]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add server side sanity checks of SNI/ALPN for use with early_data
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
1 /*
2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
13
14 /*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
19 {
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_DECODE_ERROR;
29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51 }
52
53 /*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
78 {
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
90 * Although the intent was for server_name to be extensible, RFC 4366
91 * was not clear about it; and so OpenSSL among other implementations,
92 * always and only allows a 'host_name' name types.
93 * RFC 6066 corrected the mistake but adding new name types
94 * is nevertheless no longer feasible, so act as if no other
95 * SNI types can exist, to simplify parsing.
96 *
97 * Also note that the RFC permits only one SNI value per type,
98 * i.e., we can only have a single hostname.
99 */
100 if (!PACKET_get_1(&sni, &servname_type)
101 || servname_type != TLSEXT_NAMETYPE_host_name
102 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
103 *al = SSL_AD_DECODE_ERROR;
104 return 0;
105 }
106
107 if (!s->hit) {
108 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
109 *al = TLS1_AD_UNRECOGNIZED_NAME;
110 return 0;
111 }
112
113 if (PACKET_contains_zero_byte(&hostname)) {
114 *al = TLS1_AD_UNRECOGNIZED_NAME;
115 return 0;
116 }
117
118 OPENSSL_free(s->session->ext.hostname);
119 s->session->ext.hostname = NULL;
120 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
121 *al = TLS1_AD_INTERNAL_ERROR;
122 return 0;
123 }
124
125 s->servername_done = 1;
126 } else {
127 /*
128 * TODO(openssl-team): if the SNI doesn't match, we MUST
129 * fall back to a full handshake.
130 */
131 s->servername_done = s->session->ext.hostname
132 && PACKET_equal(&hostname, s->session->ext.hostname,
133 strlen(s->session->ext.hostname));
134
135 if (!s->servername_done && s->session->ext.hostname != NULL)
136 s->ext.early_data_ok = 0;
137 }
138
139 return 1;
140 }
141
142 #ifndef OPENSSL_NO_SRP
143 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
144 size_t chainidx, int *al)
145 {
146 PACKET srp_I;
147
148 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
149 || PACKET_contains_zero_byte(&srp_I)) {
150 *al = SSL_AD_DECODE_ERROR;
151 return 0;
152 }
153
154 /*
155 * TODO(openssl-team): currently, we re-authenticate the user
156 * upon resumption. Instead, we MUST ignore the login.
157 */
158 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
159 *al = SSL_AD_INTERNAL_ERROR;
160 return 0;
161 }
162
163 return 1;
164 }
165 #endif
166
167 #ifndef OPENSSL_NO_EC
168 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
169 X509 *x, size_t chainidx, int *al)
170 {
171 PACKET ec_point_format_list;
172
173 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
174 || PACKET_remaining(&ec_point_format_list) == 0) {
175 *al = SSL_AD_DECODE_ERROR;
176 return 0;
177 }
178
179 if (!s->hit) {
180 if (!PACKET_memdup(&ec_point_format_list,
181 &s->session->ext.ecpointformats,
182 &s->session->ext.ecpointformats_len)) {
183 *al = SSL_AD_INTERNAL_ERROR;
184 return 0;
185 }
186 }
187
188 return 1;
189 }
190 #endif /* OPENSSL_NO_EC */
191
192 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
193 X509 *x, size_t chainidx, int *al)
194 {
195 if (s->ext.session_ticket_cb &&
196 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
197 PACKET_remaining(pkt),
198 s->ext.session_ticket_cb_arg)) {
199 *al = SSL_AD_INTERNAL_ERROR;
200 return 0;
201 }
202
203 return 1;
204 }
205
206 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
207 size_t chainidx, int *al)
208 {
209 PACKET supported_sig_algs;
210
211 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
212 || PACKET_remaining(&supported_sig_algs) == 0) {
213 *al = SSL_AD_DECODE_ERROR;
214 return 0;
215 }
216
217 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
218 *al = SSL_AD_DECODE_ERROR;
219 return 0;
220 }
221
222 return 1;
223 }
224
225 #ifndef OPENSSL_NO_OCSP
226 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
227 X509 *x, size_t chainidx, int *al)
228 {
229 PACKET responder_id_list, exts;
230
231 /* Not defined if we get one of these in a client Certificate */
232 if (x != NULL)
233 return 1;
234
235 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
236 *al = SSL_AD_DECODE_ERROR;
237 return 0;
238 }
239
240 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
241 /*
242 * We don't know what to do with any other type so ignore it.
243 */
244 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
245 return 1;
246 }
247
248 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
249 *al = SSL_AD_DECODE_ERROR;
250 return 0;
251 }
252
253 /*
254 * We remove any OCSP_RESPIDs from a previous handshake
255 * to prevent unbounded memory growth - CVE-2016-6304
256 */
257 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
258 if (PACKET_remaining(&responder_id_list) > 0) {
259 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
260 if (s->ext.ocsp.ids == NULL) {
261 *al = SSL_AD_INTERNAL_ERROR;
262 return 0;
263 }
264 } else {
265 s->ext.ocsp.ids = NULL;
266 }
267
268 while (PACKET_remaining(&responder_id_list) > 0) {
269 OCSP_RESPID *id;
270 PACKET responder_id;
271 const unsigned char *id_data;
272
273 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
274 || PACKET_remaining(&responder_id) == 0) {
275 *al = SSL_AD_DECODE_ERROR;
276 return 0;
277 }
278
279 id_data = PACKET_data(&responder_id);
280 /* TODO(size_t): Convert d2i_* to size_t */
281 id = d2i_OCSP_RESPID(NULL, &id_data,
282 (int)PACKET_remaining(&responder_id));
283 if (id == NULL) {
284 *al = SSL_AD_DECODE_ERROR;
285 return 0;
286 }
287
288 if (id_data != PACKET_end(&responder_id)) {
289 OCSP_RESPID_free(id);
290 *al = SSL_AD_DECODE_ERROR;
291 return 0;
292 }
293
294 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
295 OCSP_RESPID_free(id);
296 *al = SSL_AD_INTERNAL_ERROR;
297 return 0;
298 }
299 }
300
301 /* Read in request_extensions */
302 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
303 *al = SSL_AD_DECODE_ERROR;
304 return 0;
305 }
306
307 if (PACKET_remaining(&exts) > 0) {
308 const unsigned char *ext_data = PACKET_data(&exts);
309
310 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
311 X509_EXTENSION_free);
312 s->ext.ocsp.exts =
313 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
314 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
315 *al = SSL_AD_DECODE_ERROR;
316 return 0;
317 }
318 }
319
320 return 1;
321 }
322 #endif
323
324 #ifndef OPENSSL_NO_NEXTPROTONEG
325 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
326 size_t chainidx, int *al)
327 {
328 /*
329 * We shouldn't accept this extension on a
330 * renegotiation.
331 */
332 if (SSL_IS_FIRST_HANDSHAKE(s))
333 s->s3->npn_seen = 1;
334
335 return 1;
336 }
337 #endif
338
339 /*
340 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
341 * extension, not including type and length. |al| is a pointer to the alert
342 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
343 */
344 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
345 size_t chainidx, int *al)
346 {
347 PACKET protocol_list, save_protocol_list, protocol;
348
349 if (!SSL_IS_FIRST_HANDSHAKE(s))
350 return 1;
351
352 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
353 || PACKET_remaining(&protocol_list) < 2) {
354 *al = SSL_AD_DECODE_ERROR;
355 return 0;
356 }
357
358 save_protocol_list = protocol_list;
359 do {
360 /* Protocol names can't be empty. */
361 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
362 || PACKET_remaining(&protocol) == 0) {
363 *al = SSL_AD_DECODE_ERROR;
364 return 0;
365 }
366 } while (PACKET_remaining(&protocol_list) != 0);
367
368 OPENSSL_free(s->s3->alpn_proposed);
369 s->s3->alpn_proposed = NULL;
370 s->s3->alpn_proposed_len = 0;
371 if (!PACKET_memdup(&save_protocol_list,
372 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
373 *al = SSL_AD_INTERNAL_ERROR;
374 return 0;
375 }
376
377 return 1;
378 }
379
380 #ifndef OPENSSL_NO_SRTP
381 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
382 size_t chainidx, int *al)
383 {
384 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
385 unsigned int ct, mki_len, id;
386 int i, srtp_pref;
387 PACKET subpkt;
388
389 /* Ignore this if we have no SRTP profiles */
390 if (SSL_get_srtp_profiles(s) == NULL)
391 return 1;
392
393 /* Pull off the length of the cipher suite list and check it is even */
394 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
395 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
396 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
397 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
398 *al = SSL_AD_DECODE_ERROR;
399 return 0;
400 }
401
402 srvr = SSL_get_srtp_profiles(s);
403 s->srtp_profile = NULL;
404 /* Search all profiles for a match initially */
405 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
406
407 while (PACKET_remaining(&subpkt)) {
408 if (!PACKET_get_net_2(&subpkt, &id)) {
409 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
410 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
411 *al = SSL_AD_DECODE_ERROR;
412 return 0;
413 }
414
415 /*
416 * Only look for match in profiles of higher preference than
417 * current match.
418 * If no profiles have been have been configured then this
419 * does nothing.
420 */
421 for (i = 0; i < srtp_pref; i++) {
422 SRTP_PROTECTION_PROFILE *sprof =
423 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
424
425 if (sprof->id == id) {
426 s->srtp_profile = sprof;
427 srtp_pref = i;
428 break;
429 }
430 }
431 }
432
433 /* Now extract the MKI value as a sanity check, but discard it for now */
434 if (!PACKET_get_1(pkt, &mki_len)) {
435 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
436 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
437 *al = SSL_AD_DECODE_ERROR;
438 return 0;
439 }
440
441 if (!PACKET_forward(pkt, mki_len)
442 || PACKET_remaining(pkt)) {
443 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
444 *al = SSL_AD_DECODE_ERROR;
445 return 0;
446 }
447
448 return 1;
449 }
450 #endif
451
452 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
453 size_t chainidx, int *al)
454 {
455 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
456 s->ext.use_etm = 1;
457
458 return 1;
459 }
460
461 /*
462 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
463 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
464 * If a failure occurs then |*al| is set to an appropriate alert value.
465 */
466 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
467 X509 *x, size_t chainidx, int *al)
468 {
469 #ifndef OPENSSL_NO_TLS1_3
470 PACKET psk_kex_modes;
471 unsigned int mode;
472
473 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
474 || PACKET_remaining(&psk_kex_modes) == 0) {
475 *al = SSL_AD_DECODE_ERROR;
476 return 0;
477 }
478
479 while (PACKET_get_1(&psk_kex_modes, &mode)) {
480 if (mode == TLSEXT_KEX_MODE_KE_DHE)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
482 else if (mode == TLSEXT_KEX_MODE_KE
483 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
484 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
485 }
486 #endif
487
488 return 1;
489 }
490
491 /*
492 * Process a key_share extension received in the ClientHello. |pkt| contains
493 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
494 * If a failure occurs then |*al| is set to an appropriate alert value.
495 */
496 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
497 size_t chainidx, int *al)
498 {
499 #ifndef OPENSSL_NO_TLS1_3
500 unsigned int group_id;
501 PACKET key_share_list, encoded_pt;
502 const unsigned char *clntcurves, *srvrcurves;
503 size_t clnt_num_curves, srvr_num_curves;
504 int group_nid, found = 0;
505 unsigned int curve_flags;
506
507 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
508 return 1;
509
510 /* Sanity check */
511 if (s->s3->peer_tmp != NULL) {
512 *al = SSL_AD_INTERNAL_ERROR;
513 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
514 return 0;
515 }
516
517 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
518 *al = SSL_AD_DECODE_ERROR;
519 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
520 return 0;
521 }
522
523 /* Get our list of supported curves */
524 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
525 *al = SSL_AD_INTERNAL_ERROR;
526 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
527 return 0;
528 }
529
530 /* Get the clients list of supported curves. */
531 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
532 *al = SSL_AD_INTERNAL_ERROR;
533 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
534 return 0;
535 }
536 if (clnt_num_curves == 0) {
537 /*
538 * This can only happen if the supported_groups extension was not sent,
539 * because we verify that the length is non-zero when we process that
540 * extension.
541 */
542 *al = SSL_AD_MISSING_EXTENSION;
543 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
544 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
545 return 0;
546 }
547
548 while (PACKET_remaining(&key_share_list) > 0) {
549 if (!PACKET_get_net_2(&key_share_list, &group_id)
550 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
551 || PACKET_remaining(&encoded_pt) == 0) {
552 *al = SSL_AD_DECODE_ERROR;
553 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
554 SSL_R_LENGTH_MISMATCH);
555 return 0;
556 }
557
558 /*
559 * If we already found a suitable key_share we loop through the
560 * rest to verify the structure, but don't process them.
561 */
562 if (found)
563 continue;
564
565 /* Check if this share is in supported_groups sent from client */
566 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
567 *al = SSL_AD_ILLEGAL_PARAMETER;
568 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
569 return 0;
570 }
571
572 /* Check if this share is for a group we can use */
573 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
574 /* Share not suitable */
575 continue;
576 }
577
578 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
579
580 if (group_nid == 0) {
581 *al = SSL_AD_INTERNAL_ERROR;
582 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
583 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
584 return 0;
585 }
586
587 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
588 /* Can happen for some curves, e.g. X25519 */
589 EVP_PKEY *key = EVP_PKEY_new();
590
591 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
592 *al = SSL_AD_INTERNAL_ERROR;
593 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
594 EVP_PKEY_free(key);
595 return 0;
596 }
597 s->s3->peer_tmp = key;
598 } else {
599 /* Set up EVP_PKEY with named curve as parameters */
600 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
601
602 if (pctx == NULL
603 || EVP_PKEY_paramgen_init(pctx) <= 0
604 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
605 group_nid) <= 0
606 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
607 *al = SSL_AD_INTERNAL_ERROR;
608 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
609 EVP_PKEY_CTX_free(pctx);
610 return 0;
611 }
612 EVP_PKEY_CTX_free(pctx);
613 pctx = NULL;
614 }
615 s->s3->group_id = group_id;
616
617 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
618 PACKET_data(&encoded_pt),
619 PACKET_remaining(&encoded_pt))) {
620 *al = SSL_AD_ILLEGAL_PARAMETER;
621 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
622 return 0;
623 }
624
625 found = 1;
626 }
627 #endif
628
629 return 1;
630 }
631
632 #ifndef OPENSSL_NO_EC
633 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
634 X509 *x, size_t chainidx, int *al)
635 {
636 PACKET supported_groups_list;
637
638 /* Each group is 2 bytes and we must have at least 1. */
639 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
640 || PACKET_remaining(&supported_groups_list) == 0
641 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
642 *al = SSL_AD_DECODE_ERROR;
643 return 0;
644 }
645
646 if (!s->hit || SSL_IS_TLS13(s)) {
647 OPENSSL_free(s->session->ext.supportedgroups);
648 s->session->ext.supportedgroups = NULL;
649 s->session->ext.supportedgroups_len = 0;
650 if (!PACKET_memdup(&supported_groups_list,
651 &s->session->ext.supportedgroups,
652 &s->session->ext.supportedgroups_len)) {
653 *al = SSL_AD_INTERNAL_ERROR;
654 return 0;
655 }
656 }
657
658 return 1;
659 }
660 #endif
661
662 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
663 size_t chainidx, int *al)
664 {
665 /* The extension must always be empty */
666 if (PACKET_remaining(pkt) != 0) {
667 *al = SSL_AD_DECODE_ERROR;
668 return 0;
669 }
670
671 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
672
673 return 1;
674 }
675
676
677 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
678 X509 *x, size_t chainidx, int *al)
679 {
680 if (PACKET_remaining(pkt) != 0) {
681 *al = SSL_AD_DECODE_ERROR;
682 return 0;
683 }
684
685 if (s->hello_retry_request) {
686 *al = SSL_AD_ILLEGAL_PARAMETER;
687 return 0;
688 }
689
690 return 1;
691 }
692
693 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
694 size_t chainidx, int *al)
695 {
696 PACKET identities, binders, binder;
697 size_t binderoffset, hashsize;
698 SSL_SESSION *sess = NULL;
699 unsigned int id, i, ext = 0;
700 const EVP_MD *md = NULL;
701
702 /*
703 * If we have no PSK kex mode that we recognise then we can't resume so
704 * ignore this extension
705 */
706 if ((s->ext.psk_kex_mode
707 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
708 return 1;
709
710 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
711 *al = SSL_AD_DECODE_ERROR;
712 return 0;
713 }
714
715 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
716 PACKET identity;
717 unsigned long ticket_agel;
718
719 if (!PACKET_get_length_prefixed_2(&identities, &identity)
720 || !PACKET_get_net_4(&identities, &ticket_agel)) {
721 *al = SSL_AD_DECODE_ERROR;
722 return 0;
723 }
724
725 if (s->psk_find_session_cb != NULL
726 && !s->psk_find_session_cb(s, PACKET_data(&identity),
727 PACKET_remaining(&identity),
728 &sess)) {
729 *al = SSL_AD_INTERNAL_ERROR;
730 return 0;
731 }
732
733 if (sess != NULL) {
734 /* We found a PSK */
735 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
736
737 if (sesstmp == NULL) {
738 *al = SSL_AD_INTERNAL_ERROR;
739 return 0;
740 }
741 SSL_SESSION_free(sess);
742 sess = sesstmp;
743
744 /*
745 * We've just been told to use this session for this context so
746 * make sure the sid_ctx matches up.
747 */
748 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
749 sess->sid_ctx_length = s->sid_ctx_length;
750 ext = 1;
751 if (id == 0)
752 s->ext.early_data_ok = 1;
753 } else {
754 uint32_t ticket_age = 0, now, agesec, agems;
755 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
756 PACKET_remaining(&identity), NULL, 0,
757 &sess);
758
759 if (ret == TICKET_FATAL_ERR_MALLOC
760 || ret == TICKET_FATAL_ERR_OTHER) {
761 *al = SSL_AD_INTERNAL_ERROR;
762 return 0;
763 }
764 if (ret == TICKET_NO_DECRYPT)
765 continue;
766
767 ticket_age = (uint32_t)ticket_agel;
768 now = (uint32_t)time(NULL);
769 agesec = now - (uint32_t)sess->time;
770 agems = agesec * (uint32_t)1000;
771 ticket_age -= sess->ext.tick_age_add;
772
773 /*
774 * For simplicity we do our age calculations in seconds. If the
775 * client does it in ms then it could appear that their ticket age
776 * is longer than ours (our ticket age calculation should always be
777 * slightly longer than the client's due to the network latency).
778 * Therefore we add 1000ms to our age calculation to adjust for
779 * rounding errors.
780 */
781 if (id == 0
782 && sess->timeout >= (long)agesec
783 && agems / (uint32_t)1000 == agesec
784 && ticket_age <= agems + 1000
785 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
786 /*
787 * Ticket age is within tolerance and not expired. We allow it
788 * for early data
789 */
790 s->ext.early_data_ok = 1;
791 }
792 }
793
794 md = ssl_md(sess->cipher->algorithm2);
795 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
796 /* The ciphersuite is not compatible with this session. */
797 SSL_SESSION_free(sess);
798 sess = NULL;
799 s->ext.early_data_ok = 0;
800 continue;
801 }
802 break;
803 }
804
805 if (sess == NULL)
806 return 1;
807
808 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
809 hashsize = EVP_MD_size(md);
810
811 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
812 *al = SSL_AD_DECODE_ERROR;
813 goto err;
814 }
815
816 for (i = 0; i <= id; i++) {
817 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
818 *al = SSL_AD_DECODE_ERROR;
819 goto err;
820 }
821 }
822
823 if (PACKET_remaining(&binder) != hashsize
824 || tls_psk_do_binder(s, md,
825 (const unsigned char *)s->init_buf->data,
826 binderoffset, PACKET_data(&binder), NULL,
827 sess, 0, ext) != 1) {
828 *al = SSL_AD_DECODE_ERROR;
829 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
830 goto err;
831 }
832
833 sess->ext.tick_identity = id;
834
835 SSL_SESSION_free(s->session);
836 s->session = sess;
837 return 1;
838 err:
839 SSL_SESSION_free(sess);
840 return 0;
841 }
842
843 /*
844 * Add the server's renegotiation binding
845 */
846 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
847 unsigned int context, X509 *x,
848 size_t chainidx, int *al)
849 {
850 if (!s->s3->send_connection_binding)
851 return EXT_RETURN_NOT_SENT;
852
853 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
854 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
855 || !WPACKET_start_sub_packet_u16(pkt)
856 || !WPACKET_start_sub_packet_u8(pkt)
857 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
858 s->s3->previous_client_finished_len)
859 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
860 s->s3->previous_server_finished_len)
861 || !WPACKET_close(pkt)
862 || !WPACKET_close(pkt)) {
863 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
864 return EXT_RETURN_FAIL;
865 }
866
867 return EXT_RETURN_SENT;
868 }
869
870 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
871 unsigned int context, X509 *x,
872 size_t chainidx, int *al)
873 {
874 if (s->hit || s->servername_done != 1
875 || s->session->ext.hostname == NULL)
876 return EXT_RETURN_NOT_SENT;
877
878 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
879 || !WPACKET_put_bytes_u16(pkt, 0)) {
880 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
881 return EXT_RETURN_FAIL;
882 }
883
884 return EXT_RETURN_SENT;
885 }
886
887 #ifndef OPENSSL_NO_EC
888 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
889 unsigned int context, X509 *x,
890 size_t chainidx, int *al)
891 {
892 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
893 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
894 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
895 && (s->session->ext.ecpointformats != NULL);
896 const unsigned char *plist;
897 size_t plistlen;
898
899 if (!using_ecc)
900 return EXT_RETURN_NOT_SENT;
901
902 tls1_get_formatlist(s, &plist, &plistlen);
903 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
904 || !WPACKET_start_sub_packet_u16(pkt)
905 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
906 || !WPACKET_close(pkt)) {
907 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
908 return EXT_RETURN_FAIL;
909 }
910
911 return EXT_RETURN_SENT;
912 }
913 #endif
914
915 #ifndef OPENSSL_NO_EC
916 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
917 unsigned int context, X509 *x,
918 size_t chainidx, int *al)
919 {
920 const unsigned char *groups;
921 size_t numgroups, i, first = 1;
922
923 /* s->s3->group_id is non zero if we accepted a key_share */
924 if (s->s3->group_id == 0)
925 return EXT_RETURN_NOT_SENT;
926
927 /* Get our list of supported groups */
928 if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
929 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
930 return EXT_RETURN_FAIL;
931 }
932
933 /* Copy group ID if supported */
934 for (i = 0; i < numgroups; i++, groups += 2) {
935 if (tls_curve_allowed(s, groups, SSL_SECOP_CURVE_SUPPORTED)) {
936 if (first) {
937 /*
938 * Check if the client is already using our preferred group. If
939 * so we don't need to add this extension
940 */
941 if (s->s3->group_id == GET_GROUP_ID(groups, 0))
942 return EXT_RETURN_NOT_SENT;
943
944 /* Add extension header */
945 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
946 /* Sub-packet for supported_groups extension */
947 || !WPACKET_start_sub_packet_u16(pkt)
948 || !WPACKET_start_sub_packet_u16(pkt)) {
949 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
950 ERR_R_INTERNAL_ERROR);
951 return EXT_RETURN_FAIL;
952 }
953
954 first = 0;
955 }
956 if (!WPACKET_put_bytes_u16(pkt, GET_GROUP_ID(groups, 0))) {
957 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
958 ERR_R_INTERNAL_ERROR);
959 return EXT_RETURN_FAIL;
960 }
961 }
962 }
963
964 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
965 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
966 return EXT_RETURN_FAIL;
967 }
968
969 return EXT_RETURN_SENT;
970 }
971 #endif
972
973 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
974 unsigned int context, X509 *x,
975 size_t chainidx, int *al)
976 {
977 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
978 s->ext.ticket_expected = 0;
979 return EXT_RETURN_NOT_SENT;
980 }
981
982 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
983 || !WPACKET_put_bytes_u16(pkt, 0)) {
984 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
985 return EXT_RETURN_FAIL;
986 }
987
988 return EXT_RETURN_SENT;
989 }
990
991 #ifndef OPENSSL_NO_OCSP
992 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
993 unsigned int context, X509 *x,
994 size_t chainidx, int *al)
995 {
996 if (!s->ext.status_expected)
997 return EXT_RETURN_NOT_SENT;
998
999 if (SSL_IS_TLS13(s) && chainidx != 0)
1000 return EXT_RETURN_NOT_SENT;
1001
1002 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1003 || !WPACKET_start_sub_packet_u16(pkt)) {
1004 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1005 return EXT_RETURN_FAIL;
1006 }
1007
1008 /*
1009 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1010 * send back an empty extension, with the certificate status appearing as a
1011 * separate message
1012 */
1013 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
1014 || !WPACKET_close(pkt)) {
1015 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1016 return EXT_RETURN_FAIL;
1017 }
1018
1019 return EXT_RETURN_SENT;
1020 }
1021 #endif
1022
1023 #ifndef OPENSSL_NO_NEXTPROTONEG
1024 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1025 unsigned int context, X509 *x,
1026 size_t chainidx, int *al)
1027 {
1028 const unsigned char *npa;
1029 unsigned int npalen;
1030 int ret;
1031 int npn_seen = s->s3->npn_seen;
1032
1033 s->s3->npn_seen = 0;
1034 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1035 return EXT_RETURN_NOT_SENT;
1036
1037 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1038 s->ctx->ext.npn_advertised_cb_arg);
1039 if (ret == SSL_TLSEXT_ERR_OK) {
1040 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1041 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1042 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1043 ERR_R_INTERNAL_ERROR);
1044 return EXT_RETURN_FAIL;
1045 }
1046 s->s3->npn_seen = 1;
1047 }
1048
1049 return EXT_RETURN_SENT;
1050 }
1051 #endif
1052
1053 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1054 X509 *x, size_t chainidx, int *al)
1055 {
1056 if (s->s3->alpn_selected == NULL)
1057 return EXT_RETURN_NOT_SENT;
1058
1059 if (!WPACKET_put_bytes_u16(pkt,
1060 TLSEXT_TYPE_application_layer_protocol_negotiation)
1061 || !WPACKET_start_sub_packet_u16(pkt)
1062 || !WPACKET_start_sub_packet_u16(pkt)
1063 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1064 s->s3->alpn_selected_len)
1065 || !WPACKET_close(pkt)
1066 || !WPACKET_close(pkt)) {
1067 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1068 return EXT_RETURN_FAIL;
1069 }
1070
1071 return EXT_RETURN_SENT;
1072 }
1073
1074 #ifndef OPENSSL_NO_SRTP
1075 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1076 unsigned int context, X509 *x,
1077 size_t chainidx, int *al)
1078 {
1079 if (s->srtp_profile == NULL)
1080 return EXT_RETURN_NOT_SENT;
1081
1082 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1083 || !WPACKET_start_sub_packet_u16(pkt)
1084 || !WPACKET_put_bytes_u16(pkt, 2)
1085 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1086 || !WPACKET_put_bytes_u8(pkt, 0)
1087 || !WPACKET_close(pkt)) {
1088 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
1089 return EXT_RETURN_FAIL;
1090 }
1091
1092 return EXT_RETURN_SENT;
1093 }
1094 #endif
1095
1096 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1097 X509 *x, size_t chainidx, int *al)
1098 {
1099 if (!s->ext.use_etm)
1100 return EXT_RETURN_NOT_SENT;
1101
1102 /*
1103 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1104 * for other cases too.
1105 */
1106 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1107 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1108 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1109 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1110 s->ext.use_etm = 0;
1111 return EXT_RETURN_NOT_SENT;
1112 }
1113
1114 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1115 || !WPACKET_put_bytes_u16(pkt, 0)) {
1116 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
1117 return EXT_RETURN_FAIL;
1118 }
1119
1120 return EXT_RETURN_SENT;
1121 }
1122
1123 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1124 X509 *x, size_t chainidx, int *al)
1125 {
1126 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1127 return EXT_RETURN_NOT_SENT;
1128
1129 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1130 || !WPACKET_put_bytes_u16(pkt, 0)) {
1131 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
1132 return EXT_RETURN_FAIL;
1133 }
1134
1135 return EXT_RETURN_SENT;
1136 }
1137
1138 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1139 unsigned int context, X509 *x,
1140 size_t chainidx, int *al)
1141 {
1142 #ifndef OPENSSL_NO_TLS1_3
1143 unsigned char *encodedPoint;
1144 size_t encoded_pt_len = 0;
1145 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1146
1147 if (ckey == NULL) {
1148 /* No key_share received from client */
1149 if (s->hello_retry_request) {
1150 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1151 || !WPACKET_start_sub_packet_u16(pkt)
1152 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1153 || !WPACKET_close(pkt)) {
1154 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1155 ERR_R_INTERNAL_ERROR);
1156 return EXT_RETURN_FAIL;
1157 }
1158
1159 return EXT_RETURN_SENT;
1160 }
1161
1162 /* Must be resuming. */
1163 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1164 *al = SSL_AD_INTERNAL_ERROR;
1165 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1166 return EXT_RETURN_FAIL;
1167 }
1168 return EXT_RETURN_NOT_SENT;
1169 }
1170
1171 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1172 || !WPACKET_start_sub_packet_u16(pkt)
1173 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1174 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1175 return EXT_RETURN_FAIL;
1176 }
1177
1178 skey = ssl_generate_pkey(ckey);
1179 if (skey == NULL) {
1180 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1181 return EXT_RETURN_FAIL;
1182 }
1183
1184 /* Generate encoding of server key */
1185 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1186 if (encoded_pt_len == 0) {
1187 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
1188 EVP_PKEY_free(skey);
1189 return EXT_RETURN_FAIL;
1190 }
1191
1192 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1193 || !WPACKET_close(pkt)) {
1194 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1195 EVP_PKEY_free(skey);
1196 OPENSSL_free(encodedPoint);
1197 return EXT_RETURN_FAIL;
1198 }
1199 OPENSSL_free(encodedPoint);
1200
1201 /* This causes the crypto state to be updated based on the derived keys */
1202 s->s3->tmp.pkey = skey;
1203 if (ssl_derive(s, skey, ckey, 1) == 0) {
1204 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1205 return EXT_RETURN_FAIL;
1206 }
1207 #endif
1208
1209 return EXT_RETURN_SENT;
1210 }
1211
1212 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1213 unsigned int context, X509 *x,
1214 size_t chainidx, int *al)
1215 {
1216 const unsigned char cryptopro_ext[36] = {
1217 0xfd, 0xe8, /* 65000 */
1218 0x00, 0x20, /* 32 bytes length */
1219 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1220 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1221 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1222 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1223 };
1224
1225 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1226 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1227 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1228 return EXT_RETURN_NOT_SENT;
1229
1230 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1231 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1232 return EXT_RETURN_FAIL;
1233 }
1234
1235 return EXT_RETURN_SENT;
1236 }
1237
1238 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1239 unsigned int context, X509 *x,
1240 size_t chainidx, int *al)
1241 {
1242 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1243 if (s->max_early_data == 0)
1244 return EXT_RETURN_NOT_SENT;
1245
1246 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1247 || !WPACKET_start_sub_packet_u16(pkt)
1248 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1249 || !WPACKET_close(pkt)) {
1250 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1251 return EXT_RETURN_FAIL;
1252 }
1253
1254 return EXT_RETURN_SENT;
1255 }
1256
1257 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1258 return EXT_RETURN_NOT_SENT;
1259
1260 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1261 || !WPACKET_start_sub_packet_u16(pkt)
1262 || !WPACKET_close(pkt)) {
1263 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1264 return EXT_RETURN_FAIL;
1265 }
1266
1267 return EXT_RETURN_SENT;
1268 }
1269
1270 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1271 X509 *x, size_t chainidx, int *al)
1272 {
1273 if (!s->hit)
1274 return EXT_RETURN_NOT_SENT;
1275
1276 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1277 || !WPACKET_start_sub_packet_u16(pkt)
1278 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1279 || !WPACKET_close(pkt)) {
1280 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1281 return EXT_RETURN_FAIL;
1282 }
1283
1284 return EXT_RETURN_SENT;
1285 }
A mirror of the official openssl repository