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1493 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1494 ERR_R_INTERNAL_ERROR);
1495 return EXT_RETURN_FAIL;
1496 }
1497
1498 return EXT_RETURN_SENT;
1499 }
1500 #endif
1501
1502 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1503 unsigned int context, X509 *x,
1504 size_t chainidx)
1505 {
1506 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1507 s->ext.ticket_expected = 0;
1508 return EXT_RETURN_NOT_SENT;
1509 }
1510
1511 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1512 || !WPACKET_put_bytes_u16(pkt, 0)) {
1513 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1514 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1515 return EXT_RETURN_FAIL;
1516 }
1517
1518 return EXT_RETURN_SENT;
1519 }
1520
1521 #ifndef OPENSSL_NO_OCSP
1522 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1523 unsigned int context, X509 *x,
1524 size_t chainidx)
1525 {
1526 /* We don't currently support this extension inside a CertificateRequest */
1527 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1528 return EXT_RETURN_NOT_SENT;
1529
1530 if (!s->ext.status_expected)
1531 return EXT_RETURN_NOT_SENT;
1532
1533 if (SSL_IS_TLS13(s) && chainidx != 0)
1534 return EXT_RETURN_NOT_SENT;
1535
1536 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1537 || !WPACKET_start_sub_packet_u16(pkt)) {
1538 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1539 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1540 return EXT_RETURN_FAIL;
1541 }
1542
1543 /*
1544 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1545 * send back an empty extension, with the certificate status appearing as a
1546 * separate message
1547 */
1548 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1549 /* SSLfatal() already called */
1550 return EXT_RETURN_FAIL;
1551 }
1552 if (!WPACKET_close(pkt)) {
1553 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1554 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1555 return EXT_RETURN_FAIL;
1556 }
1557
1558 return EXT_RETURN_SENT;
1559 }
1560 #endif
1561
1562 #ifndef OPENSSL_NO_NEXTPROTONEG
1563 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1564 unsigned int context, X509 *x,
1565 size_t chainidx)
1566 {
1567 const unsigned char *npa;
1568 unsigned int npalen;
1569 int ret;
1570 int npn_seen = s->s3.npn_seen;
1571
1572 s->s3.npn_seen = 0;
1573 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1574 return EXT_RETURN_NOT_SENT;
1575
1576 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1577 s->ctx->ext.npn_advertised_cb_arg);
1578 if (ret == SSL_TLSEXT_ERR_OK) {
1579 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1580 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1581 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1582 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1583 ERR_R_INTERNAL_ERROR);
1584 return EXT_RETURN_FAIL;
1585 }
1586 s->s3.npn_seen = 1;
1587 }
1588
1589 return EXT_RETURN_SENT;
1590 }
1591 #endif
1592
1593 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1594 X509 *x, size_t chainidx)
1595 {
1596 if (s->s3.alpn_selected == NULL)
1597 return EXT_RETURN_NOT_SENT;
1598
1599 if (!WPACKET_put_bytes_u16(pkt,
1600 TLSEXT_TYPE_application_layer_protocol_negotiation)
1601 || !WPACKET_start_sub_packet_u16(pkt)
1602 || !WPACKET_start_sub_packet_u16(pkt)
1603 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1604 s->s3.alpn_selected_len)
1605 || !WPACKET_close(pkt)
1606 || !WPACKET_close(pkt)) {
1607 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1608 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1609 return EXT_RETURN_FAIL;
1610 }
1611
1612 return EXT_RETURN_SENT;
1613 }
1614
1615 #ifndef OPENSSL_NO_SRTP
1616 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1617 unsigned int context, X509 *x,
1618 size_t chainidx)
1619 {
1620 if (s->srtp_profile == NULL)
1621 return EXT_RETURN_NOT_SENT;
1622
1623 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1624 || !WPACKET_start_sub_packet_u16(pkt)
1625 || !WPACKET_put_bytes_u16(pkt, 2)
1626 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1627 || !WPACKET_put_bytes_u8(pkt, 0)
1628 || !WPACKET_close(pkt)) {
1629 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1630 ERR_R_INTERNAL_ERROR);
1631 return EXT_RETURN_FAIL;
1632 }
1633
1634 return EXT_RETURN_SENT;
1635 }
1636 #endif
1637
1638 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1639 X509 *x, size_t chainidx)
1640 {
1641 if (!s->ext.use_etm)
1642 return EXT_RETURN_NOT_SENT;
1643
1644 /*
1645 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1646 * for other cases too.
1647 */
1648 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1649 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1650 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1651 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1652 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1653 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1654 s->ext.use_etm = 0;
1655 return EXT_RETURN_NOT_SENT;
1656 }
1657
1658 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1659 || !WPACKET_put_bytes_u16(pkt, 0)) {
1660 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1661 ERR_R_INTERNAL_ERROR);
1662 return EXT_RETURN_FAIL;
1663 }
1664
1665 return EXT_RETURN_SENT;
1666 }
1667
1668 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1669 X509 *x, size_t chainidx)
1670 {
1671 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1672 return EXT_RETURN_NOT_SENT;
1673
1674 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1675 || !WPACKET_put_bytes_u16(pkt, 0)) {
1676 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1677 ERR_R_INTERNAL_ERROR);
1678 return EXT_RETURN_FAIL;
1679 }
1680
1681 return EXT_RETURN_SENT;
1682 }
1683
1684 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1685 unsigned int context, X509 *x,
1686 size_t chainidx)
1687 {
1688 if (!ossl_assert(SSL_IS_TLS13(s))) {
1689 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1690 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1691 ERR_R_INTERNAL_ERROR);
1692 return EXT_RETURN_FAIL;
1693 }
1694
1695 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1696 || !WPACKET_start_sub_packet_u16(pkt)
1697 || !WPACKET_put_bytes_u16(pkt, s->version)
1698 || !WPACKET_close(pkt)) {
1699 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1700 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1701 ERR_R_INTERNAL_ERROR);
1702 return EXT_RETURN_FAIL;
1703 }
1704
1705 return EXT_RETURN_SENT;
1706 }
1707
1708 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1709 unsigned int context, X509 *x,
1710 size_t chainidx)
1711 {
1712 #ifndef OPENSSL_NO_TLS1_3
1713 unsigned char *encodedPoint;
1714 size_t encoded_pt_len = 0;
1715 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1716
1717 if (s->hello_retry_request == SSL_HRR_PENDING) {
1718 if (ckey != NULL) {
1719 /* Original key_share was acceptable so don't ask for another one */
1720 return EXT_RETURN_NOT_SENT;
1721 }
1722 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1723 || !WPACKET_start_sub_packet_u16(pkt)
1724 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1725 || !WPACKET_close(pkt)) {
1726 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1727 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1728 ERR_R_INTERNAL_ERROR);
1729 return EXT_RETURN_FAIL;
1730 }
1731
1732 return EXT_RETURN_SENT;
1733 }
1734
1735 if (ckey == NULL) {
1736 /* No key_share received from client - must be resuming */
1737 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1738 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1739 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1740 return EXT_RETURN_FAIL;
1741 }
1742 return EXT_RETURN_NOT_SENT;
1743 }
1744
1745 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1746 || !WPACKET_start_sub_packet_u16(pkt)
1747 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1748 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1749 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1750 return EXT_RETURN_FAIL;
1751 }
1752
1753 skey = ssl_generate_pkey(s, ckey);
1754 if (skey == NULL) {
1755 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1756 ERR_R_MALLOC_FAILURE);
1757 return EXT_RETURN_FAIL;
1758 }
1759
1760 /*
1761 * TODO(3.0) Remove this when EVP_PKEY_get1_tls_encodedpoint()
1762 * knows how to get a key from an encoded point with the help of
1763 * a OSSL_SERIALIZER deserializer. We know that EVP_PKEY_get0()
1764 * downgrades an EVP_PKEY to contain a legacy key.
1765 *
1766 * THIS IS TEMPORARY
1767 */
1768 EVP_PKEY_get0(skey);
1769 if (EVP_PKEY_id(skey) == EVP_PKEY_NONE) {
1770 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1771 ERR_R_INTERNAL_ERROR);
1772 return EXT_RETURN_FAIL;
1773 }
1774
1775 /* Generate encoding of server key */
1776 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1777 if (encoded_pt_len == 0) {
1778 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1779 ERR_R_EC_LIB);
1780 EVP_PKEY_free(skey);
1781 return EXT_RETURN_FAIL;
1782 }
1783
1784 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1785 || !WPACKET_close(pkt)) {
1786 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1787 ERR_R_INTERNAL_ERROR);
1788 EVP_PKEY_free(skey);
1789 OPENSSL_free(encodedPoint);
1790 return EXT_RETURN_FAIL;
1791 }
1792 OPENSSL_free(encodedPoint);
1793
1794 /* This causes the crypto state to be updated based on the derived keys */
1795 s->s3.tmp.pkey = skey;
1796 if (ssl_derive(s, skey, ckey, 1) == 0) {
1797 /* SSLfatal() already called */
1798 return EXT_RETURN_FAIL;
1799 }
1800 return EXT_RETURN_SENT;
1801 #else
1802 return EXT_RETURN_FAIL;
1803 #endif
1804 }
1805
1806 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1807 X509 *x, size_t chainidx)
1808 {
1809 #ifndef OPENSSL_NO_TLS1_3
1810 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1811 unsigned char *hmac, *hmac2;
1812 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1813 EVP_MD_CTX *hctx;
1814 EVP_PKEY *pkey;
1815 int ret = EXT_RETURN_FAIL;
1816
1817 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1818 return EXT_RETURN_NOT_SENT;
1819
1820 if (s->ctx->gen_stateless_cookie_cb == NULL) {
1821 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1822 SSL_R_NO_COOKIE_CALLBACK_SET);
1823 return EXT_RETURN_FAIL;
1824 }
1825
1826 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1827 || !WPACKET_start_sub_packet_u16(pkt)
1828 || !WPACKET_start_sub_packet_u16(pkt)
1829 || !WPACKET_get_total_written(pkt, &startlen)
1830 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1831 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1832 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1833 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1834 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1835 &ciphlen)
1836 /* Is there a key_share extension present in this HRR? */
1837 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1838 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
1839 || !WPACKET_start_sub_packet_u16(pkt)
1840 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1841 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1842 ERR_R_INTERNAL_ERROR);
1843 return EXT_RETURN_FAIL;
1844 }
1845
1846 /*
1847 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1848 * on raw buffers, so we first reserve sufficient bytes (above) and then
1849 * subsequently allocate them (below)
1850 */
1851 if (!ssl3_digest_cached_records(s, 0)
1852 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1853 /* SSLfatal() already called */
1854 return EXT_RETURN_FAIL;
1855 }
1856
1857 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1858 || !ossl_assert(hashval1 == hashval2)
1859 || !WPACKET_close(pkt)
1860 || !WPACKET_start_sub_packet_u8(pkt)
1861 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1862 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1863 ERR_R_INTERNAL_ERROR);
1864 return EXT_RETURN_FAIL;
1865 }
1866
1867 /* Generate the application cookie */
1868 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1869 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1870 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1871 return EXT_RETURN_FAIL;
1872 }
1873
1874 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1875 || !ossl_assert(appcookie1 == appcookie2)
1876 || !WPACKET_close(pkt)
1877 || !WPACKET_get_total_written(pkt, &totcookielen)
1878 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1879 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1880 ERR_R_INTERNAL_ERROR);
1881 return EXT_RETURN_FAIL;
1882 }
1883 hmaclen = SHA256_DIGEST_LENGTH;
1884
1885 totcookielen -= startlen;
1886 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1887 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1888 ERR_R_INTERNAL_ERROR);
1889 return EXT_RETURN_FAIL;
1890 }
1891
1892 /* HMAC the cookie */
1893 hctx = EVP_MD_CTX_create();
1894 pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
1895 s->session_ctx->ext.cookie_hmac_key,
1896 sizeof(s->session_ctx->ext
1897 .cookie_hmac_key));
1898 if (hctx == NULL || pkey == NULL) {
1899 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1900 ERR_R_MALLOC_FAILURE);
1901 goto err;
1902 }
1903
1904 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->propq, pkey,
1905 s->ctx->libctx) <= 0
1906 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1907 totcookielen) <= 0) {
1908 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1909 ERR_R_INTERNAL_ERROR);
1910 goto err;
1911 }
1912
1913 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1914 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1915 ERR_R_INTERNAL_ERROR);
1916 goto err;
1917 }
1918
1919 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1920 || !ossl_assert(hmac == hmac2)
1921 || !ossl_assert(cookie == hmac - totcookielen)
1922 || !WPACKET_close(pkt)
1923 || !WPACKET_close(pkt)) {
1924 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1925 ERR_R_INTERNAL_ERROR);
1926 goto err;
1927 }
1928
1929 ret = EXT_RETURN_SENT;
1930
1931 err:
1932 EVP_MD_CTX_free(hctx);
1933 EVP_PKEY_free(pkey);
1934 return ret;
1935 #else
1936 return EXT_RETURN_FAIL;
1937 #endif
1938 }
1939
1940 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1941 unsigned int context, X509 *x,
1942 size_t chainidx)
1943 {
1944 const unsigned char cryptopro_ext[36] = {
1945 0xfd, 0xe8, /* 65000 */
1946 0x00, 0x20, /* 32 bytes length */
1947 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1948 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1949 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1950 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1951 };
1952
1953 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1954 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1955 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1956 return EXT_RETURN_NOT_SENT;
1957
1958 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1959 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1960 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1961 return EXT_RETURN_FAIL;
1962 }
1963
1964 return EXT_RETURN_SENT;
1965 }
1966
1967 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1968 unsigned int context, X509 *x,
1969 size_t chainidx)
1970 {
1971 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1972 if (s->max_early_data == 0)
1973 return EXT_RETURN_NOT_SENT;
1974
1975 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1976 || !WPACKET_start_sub_packet_u16(pkt)
1977 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1978 || !WPACKET_close(pkt)) {
1979 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1980 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1981 return EXT_RETURN_FAIL;
1982 }
1983
1984 return EXT_RETURN_SENT;
1985 }
1986
1987 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1988 return EXT_RETURN_NOT_SENT;
1989
1990 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1991 || !WPACKET_start_sub_packet_u16(pkt)
1992 || !WPACKET_close(pkt)) {
1993 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1994 ERR_R_INTERNAL_ERROR);
1995 return EXT_RETURN_FAIL;
1996 }
1997
1998 return EXT_RETURN_SENT;
1999 }
2000
2001 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
2002 X509 *x, size_t chainidx)
2003 {
2004 if (!s->hit)
2005 return EXT_RETURN_NOT_SENT;
2006
2007 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
2008 || !WPACKET_start_sub_packet_u16(pkt)
2009 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
2010 || !WPACKET_close(pkt)) {
2011 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2012 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
2013 return EXT_RETURN_FAIL;
2014 }
2015
2016 return EXT_RETURN_SENT;
2017 }
A mirror of the official openssl repository