]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add support for the psk_key_exchange_modes extension
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
1 /*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
13
14 /*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
18 int *al)
19 {
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51 }
52
53 /*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
77 int *al)
78 {
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
92 * syntax inextensibly and OpenSSL 1.0.x parses it as
93 * such.
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
97 *
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
100 */
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
105 return 0;
106 }
107
108 if (!s->hit) {
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
111 return 0;
112 }
113
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
116 return 0;
117 }
118
119 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
120 *al = TLS1_AD_INTERNAL_ERROR;
121 return 0;
122 }
123
124 s->servername_done = 1;
125 } else {
126 /*
127 * TODO(openssl-team): if the SNI doesn't match, we MUST
128 * fall back to a full handshake.
129 */
130 s->servername_done = s->session->ext.hostname
131 && PACKET_equal(&hostname, s->session->ext.hostname,
132 strlen(s->session->ext.hostname));
133 }
134
135 return 1;
136 }
137
138 #ifndef OPENSSL_NO_SRP
139 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
140 {
141 PACKET srp_I;
142
143 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
144 || PACKET_contains_zero_byte(&srp_I)) {
145 *al = SSL_AD_DECODE_ERROR;
146 return 0;
147 }
148
149 /*
150 * TODO(openssl-team): currently, we re-authenticate the user
151 * upon resumption. Instead, we MUST ignore the login.
152 */
153 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
154 *al = TLS1_AD_INTERNAL_ERROR;
155 return 0;
156 }
157
158 return 1;
159 }
160 #endif
161
162 #ifndef OPENSSL_NO_EC
163 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
164 int *al)
165 {
166 PACKET ec_point_format_list;
167
168 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
169 || PACKET_remaining(&ec_point_format_list) == 0) {
170 *al = SSL_AD_DECODE_ERROR;
171 return 0;
172 }
173
174 if (!s->hit) {
175 if (!PACKET_memdup(&ec_point_format_list,
176 &s->session->ext.ecpointformats,
177 &s->session->ext.ecpointformats_len)) {
178 *al = TLS1_AD_INTERNAL_ERROR;
179 return 0;
180 }
181 }
182
183 return 1;
184 }
185 #endif /* OPENSSL_NO_EC */
186
187 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
188 int *al)
189 {
190 if (s->ext.session_ticket_cb &&
191 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
192 PACKET_remaining(pkt),
193 s->ext.session_ticket_cb_arg)) {
194 *al = TLS1_AD_INTERNAL_ERROR;
195 return 0;
196 }
197
198 return 1;
199 }
200
201 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
202 int *al)
203 {
204 PACKET supported_sig_algs;
205
206 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
207 || PACKET_remaining(&supported_sig_algs) == 0) {
208 *al = SSL_AD_DECODE_ERROR;
209 return 0;
210 }
211
212 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
213 *al = TLS1_AD_DECODE_ERROR;
214 return 0;
215 }
216
217 return 1;
218 }
219
220 #ifndef OPENSSL_NO_OCSP
221 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
222 int *al)
223 {
224 PACKET responder_id_list, exts;
225
226 /* Not defined if we get one of these in a client Certificate */
227 if (x != NULL)
228 return 1;
229
230 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
231 *al = SSL_AD_DECODE_ERROR;
232 return 0;
233 }
234
235 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
236 /*
237 * We don't know what to do with any other type so ignore it.
238 */
239 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
240 return 1;
241 }
242
243 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
244 *al = SSL_AD_DECODE_ERROR;
245 return 0;
246 }
247
248 /*
249 * We remove any OCSP_RESPIDs from a previous handshake
250 * to prevent unbounded memory growth - CVE-2016-6304
251 */
252 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
253 if (PACKET_remaining(&responder_id_list) > 0) {
254 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
255 if (s->ext.ocsp.ids == NULL) {
256 *al = SSL_AD_INTERNAL_ERROR;
257 return 0;
258 }
259 } else {
260 s->ext.ocsp.ids = NULL;
261 }
262
263 while (PACKET_remaining(&responder_id_list) > 0) {
264 OCSP_RESPID *id;
265 PACKET responder_id;
266 const unsigned char *id_data;
267
268 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
269 || PACKET_remaining(&responder_id) == 0) {
270 *al = SSL_AD_DECODE_ERROR;
271 return 0;
272 }
273
274 id_data = PACKET_data(&responder_id);
275 /* TODO(size_t): Convert d2i_* to size_t */
276 id = d2i_OCSP_RESPID(NULL, &id_data,
277 (int)PACKET_remaining(&responder_id));
278 if (id == NULL) {
279 *al = SSL_AD_DECODE_ERROR;
280 return 0;
281 }
282
283 if (id_data != PACKET_end(&responder_id)) {
284 OCSP_RESPID_free(id);
285 *al = SSL_AD_DECODE_ERROR;
286 return 0;
287 }
288
289 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
290 OCSP_RESPID_free(id);
291 *al = SSL_AD_INTERNAL_ERROR;
292 return 0;
293 }
294 }
295
296 /* Read in request_extensions */
297 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
298 *al = SSL_AD_DECODE_ERROR;
299 return 0;
300 }
301
302 if (PACKET_remaining(&exts) > 0) {
303 const unsigned char *ext_data = PACKET_data(&exts);
304
305 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
306 X509_EXTENSION_free);
307 s->ext.ocsp.exts =
308 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
309 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
310 *al = SSL_AD_DECODE_ERROR;
311 return 0;
312 }
313 }
314
315 return 1;
316 }
317 #endif
318
319 #ifndef OPENSSL_NO_NEXTPROTONEG
320 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
321 {
322 /*
323 * We shouldn't accept this extension on a
324 * renegotiation.
325 */
326 if (SSL_IS_FIRST_HANDSHAKE(s))
327 s->s3->npn_seen = 1;
328
329 return 1;
330 }
331 #endif
332
333 /*
334 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
335 * extension, not including type and length. |al| is a pointer to the alert
336 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
337 */
338 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
339 {
340 PACKET protocol_list, save_protocol_list, protocol;
341
342 if (!SSL_IS_FIRST_HANDSHAKE(s))
343 return 1;
344
345 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
346 || PACKET_remaining(&protocol_list) < 2) {
347 *al = SSL_AD_DECODE_ERROR;
348 return 0;
349 }
350
351 save_protocol_list = protocol_list;
352 do {
353 /* Protocol names can't be empty. */
354 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
355 || PACKET_remaining(&protocol) == 0) {
356 *al = SSL_AD_DECODE_ERROR;
357 return 0;
358 }
359 } while (PACKET_remaining(&protocol_list) != 0);
360
361 if (!PACKET_memdup(&save_protocol_list,
362 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
363 *al = TLS1_AD_INTERNAL_ERROR;
364 return 0;
365 }
366
367 return 1;
368 }
369
370 #ifndef OPENSSL_NO_SRTP
371 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
372 int *al)
373 {
374 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
375 unsigned int ct, mki_len, id;
376 int i, srtp_pref;
377 PACKET subpkt;
378
379 /* Ignore this if we have no SRTP profiles */
380 if (SSL_get_srtp_profiles(s) == NULL)
381 return 1;
382
383 /* Pull off the length of the cipher suite list and check it is even */
384 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
385 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
386 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
387 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
388 *al = SSL_AD_DECODE_ERROR;
389 return 0;
390 }
391
392 srvr = SSL_get_srtp_profiles(s);
393 s->srtp_profile = NULL;
394 /* Search all profiles for a match initially */
395 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
396
397 while (PACKET_remaining(&subpkt)) {
398 if (!PACKET_get_net_2(&subpkt, &id)) {
399 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
400 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
401 *al = SSL_AD_DECODE_ERROR;
402 return 0;
403 }
404
405 /*
406 * Only look for match in profiles of higher preference than
407 * current match.
408 * If no profiles have been have been configured then this
409 * does nothing.
410 */
411 for (i = 0; i < srtp_pref; i++) {
412 SRTP_PROTECTION_PROFILE *sprof =
413 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
414
415 if (sprof->id == id) {
416 s->srtp_profile = sprof;
417 srtp_pref = i;
418 break;
419 }
420 }
421 }
422
423 /* Now extract the MKI value as a sanity check, but discard it for now */
424 if (!PACKET_get_1(pkt, &mki_len)) {
425 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
426 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
427 *al = SSL_AD_DECODE_ERROR;
428 return 0;
429 }
430
431 if (!PACKET_forward(pkt, mki_len)
432 || PACKET_remaining(pkt)) {
433 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
434 *al = SSL_AD_DECODE_ERROR;
435 return 0;
436 }
437
438 return 1;
439 }
440 #endif
441
442 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
443 {
444 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
445 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
446
447 return 1;
448 }
449
450 /*
451 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
452 * and |checkallow| is 1 then additionally check if the group is allowed to be
453 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
454 * 1) or 0 otherwise.
455 */
456 #ifndef OPENSSL_NO_TLS1_3
457 static int check_in_list(SSL *s, unsigned int group_id,
458 const unsigned char *groups, size_t num_groups,
459 int checkallow)
460 {
461 size_t i;
462
463 if (groups == NULL || num_groups == 0)
464 return 0;
465
466 for (i = 0; i < num_groups; i++, groups += 2) {
467 unsigned int share_id = (groups[0] << 8) | (groups[1]);
468
469 if (group_id == share_id
470 && (!checkallow
471 || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
472 break;
473 }
474 }
475
476 /* If i == num_groups then not in the list */
477 return i < num_groups;
478 }
479 #endif
480
481 /*
482 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
483 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
484 * If a failure occurs then |*al| is set to an appropriate alert value.
485 */
486 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
487 int *al)
488 {
489 #ifndef OPENSSL_NO_TLS1_3
490 PACKET psk_kex_modes;
491 unsigned int mode;
492
493 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
494 || PACKET_remaining(&psk_kex_modes) == 0) {
495 *al = SSL_AD_DECODE_ERROR;
496 return 0;
497 }
498
499 while (PACKET_get_1(&psk_kex_modes, &mode)) {
500 if (mode == TLSEXT_KEX_MODE_KE_DHE)
501 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
502 else if (mode == TLSEXT_KEX_MODE_KE)
503 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
504 }
505 #endif
506
507 return 1;
508 }
509
510 /*
511 * Process a key_share extension received in the ClientHello. |pkt| contains
512 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
513 * If a failure occurs then |*al| is set to an appropriate alert value.
514 */
515 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
516 int *al)
517 {
518 #ifndef OPENSSL_NO_TLS1_3
519 unsigned int group_id;
520 PACKET key_share_list, encoded_pt;
521 const unsigned char *clntcurves, *srvrcurves;
522 size_t clnt_num_curves, srvr_num_curves;
523 int group_nid, found = 0;
524 unsigned int curve_flags;
525
526 if (s->hit)
527 return 1;
528
529 /* Sanity check */
530 if (s->s3->peer_tmp != NULL) {
531 *al = SSL_AD_INTERNAL_ERROR;
532 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
533 return 0;
534 }
535
536 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
537 *al = SSL_AD_HANDSHAKE_FAILURE;
538 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
539 return 0;
540 }
541
542 /* Get our list of supported curves */
543 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
544 *al = SSL_AD_INTERNAL_ERROR;
545 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
546 return 0;
547 }
548
549 /*
550 * Get the clients list of supported curves.
551 * TODO(TLS1.3): We should validate that we actually received
552 * supported_groups!
553 */
554 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
555 *al = SSL_AD_INTERNAL_ERROR;
556 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
557 return 0;
558 }
559
560 while (PACKET_remaining(&key_share_list) > 0) {
561 if (!PACKET_get_net_2(&key_share_list, &group_id)
562 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
563 || PACKET_remaining(&encoded_pt) == 0) {
564 *al = SSL_AD_HANDSHAKE_FAILURE;
565 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
566 SSL_R_LENGTH_MISMATCH);
567 return 0;
568 }
569
570 /*
571 * If we already found a suitable key_share we loop through the
572 * rest to verify the structure, but don't process them.
573 */
574 if (found)
575 continue;
576
577 /* Check if this share is in supported_groups sent from client */
578 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
579 *al = SSL_AD_HANDSHAKE_FAILURE;
580 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
581 return 0;
582 }
583
584 /* Check if this share is for a group we can use */
585 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
586 /* Share not suitable */
587 continue;
588 }
589
590 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
591
592 if (group_nid == 0) {
593 *al = SSL_AD_INTERNAL_ERROR;
594 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
595 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
596 return 0;
597 }
598
599 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
600 /* Can happen for some curves, e.g. X25519 */
601 EVP_PKEY *key = EVP_PKEY_new();
602
603 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
604 *al = SSL_AD_INTERNAL_ERROR;
605 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
606 EVP_PKEY_free(key);
607 return 0;
608 }
609 s->s3->peer_tmp = key;
610 } else {
611 /* Set up EVP_PKEY with named curve as parameters */
612 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
613
614 if (pctx == NULL
615 || EVP_PKEY_paramgen_init(pctx) <= 0
616 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
617 group_nid) <= 0
618 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
619 *al = SSL_AD_INTERNAL_ERROR;
620 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
621 EVP_PKEY_CTX_free(pctx);
622 return 0;
623 }
624 EVP_PKEY_CTX_free(pctx);
625 pctx = NULL;
626 }
627 s->s3->group_id = group_id;
628
629 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
630 PACKET_data(&encoded_pt),
631 PACKET_remaining(&encoded_pt))) {
632 *al = SSL_AD_DECODE_ERROR;
633 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
634 return 0;
635 }
636
637 found = 1;
638 }
639 #endif
640
641 return 1;
642 }
643
644 #ifndef OPENSSL_NO_EC
645 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x,
646 size_t chainidx, int *al)
647 {
648 PACKET supported_groups_list;
649
650 /* Each group is 2 bytes and we must have at least 1. */
651 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
652 || PACKET_remaining(&supported_groups_list) == 0
653 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
654 *al = SSL_AD_DECODE_ERROR;
655 return 0;
656 }
657
658 if (!s->hit
659 && !PACKET_memdup(&supported_groups_list,
660 &s->session->ext.supportedgroups,
661 &s->session->ext.supportedgroups_len)) {
662 *al = SSL_AD_DECODE_ERROR;
663 return 0;
664 }
665
666 return 1;
667 }
668 #endif
669
670 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
671 {
672 /* The extension must always be empty */
673 if (PACKET_remaining(pkt) != 0) {
674 *al = SSL_AD_DECODE_ERROR;
675 return 0;
676 }
677
678 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
679
680 return 1;
681 }
682
683 /*
684 * Add the server's renegotiation binding
685 */
686 int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t
687 chainidx, int *al)
688 {
689 if (!s->s3->send_connection_binding)
690 return 1;
691
692 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
693 || !WPACKET_start_sub_packet_u16(pkt)
694 || !WPACKET_start_sub_packet_u8(pkt)
695 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
696 s->s3->previous_client_finished_len)
697 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
698 s->s3->previous_server_finished_len)
699 || !WPACKET_close(pkt)
700 || !WPACKET_close(pkt)) {
701 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
702 return 0;
703 }
704
705 return 1;
706 }
707
708 int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x,
709 size_t chainidx, int *al)
710 {
711 if (s->hit || s->servername_done != 1
712 || s->session->ext.hostname == NULL)
713 return 1;
714
715 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
716 || !WPACKET_put_bytes_u16(pkt, 0)) {
717 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
718 return 0;
719 }
720
721 return 1;
722 }
723
724 #ifndef OPENSSL_NO_EC
725 int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
726 size_t chainidx, int *al)
727 {
728 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
729 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
730 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
731 && (s->session->ext.ecpointformats != NULL);
732 const unsigned char *plist;
733 size_t plistlen;
734
735 if (!using_ecc)
736 return 1;
737
738 tls1_get_formatlist(s, &plist, &plistlen);
739 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
740 || !WPACKET_start_sub_packet_u16(pkt)
741 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
742 || !WPACKET_close(pkt)) {
743 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
744 return 0;
745 }
746
747 return 1;
748 }
749 #endif
750
751 int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
752 size_t chainidx, int *al)
753 {
754 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
755 s->ext.ticket_expected = 0;
756 return 1;
757 }
758
759 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
760 || !WPACKET_put_bytes_u16(pkt, 0)) {
761 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
762 return 0;
763 }
764
765 return 1;
766 }
767
768 #ifndef OPENSSL_NO_OCSP
769 int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
770 size_t chainidx, int *al)
771 {
772 if (!s->ext.status_expected)
773 return 1;
774
775 if (SSL_IS_TLS13(s) && chainidx != 0)
776 return 1;
777
778 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
779 || !WPACKET_start_sub_packet_u16(pkt)) {
780 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
781 return 0;
782 }
783
784 /*
785 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
786 * send back an empty extension, with the certificate status appearing as a
787 * separate message
788 */
789 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
790 || !WPACKET_close(pkt)) {
791 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
792 return 0;
793 }
794
795 return 1;
796 }
797 #endif
798
799 #ifndef OPENSSL_NO_NEXTPROTONEG
800 int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
801 size_t chainidx, int *al)
802 {
803 const unsigned char *npa;
804 unsigned int npalen;
805 int ret;
806 int npn_seen = s->s3->npn_seen;
807
808 s->s3->npn_seen = 0;
809 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
810 return 1;
811
812 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
813 s->ctx->ext.npn_advertised_cb_arg);
814 if (ret == SSL_TLSEXT_ERR_OK) {
815 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
816 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
817 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
818 ERR_R_INTERNAL_ERROR);
819 return 0;
820 }
821 s->s3->npn_seen = 1;
822 }
823
824 return 1;
825 }
826 #endif
827
828 int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
829 int *al)
830 {
831 if (s->s3->alpn_selected == NULL)
832 return 1;
833
834 if (!WPACKET_put_bytes_u16(pkt,
835 TLSEXT_TYPE_application_layer_protocol_negotiation)
836 || !WPACKET_start_sub_packet_u16(pkt)
837 || !WPACKET_start_sub_packet_u16(pkt)
838 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
839 s->s3->alpn_selected_len)
840 || !WPACKET_close(pkt)
841 || !WPACKET_close(pkt)) {
842 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
843 return 0;
844 }
845
846 return 1;
847 }
848
849 #ifndef OPENSSL_NO_SRTP
850 int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
851 int *al)
852 {
853 if (s->srtp_profile == NULL)
854 return 1;
855
856 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
857 || !WPACKET_start_sub_packet_u16(pkt)
858 || !WPACKET_put_bytes_u16(pkt, 2)
859 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
860 || !WPACKET_put_bytes_u8(pkt, 0)
861 || !WPACKET_close(pkt)) {
862 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
863 return 0;
864 }
865
866 return 1;
867 }
868 #endif
869
870 int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
871 int *al)
872 {
873 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
874 return 1;
875
876 /*
877 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
878 * for other cases too.
879 */
880 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
881 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
882 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
883 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
884 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
885 return 1;
886 }
887
888 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
889 || !WPACKET_put_bytes_u16(pkt, 0)) {
890 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
891 return 0;
892 }
893
894 return 1;
895 }
896
897 int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
898 int *al)
899 {
900 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
901 return 1;
902
903 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
904 || !WPACKET_put_bytes_u16(pkt, 0)) {
905 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
906 return 0;
907 }
908
909 return 1;
910 }
911
912 int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
913 int *al)
914 {
915 #ifndef OPENSSL_NO_TLS1_3
916 unsigned char *encodedPoint;
917 size_t encoded_pt_len = 0;
918 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
919
920 if (s->hit)
921 return 1;
922
923 if (ckey == NULL) {
924 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
925 return 0;
926 }
927
928 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
929 || !WPACKET_start_sub_packet_u16(pkt)
930 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
931 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
932 return 0;
933 }
934
935 skey = ssl_generate_pkey(ckey);
936 if (skey == NULL) {
937 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
938 return 0;
939 }
940
941 /* Generate encoding of server key */
942 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
943 if (encoded_pt_len == 0) {
944 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
945 EVP_PKEY_free(skey);
946 return 0;
947 }
948
949 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
950 || !WPACKET_close(pkt)) {
951 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
952 EVP_PKEY_free(skey);
953 OPENSSL_free(encodedPoint);
954 return 0;
955 }
956 OPENSSL_free(encodedPoint);
957
958 /* This causes the crypto state to be updated based on the derived keys */
959 s->s3->tmp.pkey = skey;
960 if (ssl_derive(s, skey, ckey, 1) == 0) {
961 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
962 return 0;
963 }
964 #endif
965
966 return 1;
967 }
968
969 int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, X509 *x,
970 size_t chainidx, int *al)
971 {
972 const unsigned char cryptopro_ext[36] = {
973 0xfd, 0xe8, /* 65000 */
974 0x00, 0x20, /* 32 bytes length */
975 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
976 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
977 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
978 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
979 };
980
981 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
982 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
983 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
984 return 1;
985
986 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
987 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
988 return 0;
989 }
990
991 return 1;
992 }
A mirror of the official openssl repository