]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Create Certificate messages in TLS1.3 format
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
1 /*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
13
14 /*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chain,
18 int *al)
19 {
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51 }
52
53 /*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chain,
77 int *al)
78 {
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
92 * syntax inextensibly and OpenSSL 1.0.x parses it as
93 * such.
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
97 *
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
100 */
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
105 return 0;
106 }
107
108 if (!s->hit) {
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
111 return 0;
112 }
113
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
116 return 0;
117 }
118
119 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
120 *al = TLS1_AD_INTERNAL_ERROR;
121 return 0;
122 }
123
124 s->servername_done = 1;
125 } else {
126 /*
127 * TODO(openssl-team): if the SNI doesn't match, we MUST
128 * fall back to a full handshake.
129 */
130 s->servername_done = s->session->tlsext_hostname
131 && PACKET_equal(&hostname, s->session->tlsext_hostname,
132 strlen(s->session->tlsext_hostname));
133 }
134
135 return 1;
136 }
137
138 #ifndef OPENSSL_NO_SRP
139 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
140 {
141 PACKET srp_I;
142
143 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
144 || PACKET_contains_zero_byte(&srp_I)) {
145 *al = SSL_AD_DECODE_ERROR;
146 return 0;
147 }
148
149 /*
150 * TODO(openssl-team): currently, we re-authenticate the user
151 * upon resumption. Instead, we MUST ignore the login.
152 */
153 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
154 *al = TLS1_AD_INTERNAL_ERROR;
155 return 0;
156 }
157
158 return 1;
159 }
160 #endif
161
162 #ifndef OPENSSL_NO_EC
163 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chain,
164 int *al)
165 {
166 PACKET ec_point_format_list;
167
168 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
169 || PACKET_remaining(&ec_point_format_list) == 0) {
170 *al = SSL_AD_DECODE_ERROR;
171 return 0;
172 }
173
174 if (!s->hit) {
175 if (!PACKET_memdup(&ec_point_format_list,
176 &s->session->tlsext_ecpointformatlist,
177 &s->session->tlsext_ecpointformatlist_length)) {
178 *al = TLS1_AD_INTERNAL_ERROR;
179 return 0;
180 }
181 }
182
183 return 1;
184 }
185 #endif /* OPENSSL_NO_EC */
186
187 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chain,
188 int *al)
189 {
190 if (s->tls_session_ticket_ext_cb &&
191 !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
192 PACKET_remaining(pkt),
193 s->tls_session_ticket_ext_cb_arg)) {
194 *al = TLS1_AD_INTERNAL_ERROR;
195 return 0;
196 }
197
198 return 1;
199 }
200
201 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
202 {
203 PACKET supported_sig_algs;
204
205 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
206 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
207 || PACKET_remaining(&supported_sig_algs) == 0) {
208 *al = SSL_AD_DECODE_ERROR;
209 return 0;
210 }
211
212 if (!s->hit && !tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
213 PACKET_remaining(&supported_sig_algs))) {
214 *al = TLS1_AD_INTERNAL_ERROR;
215 return 0;
216 }
217
218 return 1;
219 }
220
221 #ifndef OPENSSL_NO_OCSP
222 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chain,
223 int *al)
224 {
225 PACKET responder_id_list, exts;
226
227 /* Not defined if we get one of these in a client Certificate */
228 if (x != NULL)
229 return 1;
230
231 if (!PACKET_get_1(pkt, (unsigned int *)&s->tlsext_status_type)) {
232 *al = SSL_AD_DECODE_ERROR;
233 return 0;
234 }
235
236 if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp) {
237 /*
238 * We don't know what to do with any other type so ignore it.
239 */
240 s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
241 return 1;
242 }
243
244 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
245 *al = SSL_AD_DECODE_ERROR;
246 return 0;
247 }
248
249 /*
250 * We remove any OCSP_RESPIDs from a previous handshake
251 * to prevent unbounded memory growth - CVE-2016-6304
252 */
253 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
254 if (PACKET_remaining(&responder_id_list) > 0) {
255 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
256 if (s->tlsext_ocsp_ids == NULL) {
257 *al = SSL_AD_INTERNAL_ERROR;
258 return 0;
259 }
260 } else {
261 s->tlsext_ocsp_ids = NULL;
262 }
263
264 while (PACKET_remaining(&responder_id_list) > 0) {
265 OCSP_RESPID *id;
266 PACKET responder_id;
267 const unsigned char *id_data;
268
269 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
270 || PACKET_remaining(&responder_id) == 0) {
271 *al = SSL_AD_DECODE_ERROR;
272 return 0;
273 }
274
275 id_data = PACKET_data(&responder_id);
276 /* TODO(size_t): Convert d2i_* to size_t */
277 id = d2i_OCSP_RESPID(NULL, &id_data,
278 (int)PACKET_remaining(&responder_id));
279 if (id == NULL) {
280 *al = SSL_AD_DECODE_ERROR;
281 return 0;
282 }
283
284 if (id_data != PACKET_end(&responder_id)) {
285 OCSP_RESPID_free(id);
286 *al = SSL_AD_DECODE_ERROR;
287 return 0;
288 }
289
290 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
291 OCSP_RESPID_free(id);
292 *al = SSL_AD_INTERNAL_ERROR;
293 return 0;
294 }
295 }
296
297 /* Read in request_extensions */
298 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
299 *al = SSL_AD_DECODE_ERROR;
300 return 0;
301 }
302
303 if (PACKET_remaining(&exts) > 0) {
304 const unsigned char *ext_data = PACKET_data(&exts);
305
306 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
307 X509_EXTENSION_free);
308 s->tlsext_ocsp_exts =
309 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
310 if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) {
311 *al = SSL_AD_DECODE_ERROR;
312 return 0;
313 }
314 }
315
316 return 1;
317 }
318 #endif
319
320 #ifndef OPENSSL_NO_NEXTPROTONEG
321 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
322 {
323 /*
324 * We shouldn't accept this extension on a
325 * renegotiation.
326 *
327 * s->new_session will be set on renegotiation, but we
328 * probably shouldn't rely that it couldn't be set on
329 * the initial renegotiation too in certain cases (when
330 * there's some other reason to disallow resuming an
331 * earlier session -- the current code won't be doing
332 * anything like that, but this might change).
333 *
334 * A valid sign that there's been a previous handshake
335 * in this connection is if s->s3->tmp.finish_md_len >
336 * 0. (We are talking about a check that will happen
337 * in the Hello protocol round, well before a new
338 * Finished message could have been computed.)
339 */
340 if (s->s3->tmp.finish_md_len == 0)
341 s->s3->next_proto_neg_seen = 1;
342
343 return 1;
344 }
345 #endif
346
347 /*
348 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
349 * extension, not including type and length. |al| is a pointer to the alert
350 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
351 */
352 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
353 {
354 PACKET protocol_list, save_protocol_list, protocol;
355
356 if (s->s3->tmp.finish_md_len != 0)
357 return 1;
358
359 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
360 || PACKET_remaining(&protocol_list) < 2) {
361 *al = SSL_AD_DECODE_ERROR;
362 return 0;
363 }
364
365 save_protocol_list = protocol_list;
366 do {
367 /* Protocol names can't be empty. */
368 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
369 || PACKET_remaining(&protocol) == 0) {
370 *al = SSL_AD_DECODE_ERROR;
371 return 0;
372 }
373 } while (PACKET_remaining(&protocol_list) != 0);
374
375 if (!PACKET_memdup(&save_protocol_list,
376 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
377 *al = TLS1_AD_INTERNAL_ERROR;
378 return 0;
379 }
380
381 return 1;
382 }
383
384 #ifndef OPENSSL_NO_SRTP
385 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
386 {
387 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
388 unsigned int ct, mki_len, id;
389 int i, srtp_pref;
390 PACKET subpkt;
391
392 /* Ignore this if we have no SRTP profiles */
393 if (SSL_get_srtp_profiles(s) == NULL)
394 return 1;
395
396 /* Pull off the length of the cipher suite list and check it is even */
397 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
398 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
399 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
400 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
401 *al = SSL_AD_DECODE_ERROR;
402 return 0;
403 }
404
405 srvr = SSL_get_srtp_profiles(s);
406 s->srtp_profile = NULL;
407 /* Search all profiles for a match initially */
408 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
409
410 while (PACKET_remaining(&subpkt)) {
411 if (!PACKET_get_net_2(&subpkt, &id)) {
412 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
413 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
414 *al = SSL_AD_DECODE_ERROR;
415 return 0;
416 }
417
418 /*
419 * Only look for match in profiles of higher preference than
420 * current match.
421 * If no profiles have been have been configured then this
422 * does nothing.
423 */
424 for (i = 0; i < srtp_pref; i++) {
425 SRTP_PROTECTION_PROFILE *sprof =
426 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
427
428 if (sprof->id == id) {
429 s->srtp_profile = sprof;
430 srtp_pref = i;
431 break;
432 }
433 }
434 }
435
436 /* Now extract the MKI value as a sanity check, but discard it for now */
437 if (!PACKET_get_1(pkt, &mki_len)) {
438 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
439 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
440 *al = SSL_AD_DECODE_ERROR;
441 return 0;
442 }
443
444 if (!PACKET_forward(pkt, mki_len)
445 || PACKET_remaining(pkt)) {
446 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
447 *al = SSL_AD_DECODE_ERROR;
448 return 0;
449 }
450
451 return 1;
452 }
453 #endif
454
455 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
456 {
457 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
458 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
459
460 return 1;
461 }
462
463 /*
464 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
465 * and |checkallow| is 1 then additionally check if the group is allowed to be
466 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
467 * 1) or 0 otherwise.
468 */
469 #ifndef OPENSSL_NO_TLS1_3
470 static int check_in_list(SSL *s, unsigned int group_id,
471 const unsigned char *groups, size_t num_groups,
472 int checkallow)
473 {
474 size_t i;
475
476 if (groups == NULL || num_groups == 0)
477 return 0;
478
479 for (i = 0; i < num_groups; i++, groups += 2) {
480 unsigned int share_id = (groups[0] << 8) | (groups[1]);
481
482 if (group_id == share_id
483 && (!checkallow
484 || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
485 break;
486 }
487 }
488
489 /* If i == num_groups then not in the list */
490 return i < num_groups;
491 }
492 #endif
493
494 /*
495 * Process a key_share extension received in the ClientHello. |pkt| contains
496 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
497 * If a failure occurs then |*al| is set to an appropriate alert value.
498 */
499 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chain,
500 int *al)
501 {
502 #ifndef OPENSSL_NO_TLS1_3
503 unsigned int group_id;
504 PACKET key_share_list, encoded_pt;
505 const unsigned char *clntcurves, *srvrcurves;
506 size_t clnt_num_curves, srvr_num_curves;
507 int group_nid, found = 0;
508 unsigned int curve_flags;
509
510 if (s->hit)
511 return 1;
512
513 /* Sanity check */
514 if (s->s3->peer_tmp != NULL) {
515 *al = SSL_AD_INTERNAL_ERROR;
516 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
517 return 0;
518 }
519
520 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
521 *al = SSL_AD_HANDSHAKE_FAILURE;
522 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
523 return 0;
524 }
525
526 /* Get our list of supported curves */
527 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
528 *al = SSL_AD_INTERNAL_ERROR;
529 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
530 return 0;
531 }
532
533 /*
534 * Get the clients list of supported curves.
535 * TODO(TLS1.3): We should validate that we actually received
536 * supported_groups!
537 */
538 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
539 *al = SSL_AD_INTERNAL_ERROR;
540 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
541 return 0;
542 }
543
544 while (PACKET_remaining(&key_share_list) > 0) {
545 if (!PACKET_get_net_2(&key_share_list, &group_id)
546 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
547 || PACKET_remaining(&encoded_pt) == 0) {
548 *al = SSL_AD_HANDSHAKE_FAILURE;
549 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
550 SSL_R_LENGTH_MISMATCH);
551 return 0;
552 }
553
554 /*
555 * If we already found a suitable key_share we loop through the
556 * rest to verify the structure, but don't process them.
557 */
558 if (found)
559 continue;
560
561 /* Check if this share is in supported_groups sent from client */
562 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
563 *al = SSL_AD_HANDSHAKE_FAILURE;
564 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
565 return 0;
566 }
567
568 /* Check if this share is for a group we can use */
569 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
570 /* Share not suitable */
571 continue;
572 }
573
574 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
575
576 if (group_nid == 0) {
577 *al = SSL_AD_INTERNAL_ERROR;
578 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
579 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
580 return 0;
581 }
582
583 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
584 /* Can happen for some curves, e.g. X25519 */
585 EVP_PKEY *key = EVP_PKEY_new();
586
587 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
588 *al = SSL_AD_INTERNAL_ERROR;
589 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
590 EVP_PKEY_free(key);
591 return 0;
592 }
593 s->s3->peer_tmp = key;
594 } else {
595 /* Set up EVP_PKEY with named curve as parameters */
596 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
597
598 if (pctx == NULL
599 || EVP_PKEY_paramgen_init(pctx) <= 0
600 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
601 group_nid) <= 0
602 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
603 *al = SSL_AD_INTERNAL_ERROR;
604 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
605 EVP_PKEY_CTX_free(pctx);
606 return 0;
607 }
608 EVP_PKEY_CTX_free(pctx);
609 pctx = NULL;
610 }
611 s->s3->group_id = group_id;
612
613 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
614 PACKET_data(&encoded_pt),
615 PACKET_remaining(&encoded_pt))) {
616 *al = SSL_AD_DECODE_ERROR;
617 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
618 return 0;
619 }
620
621 found = 1;
622 }
623 #endif
624
625 return 1;
626 }
627
628 #ifndef OPENSSL_NO_EC
629 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x, size_t chain,
630 int *al)
631 {
632 PACKET supported_groups_list;
633
634 /* Each group is 2 bytes and we must have at least 1. */
635 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
636 || PACKET_remaining(&supported_groups_list) == 0
637 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
638 *al = SSL_AD_DECODE_ERROR;
639 return 0;
640 }
641
642 if (!s->hit
643 && !PACKET_memdup(&supported_groups_list,
644 &s->session->tlsext_supportedgroupslist,
645 &s->session->tlsext_supportedgroupslist_length)) {
646 *al = SSL_AD_DECODE_ERROR;
647 return 0;
648 }
649
650 return 1;
651 }
652 #endif
653
654 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
655 {
656 /* The extension must always be empty */
657 if (PACKET_remaining(pkt) != 0) {
658 *al = SSL_AD_DECODE_ERROR;
659 return 0;
660 }
661
662 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
663
664 return 1;
665 }
666
667 /*
668 * Add the server's renegotiation binding
669 */
670 int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
671 int *al)
672 {
673 if (!s->s3->send_connection_binding)
674 return 1;
675
676 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
677 || !WPACKET_start_sub_packet_u16(pkt)
678 || !WPACKET_start_sub_packet_u8(pkt)
679 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
680 s->s3->previous_client_finished_len)
681 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
682 s->s3->previous_server_finished_len)
683 || !WPACKET_close(pkt)
684 || !WPACKET_close(pkt)) {
685 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
686 return 0;
687 }
688
689 return 1;
690 }
691
692 int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
693 int *al)
694 {
695 if (s->hit || s->servername_done != 1
696 || s->session->tlsext_hostname == NULL)
697 return 1;
698
699 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
700 || !WPACKET_put_bytes_u16(pkt, 0)) {
701 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
702 return 0;
703 }
704
705 return 1;
706 }
707
708 #ifndef OPENSSL_NO_EC
709 int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
710 size_t chain, int *al)
711 {
712 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
713 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
714 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
715 && (s->session->tlsext_ecpointformatlist != NULL);
716 const unsigned char *plist;
717 size_t plistlen;
718
719 if (!using_ecc)
720 return 1;
721
722 tls1_get_formatlist(s, &plist, &plistlen);
723 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
724 || !WPACKET_start_sub_packet_u16(pkt)
725 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
726 || !WPACKET_close(pkt)) {
727 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
728 return 0;
729 }
730
731 return 1;
732 }
733 #endif
734
735 int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
736 size_t chain, int *al)
737 {
738 if (!s->tlsext_ticket_expected || !tls_use_ticket(s)) {
739 s->tlsext_ticket_expected = 0;
740 return 1;
741 }
742
743 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
744 || !WPACKET_put_bytes_u16(pkt, 0)) {
745 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
746 return 0;
747 }
748
749 return 1;
750 }
751
752 #ifndef OPENSSL_NO_OCSP
753 int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
754 size_t chain, int *al)
755 {
756 if (!s->tlsext_status_expected)
757 return 1;
758
759 if (SSL_IS_TLS13(s) && chain != 0)
760 return 1;
761
762 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
763 || !WPACKET_put_bytes_u16(pkt, 0)) {
764 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
765 return 0;
766 }
767
768 return 1;
769 }
770 #endif
771
772 #ifndef OPENSSL_NO_NEXTPROTONEG
773 int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
774 size_t chain, int *al)
775 {
776 const unsigned char *npa;
777 unsigned int npalen;
778 int ret;
779 int next_proto_neg_seen = s->s3->next_proto_neg_seen;
780
781 s->s3->next_proto_neg_seen = 0;
782 if (!next_proto_neg_seen || s->ctx->next_protos_advertised_cb == NULL)
783 return 1;
784
785 ret = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
786 s->ctx->next_protos_advertised_cb_arg);
787 if (ret == SSL_TLSEXT_ERR_OK) {
788 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
789 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
790 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
791 ERR_R_INTERNAL_ERROR);
792 return 0;
793 }
794 s->s3->next_proto_neg_seen = 1;
795 }
796
797 return 1;
798 }
799 #endif
800
801 int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
802 int *al)
803 {
804 if (s->s3->alpn_selected == NULL)
805 return 1;
806
807 if (!WPACKET_put_bytes_u16(pkt,
808 TLSEXT_TYPE_application_layer_protocol_negotiation)
809 || !WPACKET_start_sub_packet_u16(pkt)
810 || !WPACKET_start_sub_packet_u16(pkt)
811 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
812 s->s3->alpn_selected_len)
813 || !WPACKET_close(pkt)
814 || !WPACKET_close(pkt)) {
815 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
816 return 0;
817 }
818
819 return 1;
820 }
821
822 #ifndef OPENSSL_NO_SRTP
823 int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
824 int *al)
825 {
826 if (s->srtp_profile == NULL)
827 return 1;
828
829 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
830 || !WPACKET_start_sub_packet_u16(pkt)
831 || !WPACKET_put_bytes_u16(pkt, 2)
832 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
833 || !WPACKET_put_bytes_u8(pkt, 0)
834 || !WPACKET_close(pkt)) {
835 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
836 return 0;
837 }
838
839 return 1;
840 }
841 #endif
842
843 int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al)
844 {
845 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
846 return 1;
847
848 /*
849 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
850 * for other cases too.
851 */
852 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
853 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
854 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
855 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
856 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
857 return 1;
858 }
859
860 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
861 || !WPACKET_put_bytes_u16(pkt, 0)) {
862 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
863 return 0;
864 }
865
866 return 1;
867 }
868
869 int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al)
870 {
871 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
872 return 1;
873
874 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
875 || !WPACKET_put_bytes_u16(pkt, 0)) {
876 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
877 return 0;
878 }
879
880 return 1;
881 }
882
883 int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
884 int *al)
885 {
886 #ifndef OPENSSL_NO_TLS1_3
887 unsigned char *encodedPoint;
888 size_t encoded_pt_len = 0;
889 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
890
891 if (s->hit)
892 return 1;
893
894 if (ckey == NULL) {
895 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
896 return 0;
897 }
898
899 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
900 || !WPACKET_start_sub_packet_u16(pkt)
901 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
902 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
903 return 0;
904 }
905
906 skey = ssl_generate_pkey(ckey);
907 if (skey == NULL) {
908 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
909 return 0;
910 }
911
912 /* Generate encoding of server key */
913 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
914 if (encoded_pt_len == 0) {
915 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
916 EVP_PKEY_free(skey);
917 return 0;
918 }
919
920 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
921 || !WPACKET_close(pkt)) {
922 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
923 EVP_PKEY_free(skey);
924 OPENSSL_free(encodedPoint);
925 return 0;
926 }
927 OPENSSL_free(encodedPoint);
928
929 /* This causes the crypto state to be updated based on the derived keys */
930 s->s3->tmp.pkey = skey;
931 if (ssl_derive(s, skey, ckey, 1) == 0) {
932 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
933 return 0;
934 }
935 #endif
936
937 return 1;
938 }
939
940 int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, X509 *x,
941 size_t chain, int *al)
942 {
943 const unsigned char cryptopro_ext[36] = {
944 0xfd, 0xe8, /* 65000 */
945 0x00, 0x20, /* 32 bytes length */
946 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
947 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
948 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
949 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
950 };
951
952 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
953 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
954 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
955 return 1;
956
957 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
958 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
959 return 0;
960 }
961
962 return 1;
963 }
A mirror of the official openssl repository