2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
15 DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE
)
16 DEFINE_STACK_OF(OCSP_RESPID
)
17 DEFINE_STACK_OF(X509_EXTENSION
)
19 #define COOKIE_STATE_FORMAT_VERSION 0
22 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
23 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
24 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
25 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
26 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
28 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
29 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
32 * Message header + 2 bytes for protocol version + number of random bytes +
33 * + 1 byte for legacy session id length + number of bytes in legacy session id
34 * + 2 bytes for ciphersuite + 1 byte for legacy compression
35 * + 2 bytes for extension block length + 6 bytes for key_share extension
36 * + 4 bytes for cookie extension header + the number of bytes in the cookie
38 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
39 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
43 * Parse the client's renegotiation binding and abort if it's not right
45 int tls_parse_ctos_renegotiate(SSL
*s
, PACKET
*pkt
, unsigned int context
,
46 X509
*x
, size_t chainidx
)
49 const unsigned char *data
;
51 /* Parse the length byte */
52 if (!PACKET_get_1(pkt
, &ilen
)
53 || !PACKET_get_bytes(pkt
, &data
, ilen
)) {
54 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE
,
55 SSL_R_RENEGOTIATION_ENCODING_ERR
);
59 /* Check that the extension matches */
60 if (ilen
!= s
->s3
.previous_client_finished_len
) {
61 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE
,
62 SSL_R_RENEGOTIATION_MISMATCH
);
66 if (memcmp(data
, s
->s3
.previous_client_finished
,
67 s
->s3
.previous_client_finished_len
)) {
68 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE
,
69 SSL_R_RENEGOTIATION_MISMATCH
);
73 s
->s3
.send_connection_binding
= 1;
79 * The servername extension is treated as follows:
81 * - Only the hostname type is supported with a maximum length of 255.
82 * - The servername is rejected if too long or if it contains zeros,
83 * in which case an fatal alert is generated.
84 * - The servername field is maintained together with the session cache.
85 * - When a session is resumed, the servername call back invoked in order
86 * to allow the application to position itself to the right context.
87 * - The servername is acknowledged if it is new for a session or when
88 * it is identical to a previously used for the same session.
89 * Applications can control the behaviour. They can at any time
90 * set a 'desirable' servername for a new SSL object. This can be the
91 * case for example with HTTPS when a Host: header field is received and
92 * a renegotiation is requested. In this case, a possible servername
93 * presented in the new client hello is only acknowledged if it matches
94 * the value of the Host: field.
95 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
96 * if they provide for changing an explicit servername context for the
97 * session, i.e. when the session has been established with a servername
99 * - On session reconnect, the servername extension may be absent.
101 int tls_parse_ctos_server_name(SSL
*s
, PACKET
*pkt
, unsigned int context
,
102 X509
*x
, size_t chainidx
)
104 unsigned int servname_type
;
105 PACKET sni
, hostname
;
107 if (!PACKET_as_length_prefixed_2(pkt
, &sni
)
108 /* ServerNameList must be at least 1 byte long. */
109 || PACKET_remaining(&sni
) == 0) {
110 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_SERVER_NAME
,
111 SSL_R_BAD_EXTENSION
);
116 * Although the intent was for server_name to be extensible, RFC 4366
117 * was not clear about it; and so OpenSSL among other implementations,
118 * always and only allows a 'host_name' name types.
119 * RFC 6066 corrected the mistake but adding new name types
120 * is nevertheless no longer feasible, so act as if no other
121 * SNI types can exist, to simplify parsing.
123 * Also note that the RFC permits only one SNI value per type,
124 * i.e., we can only have a single hostname.
126 if (!PACKET_get_1(&sni
, &servname_type
)
127 || servname_type
!= TLSEXT_NAMETYPE_host_name
128 || !PACKET_as_length_prefixed_2(&sni
, &hostname
)) {
129 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_SERVER_NAME
,
130 SSL_R_BAD_EXTENSION
);
135 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
136 * we always use the SNI value from the handshake.
138 if (!s
->hit
|| SSL_IS_TLS13(s
)) {
139 if (PACKET_remaining(&hostname
) > TLSEXT_MAXLEN_host_name
) {
140 SSLfatal(s
, SSL_AD_UNRECOGNIZED_NAME
,
141 SSL_F_TLS_PARSE_CTOS_SERVER_NAME
,
142 SSL_R_BAD_EXTENSION
);
146 if (PACKET_contains_zero_byte(&hostname
)) {
147 SSLfatal(s
, SSL_AD_UNRECOGNIZED_NAME
,
148 SSL_F_TLS_PARSE_CTOS_SERVER_NAME
,
149 SSL_R_BAD_EXTENSION
);
154 * Store the requested SNI in the SSL as temporary storage.
155 * If we accept it, it will get stored in the SSL_SESSION as well.
157 OPENSSL_free(s
->ext
.hostname
);
158 s
->ext
.hostname
= NULL
;
159 if (!PACKET_strndup(&hostname
, &s
->ext
.hostname
)) {
160 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_SERVER_NAME
,
161 ERR_R_INTERNAL_ERROR
);
165 s
->servername_done
= 1;
168 * In TLSv1.2 and below we should check if the SNI is consistent between
169 * the initial handshake and the resumption. In TLSv1.3 SNI is not
170 * associated with the session.
173 * TODO(openssl-team): if the SNI doesn't match, we MUST
174 * fall back to a full handshake.
176 s
->servername_done
= (s
->session
->ext
.hostname
!= NULL
)
177 && PACKET_equal(&hostname
, s
->session
->ext
.hostname
,
178 strlen(s
->session
->ext
.hostname
));
184 int tls_parse_ctos_maxfragmentlen(SSL
*s
, PACKET
*pkt
, unsigned int context
,
185 X509
*x
, size_t chainidx
)
189 if (PACKET_remaining(pkt
) != 1 || !PACKET_get_1(pkt
, &value
)) {
190 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN
,
191 SSL_R_BAD_EXTENSION
);
195 /* Received |value| should be a valid max-fragment-length code. */
196 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value
)) {
197 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
198 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN
,
199 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH
);
204 * RFC 6066: The negotiated length applies for the duration of the session
205 * including session resumptions.
206 * We should receive the same code as in resumed session !
208 if (s
->hit
&& s
->session
->ext
.max_fragment_len_mode
!= value
) {
209 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
210 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN
,
211 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH
);
216 * Store it in session, so it'll become binding for us
217 * and we'll include it in a next Server Hello.
219 s
->session
->ext
.max_fragment_len_mode
= value
;
223 #ifndef OPENSSL_NO_SRP
224 int tls_parse_ctos_srp(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
229 if (!PACKET_as_length_prefixed_1(pkt
, &srp_I
)
230 || PACKET_contains_zero_byte(&srp_I
)) {
231 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
232 SSL_F_TLS_PARSE_CTOS_SRP
,
233 SSL_R_BAD_EXTENSION
);
238 * TODO(openssl-team): currently, we re-authenticate the user
239 * upon resumption. Instead, we MUST ignore the login.
241 if (!PACKET_strndup(&srp_I
, &s
->srp_ctx
.login
)) {
242 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_SRP
,
243 ERR_R_INTERNAL_ERROR
);
251 #ifndef OPENSSL_NO_EC
252 int tls_parse_ctos_ec_pt_formats(SSL
*s
, PACKET
*pkt
, unsigned int context
,
253 X509
*x
, size_t chainidx
)
255 PACKET ec_point_format_list
;
257 if (!PACKET_as_length_prefixed_1(pkt
, &ec_point_format_list
)
258 || PACKET_remaining(&ec_point_format_list
) == 0) {
259 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS
,
260 SSL_R_BAD_EXTENSION
);
265 if (!PACKET_memdup(&ec_point_format_list
,
266 &s
->ext
.peer_ecpointformats
,
267 &s
->ext
.peer_ecpointformats_len
)) {
268 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
269 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS
, ERR_R_INTERNAL_ERROR
);
276 #endif /* OPENSSL_NO_EC */
278 int tls_parse_ctos_session_ticket(SSL
*s
, PACKET
*pkt
, unsigned int context
,
279 X509
*x
, size_t chainidx
)
281 if (s
->ext
.session_ticket_cb
&&
282 !s
->ext
.session_ticket_cb(s
, PACKET_data(pkt
),
283 PACKET_remaining(pkt
),
284 s
->ext
.session_ticket_cb_arg
)) {
285 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
286 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET
, ERR_R_INTERNAL_ERROR
);
293 int tls_parse_ctos_sig_algs_cert(SSL
*s
, PACKET
*pkt
, unsigned int context
,
294 X509
*x
, size_t chainidx
)
296 PACKET supported_sig_algs
;
298 if (!PACKET_as_length_prefixed_2(pkt
, &supported_sig_algs
)
299 || PACKET_remaining(&supported_sig_algs
) == 0) {
300 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
301 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT
, SSL_R_BAD_EXTENSION
);
305 if (!s
->hit
&& !tls1_save_sigalgs(s
, &supported_sig_algs
, 1)) {
306 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
307 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT
, SSL_R_BAD_EXTENSION
);
314 int tls_parse_ctos_sig_algs(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
317 PACKET supported_sig_algs
;
319 if (!PACKET_as_length_prefixed_2(pkt
, &supported_sig_algs
)
320 || PACKET_remaining(&supported_sig_algs
) == 0) {
321 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
322 SSL_F_TLS_PARSE_CTOS_SIG_ALGS
, SSL_R_BAD_EXTENSION
);
326 if (!s
->hit
&& !tls1_save_sigalgs(s
, &supported_sig_algs
, 0)) {
327 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
328 SSL_F_TLS_PARSE_CTOS_SIG_ALGS
, SSL_R_BAD_EXTENSION
);
335 #ifndef OPENSSL_NO_OCSP
336 int tls_parse_ctos_status_request(SSL
*s
, PACKET
*pkt
, unsigned int context
,
337 X509
*x
, size_t chainidx
)
339 PACKET responder_id_list
, exts
;
341 /* We ignore this in a resumption handshake */
345 /* Not defined if we get one of these in a client Certificate */
349 if (!PACKET_get_1(pkt
, (unsigned int *)&s
->ext
.status_type
)) {
350 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
351 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
355 if (s
->ext
.status_type
!= TLSEXT_STATUSTYPE_ocsp
) {
357 * We don't know what to do with any other type so ignore it.
359 s
->ext
.status_type
= TLSEXT_STATUSTYPE_nothing
;
363 if (!PACKET_get_length_prefixed_2 (pkt
, &responder_id_list
)) {
364 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
365 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
370 * We remove any OCSP_RESPIDs from a previous handshake
371 * to prevent unbounded memory growth - CVE-2016-6304
373 sk_OCSP_RESPID_pop_free(s
->ext
.ocsp
.ids
, OCSP_RESPID_free
);
374 if (PACKET_remaining(&responder_id_list
) > 0) {
375 s
->ext
.ocsp
.ids
= sk_OCSP_RESPID_new_null();
376 if (s
->ext
.ocsp
.ids
== NULL
) {
377 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
378 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, ERR_R_MALLOC_FAILURE
);
382 s
->ext
.ocsp
.ids
= NULL
;
385 while (PACKET_remaining(&responder_id_list
) > 0) {
388 const unsigned char *id_data
;
390 if (!PACKET_get_length_prefixed_2(&responder_id_list
, &responder_id
)
391 || PACKET_remaining(&responder_id
) == 0) {
392 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
393 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
397 id_data
= PACKET_data(&responder_id
);
398 /* TODO(size_t): Convert d2i_* to size_t */
399 id
= d2i_OCSP_RESPID(NULL
, &id_data
,
400 (int)PACKET_remaining(&responder_id
));
402 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
403 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
407 if (id_data
!= PACKET_end(&responder_id
)) {
408 OCSP_RESPID_free(id
);
409 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
410 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
415 if (!sk_OCSP_RESPID_push(s
->ext
.ocsp
.ids
, id
)) {
416 OCSP_RESPID_free(id
);
417 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
418 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, ERR_R_INTERNAL_ERROR
);
424 /* Read in request_extensions */
425 if (!PACKET_as_length_prefixed_2(pkt
, &exts
)) {
426 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
427 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
431 if (PACKET_remaining(&exts
) > 0) {
432 const unsigned char *ext_data
= PACKET_data(&exts
);
434 sk_X509_EXTENSION_pop_free(s
->ext
.ocsp
.exts
,
435 X509_EXTENSION_free
);
437 d2i_X509_EXTENSIONS(NULL
, &ext_data
, (int)PACKET_remaining(&exts
));
438 if (s
->ext
.ocsp
.exts
== NULL
|| ext_data
!= PACKET_end(&exts
)) {
439 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
440 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
449 #ifndef OPENSSL_NO_NEXTPROTONEG
450 int tls_parse_ctos_npn(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
454 * We shouldn't accept this extension on a
457 if (SSL_IS_FIRST_HANDSHAKE(s
))
465 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
466 * extension, not including type and length. Returns: 1 on success, 0 on error.
468 int tls_parse_ctos_alpn(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
471 PACKET protocol_list
, save_protocol_list
, protocol
;
473 if (!SSL_IS_FIRST_HANDSHAKE(s
))
476 if (!PACKET_as_length_prefixed_2(pkt
, &protocol_list
)
477 || PACKET_remaining(&protocol_list
) < 2) {
478 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_ALPN
,
479 SSL_R_BAD_EXTENSION
);
483 save_protocol_list
= protocol_list
;
485 /* Protocol names can't be empty. */
486 if (!PACKET_get_length_prefixed_1(&protocol_list
, &protocol
)
487 || PACKET_remaining(&protocol
) == 0) {
488 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_ALPN
,
489 SSL_R_BAD_EXTENSION
);
492 } while (PACKET_remaining(&protocol_list
) != 0);
494 OPENSSL_free(s
->s3
.alpn_proposed
);
495 s
->s3
.alpn_proposed
= NULL
;
496 s
->s3
.alpn_proposed_len
= 0;
497 if (!PACKET_memdup(&save_protocol_list
,
498 &s
->s3
.alpn_proposed
, &s
->s3
.alpn_proposed_len
)) {
499 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_ALPN
,
500 ERR_R_INTERNAL_ERROR
);
507 #ifndef OPENSSL_NO_SRTP
508 int tls_parse_ctos_use_srtp(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
511 STACK_OF(SRTP_PROTECTION_PROFILE
) *srvr
;
512 unsigned int ct
, mki_len
, id
;
516 /* Ignore this if we have no SRTP profiles */
517 if (SSL_get_srtp_profiles(s
) == NULL
)
520 /* Pull off the length of the cipher suite list and check it is even */
521 if (!PACKET_get_net_2(pkt
, &ct
) || (ct
& 1) != 0
522 || !PACKET_get_sub_packet(pkt
, &subpkt
, ct
)) {
523 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_USE_SRTP
,
524 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
528 srvr
= SSL_get_srtp_profiles(s
);
529 s
->srtp_profile
= NULL
;
530 /* Search all profiles for a match initially */
531 srtp_pref
= sk_SRTP_PROTECTION_PROFILE_num(srvr
);
533 while (PACKET_remaining(&subpkt
)) {
534 if (!PACKET_get_net_2(&subpkt
, &id
)) {
535 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_USE_SRTP
,
536 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
541 * Only look for match in profiles of higher preference than
543 * If no profiles have been have been configured then this
546 for (i
= 0; i
< srtp_pref
; i
++) {
547 SRTP_PROTECTION_PROFILE
*sprof
=
548 sk_SRTP_PROTECTION_PROFILE_value(srvr
, i
);
550 if (sprof
->id
== id
) {
551 s
->srtp_profile
= sprof
;
558 /* Now extract the MKI value as a sanity check, but discard it for now */
559 if (!PACKET_get_1(pkt
, &mki_len
)) {
560 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_USE_SRTP
,
561 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
565 if (!PACKET_forward(pkt
, mki_len
)
566 || PACKET_remaining(pkt
)) {
567 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_USE_SRTP
,
568 SSL_R_BAD_SRTP_MKI_VALUE
);
576 int tls_parse_ctos_etm(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
579 if (!(s
->options
& SSL_OP_NO_ENCRYPT_THEN_MAC
))
586 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
587 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
589 int tls_parse_ctos_psk_kex_modes(SSL
*s
, PACKET
*pkt
, unsigned int context
,
590 X509
*x
, size_t chainidx
)
592 #ifndef OPENSSL_NO_TLS1_3
593 PACKET psk_kex_modes
;
596 if (!PACKET_as_length_prefixed_1(pkt
, &psk_kex_modes
)
597 || PACKET_remaining(&psk_kex_modes
) == 0) {
598 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES
,
599 SSL_R_BAD_EXTENSION
);
603 while (PACKET_get_1(&psk_kex_modes
, &mode
)) {
604 if (mode
== TLSEXT_KEX_MODE_KE_DHE
)
605 s
->ext
.psk_kex_mode
|= TLSEXT_KEX_MODE_FLAG_KE_DHE
;
606 else if (mode
== TLSEXT_KEX_MODE_KE
607 && (s
->options
& SSL_OP_ALLOW_NO_DHE_KEX
) != 0)
608 s
->ext
.psk_kex_mode
|= TLSEXT_KEX_MODE_FLAG_KE
;
616 * Process a key_share extension received in the ClientHello. |pkt| contains
617 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
619 int tls_parse_ctos_key_share(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
622 #ifndef OPENSSL_NO_TLS1_3
623 unsigned int group_id
;
624 PACKET key_share_list
, encoded_pt
;
625 const uint16_t *clntgroups
, *srvrgroups
;
626 size_t clnt_num_groups
, srvr_num_groups
;
629 if (s
->hit
&& (s
->ext
.psk_kex_mode
& TLSEXT_KEX_MODE_FLAG_KE_DHE
) == 0)
633 if (s
->s3
.peer_tmp
!= NULL
) {
634 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
635 ERR_R_INTERNAL_ERROR
);
639 if (!PACKET_as_length_prefixed_2(pkt
, &key_share_list
)) {
640 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
641 SSL_R_LENGTH_MISMATCH
);
645 /* Get our list of supported groups */
646 tls1_get_supported_groups(s
, &srvrgroups
, &srvr_num_groups
);
647 /* Get the clients list of supported groups. */
648 tls1_get_peer_groups(s
, &clntgroups
, &clnt_num_groups
);
649 if (clnt_num_groups
== 0) {
651 * This can only happen if the supported_groups extension was not sent,
652 * because we verify that the length is non-zero when we process that
655 SSLfatal(s
, SSL_AD_MISSING_EXTENSION
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
656 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION
);
660 if (s
->s3
.group_id
!= 0 && PACKET_remaining(&key_share_list
) == 0) {
662 * If we set a group_id already, then we must have sent an HRR
663 * requesting a new key_share. If we haven't got one then that is an
666 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
667 SSL_R_BAD_KEY_SHARE
);
671 while (PACKET_remaining(&key_share_list
) > 0) {
672 if (!PACKET_get_net_2(&key_share_list
, &group_id
)
673 || !PACKET_get_length_prefixed_2(&key_share_list
, &encoded_pt
)
674 || PACKET_remaining(&encoded_pt
) == 0) {
675 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
676 SSL_R_LENGTH_MISMATCH
);
681 * If we already found a suitable key_share we loop through the
682 * rest to verify the structure, but don't process them.
688 * If we sent an HRR then the key_share sent back MUST be for the group
689 * we requested, and must be the only key_share sent.
691 if (s
->s3
.group_id
!= 0
692 && (group_id
!= s
->s3
.group_id
693 || PACKET_remaining(&key_share_list
) != 0)) {
694 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
695 SSL_F_TLS_PARSE_CTOS_KEY_SHARE
, SSL_R_BAD_KEY_SHARE
);
699 /* Check if this share is in supported_groups sent from client */
700 if (!check_in_list(s
, group_id
, clntgroups
, clnt_num_groups
, 0)) {
701 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
702 SSL_F_TLS_PARSE_CTOS_KEY_SHARE
, SSL_R_BAD_KEY_SHARE
);
706 /* Check if this share is for a group we can use */
707 if (!check_in_list(s
, group_id
, srvrgroups
, srvr_num_groups
, 1)) {
708 /* Share not suitable */
712 if ((s
->s3
.peer_tmp
= ssl_generate_param_group(s
, group_id
)) == NULL
) {
713 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
714 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS
);
719 * TODO(3.0) Remove this when EVP_PKEY_get1_tls_encodedpoint()
720 * knows how to get a key from an encoded point with the help of
721 * a OSSL_SERIALIZER deserializer. We know that EVP_PKEY_get0()
722 * downgrades an EVP_PKEY to contain a legacy key.
726 EVP_PKEY_get0(s
->s3
.peer_tmp
);
727 if (EVP_PKEY_id(s
->s3
.peer_tmp
) == EVP_PKEY_NONE
) {
728 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
729 ERR_R_INTERNAL_ERROR
);
733 s
->s3
.group_id
= group_id
;
735 if (!EVP_PKEY_set1_tls_encodedpoint(s
->s3
.peer_tmp
,
736 PACKET_data(&encoded_pt
),
737 PACKET_remaining(&encoded_pt
))) {
738 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
739 SSL_F_TLS_PARSE_CTOS_KEY_SHARE
, SSL_R_BAD_ECPOINT
);
750 int tls_parse_ctos_cookie(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
753 #ifndef OPENSSL_NO_TLS1_3
754 unsigned int format
, version
, key_share
, group_id
;
757 PACKET cookie
, raw
, chhash
, appcookie
;
759 const unsigned char *data
, *mdin
, *ciphdata
;
760 unsigned char hmac
[SHA256_DIGEST_LENGTH
];
761 unsigned char hrr
[MAX_HRR_SIZE
];
762 size_t rawlen
, hmaclen
, hrrlen
, ciphlen
;
763 unsigned long tm
, now
;
765 /* Ignore any cookie if we're not set up to verify it */
766 if (s
->ctx
->verify_stateless_cookie_cb
== NULL
767 || (s
->s3
.flags
& TLS1_FLAGS_STATELESS
) == 0)
770 if (!PACKET_as_length_prefixed_2(pkt
, &cookie
)) {
771 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
772 SSL_R_LENGTH_MISMATCH
);
777 data
= PACKET_data(&raw
);
778 rawlen
= PACKET_remaining(&raw
);
779 if (rawlen
< SHA256_DIGEST_LENGTH
780 || !PACKET_forward(&raw
, rawlen
- SHA256_DIGEST_LENGTH
)) {
781 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
782 SSL_R_LENGTH_MISMATCH
);
785 mdin
= PACKET_data(&raw
);
787 /* Verify the HMAC of the cookie */
788 hctx
= EVP_MD_CTX_create();
789 pkey
= EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC
, NULL
,
790 s
->session_ctx
->ext
.cookie_hmac_key
,
791 sizeof(s
->session_ctx
->ext
793 if (hctx
== NULL
|| pkey
== NULL
) {
794 EVP_MD_CTX_free(hctx
);
796 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
797 ERR_R_MALLOC_FAILURE
);
801 hmaclen
= SHA256_DIGEST_LENGTH
;
802 if (EVP_DigestSignInit_ex(hctx
, NULL
, "SHA2-256", s
->ctx
->propq
, pkey
,
804 || EVP_DigestSign(hctx
, hmac
, &hmaclen
, data
,
805 rawlen
- SHA256_DIGEST_LENGTH
) <= 0
806 || hmaclen
!= SHA256_DIGEST_LENGTH
) {
807 EVP_MD_CTX_free(hctx
);
809 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
810 ERR_R_INTERNAL_ERROR
);
814 EVP_MD_CTX_free(hctx
);
817 if (CRYPTO_memcmp(hmac
, mdin
, SHA256_DIGEST_LENGTH
) != 0) {
818 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
819 SSL_R_COOKIE_MISMATCH
);
823 if (!PACKET_get_net_2(&cookie
, &format
)) {
824 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
825 SSL_R_LENGTH_MISMATCH
);
828 /* Check the cookie format is something we recognise. Ignore it if not */
829 if (format
!= COOKIE_STATE_FORMAT_VERSION
)
833 * The rest of these checks really shouldn't fail since we have verified the
837 /* Check the version number is sane */
838 if (!PACKET_get_net_2(&cookie
, &version
)) {
839 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
840 SSL_R_LENGTH_MISMATCH
);
843 if (version
!= TLS1_3_VERSION
) {
844 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
845 SSL_R_BAD_PROTOCOL_VERSION_NUMBER
);
849 if (!PACKET_get_net_2(&cookie
, &group_id
)) {
850 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
851 SSL_R_LENGTH_MISMATCH
);
855 ciphdata
= PACKET_data(&cookie
);
856 if (!PACKET_forward(&cookie
, 2)) {
857 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
858 SSL_R_LENGTH_MISMATCH
);
861 if (group_id
!= s
->s3
.group_id
862 || s
->s3
.tmp
.new_cipher
863 != ssl_get_cipher_by_char(s
, ciphdata
, 0)) {
865 * We chose a different cipher or group id this time around to what is
866 * in the cookie. Something must have changed.
868 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
873 if (!PACKET_get_1(&cookie
, &key_share
)
874 || !PACKET_get_net_4(&cookie
, &tm
)
875 || !PACKET_get_length_prefixed_2(&cookie
, &chhash
)
876 || !PACKET_get_length_prefixed_1(&cookie
, &appcookie
)
877 || PACKET_remaining(&cookie
) != SHA256_DIGEST_LENGTH
) {
878 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
879 SSL_R_LENGTH_MISMATCH
);
883 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
884 now
= (unsigned long)time(NULL
);
885 if (tm
> now
|| (now
- tm
) > 600) {
886 /* Cookie is stale. Ignore it */
890 /* Verify the app cookie */
891 if (s
->ctx
->verify_stateless_cookie_cb(s
, PACKET_data(&appcookie
),
892 PACKET_remaining(&appcookie
)) == 0) {
893 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
894 SSL_R_COOKIE_MISMATCH
);
899 * Reconstruct the HRR that we would have sent in response to the original
900 * ClientHello so we can add it to the transcript hash.
901 * Note: This won't work with custom HRR extensions
903 if (!WPACKET_init_static_len(&hrrpkt
, hrr
, sizeof(hrr
), 0)) {
904 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
905 ERR_R_INTERNAL_ERROR
);
908 if (!WPACKET_put_bytes_u8(&hrrpkt
, SSL3_MT_SERVER_HELLO
)
909 || !WPACKET_start_sub_packet_u24(&hrrpkt
)
910 || !WPACKET_put_bytes_u16(&hrrpkt
, TLS1_2_VERSION
)
911 || !WPACKET_memcpy(&hrrpkt
, hrrrandom
, SSL3_RANDOM_SIZE
)
912 || !WPACKET_sub_memcpy_u8(&hrrpkt
, s
->tmp_session_id
,
913 s
->tmp_session_id_len
)
914 || !s
->method
->put_cipher_by_char(s
->s3
.tmp
.new_cipher
, &hrrpkt
,
916 || !WPACKET_put_bytes_u8(&hrrpkt
, 0)
917 || !WPACKET_start_sub_packet_u16(&hrrpkt
)) {
918 WPACKET_cleanup(&hrrpkt
);
919 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
920 ERR_R_INTERNAL_ERROR
);
923 if (!WPACKET_put_bytes_u16(&hrrpkt
, TLSEXT_TYPE_supported_versions
)
924 || !WPACKET_start_sub_packet_u16(&hrrpkt
)
925 || !WPACKET_put_bytes_u16(&hrrpkt
, s
->version
)
926 || !WPACKET_close(&hrrpkt
)) {
927 WPACKET_cleanup(&hrrpkt
);
928 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
929 ERR_R_INTERNAL_ERROR
);
933 if (!WPACKET_put_bytes_u16(&hrrpkt
, TLSEXT_TYPE_key_share
)
934 || !WPACKET_start_sub_packet_u16(&hrrpkt
)
935 || !WPACKET_put_bytes_u16(&hrrpkt
, s
->s3
.group_id
)
936 || !WPACKET_close(&hrrpkt
)) {
937 WPACKET_cleanup(&hrrpkt
);
938 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
939 ERR_R_INTERNAL_ERROR
);
943 if (!WPACKET_put_bytes_u16(&hrrpkt
, TLSEXT_TYPE_cookie
)
944 || !WPACKET_start_sub_packet_u16(&hrrpkt
)
945 || !WPACKET_sub_memcpy_u16(&hrrpkt
, data
, rawlen
)
946 || !WPACKET_close(&hrrpkt
) /* cookie extension */
947 || !WPACKET_close(&hrrpkt
) /* extension block */
948 || !WPACKET_close(&hrrpkt
) /* message */
949 || !WPACKET_get_total_written(&hrrpkt
, &hrrlen
)
950 || !WPACKET_finish(&hrrpkt
)) {
951 WPACKET_cleanup(&hrrpkt
);
952 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
953 ERR_R_INTERNAL_ERROR
);
957 /* Reconstruct the transcript hash */
958 if (!create_synthetic_message_hash(s
, PACKET_data(&chhash
),
959 PACKET_remaining(&chhash
), hrr
,
961 /* SSLfatal() already called */
965 /* Act as if this ClientHello came after a HelloRetryRequest */
966 s
->hello_retry_request
= 1;
974 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
975 int tls_parse_ctos_supported_groups(SSL
*s
, PACKET
*pkt
, unsigned int context
,
976 X509
*x
, size_t chainidx
)
978 PACKET supported_groups_list
;
980 /* Each group is 2 bytes and we must have at least 1. */
981 if (!PACKET_as_length_prefixed_2(pkt
, &supported_groups_list
)
982 || PACKET_remaining(&supported_groups_list
) == 0
983 || (PACKET_remaining(&supported_groups_list
) % 2) != 0) {
984 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
985 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS
, SSL_R_BAD_EXTENSION
);
989 if (!s
->hit
|| SSL_IS_TLS13(s
)) {
990 OPENSSL_free(s
->ext
.peer_supportedgroups
);
991 s
->ext
.peer_supportedgroups
= NULL
;
992 s
->ext
.peer_supportedgroups_len
= 0;
993 if (!tls1_save_u16(&supported_groups_list
,
994 &s
->ext
.peer_supportedgroups
,
995 &s
->ext
.peer_supportedgroups_len
)) {
996 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
997 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS
,
998 ERR_R_INTERNAL_ERROR
);
1007 int tls_parse_ctos_ems(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
1010 /* The extension must always be empty */
1011 if (PACKET_remaining(pkt
) != 0) {
1012 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
1013 SSL_F_TLS_PARSE_CTOS_EMS
, SSL_R_BAD_EXTENSION
);
1017 if (s
->options
& SSL_OP_NO_EXTENDED_MASTER_SECRET
)
1020 s
->s3
.flags
|= TLS1_FLAGS_RECEIVED_EXTMS
;
1026 int tls_parse_ctos_early_data(SSL
*s
, PACKET
*pkt
, unsigned int context
,
1027 X509
*x
, size_t chainidx
)
1029 if (PACKET_remaining(pkt
) != 0) {
1030 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
1031 SSL_F_TLS_PARSE_CTOS_EARLY_DATA
, SSL_R_BAD_EXTENSION
);
1035 if (s
->hello_retry_request
!= SSL_HRR_NONE
) {
1036 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
1037 SSL_F_TLS_PARSE_CTOS_EARLY_DATA
, SSL_R_BAD_EXTENSION
);
1044 static SSL_TICKET_STATUS
tls_get_stateful_ticket(SSL
*s
, PACKET
*tick
,
1047 SSL_SESSION
*tmpsess
= NULL
;
1049 s
->ext
.ticket_expected
= 1;
1051 switch (PACKET_remaining(tick
)) {
1053 return SSL_TICKET_EMPTY
;
1055 case SSL_MAX_SSL_SESSION_ID_LENGTH
:
1059 return SSL_TICKET_NO_DECRYPT
;
1062 tmpsess
= lookup_sess_in_cache(s
, PACKET_data(tick
),
1063 SSL_MAX_SSL_SESSION_ID_LENGTH
);
1065 if (tmpsess
== NULL
)
1066 return SSL_TICKET_NO_DECRYPT
;
1069 return SSL_TICKET_SUCCESS
;
1072 int tls_parse_ctos_psk(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
1075 PACKET identities
, binders
, binder
;
1076 size_t binderoffset
, hashsize
;
1077 SSL_SESSION
*sess
= NULL
;
1078 unsigned int id
, i
, ext
= 0;
1079 const EVP_MD
*md
= NULL
;
1082 * If we have no PSK kex mode that we recognise then we can't resume so
1083 * ignore this extension
1085 if ((s
->ext
.psk_kex_mode
1086 & (TLSEXT_KEX_MODE_FLAG_KE
| TLSEXT_KEX_MODE_FLAG_KE_DHE
)) == 0)
1089 if (!PACKET_get_length_prefixed_2(pkt
, &identities
)) {
1090 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
1091 SSL_F_TLS_PARSE_CTOS_PSK
, SSL_R_BAD_EXTENSION
);
1095 s
->ext
.ticket_expected
= 0;
1096 for (id
= 0; PACKET_remaining(&identities
) != 0; id
++) {
1098 unsigned long ticket_agel
;
1101 if (!PACKET_get_length_prefixed_2(&identities
, &identity
)
1102 || !PACKET_get_net_4(&identities
, &ticket_agel
)) {
1103 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
1104 SSL_F_TLS_PARSE_CTOS_PSK
, SSL_R_BAD_EXTENSION
);
1108 idlen
= PACKET_remaining(&identity
);
1109 if (s
->psk_find_session_cb
!= NULL
1110 && !s
->psk_find_session_cb(s
, PACKET_data(&identity
), idlen
,
1112 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1113 SSL_F_TLS_PARSE_CTOS_PSK
, SSL_R_BAD_EXTENSION
);
1117 #ifndef OPENSSL_NO_PSK
1119 && s
->psk_server_callback
!= NULL
1120 && idlen
<= PSK_MAX_IDENTITY_LEN
) {
1122 unsigned char pskdata
[PSK_MAX_PSK_LEN
];
1123 unsigned int pskdatalen
;
1125 if (!PACKET_strndup(&identity
, &pskid
)) {
1126 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1127 ERR_R_INTERNAL_ERROR
);
1130 pskdatalen
= s
->psk_server_callback(s
, pskid
, pskdata
,
1132 OPENSSL_free(pskid
);
1133 if (pskdatalen
> PSK_MAX_PSK_LEN
) {
1134 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1135 ERR_R_INTERNAL_ERROR
);
1137 } else if (pskdatalen
> 0) {
1138 const SSL_CIPHER
*cipher
;
1139 const unsigned char tls13_aes128gcmsha256_id
[] = { 0x13, 0x01 };
1142 * We found a PSK using an old style callback. We don't know
1143 * the digest so we default to SHA256 as per the TLSv1.3 spec
1145 cipher
= SSL_CIPHER_find(s
, tls13_aes128gcmsha256_id
);
1146 if (cipher
== NULL
) {
1147 OPENSSL_cleanse(pskdata
, pskdatalen
);
1148 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1149 ERR_R_INTERNAL_ERROR
);
1153 sess
= SSL_SESSION_new();
1155 || !SSL_SESSION_set1_master_key(sess
, pskdata
,
1157 || !SSL_SESSION_set_cipher(sess
, cipher
)
1158 || !SSL_SESSION_set_protocol_version(sess
,
1160 OPENSSL_cleanse(pskdata
, pskdatalen
);
1161 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1162 ERR_R_INTERNAL_ERROR
);
1165 OPENSSL_cleanse(pskdata
, pskdatalen
);
1168 #endif /* OPENSSL_NO_PSK */
1171 /* We found a PSK */
1172 SSL_SESSION
*sesstmp
= ssl_session_dup(sess
, 0);
1174 if (sesstmp
== NULL
) {
1175 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1176 SSL_F_TLS_PARSE_CTOS_PSK
, ERR_R_INTERNAL_ERROR
);
1179 SSL_SESSION_free(sess
);
1183 * We've just been told to use this session for this context so
1184 * make sure the sid_ctx matches up.
1186 memcpy(sess
->sid_ctx
, s
->sid_ctx
, s
->sid_ctx_length
);
1187 sess
->sid_ctx_length
= s
->sid_ctx_length
;
1190 s
->ext
.early_data_ok
= 1;
1191 s
->ext
.ticket_expected
= 1;
1193 uint32_t ticket_age
= 0, now
, agesec
, agems
;
1197 * If we are using anti-replay protection then we behave as if
1198 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1199 * is no point in using full stateless tickets.
1201 if ((s
->options
& SSL_OP_NO_TICKET
) != 0
1202 || (s
->max_early_data
> 0
1203 && (s
->options
& SSL_OP_NO_ANTI_REPLAY
) == 0))
1204 ret
= tls_get_stateful_ticket(s
, &identity
, &sess
);
1206 ret
= tls_decrypt_ticket(s
, PACKET_data(&identity
),
1207 PACKET_remaining(&identity
), NULL
, 0,
1210 if (ret
== SSL_TICKET_EMPTY
) {
1211 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1212 SSL_R_BAD_EXTENSION
);
1216 if (ret
== SSL_TICKET_FATAL_ERR_MALLOC
1217 || ret
== SSL_TICKET_FATAL_ERR_OTHER
) {
1218 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1219 SSL_F_TLS_PARSE_CTOS_PSK
, ERR_R_INTERNAL_ERROR
);
1222 if (ret
== SSL_TICKET_NONE
|| ret
== SSL_TICKET_NO_DECRYPT
)
1225 /* Check for replay */
1226 if (s
->max_early_data
> 0
1227 && (s
->options
& SSL_OP_NO_ANTI_REPLAY
) == 0
1228 && !SSL_CTX_remove_session(s
->session_ctx
, sess
)) {
1229 SSL_SESSION_free(sess
);
1234 ticket_age
= (uint32_t)ticket_agel
;
1235 now
= (uint32_t)time(NULL
);
1236 agesec
= now
- (uint32_t)sess
->time
;
1237 agems
= agesec
* (uint32_t)1000;
1238 ticket_age
-= sess
->ext
.tick_age_add
;
1241 * For simplicity we do our age calculations in seconds. If the
1242 * client does it in ms then it could appear that their ticket age
1243 * is longer than ours (our ticket age calculation should always be
1244 * slightly longer than the client's due to the network latency).
1245 * Therefore we add 1000ms to our age calculation to adjust for
1249 && sess
->timeout
>= (long)agesec
1250 && agems
/ (uint32_t)1000 == agesec
1251 && ticket_age
<= agems
+ 1000
1252 && ticket_age
+ TICKET_AGE_ALLOWANCE
>= agems
+ 1000) {
1254 * Ticket age is within tolerance and not expired. We allow it
1257 s
->ext
.early_data_ok
= 1;
1261 md
= ssl_md(s
->ctx
, sess
->cipher
->algorithm2
);
1262 if (!EVP_MD_is_a(md
,
1263 EVP_MD_name(ssl_md(s
->ctx
, s
->s3
.tmp
.new_cipher
->algorithm2
)))) {
1264 /* The ciphersuite is not compatible with this session. */
1265 SSL_SESSION_free(sess
);
1267 s
->ext
.early_data_ok
= 0;
1268 s
->ext
.ticket_expected
= 0;
1277 binderoffset
= PACKET_data(pkt
) - (const unsigned char *)s
->init_buf
->data
;
1278 hashsize
= EVP_MD_size(md
);
1280 if (!PACKET_get_length_prefixed_2(pkt
, &binders
)) {
1281 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1282 SSL_R_BAD_EXTENSION
);
1286 for (i
= 0; i
<= id
; i
++) {
1287 if (!PACKET_get_length_prefixed_1(&binders
, &binder
)) {
1288 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1289 SSL_R_BAD_EXTENSION
);
1294 if (PACKET_remaining(&binder
) != hashsize
) {
1295 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1296 SSL_R_BAD_EXTENSION
);
1299 if (tls_psk_do_binder(s
, md
, (const unsigned char *)s
->init_buf
->data
,
1300 binderoffset
, PACKET_data(&binder
), NULL
, sess
, 0,
1302 /* SSLfatal() already called */
1306 s
->ext
.tick_identity
= id
;
1308 SSL_SESSION_free(s
->session
);
1312 SSL_SESSION_free(sess
);
1316 int tls_parse_ctos_post_handshake_auth(SSL
*s
, PACKET
*pkt
, unsigned int context
,
1317 X509
*x
, size_t chainidx
)
1319 if (PACKET_remaining(pkt
) != 0) {
1320 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH
,
1321 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR
);
1325 s
->post_handshake_auth
= SSL_PHA_EXT_RECEIVED
;
1331 * Add the server's renegotiation binding
1333 EXT_RETURN
tls_construct_stoc_renegotiate(SSL
*s
, WPACKET
*pkt
,
1334 unsigned int context
, X509
*x
,
1337 if (!s
->s3
.send_connection_binding
)
1338 return EXT_RETURN_NOT_SENT
;
1340 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1341 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_renegotiate
)
1342 || !WPACKET_start_sub_packet_u16(pkt
)
1343 || !WPACKET_start_sub_packet_u8(pkt
)
1344 || !WPACKET_memcpy(pkt
, s
->s3
.previous_client_finished
,
1345 s
->s3
.previous_client_finished_len
)
1346 || !WPACKET_memcpy(pkt
, s
->s3
.previous_server_finished
,
1347 s
->s3
.previous_server_finished_len
)
1348 || !WPACKET_close(pkt
)
1349 || !WPACKET_close(pkt
)) {
1350 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE
,
1351 ERR_R_INTERNAL_ERROR
);
1352 return EXT_RETURN_FAIL
;
1355 return EXT_RETURN_SENT
;
1358 EXT_RETURN
tls_construct_stoc_server_name(SSL
*s
, WPACKET
*pkt
,
1359 unsigned int context
, X509
*x
,
1362 if (s
->servername_done
!= 1)
1363 return EXT_RETURN_NOT_SENT
;
1366 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1367 * We just use the servername from the initial handshake.
1369 if (s
->hit
&& !SSL_IS_TLS13(s
))
1370 return EXT_RETURN_NOT_SENT
;
1372 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_server_name
)
1373 || !WPACKET_put_bytes_u16(pkt
, 0)) {
1374 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME
,
1375 ERR_R_INTERNAL_ERROR
);
1376 return EXT_RETURN_FAIL
;
1379 return EXT_RETURN_SENT
;
1382 /* Add/include the server's max fragment len extension into ServerHello */
1383 EXT_RETURN
tls_construct_stoc_maxfragmentlen(SSL
*s
, WPACKET
*pkt
,
1384 unsigned int context
, X509
*x
,
1387 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s
->session
))
1388 return EXT_RETURN_NOT_SENT
;
1391 * 4 bytes for this extension type and extension length
1392 * 1 byte for the Max Fragment Length code value.
1394 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_max_fragment_length
)
1395 || !WPACKET_start_sub_packet_u16(pkt
)
1396 || !WPACKET_put_bytes_u8(pkt
, s
->session
->ext
.max_fragment_len_mode
)
1397 || !WPACKET_close(pkt
)) {
1398 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1399 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN
, ERR_R_INTERNAL_ERROR
);
1400 return EXT_RETURN_FAIL
;
1403 return EXT_RETURN_SENT
;
1406 #ifndef OPENSSL_NO_EC
1407 EXT_RETURN
tls_construct_stoc_ec_pt_formats(SSL
*s
, WPACKET
*pkt
,
1408 unsigned int context
, X509
*x
,
1411 unsigned long alg_k
= s
->s3
.tmp
.new_cipher
->algorithm_mkey
;
1412 unsigned long alg_a
= s
->s3
.tmp
.new_cipher
->algorithm_auth
;
1413 int using_ecc
= ((alg_k
& SSL_kECDHE
) || (alg_a
& SSL_aECDSA
))
1414 && (s
->ext
.peer_ecpointformats
!= NULL
);
1415 const unsigned char *plist
;
1419 return EXT_RETURN_NOT_SENT
;
1421 tls1_get_formatlist(s
, &plist
, &plistlen
);
1422 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_ec_point_formats
)
1423 || !WPACKET_start_sub_packet_u16(pkt
)
1424 || !WPACKET_sub_memcpy_u8(pkt
, plist
, plistlen
)
1425 || !WPACKET_close(pkt
)) {
1426 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1427 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS
, ERR_R_INTERNAL_ERROR
);
1428 return EXT_RETURN_FAIL
;
1431 return EXT_RETURN_SENT
;
1435 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
1436 EXT_RETURN
tls_construct_stoc_supported_groups(SSL
*s
, WPACKET
*pkt
,
1437 unsigned int context
, X509
*x
,
1440 const uint16_t *groups
;
1441 size_t numgroups
, i
, first
= 1;
1443 /* s->s3.group_id is non zero if we accepted a key_share */
1444 if (s
->s3
.group_id
== 0)
1445 return EXT_RETURN_NOT_SENT
;
1447 /* Get our list of supported groups */
1448 tls1_get_supported_groups(s
, &groups
, &numgroups
);
1449 if (numgroups
== 0) {
1450 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1451 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS
, ERR_R_INTERNAL_ERROR
);
1452 return EXT_RETURN_FAIL
;
1455 /* Copy group ID if supported */
1456 for (i
= 0; i
< numgroups
; i
++) {
1457 uint16_t group
= groups
[i
];
1459 if (tls_valid_group(s
, group
, SSL_version(s
))
1460 && tls_group_allowed(s
, group
, SSL_SECOP_CURVE_SUPPORTED
)) {
1463 * Check if the client is already using our preferred group. If
1464 * so we don't need to add this extension
1466 if (s
->s3
.group_id
== group
)
1467 return EXT_RETURN_NOT_SENT
;
1469 /* Add extension header */
1470 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_supported_groups
)
1471 /* Sub-packet for supported_groups extension */
1472 || !WPACKET_start_sub_packet_u16(pkt
)
1473 || !WPACKET_start_sub_packet_u16(pkt
)) {
1474 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1475 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS
,
1476 ERR_R_INTERNAL_ERROR
);
1477 return EXT_RETURN_FAIL
;
1482 if (!WPACKET_put_bytes_u16(pkt
, group
)) {
1483 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1484 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS
,
1485 ERR_R_INTERNAL_ERROR
);
1486 return EXT_RETURN_FAIL
;
1491 if (!WPACKET_close(pkt
) || !WPACKET_close(pkt
)) {
1492 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1493 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS
,
1494 ERR_R_INTERNAL_ERROR
);
1495 return EXT_RETURN_FAIL
;
1498 return EXT_RETURN_SENT
;
1502 EXT_RETURN
tls_construct_stoc_session_ticket(SSL
*s
, WPACKET
*pkt
,
1503 unsigned int context
, X509
*x
,
1506 if (!s
->ext
.ticket_expected
|| !tls_use_ticket(s
)) {
1507 s
->ext
.ticket_expected
= 0;
1508 return EXT_RETURN_NOT_SENT
;
1511 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_session_ticket
)
1512 || !WPACKET_put_bytes_u16(pkt
, 0)) {
1513 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1514 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET
, ERR_R_INTERNAL_ERROR
);
1515 return EXT_RETURN_FAIL
;
1518 return EXT_RETURN_SENT
;
1521 #ifndef OPENSSL_NO_OCSP
1522 EXT_RETURN
tls_construct_stoc_status_request(SSL
*s
, WPACKET
*pkt
,
1523 unsigned int context
, X509
*x
,
1526 /* We don't currently support this extension inside a CertificateRequest */
1527 if (context
== SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
)
1528 return EXT_RETURN_NOT_SENT
;
1530 if (!s
->ext
.status_expected
)
1531 return EXT_RETURN_NOT_SENT
;
1533 if (SSL_IS_TLS13(s
) && chainidx
!= 0)
1534 return EXT_RETURN_NOT_SENT
;
1536 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_status_request
)
1537 || !WPACKET_start_sub_packet_u16(pkt
)) {
1538 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1539 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST
, ERR_R_INTERNAL_ERROR
);
1540 return EXT_RETURN_FAIL
;
1544 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1545 * send back an empty extension, with the certificate status appearing as a
1548 if (SSL_IS_TLS13(s
) && !tls_construct_cert_status_body(s
, pkt
)) {
1549 /* SSLfatal() already called */
1550 return EXT_RETURN_FAIL
;
1552 if (!WPACKET_close(pkt
)) {
1553 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1554 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST
, ERR_R_INTERNAL_ERROR
);
1555 return EXT_RETURN_FAIL
;
1558 return EXT_RETURN_SENT
;
1562 #ifndef OPENSSL_NO_NEXTPROTONEG
1563 EXT_RETURN
tls_construct_stoc_next_proto_neg(SSL
*s
, WPACKET
*pkt
,
1564 unsigned int context
, X509
*x
,
1567 const unsigned char *npa
;
1568 unsigned int npalen
;
1570 int npn_seen
= s
->s3
.npn_seen
;
1573 if (!npn_seen
|| s
->ctx
->ext
.npn_advertised_cb
== NULL
)
1574 return EXT_RETURN_NOT_SENT
;
1576 ret
= s
->ctx
->ext
.npn_advertised_cb(s
, &npa
, &npalen
,
1577 s
->ctx
->ext
.npn_advertised_cb_arg
);
1578 if (ret
== SSL_TLSEXT_ERR_OK
) {
1579 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_next_proto_neg
)
1580 || !WPACKET_sub_memcpy_u16(pkt
, npa
, npalen
)) {
1581 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1582 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG
,
1583 ERR_R_INTERNAL_ERROR
);
1584 return EXT_RETURN_FAIL
;
1589 return EXT_RETURN_SENT
;
1593 EXT_RETURN
tls_construct_stoc_alpn(SSL
*s
, WPACKET
*pkt
, unsigned int context
,
1594 X509
*x
, size_t chainidx
)
1596 if (s
->s3
.alpn_selected
== NULL
)
1597 return EXT_RETURN_NOT_SENT
;
1599 if (!WPACKET_put_bytes_u16(pkt
,
1600 TLSEXT_TYPE_application_layer_protocol_negotiation
)
1601 || !WPACKET_start_sub_packet_u16(pkt
)
1602 || !WPACKET_start_sub_packet_u16(pkt
)
1603 || !WPACKET_sub_memcpy_u8(pkt
, s
->s3
.alpn_selected
,
1604 s
->s3
.alpn_selected_len
)
1605 || !WPACKET_close(pkt
)
1606 || !WPACKET_close(pkt
)) {
1607 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1608 SSL_F_TLS_CONSTRUCT_STOC_ALPN
, ERR_R_INTERNAL_ERROR
);
1609 return EXT_RETURN_FAIL
;
1612 return EXT_RETURN_SENT
;
1615 #ifndef OPENSSL_NO_SRTP
1616 EXT_RETURN
tls_construct_stoc_use_srtp(SSL
*s
, WPACKET
*pkt
,
1617 unsigned int context
, X509
*x
,
1620 if (s
->srtp_profile
== NULL
)
1621 return EXT_RETURN_NOT_SENT
;
1623 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_use_srtp
)
1624 || !WPACKET_start_sub_packet_u16(pkt
)
1625 || !WPACKET_put_bytes_u16(pkt
, 2)
1626 || !WPACKET_put_bytes_u16(pkt
, s
->srtp_profile
->id
)
1627 || !WPACKET_put_bytes_u8(pkt
, 0)
1628 || !WPACKET_close(pkt
)) {
1629 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP
,
1630 ERR_R_INTERNAL_ERROR
);
1631 return EXT_RETURN_FAIL
;
1634 return EXT_RETURN_SENT
;
1638 EXT_RETURN
tls_construct_stoc_etm(SSL
*s
, WPACKET
*pkt
, unsigned int context
,
1639 X509
*x
, size_t chainidx
)
1641 if (!s
->ext
.use_etm
)
1642 return EXT_RETURN_NOT_SENT
;
1645 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1646 * for other cases too.
1648 if (s
->s3
.tmp
.new_cipher
->algorithm_mac
== SSL_AEAD
1649 || s
->s3
.tmp
.new_cipher
->algorithm_enc
== SSL_RC4
1650 || s
->s3
.tmp
.new_cipher
->algorithm_enc
== SSL_eGOST2814789CNT
1651 || s
->s3
.tmp
.new_cipher
->algorithm_enc
== SSL_eGOST2814789CNT12
1652 || s
->s3
.tmp
.new_cipher
->algorithm_enc
== SSL_MAGMA
1653 || s
->s3
.tmp
.new_cipher
->algorithm_enc
== SSL_KUZNYECHIK
) {
1655 return EXT_RETURN_NOT_SENT
;
1658 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_encrypt_then_mac
)
1659 || !WPACKET_put_bytes_u16(pkt
, 0)) {
1660 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_ETM
,
1661 ERR_R_INTERNAL_ERROR
);
1662 return EXT_RETURN_FAIL
;
1665 return EXT_RETURN_SENT
;
1668 EXT_RETURN
tls_construct_stoc_ems(SSL
*s
, WPACKET
*pkt
, unsigned int context
,
1669 X509
*x
, size_t chainidx
)
1671 if ((s
->s3
.flags
& TLS1_FLAGS_RECEIVED_EXTMS
) == 0)
1672 return EXT_RETURN_NOT_SENT
;
1674 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_extended_master_secret
)
1675 || !WPACKET_put_bytes_u16(pkt
, 0)) {
1676 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_EMS
,
1677 ERR_R_INTERNAL_ERROR
);
1678 return EXT_RETURN_FAIL
;
1681 return EXT_RETURN_SENT
;
1684 EXT_RETURN
tls_construct_stoc_supported_versions(SSL
*s
, WPACKET
*pkt
,
1685 unsigned int context
, X509
*x
,
1688 if (!ossl_assert(SSL_IS_TLS13(s
))) {
1689 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1690 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS
,
1691 ERR_R_INTERNAL_ERROR
);
1692 return EXT_RETURN_FAIL
;
1695 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_supported_versions
)
1696 || !WPACKET_start_sub_packet_u16(pkt
)
1697 || !WPACKET_put_bytes_u16(pkt
, s
->version
)
1698 || !WPACKET_close(pkt
)) {
1699 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1700 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS
,
1701 ERR_R_INTERNAL_ERROR
);
1702 return EXT_RETURN_FAIL
;
1705 return EXT_RETURN_SENT
;
1708 EXT_RETURN
tls_construct_stoc_key_share(SSL
*s
, WPACKET
*pkt
,
1709 unsigned int context
, X509
*x
,
1712 #ifndef OPENSSL_NO_TLS1_3
1713 unsigned char *encodedPoint
;
1714 size_t encoded_pt_len
= 0;
1715 EVP_PKEY
*ckey
= s
->s3
.peer_tmp
, *skey
= NULL
;
1717 if (s
->hello_retry_request
== SSL_HRR_PENDING
) {
1719 /* Original key_share was acceptable so don't ask for another one */
1720 return EXT_RETURN_NOT_SENT
;
1722 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_key_share
)
1723 || !WPACKET_start_sub_packet_u16(pkt
)
1724 || !WPACKET_put_bytes_u16(pkt
, s
->s3
.group_id
)
1725 || !WPACKET_close(pkt
)) {
1726 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1727 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
,
1728 ERR_R_INTERNAL_ERROR
);
1729 return EXT_RETURN_FAIL
;
1732 return EXT_RETURN_SENT
;
1736 /* No key_share received from client - must be resuming */
1737 if (!s
->hit
|| !tls13_generate_handshake_secret(s
, NULL
, 0)) {
1738 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1739 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
, ERR_R_INTERNAL_ERROR
);
1740 return EXT_RETURN_FAIL
;
1742 return EXT_RETURN_NOT_SENT
;
1745 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_key_share
)
1746 || !WPACKET_start_sub_packet_u16(pkt
)
1747 || !WPACKET_put_bytes_u16(pkt
, s
->s3
.group_id
)) {
1748 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1749 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
, ERR_R_INTERNAL_ERROR
);
1750 return EXT_RETURN_FAIL
;
1753 skey
= ssl_generate_pkey(s
, ckey
);
1755 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
,
1756 ERR_R_MALLOC_FAILURE
);
1757 return EXT_RETURN_FAIL
;
1761 * TODO(3.0) Remove this when EVP_PKEY_get1_tls_encodedpoint()
1762 * knows how to get a key from an encoded point with the help of
1763 * a OSSL_SERIALIZER deserializer. We know that EVP_PKEY_get0()
1764 * downgrades an EVP_PKEY to contain a legacy key.
1768 EVP_PKEY_get0(skey
);
1769 if (EVP_PKEY_id(skey
) == EVP_PKEY_NONE
) {
1770 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
,
1771 ERR_R_INTERNAL_ERROR
);
1772 return EXT_RETURN_FAIL
;
1775 /* Generate encoding of server key */
1776 encoded_pt_len
= EVP_PKEY_get1_tls_encodedpoint(skey
, &encodedPoint
);
1777 if (encoded_pt_len
== 0) {
1778 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
,
1780 EVP_PKEY_free(skey
);
1781 return EXT_RETURN_FAIL
;
1784 if (!WPACKET_sub_memcpy_u16(pkt
, encodedPoint
, encoded_pt_len
)
1785 || !WPACKET_close(pkt
)) {
1786 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
,
1787 ERR_R_INTERNAL_ERROR
);
1788 EVP_PKEY_free(skey
);
1789 OPENSSL_free(encodedPoint
);
1790 return EXT_RETURN_FAIL
;
1792 OPENSSL_free(encodedPoint
);
1794 /* This causes the crypto state to be updated based on the derived keys */
1795 s
->s3
.tmp
.pkey
= skey
;
1796 if (ssl_derive(s
, skey
, ckey
, 1) == 0) {
1797 /* SSLfatal() already called */
1798 return EXT_RETURN_FAIL
;
1800 return EXT_RETURN_SENT
;
1802 return EXT_RETURN_FAIL
;
1806 EXT_RETURN
tls_construct_stoc_cookie(SSL
*s
, WPACKET
*pkt
, unsigned int context
,
1807 X509
*x
, size_t chainidx
)
1809 #ifndef OPENSSL_NO_TLS1_3
1810 unsigned char *hashval1
, *hashval2
, *appcookie1
, *appcookie2
, *cookie
;
1811 unsigned char *hmac
, *hmac2
;
1812 size_t startlen
, ciphlen
, totcookielen
, hashlen
, hmaclen
, appcookielen
;
1815 int ret
= EXT_RETURN_FAIL
;
1817 if ((s
->s3
.flags
& TLS1_FLAGS_STATELESS
) == 0)
1818 return EXT_RETURN_NOT_SENT
;
1820 if (s
->ctx
->gen_stateless_cookie_cb
== NULL
) {
1821 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1822 SSL_R_NO_COOKIE_CALLBACK_SET
);
1823 return EXT_RETURN_FAIL
;
1826 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_cookie
)
1827 || !WPACKET_start_sub_packet_u16(pkt
)
1828 || !WPACKET_start_sub_packet_u16(pkt
)
1829 || !WPACKET_get_total_written(pkt
, &startlen
)
1830 || !WPACKET_reserve_bytes(pkt
, MAX_COOKIE_SIZE
, &cookie
)
1831 || !WPACKET_put_bytes_u16(pkt
, COOKIE_STATE_FORMAT_VERSION
)
1832 || !WPACKET_put_bytes_u16(pkt
, TLS1_3_VERSION
)
1833 || !WPACKET_put_bytes_u16(pkt
, s
->s3
.group_id
)
1834 || !s
->method
->put_cipher_by_char(s
->s3
.tmp
.new_cipher
, pkt
,
1836 /* Is there a key_share extension present in this HRR? */
1837 || !WPACKET_put_bytes_u8(pkt
, s
->s3
.peer_tmp
== NULL
)
1838 || !WPACKET_put_bytes_u32(pkt
, (unsigned int)time(NULL
))
1839 || !WPACKET_start_sub_packet_u16(pkt
)
1840 || !WPACKET_reserve_bytes(pkt
, EVP_MAX_MD_SIZE
, &hashval1
)) {
1841 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1842 ERR_R_INTERNAL_ERROR
);
1843 return EXT_RETURN_FAIL
;
1847 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1848 * on raw buffers, so we first reserve sufficient bytes (above) and then
1849 * subsequently allocate them (below)
1851 if (!ssl3_digest_cached_records(s
, 0)
1852 || !ssl_handshake_hash(s
, hashval1
, EVP_MAX_MD_SIZE
, &hashlen
)) {
1853 /* SSLfatal() already called */
1854 return EXT_RETURN_FAIL
;
1857 if (!WPACKET_allocate_bytes(pkt
, hashlen
, &hashval2
)
1858 || !ossl_assert(hashval1
== hashval2
)
1859 || !WPACKET_close(pkt
)
1860 || !WPACKET_start_sub_packet_u8(pkt
)
1861 || !WPACKET_reserve_bytes(pkt
, SSL_COOKIE_LENGTH
, &appcookie1
)) {
1862 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1863 ERR_R_INTERNAL_ERROR
);
1864 return EXT_RETURN_FAIL
;
1867 /* Generate the application cookie */
1868 if (s
->ctx
->gen_stateless_cookie_cb(s
, appcookie1
, &appcookielen
) == 0) {
1869 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1870 SSL_R_COOKIE_GEN_CALLBACK_FAILURE
);
1871 return EXT_RETURN_FAIL
;
1874 if (!WPACKET_allocate_bytes(pkt
, appcookielen
, &appcookie2
)
1875 || !ossl_assert(appcookie1
== appcookie2
)
1876 || !WPACKET_close(pkt
)
1877 || !WPACKET_get_total_written(pkt
, &totcookielen
)
1878 || !WPACKET_reserve_bytes(pkt
, SHA256_DIGEST_LENGTH
, &hmac
)) {
1879 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1880 ERR_R_INTERNAL_ERROR
);
1881 return EXT_RETURN_FAIL
;
1883 hmaclen
= SHA256_DIGEST_LENGTH
;
1885 totcookielen
-= startlen
;
1886 if (!ossl_assert(totcookielen
<= MAX_COOKIE_SIZE
- SHA256_DIGEST_LENGTH
)) {
1887 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1888 ERR_R_INTERNAL_ERROR
);
1889 return EXT_RETURN_FAIL
;
1892 /* HMAC the cookie */
1893 hctx
= EVP_MD_CTX_create();
1894 pkey
= EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC
, NULL
,
1895 s
->session_ctx
->ext
.cookie_hmac_key
,
1896 sizeof(s
->session_ctx
->ext
1898 if (hctx
== NULL
|| pkey
== NULL
) {
1899 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1900 ERR_R_MALLOC_FAILURE
);
1904 if (EVP_DigestSignInit_ex(hctx
, NULL
, "SHA2-256", s
->ctx
->propq
, pkey
,
1905 s
->ctx
->libctx
) <= 0
1906 || EVP_DigestSign(hctx
, hmac
, &hmaclen
, cookie
,
1907 totcookielen
) <= 0) {
1908 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1909 ERR_R_INTERNAL_ERROR
);
1913 if (!ossl_assert(totcookielen
+ hmaclen
<= MAX_COOKIE_SIZE
)) {
1914 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1915 ERR_R_INTERNAL_ERROR
);
1919 if (!WPACKET_allocate_bytes(pkt
, hmaclen
, &hmac2
)
1920 || !ossl_assert(hmac
== hmac2
)
1921 || !ossl_assert(cookie
== hmac
- totcookielen
)
1922 || !WPACKET_close(pkt
)
1923 || !WPACKET_close(pkt
)) {
1924 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1925 ERR_R_INTERNAL_ERROR
);
1929 ret
= EXT_RETURN_SENT
;
1932 EVP_MD_CTX_free(hctx
);
1933 EVP_PKEY_free(pkey
);
1936 return EXT_RETURN_FAIL
;
1940 EXT_RETURN
tls_construct_stoc_cryptopro_bug(SSL
*s
, WPACKET
*pkt
,
1941 unsigned int context
, X509
*x
,
1944 const unsigned char cryptopro_ext
[36] = {
1945 0xfd, 0xe8, /* 65000 */
1946 0x00, 0x20, /* 32 bytes length */
1947 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1948 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1949 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1950 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1953 if (((s
->s3
.tmp
.new_cipher
->id
& 0xFFFF) != 0x80
1954 && (s
->s3
.tmp
.new_cipher
->id
& 0xFFFF) != 0x81)
1955 || (SSL_get_options(s
) & SSL_OP_CRYPTOPRO_TLSEXT_BUG
) == 0)
1956 return EXT_RETURN_NOT_SENT
;
1958 if (!WPACKET_memcpy(pkt
, cryptopro_ext
, sizeof(cryptopro_ext
))) {
1959 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1960 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG
, ERR_R_INTERNAL_ERROR
);
1961 return EXT_RETURN_FAIL
;
1964 return EXT_RETURN_SENT
;
1967 EXT_RETURN
tls_construct_stoc_early_data(SSL
*s
, WPACKET
*pkt
,
1968 unsigned int context
, X509
*x
,
1971 if (context
== SSL_EXT_TLS1_3_NEW_SESSION_TICKET
) {
1972 if (s
->max_early_data
== 0)
1973 return EXT_RETURN_NOT_SENT
;
1975 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_early_data
)
1976 || !WPACKET_start_sub_packet_u16(pkt
)
1977 || !WPACKET_put_bytes_u32(pkt
, s
->max_early_data
)
1978 || !WPACKET_close(pkt
)) {
1979 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1980 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA
, ERR_R_INTERNAL_ERROR
);
1981 return EXT_RETURN_FAIL
;
1984 return EXT_RETURN_SENT
;
1987 if (s
->ext
.early_data
!= SSL_EARLY_DATA_ACCEPTED
)
1988 return EXT_RETURN_NOT_SENT
;
1990 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_early_data
)
1991 || !WPACKET_start_sub_packet_u16(pkt
)
1992 || !WPACKET_close(pkt
)) {
1993 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA
,
1994 ERR_R_INTERNAL_ERROR
);
1995 return EXT_RETURN_FAIL
;
1998 return EXT_RETURN_SENT
;
2001 EXT_RETURN
tls_construct_stoc_psk(SSL
*s
, WPACKET
*pkt
, unsigned int context
,
2002 X509
*x
, size_t chainidx
)
2005 return EXT_RETURN_NOT_SENT
;
2007 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_psk
)
2008 || !WPACKET_start_sub_packet_u16(pkt
)
2009 || !WPACKET_put_bytes_u16(pkt
, s
->ext
.tick_identity
)
2010 || !WPACKET_close(pkt
)) {
2011 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
2012 SSL_F_TLS_CONSTRUCT_STOC_PSK
, ERR_R_INTERNAL_ERROR
);
2013 return EXT_RETURN_FAIL
;
2016 return EXT_RETURN_SENT
;