]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix up a few places in the state machine that got missed with SSLfatal()
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
1 /*
2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
13
14 /*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx)
19 {
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 return 0;
29 }
30
31 /* Check that the extension matches */
32 if (ilen != s->s3->previous_client_finished_len) {
33 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
34 SSL_R_RENEGOTIATION_MISMATCH);
35 return 0;
36 }
37
38 if (memcmp(data, s->s3->previous_client_finished,
39 s->s3->previous_client_finished_len)) {
40 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
41 SSL_R_RENEGOTIATION_MISMATCH);
42 return 0;
43 }
44
45 s->s3->send_connection_binding = 1;
46
47 return 1;
48 }
49
50 /*-
51 * The servername extension is treated as follows:
52 *
53 * - Only the hostname type is supported with a maximum length of 255.
54 * - The servername is rejected if too long or if it contains zeros,
55 * in which case an fatal alert is generated.
56 * - The servername field is maintained together with the session cache.
57 * - When a session is resumed, the servername call back invoked in order
58 * to allow the application to position itself to the right context.
59 * - The servername is acknowledged if it is new for a session or when
60 * it is identical to a previously used for the same session.
61 * Applications can control the behaviour. They can at any time
62 * set a 'desirable' servername for a new SSL object. This can be the
63 * case for example with HTTPS when a Host: header field is received and
64 * a renegotiation is requested. In this case, a possible servername
65 * presented in the new client hello is only acknowledged if it matches
66 * the value of the Host: field.
67 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
68 * if they provide for changing an explicit servername context for the
69 * session, i.e. when the session has been established with a servername
70 * extension.
71 * - On session reconnect, the servername extension may be absent.
72 */
73 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
74 X509 *x, size_t chainidx)
75 {
76 unsigned int servname_type;
77 PACKET sni, hostname;
78
79 if (!PACKET_as_length_prefixed_2(pkt, &sni)
80 /* ServerNameList must be at least 1 byte long. */
81 || PACKET_remaining(&sni) == 0) {
82 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
83 SSL_R_BAD_EXTENSION);
84 return 0;
85 }
86
87 /*
88 * Although the intent was for server_name to be extensible, RFC 4366
89 * was not clear about it; and so OpenSSL among other implementations,
90 * always and only allows a 'host_name' name types.
91 * RFC 6066 corrected the mistake but adding new name types
92 * is nevertheless no longer feasible, so act as if no other
93 * SNI types can exist, to simplify parsing.
94 *
95 * Also note that the RFC permits only one SNI value per type,
96 * i.e., we can only have a single hostname.
97 */
98 if (!PACKET_get_1(&sni, &servname_type)
99 || servname_type != TLSEXT_NAMETYPE_host_name
100 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
101 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
102 SSL_R_BAD_EXTENSION);
103 return 0;
104 }
105
106 if (!s->hit) {
107 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
108 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
109 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
110 SSL_R_BAD_EXTENSION);
111 return 0;
112 }
113
114 if (PACKET_contains_zero_byte(&hostname)) {
115 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
116 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
117 SSL_R_BAD_EXTENSION);
118 return 0;
119 }
120
121 OPENSSL_free(s->session->ext.hostname);
122 s->session->ext.hostname = NULL;
123 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
124 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
125 ERR_R_INTERNAL_ERROR);
126 return 0;
127 }
128
129 s->servername_done = 1;
130 } else {
131 /*
132 * TODO(openssl-team): if the SNI doesn't match, we MUST
133 * fall back to a full handshake.
134 */
135 s->servername_done = s->session->ext.hostname
136 && PACKET_equal(&hostname, s->session->ext.hostname,
137 strlen(s->session->ext.hostname));
138
139 if (!s->servername_done && s->session->ext.hostname != NULL)
140 s->ext.early_data_ok = 0;
141 }
142
143 return 1;
144 }
145
146 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
147 X509 *x, size_t chainidx)
148 {
149 unsigned int value;
150
151 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
152 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
153 SSL_R_BAD_EXTENSION);
154 return 0;
155 }
156
157 /* Received |value| should be a valid max-fragment-length code. */
158 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
159 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
160 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
161 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
162 return 0;
163 }
164
165 /*
166 * RFC 6066: The negotiated length applies for the duration of the session
167 * including session resumptions.
168 * We should receive the same code as in resumed session !
169 */
170 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
171 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
172 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
173 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
174 return 0;
175 }
176
177 /*
178 * Store it in session, so it'll become binding for us
179 * and we'll include it in a next Server Hello.
180 */
181 s->session->ext.max_fragment_len_mode = value;
182 return 1;
183 }
184
185 #ifndef OPENSSL_NO_SRP
186 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
187 size_t chainidx)
188 {
189 PACKET srp_I;
190
191 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
192 || PACKET_contains_zero_byte(&srp_I)) {
193 SSLfatal(s, SSL_AD_DECODE_ERROR,
194 SSL_F_TLS_PARSE_CTOS_SRP,
195 SSL_R_BAD_EXTENSION);
196 return 0;
197 }
198
199 /*
200 * TODO(openssl-team): currently, we re-authenticate the user
201 * upon resumption. Instead, we MUST ignore the login.
202 */
203 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
205 ERR_R_INTERNAL_ERROR);
206 return 0;
207 }
208
209 return 1;
210 }
211 #endif
212
213 #ifndef OPENSSL_NO_EC
214 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
215 X509 *x, size_t chainidx)
216 {
217 PACKET ec_point_format_list;
218
219 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
220 || PACKET_remaining(&ec_point_format_list) == 0) {
221 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
222 SSL_R_BAD_EXTENSION);
223 return 0;
224 }
225
226 if (!s->hit) {
227 if (!PACKET_memdup(&ec_point_format_list,
228 &s->session->ext.ecpointformats,
229 &s->session->ext.ecpointformats_len)) {
230 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
231 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
232 return 0;
233 }
234 }
235
236 return 1;
237 }
238 #endif /* OPENSSL_NO_EC */
239
240 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
241 X509 *x, size_t chainidx)
242 {
243 if (s->ext.session_ticket_cb &&
244 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
245 PACKET_remaining(pkt),
246 s->ext.session_ticket_cb_arg)) {
247 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
248 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
249 return 0;
250 }
251
252 return 1;
253 }
254
255 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
256 size_t chainidx)
257 {
258 PACKET supported_sig_algs;
259
260 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
261 || PACKET_remaining(&supported_sig_algs) == 0) {
262 SSLfatal(s, SSL_AD_DECODE_ERROR,
263 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
264 return 0;
265 }
266
267 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
268 SSLfatal(s, SSL_AD_DECODE_ERROR,
269 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
270 return 0;
271 }
272
273 return 1;
274 }
275
276 #ifndef OPENSSL_NO_OCSP
277 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
278 X509 *x, size_t chainidx)
279 {
280 PACKET responder_id_list, exts;
281
282 /* Not defined if we get one of these in a client Certificate */
283 if (x != NULL)
284 return 1;
285
286 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
287 SSLfatal(s, SSL_AD_DECODE_ERROR,
288 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
289 return 0;
290 }
291
292 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
293 /*
294 * We don't know what to do with any other type so ignore it.
295 */
296 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
297 return 1;
298 }
299
300 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
301 SSLfatal(s, SSL_AD_DECODE_ERROR,
302 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
303 return 0;
304 }
305
306 /*
307 * We remove any OCSP_RESPIDs from a previous handshake
308 * to prevent unbounded memory growth - CVE-2016-6304
309 */
310 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
311 if (PACKET_remaining(&responder_id_list) > 0) {
312 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
313 if (s->ext.ocsp.ids == NULL) {
314 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
315 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
316 return 0;
317 }
318 } else {
319 s->ext.ocsp.ids = NULL;
320 }
321
322 while (PACKET_remaining(&responder_id_list) > 0) {
323 OCSP_RESPID *id;
324 PACKET responder_id;
325 const unsigned char *id_data;
326
327 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
328 || PACKET_remaining(&responder_id) == 0) {
329 SSLfatal(s, SSL_AD_DECODE_ERROR,
330 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
331 return 0;
332 }
333
334 id_data = PACKET_data(&responder_id);
335 /* TODO(size_t): Convert d2i_* to size_t */
336 id = d2i_OCSP_RESPID(NULL, &id_data,
337 (int)PACKET_remaining(&responder_id));
338 if (id == NULL) {
339 SSLfatal(s, SSL_AD_DECODE_ERROR,
340 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
341 return 0;
342 }
343
344 if (id_data != PACKET_end(&responder_id)) {
345 OCSP_RESPID_free(id);
346 SSLfatal(s, SSL_AD_DECODE_ERROR,
347 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
348
349 return 0;
350 }
351
352 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
353 OCSP_RESPID_free(id);
354 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
355 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
356
357 return 0;
358 }
359 }
360
361 /* Read in request_extensions */
362 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
363 SSLfatal(s, SSL_AD_DECODE_ERROR,
364 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
365 return 0;
366 }
367
368 if (PACKET_remaining(&exts) > 0) {
369 const unsigned char *ext_data = PACKET_data(&exts);
370
371 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
372 X509_EXTENSION_free);
373 s->ext.ocsp.exts =
374 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
375 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
376 SSLfatal(s, SSL_AD_DECODE_ERROR,
377 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
378 return 0;
379 }
380 }
381
382 return 1;
383 }
384 #endif
385
386 #ifndef OPENSSL_NO_NEXTPROTONEG
387 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
388 size_t chainidx)
389 {
390 /*
391 * We shouldn't accept this extension on a
392 * renegotiation.
393 */
394 if (SSL_IS_FIRST_HANDSHAKE(s))
395 s->s3->npn_seen = 1;
396
397 return 1;
398 }
399 #endif
400
401 /*
402 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
403 * extension, not including type and length. |al| is a pointer to the alert
404 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
405 */
406 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
407 size_t chainidx)
408 {
409 PACKET protocol_list, save_protocol_list, protocol;
410
411 if (!SSL_IS_FIRST_HANDSHAKE(s))
412 return 1;
413
414 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
415 || PACKET_remaining(&protocol_list) < 2) {
416 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
417 SSL_R_BAD_EXTENSION);
418 return 0;
419 }
420
421 save_protocol_list = protocol_list;
422 do {
423 /* Protocol names can't be empty. */
424 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
425 || PACKET_remaining(&protocol) == 0) {
426 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
427 SSL_R_BAD_EXTENSION);
428 return 0;
429 }
430 } while (PACKET_remaining(&protocol_list) != 0);
431
432 OPENSSL_free(s->s3->alpn_proposed);
433 s->s3->alpn_proposed = NULL;
434 s->s3->alpn_proposed_len = 0;
435 if (!PACKET_memdup(&save_protocol_list,
436 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
437 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
438 ERR_R_INTERNAL_ERROR);
439 return 0;
440 }
441
442 return 1;
443 }
444
445 #ifndef OPENSSL_NO_SRTP
446 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
447 size_t chainidx)
448 {
449 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
450 unsigned int ct, mki_len, id;
451 int i, srtp_pref;
452 PACKET subpkt;
453
454 /* Ignore this if we have no SRTP profiles */
455 if (SSL_get_srtp_profiles(s) == NULL)
456 return 1;
457
458 /* Pull off the length of the cipher suite list and check it is even */
459 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
460 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
461 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
462 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
463 return 0;
464 }
465
466 srvr = SSL_get_srtp_profiles(s);
467 s->srtp_profile = NULL;
468 /* Search all profiles for a match initially */
469 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
470
471 while (PACKET_remaining(&subpkt)) {
472 if (!PACKET_get_net_2(&subpkt, &id)) {
473 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
474 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
475 return 0;
476 }
477
478 /*
479 * Only look for match in profiles of higher preference than
480 * current match.
481 * If no profiles have been have been configured then this
482 * does nothing.
483 */
484 for (i = 0; i < srtp_pref; i++) {
485 SRTP_PROTECTION_PROFILE *sprof =
486 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
487
488 if (sprof->id == id) {
489 s->srtp_profile = sprof;
490 srtp_pref = i;
491 break;
492 }
493 }
494 }
495
496 /* Now extract the MKI value as a sanity check, but discard it for now */
497 if (!PACKET_get_1(pkt, &mki_len)) {
498 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
499 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
500 return 0;
501 }
502
503 if (!PACKET_forward(pkt, mki_len)
504 || PACKET_remaining(pkt)) {
505 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
506 SSL_R_BAD_SRTP_MKI_VALUE);
507 return 0;
508 }
509
510 return 1;
511 }
512 #endif
513
514 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
515 size_t chainidx)
516 {
517 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
518 s->ext.use_etm = 1;
519
520 return 1;
521 }
522
523 /*
524 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
525 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
526 * If a failure occurs then |*al| is set to an appropriate alert value.
527 */
528 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
529 X509 *x, size_t chainidx)
530 {
531 #ifndef OPENSSL_NO_TLS1_3
532 PACKET psk_kex_modes;
533 unsigned int mode;
534
535 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
536 || PACKET_remaining(&psk_kex_modes) == 0) {
537 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
538 SSL_R_BAD_EXTENSION);
539 return 0;
540 }
541
542 while (PACKET_get_1(&psk_kex_modes, &mode)) {
543 if (mode == TLSEXT_KEX_MODE_KE_DHE)
544 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
545 else if (mode == TLSEXT_KEX_MODE_KE
546 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
547 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
548 }
549 #endif
550
551 return 1;
552 }
553
554 /*
555 * Process a key_share extension received in the ClientHello. |pkt| contains
556 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
557 * If a failure occurs then |*al| is set to an appropriate alert value.
558 */
559 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
560 size_t chainidx)
561 {
562 #ifndef OPENSSL_NO_TLS1_3
563 unsigned int group_id;
564 PACKET key_share_list, encoded_pt;
565 const uint16_t *clntgroups, *srvrgroups;
566 size_t clnt_num_groups, srvr_num_groups;
567 int found = 0;
568
569 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
570 return 1;
571
572 /* Sanity check */
573 if (s->s3->peer_tmp != NULL) {
574 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
575 ERR_R_INTERNAL_ERROR);
576 return 0;
577 }
578
579 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
580 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
581 SSL_R_LENGTH_MISMATCH);
582 return 0;
583 }
584
585 /* Get our list of supported groups */
586 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
587 /* Get the clients list of supported groups. */
588 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
589 if (clnt_num_groups == 0) {
590 /*
591 * This can only happen if the supported_groups extension was not sent,
592 * because we verify that the length is non-zero when we process that
593 * extension.
594 */
595 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
596 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
597 return 0;
598 }
599
600 while (PACKET_remaining(&key_share_list) > 0) {
601 if (!PACKET_get_net_2(&key_share_list, &group_id)
602 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
603 || PACKET_remaining(&encoded_pt) == 0) {
604 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
605 SSL_R_LENGTH_MISMATCH);
606 return 0;
607 }
608
609 /*
610 * If we already found a suitable key_share we loop through the
611 * rest to verify the structure, but don't process them.
612 */
613 if (found)
614 continue;
615
616 /* Check if this share is in supported_groups sent from client */
617 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
618 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
619 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
620 return 0;
621 }
622
623 /* Check if this share is for a group we can use */
624 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
625 /* Share not suitable */
626 continue;
627 }
628
629 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
630 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
631 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
632 return 0;
633 }
634
635 s->s3->group_id = group_id;
636
637 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
638 PACKET_data(&encoded_pt),
639 PACKET_remaining(&encoded_pt))) {
640 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
641 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
642 return 0;
643 }
644
645 found = 1;
646 }
647 #endif
648
649 return 1;
650 }
651
652 #ifndef OPENSSL_NO_EC
653 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
654 X509 *x, size_t chainidx)
655 {
656 PACKET supported_groups_list;
657
658 /* Each group is 2 bytes and we must have at least 1. */
659 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
660 || PACKET_remaining(&supported_groups_list) == 0
661 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
662 SSLfatal(s, SSL_AD_DECODE_ERROR,
663 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
664 return 0;
665 }
666
667 if (!s->hit || SSL_IS_TLS13(s)) {
668 OPENSSL_free(s->session->ext.supportedgroups);
669 s->session->ext.supportedgroups = NULL;
670 s->session->ext.supportedgroups_len = 0;
671 if (!tls1_save_u16(&supported_groups_list,
672 &s->session->ext.supportedgroups,
673 &s->session->ext.supportedgroups_len)) {
674 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
675 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
676 ERR_R_INTERNAL_ERROR);
677 return 0;
678 }
679 }
680
681 return 1;
682 }
683 #endif
684
685 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
686 size_t chainidx)
687 {
688 /* The extension must always be empty */
689 if (PACKET_remaining(pkt) != 0) {
690 SSLfatal(s, SSL_AD_DECODE_ERROR,
691 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
692 return 0;
693 }
694
695 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
696
697 return 1;
698 }
699
700
701 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
702 X509 *x, size_t chainidx)
703 {
704 if (PACKET_remaining(pkt) != 0) {
705 SSLfatal(s, SSL_AD_DECODE_ERROR,
706 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
707 return 0;
708 }
709
710 if (s->hello_retry_request) {
711 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
712 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
713 return 0;
714 }
715
716 return 1;
717 }
718
719 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
720 size_t chainidx)
721 {
722 PACKET identities, binders, binder;
723 size_t binderoffset, hashsize;
724 SSL_SESSION *sess = NULL;
725 unsigned int id, i, ext = 0;
726 const EVP_MD *md = NULL;
727
728 /*
729 * If we have no PSK kex mode that we recognise then we can't resume so
730 * ignore this extension
731 */
732 if ((s->ext.psk_kex_mode
733 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
734 return 1;
735
736 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
737 SSLfatal(s, SSL_AD_DECODE_ERROR,
738 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
739 return 0;
740 }
741
742 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
743 PACKET identity;
744 unsigned long ticket_agel;
745
746 if (!PACKET_get_length_prefixed_2(&identities, &identity)
747 || !PACKET_get_net_4(&identities, &ticket_agel)) {
748 SSLfatal(s, SSL_AD_DECODE_ERROR,
749 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
750 return 0;
751 }
752
753 if (s->psk_find_session_cb != NULL
754 && !s->psk_find_session_cb(s, PACKET_data(&identity),
755 PACKET_remaining(&identity),
756 &sess)) {
757 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
758 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
759 return 0;
760 }
761
762 if (sess != NULL) {
763 /* We found a PSK */
764 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
765
766 if (sesstmp == NULL) {
767 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
768 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
769 return 0;
770 }
771 SSL_SESSION_free(sess);
772 sess = sesstmp;
773
774 /*
775 * We've just been told to use this session for this context so
776 * make sure the sid_ctx matches up.
777 */
778 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
779 sess->sid_ctx_length = s->sid_ctx_length;
780 ext = 1;
781 if (id == 0)
782 s->ext.early_data_ok = 1;
783 } else {
784 uint32_t ticket_age = 0, now, agesec, agems;
785 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
786 PACKET_remaining(&identity), NULL, 0,
787 &sess);
788
789 if (ret == TICKET_FATAL_ERR_MALLOC
790 || ret == TICKET_FATAL_ERR_OTHER) {
791 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
792 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
793 return 0;
794 }
795 if (ret == TICKET_NO_DECRYPT)
796 continue;
797
798 ticket_age = (uint32_t)ticket_agel;
799 now = (uint32_t)time(NULL);
800 agesec = now - (uint32_t)sess->time;
801 agems = agesec * (uint32_t)1000;
802 ticket_age -= sess->ext.tick_age_add;
803
804 /*
805 * For simplicity we do our age calculations in seconds. If the
806 * client does it in ms then it could appear that their ticket age
807 * is longer than ours (our ticket age calculation should always be
808 * slightly longer than the client's due to the network latency).
809 * Therefore we add 1000ms to our age calculation to adjust for
810 * rounding errors.
811 */
812 if (id == 0
813 && sess->timeout >= (long)agesec
814 && agems / (uint32_t)1000 == agesec
815 && ticket_age <= agems + 1000
816 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
817 /*
818 * Ticket age is within tolerance and not expired. We allow it
819 * for early data
820 */
821 s->ext.early_data_ok = 1;
822 }
823 }
824
825 md = ssl_md(sess->cipher->algorithm2);
826 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
827 /* The ciphersuite is not compatible with this session. */
828 SSL_SESSION_free(sess);
829 sess = NULL;
830 s->ext.early_data_ok = 0;
831 continue;
832 }
833 break;
834 }
835
836 if (sess == NULL)
837 return 1;
838
839 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
840 hashsize = EVP_MD_size(md);
841
842 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
843 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
844 SSL_R_BAD_EXTENSION);
845 goto err;
846 }
847
848 for (i = 0; i <= id; i++) {
849 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
850 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
851 SSL_R_BAD_EXTENSION);
852 goto err;
853 }
854 }
855
856 if (PACKET_remaining(&binder) != hashsize
857 || tls_psk_do_binder(s, md,
858 (const unsigned char *)s->init_buf->data,
859 binderoffset, PACKET_data(&binder), NULL,
860 sess, 0, ext) != 1) {
861 /* SSLfatal() already called */
862 goto err;
863 }
864
865 sess->ext.tick_identity = id;
866
867 SSL_SESSION_free(s->session);
868 s->session = sess;
869 return 1;
870 err:
871 SSL_SESSION_free(sess);
872 return 0;
873 }
874
875 /*
876 * Add the server's renegotiation binding
877 */
878 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
879 unsigned int context, X509 *x,
880 size_t chainidx)
881 {
882 if (!s->s3->send_connection_binding)
883 return EXT_RETURN_NOT_SENT;
884
885 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
886 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
887 || !WPACKET_start_sub_packet_u16(pkt)
888 || !WPACKET_start_sub_packet_u8(pkt)
889 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
890 s->s3->previous_client_finished_len)
891 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
892 s->s3->previous_server_finished_len)
893 || !WPACKET_close(pkt)
894 || !WPACKET_close(pkt)) {
895 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
896 ERR_R_INTERNAL_ERROR);
897 return EXT_RETURN_FAIL;
898 }
899
900 return EXT_RETURN_SENT;
901 }
902
903 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
904 unsigned int context, X509 *x,
905 size_t chainidx)
906 {
907 if (s->hit || s->servername_done != 1
908 || s->session->ext.hostname == NULL)
909 return EXT_RETURN_NOT_SENT;
910
911 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
912 || !WPACKET_put_bytes_u16(pkt, 0)) {
913 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
914 ERR_R_INTERNAL_ERROR);
915 return EXT_RETURN_FAIL;
916 }
917
918 return EXT_RETURN_SENT;
919 }
920
921 /* Add/include the server's max fragment len extension into ServerHello */
922 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
923 unsigned int context, X509 *x,
924 size_t chainidx)
925 {
926 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
927 return EXT_RETURN_NOT_SENT;
928
929 /*-
930 * 4 bytes for this extension type and extension length
931 * 1 byte for the Max Fragment Length code value.
932 */
933 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
934 || !WPACKET_start_sub_packet_u16(pkt)
935 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
936 || !WPACKET_close(pkt)) {
937 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
938 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
939 return EXT_RETURN_FAIL;
940 }
941
942 return EXT_RETURN_SENT;
943 }
944
945 #ifndef OPENSSL_NO_EC
946 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
947 unsigned int context, X509 *x,
948 size_t chainidx)
949 {
950 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
951 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
952 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
953 && (s->session->ext.ecpointformats != NULL);
954 const unsigned char *plist;
955 size_t plistlen;
956
957 if (!using_ecc)
958 return EXT_RETURN_NOT_SENT;
959
960 tls1_get_formatlist(s, &plist, &plistlen);
961 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
962 || !WPACKET_start_sub_packet_u16(pkt)
963 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
964 || !WPACKET_close(pkt)) {
965 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
966 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
967 return EXT_RETURN_FAIL;
968 }
969
970 return EXT_RETURN_SENT;
971 }
972 #endif
973
974 #ifndef OPENSSL_NO_EC
975 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
976 unsigned int context, X509 *x,
977 size_t chainidx)
978 {
979 const uint16_t *groups;
980 size_t numgroups, i, first = 1;
981
982 /* s->s3->group_id is non zero if we accepted a key_share */
983 if (s->s3->group_id == 0)
984 return EXT_RETURN_NOT_SENT;
985
986 /* Get our list of supported groups */
987 tls1_get_supported_groups(s, &groups, &numgroups);
988 if (numgroups == 0) {
989 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
990 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
991 return EXT_RETURN_FAIL;
992 }
993
994 /* Copy group ID if supported */
995 for (i = 0; i < numgroups; i++) {
996 uint16_t group = groups[i];
997
998 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
999 if (first) {
1000 /*
1001 * Check if the client is already using our preferred group. If
1002 * so we don't need to add this extension
1003 */
1004 if (s->s3->group_id == group)
1005 return EXT_RETURN_NOT_SENT;
1006
1007 /* Add extension header */
1008 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1009 /* Sub-packet for supported_groups extension */
1010 || !WPACKET_start_sub_packet_u16(pkt)
1011 || !WPACKET_start_sub_packet_u16(pkt)) {
1012 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1013 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1014 ERR_R_INTERNAL_ERROR);
1015 return EXT_RETURN_FAIL;
1016 }
1017
1018 first = 0;
1019 }
1020 if (!WPACKET_put_bytes_u16(pkt, group)) {
1021 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1022 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1023 ERR_R_INTERNAL_ERROR);
1024 return EXT_RETURN_FAIL;
1025 }
1026 }
1027 }
1028
1029 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1030 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1031 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1032 ERR_R_INTERNAL_ERROR);
1033 return EXT_RETURN_FAIL;
1034 }
1035
1036 return EXT_RETURN_SENT;
1037 }
1038 #endif
1039
1040 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1041 unsigned int context, X509 *x,
1042 size_t chainidx)
1043 {
1044 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1045 s->ext.ticket_expected = 0;
1046 return EXT_RETURN_NOT_SENT;
1047 }
1048
1049 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1050 || !WPACKET_put_bytes_u16(pkt, 0)) {
1051 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1052 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1053 return EXT_RETURN_FAIL;
1054 }
1055
1056 return EXT_RETURN_SENT;
1057 }
1058
1059 #ifndef OPENSSL_NO_OCSP
1060 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1061 unsigned int context, X509 *x,
1062 size_t chainidx)
1063 {
1064 if (!s->ext.status_expected)
1065 return EXT_RETURN_NOT_SENT;
1066
1067 if (SSL_IS_TLS13(s) && chainidx != 0)
1068 return EXT_RETURN_NOT_SENT;
1069
1070 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1071 || !WPACKET_start_sub_packet_u16(pkt)) {
1072 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1073 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1074 return EXT_RETURN_FAIL;
1075 }
1076
1077 /*
1078 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1079 * send back an empty extension, with the certificate status appearing as a
1080 * separate message
1081 */
1082 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1083 /* SSLfatal() already called */
1084 return EXT_RETURN_FAIL;
1085 }
1086 if (!WPACKET_close(pkt)) {
1087 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1088 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1089 return EXT_RETURN_FAIL;
1090 }
1091
1092 return EXT_RETURN_SENT;
1093 }
1094 #endif
1095
1096 #ifndef OPENSSL_NO_NEXTPROTONEG
1097 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1098 unsigned int context, X509 *x,
1099 size_t chainidx)
1100 {
1101 const unsigned char *npa;
1102 unsigned int npalen;
1103 int ret;
1104 int npn_seen = s->s3->npn_seen;
1105
1106 s->s3->npn_seen = 0;
1107 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1108 return EXT_RETURN_NOT_SENT;
1109
1110 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1111 s->ctx->ext.npn_advertised_cb_arg);
1112 if (ret == SSL_TLSEXT_ERR_OK) {
1113 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1114 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1115 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1116 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1117 ERR_R_INTERNAL_ERROR);
1118 return EXT_RETURN_FAIL;
1119 }
1120 s->s3->npn_seen = 1;
1121 }
1122
1123 return EXT_RETURN_SENT;
1124 }
1125 #endif
1126
1127 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1128 X509 *x, size_t chainidx)
1129 {
1130 if (s->s3->alpn_selected == NULL)
1131 return EXT_RETURN_NOT_SENT;
1132
1133 if (!WPACKET_put_bytes_u16(pkt,
1134 TLSEXT_TYPE_application_layer_protocol_negotiation)
1135 || !WPACKET_start_sub_packet_u16(pkt)
1136 || !WPACKET_start_sub_packet_u16(pkt)
1137 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1138 s->s3->alpn_selected_len)
1139 || !WPACKET_close(pkt)
1140 || !WPACKET_close(pkt)) {
1141 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1142 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1143 return EXT_RETURN_FAIL;
1144 }
1145
1146 return EXT_RETURN_SENT;
1147 }
1148
1149 #ifndef OPENSSL_NO_SRTP
1150 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1151 unsigned int context, X509 *x,
1152 size_t chainidx)
1153 {
1154 if (s->srtp_profile == NULL)
1155 return EXT_RETURN_NOT_SENT;
1156
1157 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1158 || !WPACKET_start_sub_packet_u16(pkt)
1159 || !WPACKET_put_bytes_u16(pkt, 2)
1160 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1161 || !WPACKET_put_bytes_u8(pkt, 0)
1162 || !WPACKET_close(pkt)) {
1163 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1164 ERR_R_INTERNAL_ERROR);
1165 return EXT_RETURN_FAIL;
1166 }
1167
1168 return EXT_RETURN_SENT;
1169 }
1170 #endif
1171
1172 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1173 X509 *x, size_t chainidx)
1174 {
1175 if (!s->ext.use_etm)
1176 return EXT_RETURN_NOT_SENT;
1177
1178 /*
1179 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1180 * for other cases too.
1181 */
1182 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1183 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1184 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1185 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1186 s->ext.use_etm = 0;
1187 return EXT_RETURN_NOT_SENT;
1188 }
1189
1190 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1191 || !WPACKET_put_bytes_u16(pkt, 0)) {
1192 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1193 ERR_R_INTERNAL_ERROR);
1194 return EXT_RETURN_FAIL;
1195 }
1196
1197 return EXT_RETURN_SENT;
1198 }
1199
1200 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1201 X509 *x, size_t chainidx)
1202 {
1203 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1204 return EXT_RETURN_NOT_SENT;
1205
1206 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1207 || !WPACKET_put_bytes_u16(pkt, 0)) {
1208 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1209 ERR_R_INTERNAL_ERROR);
1210 return EXT_RETURN_FAIL;
1211 }
1212
1213 return EXT_RETURN_SENT;
1214 }
1215
1216 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1217 unsigned int context, X509 *x,
1218 size_t chainidx)
1219 {
1220 #ifndef OPENSSL_NO_TLS1_3
1221 unsigned char *encodedPoint;
1222 size_t encoded_pt_len = 0;
1223 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1224
1225 if (ckey == NULL) {
1226 /* No key_share received from client */
1227 if (s->hello_retry_request) {
1228 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1229 || !WPACKET_start_sub_packet_u16(pkt)
1230 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1231 || !WPACKET_close(pkt)) {
1232 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1233 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1234 ERR_R_INTERNAL_ERROR);
1235 return EXT_RETURN_FAIL;
1236 }
1237
1238 return EXT_RETURN_SENT;
1239 }
1240
1241 /* Must be resuming. */
1242 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1243 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1244 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1245 return EXT_RETURN_FAIL;
1246 }
1247 return EXT_RETURN_NOT_SENT;
1248 }
1249
1250 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1251 || !WPACKET_start_sub_packet_u16(pkt)
1252 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1253 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1254 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1255 return EXT_RETURN_FAIL;
1256 }
1257
1258 skey = ssl_generate_pkey(ckey);
1259 if (skey == NULL) {
1260 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1261 ERR_R_MALLOC_FAILURE);
1262 return EXT_RETURN_FAIL;
1263 }
1264
1265 /* Generate encoding of server key */
1266 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1267 if (encoded_pt_len == 0) {
1268 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1269 ERR_R_EC_LIB);
1270 EVP_PKEY_free(skey);
1271 return EXT_RETURN_FAIL;
1272 }
1273
1274 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1275 || !WPACKET_close(pkt)) {
1276 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1277 ERR_R_INTERNAL_ERROR);
1278 EVP_PKEY_free(skey);
1279 OPENSSL_free(encodedPoint);
1280 return EXT_RETURN_FAIL;
1281 }
1282 OPENSSL_free(encodedPoint);
1283
1284 /* This causes the crypto state to be updated based on the derived keys */
1285 s->s3->tmp.pkey = skey;
1286 if (ssl_derive(s, skey, ckey, 1) == 0) {
1287 /* SSLfatal() already called */
1288 return EXT_RETURN_FAIL;
1289 }
1290 #endif
1291
1292 return EXT_RETURN_SENT;
1293 }
1294
1295 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1296 unsigned int context, X509 *x,
1297 size_t chainidx)
1298 {
1299 const unsigned char cryptopro_ext[36] = {
1300 0xfd, 0xe8, /* 65000 */
1301 0x00, 0x20, /* 32 bytes length */
1302 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1303 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1304 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1305 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1306 };
1307
1308 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1309 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1310 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1311 return EXT_RETURN_NOT_SENT;
1312
1313 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1314 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1315 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1316 return EXT_RETURN_FAIL;
1317 }
1318
1319 return EXT_RETURN_SENT;
1320 }
1321
1322 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1323 unsigned int context, X509 *x,
1324 size_t chainidx)
1325 {
1326 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1327 if (s->max_early_data == 0)
1328 return EXT_RETURN_NOT_SENT;
1329
1330 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1331 || !WPACKET_start_sub_packet_u16(pkt)
1332 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1333 || !WPACKET_close(pkt)) {
1334 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1335 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1336 return EXT_RETURN_FAIL;
1337 }
1338
1339 return EXT_RETURN_SENT;
1340 }
1341
1342 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1343 return EXT_RETURN_NOT_SENT;
1344
1345 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1346 || !WPACKET_start_sub_packet_u16(pkt)
1347 || !WPACKET_close(pkt)) {
1348 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1349 ERR_R_INTERNAL_ERROR);
1350 return EXT_RETURN_FAIL;
1351 }
1352
1353 return EXT_RETURN_SENT;
1354 }
1355
1356 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1357 X509 *x, size_t chainidx)
1358 {
1359 if (!s->hit)
1360 return EXT_RETURN_NOT_SENT;
1361
1362 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1363 || !WPACKET_start_sub_packet_u16(pkt)
1364 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1365 || !WPACKET_close(pkt)) {
1366 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1367 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1368 return EXT_RETURN_FAIL;
1369 }
1370
1371 return EXT_RETURN_SENT;
1372 }
A mirror of the official openssl repository