]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update copyright year
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
25670f3e
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
43054d3d
MC		 13#include "internal/cryptlib.h"
14
15#define COOKIE_STATE_FORMAT_VERSION 0
16
17/*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
d0debc0a
MC		 20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
43054d3d 23 */
d0debc0a 24#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
43054d3d
MC		 25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27/*
28 * Message header + 2 bytes for protocol version + number of random bytes +
97ea1e7f
MC		 29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
43054d3d 33 */
97ea1e7f 34#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
43054d3d
MC		 35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
25670f3e
MC		 37
38/*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
61138358 41int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 42 X509 *x, size_t chainidx)
25670f3e
MC		 43{
44 unsigned int ilen;
45 const unsigned char *data;
46
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
f63a17d6
MC		 50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
51 SSL_R_RENEGOTIATION_ENCODING_ERR);
25670f3e
MC		 52 return 0;
53 }
54
55 /* Check that the extension matches */
56 if (ilen != s->s3->previous_client_finished_len) {
f63a17d6
MC		 57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
58 SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 59 return 0;
60 }
61
62 if (memcmp(data, s->s3->previous_client_finished,
63 s->s3->previous_client_finished_len)) {
f63a17d6
MC		 64 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
65 SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 66 return 0;
67 }
68
69 s->s3->send_connection_binding = 1;
70
71 return 1;
72}
73
1266eefd
MC		 74/*-
75 * The servername extension is treated as follows:
76 *
77 * - Only the hostname type is supported with a maximum length of 255.
78 * - The servername is rejected if too long or if it contains zeros,
79 * in which case an fatal alert is generated.
80 * - The servername field is maintained together with the session cache.
81 * - When a session is resumed, the servername call back invoked in order
82 * to allow the application to position itself to the right context.
83 * - The servername is acknowledged if it is new for a session or when
84 * it is identical to a previously used for the same session.
85 * Applications can control the behaviour. They can at any time
86 * set a 'desirable' servername for a new SSL object. This can be the
87 * case for example with HTTPS when a Host: header field is received and
88 * a renegotiation is requested. In this case, a possible servername
89 * presented in the new client hello is only acknowledged if it matches
90 * the value of the Host: field.
91 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
92 * if they provide for changing an explicit servername context for the
93 * session, i.e. when the session has been established with a servername
94 * extension.
95 * - On session reconnect, the servername extension may be absent.
96 */
61138358 97int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 98 X509 *x, size_t chainidx)
25670f3e
MC		 99{
100 unsigned int servname_type;
101 PACKET sni, hostname;
102
25670f3e
MC		 103 if (!PACKET_as_length_prefixed_2(pkt, &sni)
104 /* ServerNameList must be at least 1 byte long. */
105 || PACKET_remaining(&sni) == 0) {
f63a17d6
MC		 106 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
107 SSL_R_BAD_EXTENSION);
25670f3e
MC		 108 return 0;
109 }
110
111 /*
44e69951
F		 112 * Although the intent was for server_name to be extensible, RFC 4366
113 * was not clear about it; and so OpenSSL among other implementations,
114 * always and only allows a 'host_name' name types.
25670f3e
MC		 115 * RFC 6066 corrected the mistake but adding new name types
116 * is nevertheless no longer feasible, so act as if no other
117 * SNI types can exist, to simplify parsing.
118 *
119 * Also note that the RFC permits only one SNI value per type,
120 * i.e., we can only have a single hostname.
121 */
122 if (!PACKET_get_1(&sni, &servname_type)
123 || servname_type != TLSEXT_NAMETYPE_host_name
124 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
f63a17d6
MC		 125 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
126 SSL_R_BAD_EXTENSION);
25670f3e
MC		 127 return 0;
128 }
129
130 if (!s->hit) {
131 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
f63a17d6
MC		 132 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
133 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
134 SSL_R_BAD_EXTENSION);
25670f3e
MC		 135 return 0;
136 }
137
138 if (PACKET_contains_zero_byte(&hostname)) {
f63a17d6
MC		 139 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
140 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
141 SSL_R_BAD_EXTENSION);
25670f3e
MC		 142 return 0;
143 }
144
7d061fce
MC		 145 OPENSSL_free(s->session->ext.hostname);
146 s->session->ext.hostname = NULL;
aff8c126 147 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
f63a17d6
MC		 148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
149 ERR_R_INTERNAL_ERROR);
25670f3e
MC		 150 return 0;
151 }
152
153 s->servername_done = 1;
154 } else {
155 /*
156 * TODO(openssl-team): if the SNI doesn't match, we MUST
157 * fall back to a full handshake.
158 */
aff8c126
RS		 159 s->servername_done = s->session->ext.hostname
160 && PACKET_equal(&hostname, s->session->ext.hostname,
161 strlen(s->session->ext.hostname));
630369d9
MC		 162
163 if (!s->servername_done && s->session->ext.hostname != NULL)
164 s->ext.early_data_ok = 0;
25670f3e
MC		 165 }
166
167 return 1;
168}
169
cf72c757 170int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 171 X509 *x, size_t chainidx)
cf72c757
F		 172{
173 unsigned int value;
174
175 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
f63a17d6
MC		 176 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
177 SSL_R_BAD_EXTENSION);
cf72c757
F		 178 return 0;
179 }
180
181 /* Received |value| should be a valid max-fragment-length code. */
182 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6
MC		 183 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
184 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
185 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 186 return 0;
187 }
188
189 /*
190 * RFC 6066: The negotiated length applies for the duration of the session
191 * including session resumptions.
192 * We should receive the same code as in resumed session !
193 */
194 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
f63a17d6
MC		 195 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
196 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
197 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 198 return 0;
199 }
200
201 /*
202 * Store it in session, so it'll become binding for us
203 * and we'll include it in a next Server Hello.
204 */
205 s->session->ext.max_fragment_len_mode = value;
206 return 1;
207}
208
25670f3e 209#ifndef OPENSSL_NO_SRP
61138358 210int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 211 size_t chainidx)
25670f3e
MC		 212{
213 PACKET srp_I;
214
215 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
216 || PACKET_contains_zero_byte(&srp_I)) {
f63a17d6
MC		 217 SSLfatal(s, SSL_AD_DECODE_ERROR,
218 SSL_F_TLS_PARSE_CTOS_SRP,
219 SSL_R_BAD_EXTENSION);
25670f3e
MC		 220 return 0;
221 }
222
223 /*
224 * TODO(openssl-team): currently, we re-authenticate the user
225 * upon resumption. Instead, we MUST ignore the login.
226 */
227 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
f63a17d6
MC		 228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
229 ERR_R_INTERNAL_ERROR);
25670f3e
MC		 230 return 0;
231 }
232
233 return 1;
234}
235#endif
236
237#ifndef OPENSSL_NO_EC
61138358 238int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 239 X509 *x, size_t chainidx)
25670f3e
MC		 240{
241 PACKET ec_point_format_list;
242
243 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
244 || PACKET_remaining(&ec_point_format_list) == 0) {
f63a17d6
MC		 245 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
246 SSL_R_BAD_EXTENSION);
25670f3e
MC		 247 return 0;
248 }
249
250 if (!s->hit) {
251 if (!PACKET_memdup(&ec_point_format_list,
aff8c126
RS		 252 &s->session->ext.ecpointformats,
253 &s->session->ext.ecpointformats_len)) {
f63a17d6
MC		 254 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
255 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 256 return 0;
257 }
258 }
259
260 return 1;
261}
262#endif /* OPENSSL_NO_EC */
263
61138358 264int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 265 X509 *x, size_t chainidx)
25670f3e 266{
aff8c126
RS		 267 if (s->ext.session_ticket_cb &&
268 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
269 PACKET_remaining(pkt),
270 s->ext.session_ticket_cb_arg)) {
f63a17d6
MC		 271 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
272 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 273 return 0;
274 }
275
276 return 1;
277}
278
c589c34e
BK		 279int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
280 X509 *x, size_t chainidx)
281{
282 PACKET supported_sig_algs;
283
284 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
285 || PACKET_remaining(&supported_sig_algs) == 0) {
286 SSLfatal(s, SSL_AD_DECODE_ERROR,
287 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
288 return 0;
289 }
290
291 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
292 SSLfatal(s, SSL_AD_DECODE_ERROR,
293 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
294 return 0;
295 }
296
297 return 1;
298}
299
61138358 300int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 301 size_t chainidx)
25670f3e
MC		 302{
303 PACKET supported_sig_algs;
304
305 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e 306 || PACKET_remaining(&supported_sig_algs) == 0) {
f63a17d6
MC		 307 SSLfatal(s, SSL_AD_DECODE_ERROR,
308 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
25670f3e
MC		 309 return 0;
310 }
311
c589c34e 312 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
f63a17d6
MC		 313 SSLfatal(s, SSL_AD_DECODE_ERROR,
314 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
25670f3e
MC		 315 return 0;
316 }
317
318 return 1;
319}
320
ab83e314 321#ifndef OPENSSL_NO_OCSP
61138358 322int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 323 X509 *x, size_t chainidx)
25670f3e 324{
1266eefd
MC		 325 PACKET responder_id_list, exts;
326
e96e0f8e
MC		 327 /* Not defined if we get one of these in a client Certificate */
328 if (x != NULL)
329 return 1;
330
aff8c126 331 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
f63a17d6
MC		 332 SSLfatal(s, SSL_AD_DECODE_ERROR,
333 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
25670f3e
MC		 334 return 0;
335 }
ab83e314 336
aff8c126 337 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 338 /*
1266eefd 339 * We don't know what to do with any other type so ignore it.
25670f3e 340 */
aff8c126 341 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 342 return 1;
343 }
25670f3e 344
1266eefd 345 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
f63a17d6
MC		 346 SSLfatal(s, SSL_AD_DECODE_ERROR,
347 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd
MC		 348 return 0;
349 }
25670f3e 350
1266eefd
MC		 351 /*
352 * We remove any OCSP_RESPIDs from a previous handshake
353 * to prevent unbounded memory growth - CVE-2016-6304
354 */
aff8c126 355 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 356 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 357 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
358 if (s->ext.ocsp.ids == NULL) {
f63a17d6
MC		 359 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
360 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
1266eefd
MC		 361 return 0;
362 }
363 } else {
aff8c126 364 s->ext.ocsp.ids = NULL;
1266eefd 365 }
25670f3e 366
1266eefd
MC		 367 while (PACKET_remaining(&responder_id_list) > 0) {
368 OCSP_RESPID *id;
369 PACKET responder_id;
370 const unsigned char *id_data;
25670f3e 371
1266eefd
MC		 372 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
373 || PACKET_remaining(&responder_id) == 0) {
f63a17d6
MC		 374 SSLfatal(s, SSL_AD_DECODE_ERROR,
375 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd
MC		 376 return 0;
377 }
25670f3e 378
1266eefd
MC		 379 id_data = PACKET_data(&responder_id);
380 /* TODO(size_t): Convert d2i_* to size_t */
381 id = d2i_OCSP_RESPID(NULL, &id_data,
382 (int)PACKET_remaining(&responder_id));
383 if (id == NULL) {
f63a17d6
MC		 384 SSLfatal(s, SSL_AD_DECODE_ERROR,
385 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd 386 return 0;
25670f3e
MC		 387 }
388
1266eefd
MC		 389 if (id_data != PACKET_end(&responder_id)) {
390 OCSP_RESPID_free(id);
f63a17d6
MC		 391 SSLfatal(s, SSL_AD_DECODE_ERROR,
392 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
393
25670f3e
MC		 394 return 0;
395 }
396
aff8c126 397 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd 398 OCSP_RESPID_free(id);
f63a17d6
MC		 399 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
400 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
401
1266eefd
MC		 402 return 0;
403 }
404 }
405
406 /* Read in request_extensions */
407 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
f63a17d6
MC		 408 SSLfatal(s, SSL_AD_DECODE_ERROR,
409 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd
MC		 410 return 0;
411 }
412
413 if (PACKET_remaining(&exts) > 0) {
414 const unsigned char *ext_data = PACKET_data(&exts);
415
aff8c126 416 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 417 X509_EXTENSION_free);
aff8c126 418 s->ext.ocsp.exts =
1266eefd 419 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 420 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
f63a17d6
MC		 421 SSLfatal(s, SSL_AD_DECODE_ERROR,
422 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
1266eefd 423 return 0;
25670f3e 424 }
25670f3e
MC		 425 }
426
427 return 1;
428}
ab83e314 429#endif
25670f3e
MC		 430
431#ifndef OPENSSL_NO_NEXTPROTONEG
61138358 432int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 433 size_t chainidx)
25670f3e 434{
1266eefd
MC		 435 /*
436 * We shouldn't accept this extension on a
437 * renegotiation.
1266eefd 438 */
c7f47786 439 if (SSL_IS_FIRST_HANDSHAKE(s))
aff8c126 440 s->s3->npn_seen = 1;
25670f3e
MC		 441
442 return 1;
443}
444#endif
445
446/*
1266eefd 447 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
29bfd5b7 448 * extension, not including type and length. Returns: 1 on success, 0 on error.
25670f3e 449 */
61138358 450int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 451 size_t chainidx)
25670f3e
MC		 452{
453 PACKET protocol_list, save_protocol_list, protocol;
454
c7f47786 455 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 456 return 1;
457
458 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
459 || PACKET_remaining(&protocol_list) < 2) {
f63a17d6
MC		 460 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
461 SSL_R_BAD_EXTENSION);
25670f3e
MC		 462 return 0;
463 }
464
465 save_protocol_list = protocol_list;
466 do {
467 /* Protocol names can't be empty. */
468 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
469 || PACKET_remaining(&protocol) == 0) {
f63a17d6
MC		 470 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
471 SSL_R_BAD_EXTENSION);
25670f3e
MC		 472 return 0;
473 }
474 } while (PACKET_remaining(&protocol_list) != 0);
475
7d061fce
MC		 476 OPENSSL_free(s->s3->alpn_proposed);
477 s->s3->alpn_proposed = NULL;
478 s->s3->alpn_proposed_len = 0;
25670f3e
MC		 479 if (!PACKET_memdup(&save_protocol_list,
480 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
f63a17d6
MC		 481 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
482 ERR_R_INTERNAL_ERROR);
25670f3e
MC		 483 return 0;
484 }
485
486 return 1;
487}
488
489#ifndef OPENSSL_NO_SRTP
61138358 490int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 491 size_t chainidx)
25670f3e 492{
25670f3e
MC		 493 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
494 unsigned int ct, mki_len, id;
495 int i, srtp_pref;
496 PACKET subpkt;
497
498 /* Ignore this if we have no SRTP profiles */
499 if (SSL_get_srtp_profiles(s) == NULL)
500 return 1;
501
502 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 503 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
504 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
f63a17d6 505 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e 506 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 507 return 0;
508 }
509
510 srvr = SSL_get_srtp_profiles(s);
511 s->srtp_profile = NULL;
512 /* Search all profiles for a match initially */
513 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
514
515 while (PACKET_remaining(&subpkt)) {
516 if (!PACKET_get_net_2(&subpkt, &id)) {
f63a17d6
MC		 517 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
518 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 519 return 0;
520 }
521
522 /*
523 * Only look for match in profiles of higher preference than
524 * current match.
525 * If no profiles have been have been configured then this
526 * does nothing.
527 */
528 for (i = 0; i < srtp_pref; i++) {
d270de32 529 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 530 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
531
25670f3e
MC		 532 if (sprof->id == id) {
533 s->srtp_profile = sprof;
534 srtp_pref = i;
535 break;
536 }
537 }
538 }
539
1266eefd 540 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 541 if (!PACKET_get_1(pkt, &mki_len)) {
f63a17d6
MC		 542 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
543 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 544 return 0;
545 }
546
547 if (!PACKET_forward(pkt, mki_len)
548 || PACKET_remaining(pkt)) {
f63a17d6
MC		 549 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
550 SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 551 return 0;
552 }
553
554 return 1;
555}
556#endif
557
61138358 558int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 559 size_t chainidx)
25670f3e
MC		 560{
561 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 562 s->ext.use_etm = 1;
25670f3e
MC		 563
564 return 1;
565}
566
b2f7e8c0
MC		 567/*
568 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
569 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
b2f7e8c0 570 */
61138358 571int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 572 X509 *x, size_t chainidx)
b2f7e8c0
MC		 573{
574#ifndef OPENSSL_NO_TLS1_3
575 PACKET psk_kex_modes;
576 unsigned int mode;
577
578 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
579 || PACKET_remaining(&psk_kex_modes) == 0) {
f63a17d6
MC		 580 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
581 SSL_R_BAD_EXTENSION);
b2f7e8c0
MC		 582 return 0;
583 }
584
585 while (PACKET_get_1(&psk_kex_modes, &mode)) {
586 if (mode == TLSEXT_KEX_MODE_KE_DHE)
587 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
e3c0d76b
MC		 588 else if (mode == TLSEXT_KEX_MODE_KE
589 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
b2f7e8c0
MC		 590 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
591 }
592#endif
593
594 return 1;
595}
596
25670f3e
MC		 597/*
598 * Process a key_share extension received in the ClientHello. |pkt| contains
599 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
25670f3e 600 */
61138358 601int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 602 size_t chainidx)
25670f3e 603{
3cf96e88 604#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 605 unsigned int group_id;
606 PACKET key_share_list, encoded_pt;
f48d826e
DSH		 607 const uint16_t *clntgroups, *srvrgroups;
608 size_t clnt_num_groups, srvr_num_groups;
43b95d73 609 int found = 0;
25670f3e 610
f4bbb37c 611 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 612 return 1;
613
614 /* Sanity check */
615 if (s->s3->peer_tmp != NULL) {
f63a17d6
MC		 616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
617 ERR_R_INTERNAL_ERROR);
25670f3e
MC		 618 return 0;
619 }
620
621 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
f63a17d6
MC		 622 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
623 SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 624 return 0;
625 }
626
f48d826e
DSH		 627 /* Get our list of supported groups */
628 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
629 /* Get the clients list of supported groups. */
630 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
631 if (clnt_num_groups == 0) {
b6fdc12d
MC		 632 /*
633 * This can only happen if the supported_groups extension was not sent,
634 * because we verify that the length is non-zero when we process that
635 * extension.
636 */
f63a17d6
MC		 637 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
638 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
b6fdc12d
MC		 639 return 0;
640 }
25670f3e 641
43054d3d
MC		 642 if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
643 /*
644 * If we set a group_id already, then we must have sent an HRR
645 * requesting a new key_share. If we haven't got one then that is an
646 * error
647 */
648 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
649 SSL_R_BAD_KEY_SHARE);
650 return 0;
651 }
652
25670f3e
MC		 653 while (PACKET_remaining(&key_share_list) > 0) {
654 if (!PACKET_get_net_2(&key_share_list, &group_id)
655 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
656 || PACKET_remaining(&encoded_pt) == 0) {
f63a17d6
MC		 657 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
658 SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 659 return 0;
660 }
661
662 /*
663 * If we already found a suitable key_share we loop through the
664 * rest to verify the structure, but don't process them.
665 */
666 if (found)
667 continue;
668
43054d3d
MC		 669 /*
670 * If we sent an HRR then the key_share sent back MUST be for the group
671 * we requested, and must be the only key_share sent.
672 */
673 if (s->s3->group_id != 0
674 && (group_id != s->s3->group_id
675 || PACKET_remaining(&key_share_list) != 0)) {
676 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
677 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
678 return 0;
679 }
680
25670f3e 681 /* Check if this share is in supported_groups sent from client */
f48d826e 682 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
f63a17d6
MC		 683 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
684 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 685 return 0;
686 }
687
688 /* Check if this share is for a group we can use */
f48d826e 689 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
25670f3e
MC		 690 /* Share not suitable */
691 continue;
692 }
693
612f9d22 694 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
f63a17d6 695 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 696 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
697 return 0;
698 }
699
25670f3e
MC		 700 s->s3->group_id = group_id;
701
702 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
703 PACKET_data(&encoded_pt),
704 PACKET_remaining(&encoded_pt))) {
f63a17d6
MC		 705 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
706 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 707 return 0;
708 }
709
710 found = 1;
711 }
3cf96e88 712#endif
25670f3e
MC		 713
714 return 1;
715}
716
43054d3d
MC		 717int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
718 size_t chainidx)
719{
dd77962e 720 unsigned int format, version, key_share, group_id;
43054d3d
MC		 721 EVP_MD_CTX *hctx;
722 EVP_PKEY *pkey;
723 PACKET cookie, raw, chhash, appcookie;
724 WPACKET hrrpkt;
725 const unsigned char *data, *mdin, *ciphdata;
726 unsigned char hmac[SHA256_DIGEST_LENGTH];
727 unsigned char hrr[MAX_HRR_SIZE];
728 size_t rawlen, hmaclen, hrrlen, ciphlen;
d0debc0a 729 unsigned long tm, now;
43054d3d
MC		 730
731 /* Ignore any cookie if we're not set up to verify it */
732 if (s->ctx->app_verify_cookie_cb == NULL
733 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
734 return 1;
735
736 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
737 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
738 SSL_R_LENGTH_MISMATCH);
739 return 0;
740 }
741
742 raw = cookie;
743 data = PACKET_data(&raw);
744 rawlen = PACKET_remaining(&raw);
745 if (rawlen < SHA256_DIGEST_LENGTH
746 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
747 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
748 SSL_R_LENGTH_MISMATCH);
749 return 0;
750 }
751 mdin = PACKET_data(&raw);
752
753 /* Verify the HMAC of the cookie */
754 hctx = EVP_MD_CTX_create();
755 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
756 s->session_ctx->ext.cookie_hmac_key,
757 sizeof(s->session_ctx->ext.cookie_hmac_key));
758 if (hctx == NULL || pkey == NULL) {
759 EVP_MD_CTX_free(hctx);
760 EVP_PKEY_free(pkey);
761 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
762 ERR_R_MALLOC_FAILURE);
763 return 0;
764 }
765
97ea1e7f 766 hmaclen = SHA256_DIGEST_LENGTH;
43054d3d 767 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
97ea1e7f
MC		 768 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
769 rawlen - SHA256_DIGEST_LENGTH) <= 0
43054d3d
MC		 770 || hmaclen != SHA256_DIGEST_LENGTH) {
771 EVP_MD_CTX_free(hctx);
772 EVP_PKEY_free(pkey);
773 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
774 ERR_R_INTERNAL_ERROR);
775 return 0;
776 }
777
778 EVP_MD_CTX_free(hctx);
779 EVP_PKEY_free(pkey);
780
781 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
782 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
783 SSL_R_COOKIE_MISMATCH);
784 return 0;
785 }
786
787 if (!PACKET_get_net_2(&cookie, &format)) {
788 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
789 SSL_R_LENGTH_MISMATCH);
790 return 0;
791 }
792 /* Check the cookie format is something we recognise. Ignore it if not */
793 if (format != COOKIE_STATE_FORMAT_VERSION)
794 return 1;
795
796 /*
797 * The rest of these checks really shouldn't fail since we have verified the
798 * HMAC above.
799 */
800
801 /* Check the version number is sane */
802 if (!PACKET_get_net_2(&cookie, &version)) {
803 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
804 SSL_R_LENGTH_MISMATCH);
805 return 0;
806 }
807 if (version != TLS1_3_VERSION) {
808 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
809 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
810 return 0;
811 }
812
dd77962e 813 if (!PACKET_get_net_2(&cookie, &group_id)) {
43054d3d
MC		 814 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
815 SSL_R_LENGTH_MISMATCH);
816 return 0;
817 }
dd77962e 818
43054d3d
MC		 819 ciphdata = PACKET_data(&cookie);
820 if (!PACKET_forward(&cookie, 2)) {
821 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
822 SSL_R_LENGTH_MISMATCH);
823 return 0;
824 }
dd77962e
MC		 825 if (group_id != s->s3->group_id
826 || s->s3->tmp.new_cipher
827 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
828 /*
829 * We chose a different cipher or group id this time around to what is
830 * in the cookie. Something must have changed.
831 */
832 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
833 SSL_R_BAD_CIPHER);
43054d3d
MC		 834 return 0;
835 }
836
837 if (!PACKET_get_1(&cookie, &key_share)
d0debc0a 838 || !PACKET_get_net_4(&cookie, &tm)
43054d3d
MC		 839 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
840 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
841 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
842 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
843 SSL_R_LENGTH_MISMATCH);
844 return 0;
845 }
846
d0debc0a
MC		 847 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
848 now = (unsigned long)time(NULL);
849 if (tm > now || (now - tm) > 600) {
850 /* Cookie is stale. Ignore it */
851 return 1;
852 }
853
43054d3d
MC		 854 /* Verify the app cookie */
855 if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&appcookie),
856 PACKET_remaining(&appcookie)) == 0) {
857 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
858 SSL_R_COOKIE_MISMATCH);
859 return 0;
860 }
861
862 /*
863 * Reconstruct the HRR that we would have sent in response to the original
864 * ClientHello so we can add it to the transcript hash.
865 * Note: This won't work with custom HRR extensions
866 */
867 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
869 ERR_R_INTERNAL_ERROR);
870 return 0;
871 }
872 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
873 || !WPACKET_start_sub_packet_u24(&hrrpkt)
874 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
875 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
876 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
877 s->tmp_session_id_len)
878 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt,
879 &ciphlen)
880 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
881 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
882 WPACKET_cleanup(&hrrpkt);
883 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
884 ERR_R_INTERNAL_ERROR);
885 return 0;
886 }
887 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
888 || !WPACKET_start_sub_packet_u16(&hrrpkt)
889 /* TODO(TLS1.3): Fix this before release */
890 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_3_VERSION_DRAFT)
891 || !WPACKET_close(&hrrpkt)) {
892 WPACKET_cleanup(&hrrpkt);
893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
894 ERR_R_INTERNAL_ERROR);
895 return 0;
896 }
897 if (key_share) {
898 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
899 || !WPACKET_start_sub_packet_u16(&hrrpkt)
900 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id)
901 || !WPACKET_close(&hrrpkt)) {
902 WPACKET_cleanup(&hrrpkt);
903 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
904 ERR_R_INTERNAL_ERROR);
905 return 0;
906 }
907 }
908 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
909 || !WPACKET_start_sub_packet_u16(&hrrpkt)
910 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
911 || !WPACKET_close(&hrrpkt) /* cookie extension */
912 || !WPACKET_close(&hrrpkt) /* extension block */
913 || !WPACKET_close(&hrrpkt) /* message */
914 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
915 || !WPACKET_finish(&hrrpkt)) {
916 WPACKET_cleanup(&hrrpkt);
917 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
918 ERR_R_INTERNAL_ERROR);
919 return 0;
920 }
921
922 /* Reconstruct the transcript hash */
923 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
924 PACKET_remaining(&chhash), hrr,
925 hrrlen)) {
926 /* SSLfatal() already called */
927 return 0;
928 }
929
930 /* Act as if this ClientHello came after a HelloRetryRequest */
931 s->hello_retry_request = 1;
932
c36001c3
MC		 933 s->ext.cookieok = 1;
934
43054d3d
MC		 935 return 1;
936}
937
25670f3e 938#ifndef OPENSSL_NO_EC
61138358 939int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 940 X509 *x, size_t chainidx)
25670f3e
MC		 941{
942 PACKET supported_groups_list;
943
944 /* Each group is 2 bytes and we must have at least 1. */
945 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
946 || PACKET_remaining(&supported_groups_list) == 0
947 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
f63a17d6
MC		 948 SSLfatal(s, SSL_AD_DECODE_ERROR,
949 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
25670f3e
MC		 950 return 0;
951 }
952
e3743355
BK		 953 if (!s->hit || SSL_IS_TLS13(s)) {
954 OPENSSL_free(s->session->ext.supportedgroups);
955 s->session->ext.supportedgroups = NULL;
956 s->session->ext.supportedgroups_len = 0;
9e84a42d 957 if (!tls1_save_u16(&supported_groups_list,
e3743355
BK		 958 &s->session->ext.supportedgroups,
959 &s->session->ext.supportedgroups_len)) {
f63a17d6
MC		 960 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
961 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
962 ERR_R_INTERNAL_ERROR);
e3743355
BK		 963 return 0;
964 }
25670f3e
MC		 965 }
966
967 return 1;
968}
969#endif
970
61138358 971int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 972 size_t chainidx)
25670f3e
MC		 973{
974 /* The extension must always be empty */
975 if (PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 976 SSLfatal(s, SSL_AD_DECODE_ERROR,
977 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
25670f3e
MC		 978 return 0;
979 }
980
981 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
982
983 return 1;
984}
7da160b0 985
38df5a45
MC		 986
987int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 988 X509 *x, size_t chainidx)
38df5a45
MC		 989{
990 if (PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 991 SSLfatal(s, SSL_AD_DECODE_ERROR,
992 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
38df5a45
MC		 993 return 0;
994 }
995
fc7129dc 996 if (s->hello_retry_request != SSL_HRR_NONE) {
f63a17d6
MC		 997 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
998 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
d4504fe5
MC		 999 return 0;
1000 }
1001
38df5a45
MC		 1002 return 1;
1003}
1004
61138358 1005int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 1006 size_t chainidx)
1053a6e2
MC		 1007{
1008 PACKET identities, binders, binder;
1009 size_t binderoffset, hashsize;
1010 SSL_SESSION *sess = NULL;
3a7c56b2 1011 unsigned int id, i, ext = 0;
1053a6e2
MC		 1012 const EVP_MD *md = NULL;
1013
1a9f457c
MC		 1014 /*
1015 * If we have no PSK kex mode that we recognise then we can't resume so
1016 * ignore this extension
1017 */
1018 if ((s->ext.psk_kex_mode
1019 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1020 return 1;
1021
1053a6e2 1022 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
f63a17d6
MC		 1023 SSLfatal(s, SSL_AD_DECODE_ERROR,
1024 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1025 return 0;
1026 }
1027
1028 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1029 PACKET identity;
2c604cb9 1030 unsigned long ticket_agel;
1053a6e2
MC		 1031
1032 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 1033 || !PACKET_get_net_4(&identities, &ticket_agel)) {
f63a17d6
MC		 1034 SSLfatal(s, SSL_AD_DECODE_ERROR,
1035 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1036 return 0;
1037 }
1038
3a7c56b2 1039 if (s->psk_find_session_cb != NULL
011d768a
MC		 1040 && !s->psk_find_session_cb(s, PACKET_data(&identity),
1041 PACKET_remaining(&identity),
1042 &sess)) {
f63a17d6
MC		 1043 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1044 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
011d768a
MC		 1045 return 0;
1046 }
1047
1048 if (sess != NULL) {
1049 /* We found a PSK */
3a7c56b2 1050 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1b8bacff 1051
3a7c56b2 1052 if (sesstmp == NULL) {
f63a17d6
MC		 1053 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1054 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1055 return 0;
1056 }
1057 SSL_SESSION_free(sess);
1058 sess = sesstmp;
1059
1060 /*
1061 * We've just been told to use this session for this context so
1062 * make sure the sid_ctx matches up.
1063 */
1064 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1065 sess->sid_ctx_length = s->sid_ctx_length;
1066 ext = 1;
630369d9
MC		 1067 if (id == 0)
1068 s->ext.early_data_ok = 1;
3a7c56b2
MC		 1069 } else {
1070 uint32_t ticket_age = 0, now, agesec, agems;
1071 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1072 PACKET_remaining(&identity), NULL, 0,
1073 &sess);
1074
1075 if (ret == TICKET_FATAL_ERR_MALLOC
1076 || ret == TICKET_FATAL_ERR_OTHER) {
f63a17d6
MC		 1077 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1078 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1079 return 0;
1080 }
1081 if (ret == TICKET_NO_DECRYPT)
1082 continue;
1083
1084 ticket_age = (uint32_t)ticket_agel;
1085 now = (uint32_t)time(NULL);
1086 agesec = now - (uint32_t)sess->time;
1087 agems = agesec * (uint32_t)1000;
1088 ticket_age -= sess->ext.tick_age_add;
1089
1090 /*
1091 * For simplicity we do our age calculations in seconds. If the
1092 * client does it in ms then it could appear that their ticket age
1093 * is longer than ours (our ticket age calculation should always be
1094 * slightly longer than the client's due to the network latency).
1095 * Therefore we add 1000ms to our age calculation to adjust for
1096 * rounding errors.
1097 */
630369d9
MC		 1098 if (id == 0
1099 && sess->timeout >= (long)agesec
3a7c56b2
MC		 1100 && agems / (uint32_t)1000 == agesec
1101 && ticket_age <= agems + 1000
1102 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1103 /*
1104 * Ticket age is within tolerance and not expired. We allow it
1105 * for early data
1106 */
1107 s->ext.early_data_ok = 1;
1108 }
1053a6e2 1109 }
1053a6e2 1110
534a43ff 1111 md = ssl_md(sess->cipher->algorithm2);
0de6d66d
MC		 1112 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
1113 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 1114 SSL_SESSION_free(sess);
1115 sess = NULL;
630369d9 1116 s->ext.early_data_ok = 0;
1053a6e2
MC		 1117 continue;
1118 }
1053a6e2
MC		 1119 break;
1120 }
1121
1122 if (sess == NULL)
1123 return 1;
1124
1125 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1053a6e2
MC		 1126 hashsize = EVP_MD_size(md);
1127
1128 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
f63a17d6
MC		 1129 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1130 SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1131 goto err;
1132 }
1133
1134 for (i = 0; i <= id; i++) {
1135 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
f63a17d6
MC		 1136 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1137 SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1138 goto err;
1139 }
1140 }
1141
2894e9cb
MC		 1142 if (PACKET_remaining(&binder) != hashsize) {
1143 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1144 SSL_R_BAD_EXTENSION);
1145 goto err;
1146 }
1147 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1148 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1149 ext) != 1) {
635c8f77 1150 /* SSLfatal() already called */
1053a6e2
MC		 1151 goto err;
1152 }
1153
1154 sess->ext.tick_identity = id;
2c604cb9 1155
1053a6e2
MC		 1156 SSL_SESSION_free(s->session);
1157 s->session = sess;
1053a6e2
MC		 1158 return 1;
1159err:
312e9387 1160 SSL_SESSION_free(sess);
1053a6e2
MC		 1161 return 0;
1162}
1163
9d75dce3
TS		 1164int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
1165 X509 *x, size_t chainidx)
1166{
1167 if (PACKET_remaining(pkt) != 0) {
1168 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
1169 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1170 return 0;
1171 }
1172
1173 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1174
1175 return 1;
1176}
1177
1266eefd
MC		 1178/*
1179 * Add the server's renegotiation binding
1180 */
b186a592
MC		 1181EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1182 unsigned int context, X509 *x,
f63a17d6 1183 size_t chainidx)
7da160b0
MC		 1184{
1185 if (!s->s3->send_connection_binding)
b186a592 1186 return EXT_RETURN_NOT_SENT;
7da160b0 1187
db0f35dd 1188 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 1189 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1190 || !WPACKET_start_sub_packet_u16(pkt)
1191 || !WPACKET_start_sub_packet_u8(pkt)
1192 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
1193 s->s3->previous_client_finished_len)
1194 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
1195 s->s3->previous_server_finished_len)
1196 || !WPACKET_close(pkt)
1197 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1198 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1199 ERR_R_INTERNAL_ERROR);
b186a592 1200 return EXT_RETURN_FAIL;
7da160b0
MC		 1201 }
1202
b186a592 1203 return EXT_RETURN_SENT;
7da160b0
MC		 1204}
1205
b186a592
MC		 1206EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1207 unsigned int context, X509 *x,
f63a17d6 1208 size_t chainidx)
7da160b0
MC		 1209{
1210 if (s->hit || s->servername_done != 1
aff8c126 1211 || s->session->ext.hostname == NULL)
b186a592 1212 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1213
1214 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1215 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 1216 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1217 ERR_R_INTERNAL_ERROR);
b186a592 1218 return EXT_RETURN_FAIL;
7da160b0
MC		 1219 }
1220
b186a592 1221 return EXT_RETURN_SENT;
7da160b0
MC		 1222}
1223
cf72c757
F		 1224/* Add/include the server's max fragment len extension into ServerHello */
1225EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1226 unsigned int context, X509 *x,
f63a17d6 1227 size_t chainidx)
cf72c757
F		 1228{
1229 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1230 return EXT_RETURN_NOT_SENT;
1231
1232 /*-
1233 * 4 bytes for this extension type and extension length
1234 * 1 byte for the Max Fragment Length code value.
1235 */
1236 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1237 || !WPACKET_start_sub_packet_u16(pkt)
1238 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1239 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1240 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1241 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
cf72c757
F		 1242 return EXT_RETURN_FAIL;
1243 }
1244
1245 return EXT_RETURN_SENT;
1246}
1247
7da160b0 1248#ifndef OPENSSL_NO_EC
b186a592
MC		 1249EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1250 unsigned int context, X509 *x,
f63a17d6 1251 size_t chainidx)
7da160b0
MC		 1252{
1253 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1254 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
89247375 1255 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
aff8c126 1256 && (s->session->ext.ecpointformats != NULL);
7da160b0
MC		 1257 const unsigned char *plist;
1258 size_t plistlen;
1259
1260 if (!using_ecc)
b186a592 1261 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1262
1263 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 1264 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1265 || !WPACKET_start_sub_packet_u16(pkt)
1266 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1267 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1268 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1269 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
b186a592 1270 return EXT_RETURN_FAIL;
7da160b0
MC		 1271 }
1272
b186a592 1273 return EXT_RETURN_SENT;
7da160b0
MC		 1274}
1275#endif
1276
cf53cbea 1277#ifndef OPENSSL_NO_EC
b186a592
MC		 1278EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1279 unsigned int context, X509 *x,
f63a17d6 1280 size_t chainidx)
6af87546 1281{
9e84a42d 1282 const uint16_t *groups;
6af87546
MC		 1283 size_t numgroups, i, first = 1;
1284
1285 /* s->s3->group_id is non zero if we accepted a key_share */
1286 if (s->s3->group_id == 0)
b186a592 1287 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1288
1289 /* Get our list of supported groups */
ff6d20a6 1290 tls1_get_supported_groups(s, &groups, &numgroups);
34e5292c 1291 if (numgroups == 0) {
f63a17d6
MC		 1292 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1293 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
b186a592 1294 return EXT_RETURN_FAIL;
6af87546
MC		 1295 }
1296
1297 /* Copy group ID if supported */
9e84a42d
DSH		 1298 for (i = 0; i < numgroups; i++) {
1299 uint16_t group = groups[i];
1300
1301 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
6af87546
MC		 1302 if (first) {
1303 /*
1304 * Check if the client is already using our preferred group. If
1305 * so we don't need to add this extension
1306 */
9e84a42d 1307 if (s->s3->group_id == group)
b186a592 1308 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1309
1310 /* Add extension header */
1311 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1312 /* Sub-packet for supported_groups extension */
1313 || !WPACKET_start_sub_packet_u16(pkt)
1314 || !WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 1315 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1316 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1317 ERR_R_INTERNAL_ERROR);
b186a592 1318 return EXT_RETURN_FAIL;
6af87546
MC		 1319 }
1320
1321 first = 0;
1322 }
9e84a42d 1323 if (!WPACKET_put_bytes_u16(pkt, group)) {
f63a17d6
MC		 1324 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1325 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1326 ERR_R_INTERNAL_ERROR);
b186a592 1327 return EXT_RETURN_FAIL;
6af87546
MC		 1328 }
1329 }
1330 }
1331
1332 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
f63a17d6
MC		 1333 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1334 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1335 ERR_R_INTERNAL_ERROR);
b186a592 1336 return EXT_RETURN_FAIL;
6af87546
MC		 1337 }
1338
b186a592 1339 return EXT_RETURN_SENT;
6af87546 1340}
cf53cbea 1341#endif
6af87546 1342
b186a592
MC		 1343EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1344 unsigned int context, X509 *x,
f63a17d6 1345 size_t chainidx)
7da160b0 1346{
aff8c126
RS		 1347 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1348 s->ext.ticket_expected = 0;
b186a592 1349 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1350 }
1351
1352 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1353 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 1354 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1355 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
b186a592 1356 return EXT_RETURN_FAIL;
7da160b0
MC		 1357 }
1358
b186a592 1359 return EXT_RETURN_SENT;
7da160b0
MC		 1360}
1361
ab83e314 1362#ifndef OPENSSL_NO_OCSP
b186a592
MC		 1363EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1364 unsigned int context, X509 *x,
f63a17d6 1365 size_t chainidx)
7da160b0 1366{
aff8c126 1367 if (!s->ext.status_expected)
b186a592 1368 return EXT_RETURN_NOT_SENT;
7da160b0 1369
8521ced6 1370 if (SSL_IS_TLS13(s) && chainidx != 0)
b186a592 1371 return EXT_RETURN_NOT_SENT;
e96e0f8e 1372
7da160b0 1373 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288 1374 || !WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 1375 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1376 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 1377 return EXT_RETURN_FAIL;
f63e4288
MC		 1378 }
1379
1380 /*
1381 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1382 * send back an empty extension, with the certificate status appearing as a
1383 * separate message
1384 */
3ec8d113
MC		 1385 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1386 /* SSLfatal() already called */
56d36288 1387 return EXT_RETURN_FAIL;
3ec8d113
MC		 1388 }
1389 if (!WPACKET_close(pkt)) {
f63a17d6
MC		 1390 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1391 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
b186a592 1392 return EXT_RETURN_FAIL;
7da160b0
MC		 1393 }
1394
b186a592 1395 return EXT_RETURN_SENT;
7da160b0 1396}
ab83e314 1397#endif
7da160b0 1398
7da160b0 1399#ifndef OPENSSL_NO_NEXTPROTONEG
b186a592
MC		 1400EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1401 unsigned int context, X509 *x,
f63a17d6 1402 size_t chainidx)
7da160b0
MC		 1403{
1404 const unsigned char *npa;
1405 unsigned int npalen;
1406 int ret;
aff8c126 1407 int npn_seen = s->s3->npn_seen;
7da160b0 1408
aff8c126
RS		 1409 s->s3->npn_seen = 0;
1410 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
b186a592 1411 return EXT_RETURN_NOT_SENT;
7da160b0 1412
aff8c126
RS		 1413 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1414 s->ctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1415 if (ret == SSL_TLSEXT_ERR_OK) {
1416 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1417 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
f63a17d6
MC		 1418 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1419 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1420 ERR_R_INTERNAL_ERROR);
b186a592 1421 return EXT_RETURN_FAIL;
7da160b0 1422 }
aff8c126 1423 s->s3->npn_seen = 1;
7da160b0
MC		 1424 }
1425
b186a592 1426 return EXT_RETURN_SENT;
7da160b0
MC		 1427}
1428#endif
1429
b186a592 1430EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1431 X509 *x, size_t chainidx)
7da160b0
MC		 1432{
1433 if (s->s3->alpn_selected == NULL)
b186a592 1434 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1435
1436 if (!WPACKET_put_bytes_u16(pkt,
1437 TLSEXT_TYPE_application_layer_protocol_negotiation)
1438 || !WPACKET_start_sub_packet_u16(pkt)
1439 || !WPACKET_start_sub_packet_u16(pkt)
1440 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1441 s->s3->alpn_selected_len)
1442 || !WPACKET_close(pkt)
1443 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1444 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1445 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
b186a592 1446 return EXT_RETURN_FAIL;
7da160b0
MC		 1447 }
1448
b186a592 1449 return EXT_RETURN_SENT;
7da160b0
MC		 1450}
1451
1452#ifndef OPENSSL_NO_SRTP
b186a592
MC		 1453EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1454 unsigned int context, X509 *x,
f63a17d6 1455 size_t chainidx)
7da160b0
MC		 1456{
1457 if (s->srtp_profile == NULL)
b186a592 1458 return EXT_RETURN_NOT_SENT;
a1448c26 1459
7da160b0
MC		 1460 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1461 || !WPACKET_start_sub_packet_u16(pkt)
1462 || !WPACKET_put_bytes_u16(pkt, 2)
1463 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1464 || !WPACKET_put_bytes_u8(pkt, 0)
1465 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1466 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1467 ERR_R_INTERNAL_ERROR);
b186a592 1468 return EXT_RETURN_FAIL;
7da160b0
MC		 1469 }
1470
b186a592 1471 return EXT_RETURN_SENT;
7da160b0
MC		 1472}
1473#endif
1474
b186a592 1475EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1476 X509 *x, size_t chainidx)
7da160b0 1477{
28a31a0a 1478 if (!s->ext.use_etm)
b186a592 1479 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1480
1481 /*
1482 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1483 * for other cases too.
1484 */
1485 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1486 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1487 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1488 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
28a31a0a 1489 s->ext.use_etm = 0;
b186a592 1490 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1491 }
1492
1493 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1494 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 1495 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1496 ERR_R_INTERNAL_ERROR);
b186a592 1497 return EXT_RETURN_FAIL;
7da160b0
MC		 1498 }
1499
b186a592 1500 return EXT_RETURN_SENT;
7da160b0
MC		 1501}
1502
b186a592 1503EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1504 X509 *x, size_t chainidx)
7da160b0
MC		 1505{
1506 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1507 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1508
1509 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1510 || !WPACKET_put_bytes_u16(pkt, 0)) {
f63a17d6
MC		 1511 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1512 ERR_R_INTERNAL_ERROR);
b186a592 1513 return EXT_RETURN_FAIL;
7da160b0
MC		 1514 }
1515
b186a592 1516 return EXT_RETURN_SENT;
7da160b0
MC		 1517}
1518
88050dd1
MC		 1519EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1520 unsigned int context, X509 *x,
1521 size_t chainidx)
1522{
1523 if (!SSL_IS_TLS13(s))
1524 return EXT_RETURN_NOT_SENT;
1525
1526 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1527 || !WPACKET_start_sub_packet_u16(pkt)
1528 /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
1529 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
1530 || !WPACKET_close(pkt)) {
1531 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1532 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1533 ERR_R_INTERNAL_ERROR);
1534 return EXT_RETURN_FAIL;
1535 }
1536
1537 return EXT_RETURN_SENT;
1538}
1539
b186a592
MC		 1540EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1541 unsigned int context, X509 *x,
f63a17d6 1542 size_t chainidx)
7da160b0 1543{
3cf96e88 1544#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1545 unsigned char *encodedPoint;
1546 size_t encoded_pt_len = 0;
1547 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1548
dd77962e
MC		 1549 if (s->hello_retry_request == SSL_HRR_PENDING) {
1550 if (ckey != NULL) {
1551 /* Original key_share was acceptable so don't ask for another one */
1552 return EXT_RETURN_NOT_SENT;
1553 }
1554 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1555 || !WPACKET_start_sub_packet_u16(pkt)
1556 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1557 || !WPACKET_close(pkt)) {
1558 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1559 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1560 ERR_R_INTERNAL_ERROR);
1561 return EXT_RETURN_FAIL;
7d061fce
MC		 1562 }
1563
dd77962e
MC		 1564 return EXT_RETURN_SENT;
1565 }
1566
1567 if (ckey == NULL) {
1568 /* No key_share received from client - must be resuming */
0247086d 1569 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
f63a17d6
MC		 1570 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1571 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1572 return EXT_RETURN_FAIL;
0247086d 1573 }
b186a592 1574 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1575 }
1576
1577 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1578 || !WPACKET_start_sub_packet_u16(pkt)
1579 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
f63a17d6
MC		 1580 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1581 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
b186a592 1582 return EXT_RETURN_FAIL;
7da160b0
MC		 1583 }
1584
1585 skey = ssl_generate_pkey(ckey);
1586 if (skey == NULL) {
f63a17d6
MC		 1587 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1588 ERR_R_MALLOC_FAILURE);
b186a592 1589 return EXT_RETURN_FAIL;
7da160b0
MC		 1590 }
1591
1592 /* Generate encoding of server key */
1593 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1594 if (encoded_pt_len == 0) {
f63a17d6
MC		 1595 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1596 ERR_R_EC_LIB);
7da160b0 1597 EVP_PKEY_free(skey);
b186a592 1598 return EXT_RETURN_FAIL;
7da160b0
MC		 1599 }
1600
1601 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1602 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1603 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1604 ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1605 EVP_PKEY_free(skey);
1606 OPENSSL_free(encodedPoint);
b186a592 1607 return EXT_RETURN_FAIL;
7da160b0
MC		 1608 }
1609 OPENSSL_free(encodedPoint);
1610
1611 /* This causes the crypto state to be updated based on the derived keys */
1612 s->s3->tmp.pkey = skey;
1613 if (ssl_derive(s, skey, ckey, 1) == 0) {
f63a17d6 1614 /* SSLfatal() already called */
b186a592 1615 return EXT_RETURN_FAIL;
7da160b0 1616 }
3cf96e88 1617#endif
7da160b0 1618
b186a592 1619 return EXT_RETURN_SENT;
7da160b0
MC		 1620}
1621
43054d3d
MC		 1622EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1623 X509 *x, size_t chainidx)
1624{
1625 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1626 unsigned char *hmac, *hmac2;
1627 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen;
1628 unsigned int appcookielen;
1629 EVP_MD_CTX *hctx;
1630 EVP_PKEY *pkey;
1631 int ret = EXT_RETURN_FAIL;
1632
1633 if (s->ctx->app_gen_cookie_cb == NULL
1634 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
1635 return EXT_RETURN_NOT_SENT;
1636
1637 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1638 || !WPACKET_start_sub_packet_u16(pkt)
1639 || !WPACKET_start_sub_packet_u16(pkt)
1640 || !WPACKET_get_total_written(pkt, &startlen)
1641 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1642 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1643 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1644 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1645 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
1646 &ciphlen)
1647 /* Is there a key_share extension present in this HRR? */
1648 || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
d0debc0a 1649 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
43054d3d
MC		 1650 || !WPACKET_start_sub_packet_u16(pkt)
1651 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1652 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1653 ERR_R_INTERNAL_ERROR);
1654 return EXT_RETURN_FAIL;
1655 }
1656
1657 /*
1658 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1659 * on raw buffers, so we first reserve sufficient bytes (above) and then
1660 * subsequently allocate them (below)
1661 */
1662 if (!ssl3_digest_cached_records(s, 0)
1663 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1664 /* SSLfatal() already called */
1665 return EXT_RETURN_FAIL;
1666 }
1667
1668 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1669 || !ossl_assert(hashval1 == hashval2)
1670 || !WPACKET_close(pkt)
1671 || !WPACKET_start_sub_packet_u8(pkt)
1672 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1673 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1674 ERR_R_INTERNAL_ERROR);
1675 return EXT_RETURN_FAIL;
1676 }
1677
1678 /* Generate the application cookie */
1679 if (s->ctx->app_gen_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1680 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1681 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1682 return EXT_RETURN_FAIL;
1683 }
1684
1685 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1686 || !ossl_assert(appcookie1 == appcookie2)
1687 || !WPACKET_close(pkt)
1688 || !WPACKET_get_total_written(pkt, &totcookielen)
1689 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1690 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1691 ERR_R_INTERNAL_ERROR);
1692 return EXT_RETURN_FAIL;
1693 }
1694 hmaclen = SHA256_DIGEST_LENGTH;
1695
1696 totcookielen -= startlen;
1697 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1698 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1699 ERR_R_INTERNAL_ERROR);
1700 return EXT_RETURN_FAIL;
1701 }
1702
1703 /* HMAC the cookie */
1704 hctx = EVP_MD_CTX_create();
1705 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
1706 s->session_ctx->ext.cookie_hmac_key,
1707 sizeof(s->session_ctx->ext.cookie_hmac_key));
1708 if (hctx == NULL || pkey == NULL) {
1709 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1710 ERR_R_MALLOC_FAILURE);
1711 goto err;
1712 }
1713
1714 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
1715 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1716 totcookielen) <= 0) {
1717 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1718 ERR_R_INTERNAL_ERROR);
1719 goto err;
1720 }
1721
1722 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1723 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1724 ERR_R_INTERNAL_ERROR);
1725 goto err;
1726 }
1727
1728 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1729 || !ossl_assert(hmac == hmac2)
1730 || !ossl_assert(cookie == hmac - totcookielen)
1731 || !WPACKET_close(pkt)
1732 || !WPACKET_close(pkt)) {
1733 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1734 ERR_R_INTERNAL_ERROR);
1735 goto err;
1736 }
1737
1738 ret = EXT_RETURN_SENT;
1739
1740 err:
1741 EVP_MD_CTX_free(hctx);
1742 EVP_PKEY_free(pkey);
1743 return ret;
1744}
1745
b186a592
MC		 1746EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1747 unsigned int context, X509 *x,
f63a17d6 1748 size_t chainidx)
7da160b0
MC		 1749{
1750 const unsigned char cryptopro_ext[36] = {
1751 0xfd, 0xe8, /* 65000 */
1752 0x00, 0x20, /* 32 bytes length */
1753 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1754 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1755 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1756 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1757 };
1758
1759 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1760 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1761 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1762 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1763
1764 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
f63a17d6
MC		 1765 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1766 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
b186a592 1767 return EXT_RETURN_FAIL;
7da160b0
MC		 1768 }
1769
b186a592 1770 return EXT_RETURN_SENT;
7da160b0 1771}
0247086d 1772
b186a592
MC		 1773EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1774 unsigned int context, X509 *x,
f63a17d6 1775 size_t chainidx)
38df5a45 1776{
fe874d27 1777 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1778 if (s->max_early_data == 0)
b186a592 1779 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1780
1781 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1782 || !WPACKET_start_sub_packet_u16(pkt)
1783 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1784 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1785 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1786 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
b186a592 1787 return EXT_RETURN_FAIL;
6594189f
MC		 1788 }
1789
b186a592 1790 return EXT_RETURN_SENT;
6594189f
MC		 1791 }
1792
38df5a45 1793 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1794 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1795
1796 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1797 || !WPACKET_start_sub_packet_u16(pkt)
1798 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1799 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1800 ERR_R_INTERNAL_ERROR);
b186a592 1801 return EXT_RETURN_FAIL;
38df5a45
MC		 1802 }
1803
b186a592 1804 return EXT_RETURN_SENT;
38df5a45
MC		 1805}
1806
b186a592 1807EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1808 X509 *x, size_t chainidx)
0247086d
MC		 1809{
1810 if (!s->hit)
b186a592 1811 return EXT_RETURN_NOT_SENT;
0247086d
MC		 1812
1813 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1814 || !WPACKET_start_sub_packet_u16(pkt)
1815 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1816 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1817 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1818 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
b186a592 1819 return EXT_RETURN_FAIL;
0247086d
MC		 1820 }
1821
b186a592 1822 return EXT_RETURN_SENT;
0247086d 1823}
A mirror of the official openssl repository