]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove notification settings from appveyor.yml
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e
MC		 1/*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
13
14/*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
61138358
MC		 17int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 19{
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
7fe97c07 26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
7fe97c07 34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
7fe97c07 42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
25670f3e
MC		 43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51}
52
1266eefd
MC		 53/*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
61138358
MC		 76int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 78{
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
25670f3e
MC		 82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
1266eefd 92 * syntax inextensibly and OpenSSL 1.0.x parses it as
25670f3e
MC		 93 * such.
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
97 *
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
100 */
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
105 return 0;
106 }
107
108 if (!s->hit) {
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
111 return 0;
112 }
113
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
116 return 0;
117 }
118
7d061fce
MC		 119 OPENSSL_free(s->session->ext.hostname);
120 s->session->ext.hostname = NULL;
aff8c126 121 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
25670f3e
MC		 122 *al = TLS1_AD_INTERNAL_ERROR;
123 return 0;
124 }
125
126 s->servername_done = 1;
127 } else {
128 /*
129 * TODO(openssl-team): if the SNI doesn't match, we MUST
130 * fall back to a full handshake.
131 */
aff8c126
RS		 132 s->servername_done = s->session->ext.hostname
133 && PACKET_equal(&hostname, s->session->ext.hostname,
134 strlen(s->session->ext.hostname));
25670f3e
MC		 135 }
136
137 return 1;
138}
139
140#ifndef OPENSSL_NO_SRP
61138358
MC		 141int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
142 size_t chainidx, int *al)
25670f3e
MC		 143{
144 PACKET srp_I;
145
146 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
147 || PACKET_contains_zero_byte(&srp_I)) {
148 *al = SSL_AD_DECODE_ERROR;
149 return 0;
150 }
151
152 /*
153 * TODO(openssl-team): currently, we re-authenticate the user
154 * upon resumption. Instead, we MUST ignore the login.
155 */
156 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
157 *al = TLS1_AD_INTERNAL_ERROR;
158 return 0;
159 }
160
161 return 1;
162}
163#endif
164
165#ifndef OPENSSL_NO_EC
61138358
MC		 166int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
167 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 168{
169 PACKET ec_point_format_list;
170
171 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
172 || PACKET_remaining(&ec_point_format_list) == 0) {
173 *al = SSL_AD_DECODE_ERROR;
174 return 0;
175 }
176
177 if (!s->hit) {
178 if (!PACKET_memdup(&ec_point_format_list,
aff8c126
RS		 179 &s->session->ext.ecpointformats,
180 &s->session->ext.ecpointformats_len)) {
25670f3e
MC		 181 *al = TLS1_AD_INTERNAL_ERROR;
182 return 0;
183 }
184 }
185
186 return 1;
187}
188#endif /* OPENSSL_NO_EC */
189
61138358
MC		 190int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
191 X509 *x, size_t chainidx, int *al)
25670f3e 192{
aff8c126
RS		 193 if (s->ext.session_ticket_cb &&
194 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
195 PACKET_remaining(pkt),
196 s->ext.session_ticket_cb_arg)) {
25670f3e
MC		 197 *al = TLS1_AD_INTERNAL_ERROR;
198 return 0;
199 }
200
201 return 1;
202}
203
61138358
MC		 204int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
205 size_t chainidx, int *al)
25670f3e
MC		 206{
207 PACKET supported_sig_algs;
208
209 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e
MC		 210 || PACKET_remaining(&supported_sig_algs) == 0) {
211 *al = SSL_AD_DECODE_ERROR;
212 return 0;
213 }
214
703bcee0
MC		 215 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
216 *al = TLS1_AD_DECODE_ERROR;
25670f3e
MC		 217 return 0;
218 }
219
220 return 1;
221}
222
ab83e314 223#ifndef OPENSSL_NO_OCSP
61138358
MC		 224int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
225 X509 *x, size_t chainidx, int *al)
25670f3e 226{
1266eefd
MC		 227 PACKET responder_id_list, exts;
228
e96e0f8e
MC		 229 /* Not defined if we get one of these in a client Certificate */
230 if (x != NULL)
231 return 1;
232
aff8c126 233 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
25670f3e
MC		 234 *al = SSL_AD_DECODE_ERROR;
235 return 0;
236 }
ab83e314 237
aff8c126 238 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 239 /*
1266eefd 240 * We don't know what to do with any other type so ignore it.
25670f3e 241 */
aff8c126 242 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 243 return 1;
244 }
25670f3e 245
1266eefd
MC		 246 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
247 *al = SSL_AD_DECODE_ERROR;
248 return 0;
249 }
25670f3e 250
1266eefd
MC		 251 /*
252 * We remove any OCSP_RESPIDs from a previous handshake
253 * to prevent unbounded memory growth - CVE-2016-6304
254 */
aff8c126 255 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 256 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 257 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
258 if (s->ext.ocsp.ids == NULL) {
1266eefd
MC		 259 *al = SSL_AD_INTERNAL_ERROR;
260 return 0;
261 }
262 } else {
aff8c126 263 s->ext.ocsp.ids = NULL;
1266eefd 264 }
25670f3e 265
1266eefd
MC		 266 while (PACKET_remaining(&responder_id_list) > 0) {
267 OCSP_RESPID *id;
268 PACKET responder_id;
269 const unsigned char *id_data;
25670f3e 270
1266eefd
MC		 271 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
272 || PACKET_remaining(&responder_id) == 0) {
273 *al = SSL_AD_DECODE_ERROR;
274 return 0;
275 }
25670f3e 276
1266eefd
MC		 277 id_data = PACKET_data(&responder_id);
278 /* TODO(size_t): Convert d2i_* to size_t */
279 id = d2i_OCSP_RESPID(NULL, &id_data,
280 (int)PACKET_remaining(&responder_id));
281 if (id == NULL) {
282 *al = SSL_AD_DECODE_ERROR;
283 return 0;
25670f3e
MC		 284 }
285
1266eefd
MC		 286 if (id_data != PACKET_end(&responder_id)) {
287 OCSP_RESPID_free(id);
25670f3e
MC		 288 *al = SSL_AD_DECODE_ERROR;
289 return 0;
290 }
291
aff8c126 292 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd
MC		 293 OCSP_RESPID_free(id);
294 *al = SSL_AD_INTERNAL_ERROR;
295 return 0;
296 }
297 }
298
299 /* Read in request_extensions */
300 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
301 *al = SSL_AD_DECODE_ERROR;
302 return 0;
303 }
304
305 if (PACKET_remaining(&exts) > 0) {
306 const unsigned char *ext_data = PACKET_data(&exts);
307
aff8c126 308 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 309 X509_EXTENSION_free);
aff8c126 310 s->ext.ocsp.exts =
1266eefd 311 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 312 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
1266eefd
MC		 313 *al = SSL_AD_DECODE_ERROR;
314 return 0;
25670f3e 315 }
25670f3e
MC		 316 }
317
318 return 1;
319}
ab83e314 320#endif
25670f3e
MC		 321
322#ifndef OPENSSL_NO_NEXTPROTONEG
61138358
MC		 323int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
324 size_t chainidx, int *al)
25670f3e 325{
1266eefd
MC		 326 /*
327 * We shouldn't accept this extension on a
328 * renegotiation.
1266eefd 329 */
c7f47786 330 if (SSL_IS_FIRST_HANDSHAKE(s))
aff8c126 331 s->s3->npn_seen = 1;
25670f3e
MC		 332
333 return 1;
334}
335#endif
336
337/*
1266eefd
MC		 338 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
339 * extension, not including type and length. |al| is a pointer to the alert
340 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
25670f3e 341 */
61138358
MC		 342int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
343 size_t chainidx, int *al)
25670f3e
MC		 344{
345 PACKET protocol_list, save_protocol_list, protocol;
346
c7f47786 347 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 348 return 1;
349
350 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
351 || PACKET_remaining(&protocol_list) < 2) {
352 *al = SSL_AD_DECODE_ERROR;
353 return 0;
354 }
355
356 save_protocol_list = protocol_list;
357 do {
358 /* Protocol names can't be empty. */
359 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
360 || PACKET_remaining(&protocol) == 0) {
361 *al = SSL_AD_DECODE_ERROR;
362 return 0;
363 }
364 } while (PACKET_remaining(&protocol_list) != 0);
365
7d061fce
MC		 366 OPENSSL_free(s->s3->alpn_proposed);
367 s->s3->alpn_proposed = NULL;
368 s->s3->alpn_proposed_len = 0;
25670f3e
MC		 369 if (!PACKET_memdup(&save_protocol_list,
370 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
371 *al = TLS1_AD_INTERNAL_ERROR;
372 return 0;
373 }
374
375 return 1;
376}
377
378#ifndef OPENSSL_NO_SRTP
61138358
MC		 379int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
380 size_t chainidx, int *al)
25670f3e 381{
25670f3e
MC		 382 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
383 unsigned int ct, mki_len, id;
384 int i, srtp_pref;
385 PACKET subpkt;
386
387 /* Ignore this if we have no SRTP profiles */
388 if (SSL_get_srtp_profiles(s) == NULL)
389 return 1;
390
391 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 392 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
393 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
7fe97c07 394 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 395 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
396 *al = SSL_AD_DECODE_ERROR;
397 return 0;
398 }
399
400 srvr = SSL_get_srtp_profiles(s);
401 s->srtp_profile = NULL;
402 /* Search all profiles for a match initially */
403 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
404
405 while (PACKET_remaining(&subpkt)) {
406 if (!PACKET_get_net_2(&subpkt, &id)) {
7fe97c07 407 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 408 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
409 *al = SSL_AD_DECODE_ERROR;
410 return 0;
411 }
412
413 /*
414 * Only look for match in profiles of higher preference than
415 * current match.
416 * If no profiles have been have been configured then this
417 * does nothing.
418 */
419 for (i = 0; i < srtp_pref; i++) {
d270de32 420 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 421 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
422
25670f3e
MC		 423 if (sprof->id == id) {
424 s->srtp_profile = sprof;
425 srtp_pref = i;
426 break;
427 }
428 }
429 }
430
1266eefd 431 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 432 if (!PACKET_get_1(pkt, &mki_len)) {
7fe97c07 433 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
25670f3e
MC		 434 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
435 *al = SSL_AD_DECODE_ERROR;
436 return 0;
437 }
438
439 if (!PACKET_forward(pkt, mki_len)
440 || PACKET_remaining(pkt)) {
7fe97c07 441 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 442 *al = SSL_AD_DECODE_ERROR;
443 return 0;
444 }
445
446 return 1;
447}
448#endif
449
61138358
MC		 450int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
451 size_t chainidx, int *al)
25670f3e
MC		 452{
453 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 454 s->ext.use_etm = 1;
25670f3e
MC		 455
456 return 1;
457}
458
b2f7e8c0
MC		 459/*
460 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
461 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
462 * If a failure occurs then |*al| is set to an appropriate alert value.
463 */
61138358
MC		 464int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
465 X509 *x, size_t chainidx, int *al)
b2f7e8c0
MC		 466{
467#ifndef OPENSSL_NO_TLS1_3
468 PACKET psk_kex_modes;
469 unsigned int mode;
470
471 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
472 || PACKET_remaining(&psk_kex_modes) == 0) {
473 *al = SSL_AD_DECODE_ERROR;
474 return 0;
475 }
476
477 while (PACKET_get_1(&psk_kex_modes, &mode)) {
478 if (mode == TLSEXT_KEX_MODE_KE_DHE)
479 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
480 else if (mode == TLSEXT_KEX_MODE_KE)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
482 }
483#endif
484
485 return 1;
486}
487
25670f3e
MC		 488/*
489 * Process a key_share extension received in the ClientHello. |pkt| contains
490 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
491 * If a failure occurs then |*al| is set to an appropriate alert value.
492 */
61138358
MC		 493int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
494 size_t chainidx, int *al)
25670f3e 495{
3cf96e88 496#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 497 unsigned int group_id;
498 PACKET key_share_list, encoded_pt;
499 const unsigned char *clntcurves, *srvrcurves;
500 size_t clnt_num_curves, srvr_num_curves;
501 int group_nid, found = 0;
502 unsigned int curve_flags;
503
f4bbb37c 504 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 505 return 1;
506
507 /* Sanity check */
508 if (s->s3->peer_tmp != NULL) {
509 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 510 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 511 return 0;
512 }
513
514 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
721586ea 515 *al = SSL_AD_DECODE_ERROR;
7fe97c07 516 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 517 return 0;
518 }
519
520 /* Get our list of supported curves */
521 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
522 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 523 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 524 return 0;
525 }
526
b6fdc12d 527 /* Get the clients list of supported curves. */
25670f3e
MC		 528 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
529 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 530 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 531 return 0;
532 }
b6fdc12d
MC		 533 if (clnt_num_curves == 0) {
534 /*
535 * This can only happen if the supported_groups extension was not sent,
536 * because we verify that the length is non-zero when we process that
537 * extension.
538 */
539 *al = SSL_AD_MISSING_EXTENSION;
540 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
541 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
542 return 0;
543 }
25670f3e
MC		 544
545 while (PACKET_remaining(&key_share_list) > 0) {
546 if (!PACKET_get_net_2(&key_share_list, &group_id)
547 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
548 || PACKET_remaining(&encoded_pt) == 0) {
721586ea 549 *al = SSL_AD_DECODE_ERROR;
7fe97c07 550 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 551 SSL_R_LENGTH_MISMATCH);
552 return 0;
553 }
554
555 /*
556 * If we already found a suitable key_share we loop through the
557 * rest to verify the structure, but don't process them.
558 */
559 if (found)
560 continue;
561
562 /* Check if this share is in supported_groups sent from client */
563 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
721586ea 564 *al = SSL_AD_ILLEGAL_PARAMETER;
7fe97c07 565 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 566 return 0;
567 }
568
569 /* Check if this share is for a group we can use */
570 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
571 /* Share not suitable */
572 continue;
573 }
574
575 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
576
577 if (group_nid == 0) {
578 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 579 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
25670f3e
MC		 580 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
581 return 0;
582 }
583
584 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
585 /* Can happen for some curves, e.g. X25519 */
586 EVP_PKEY *key = EVP_PKEY_new();
587
588 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
589 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 590 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 591 EVP_PKEY_free(key);
592 return 0;
593 }
594 s->s3->peer_tmp = key;
595 } else {
596 /* Set up EVP_PKEY with named curve as parameters */
597 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1266eefd 598
25670f3e
MC		 599 if (pctx == NULL
600 || EVP_PKEY_paramgen_init(pctx) <= 0
601 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
602 group_nid) <= 0
603 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
604 *al = SSL_AD_INTERNAL_ERROR;
7fe97c07 605 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
25670f3e
MC		 606 EVP_PKEY_CTX_free(pctx);
607 return 0;
608 }
609 EVP_PKEY_CTX_free(pctx);
610 pctx = NULL;
611 }
612 s->s3->group_id = group_id;
613
614 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
615 PACKET_data(&encoded_pt),
616 PACKET_remaining(&encoded_pt))) {
617 *al = SSL_AD_DECODE_ERROR;
7fe97c07 618 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
25670f3e
MC		 619 return 0;
620 }
621
622 found = 1;
623 }
3cf96e88 624#endif
25670f3e
MC		 625
626 return 1;
627}
628
629#ifndef OPENSSL_NO_EC
61138358
MC		 630int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
631 X509 *x, size_t chainidx, int *al)
25670f3e
MC		 632{
633 PACKET supported_groups_list;
634
635 /* Each group is 2 bytes and we must have at least 1. */
636 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
637 || PACKET_remaining(&supported_groups_list) == 0
638 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
639 *al = SSL_AD_DECODE_ERROR;
640 return 0;
641 }
642
7d061fce
MC		 643 OPENSSL_free(s->session->ext.supportedgroups);
644 s->session->ext.supportedgroups = NULL;
645 s->session->ext.supportedgroups_len = 0;
1053a6e2
MC		 646 if (!PACKET_memdup(&supported_groups_list,
647 &s->session->ext.supportedgroups,
648 &s->session->ext.supportedgroups_len)) {
25670f3e
MC		 649 *al = SSL_AD_DECODE_ERROR;
650 return 0;
651 }
652
653 return 1;
654}
655#endif
656
61138358
MC		 657int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
658 size_t chainidx, int *al)
25670f3e
MC		 659{
660 /* The extension must always be empty */
661 if (PACKET_remaining(pkt) != 0) {
662 *al = SSL_AD_DECODE_ERROR;
663 return 0;
664 }
665
666 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
667
668 return 1;
669}
7da160b0 670
38df5a45
MC		 671
672int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
673 X509 *x, size_t chainidx, int *al)
674{
675 if (PACKET_remaining(pkt) != 0) {
676 *al = SSL_AD_DECODE_ERROR;
677 return 0;
678 }
679
680 return 1;
681}
682
61138358
MC		 683int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
684 size_t chainidx, int *al)
1053a6e2
MC		 685{
686 PACKET identities, binders, binder;
687 size_t binderoffset, hashsize;
688 SSL_SESSION *sess = NULL;
689 unsigned int id, i;
690 const EVP_MD *md = NULL;
30d1bab1 691 uint32_t ticket_age = 0, now, agesec, agems;
1053a6e2 692
1a9f457c
MC		 693 /*
694 * If we have no PSK kex mode that we recognise then we can't resume so
695 * ignore this extension
696 */
697 if ((s->ext.psk_kex_mode
698 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
699 return 1;
700
1053a6e2
MC		 701 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
702 *al = SSL_AD_DECODE_ERROR;
703 return 0;
704 }
705
706 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
707 PACKET identity;
2c604cb9 708 unsigned long ticket_agel;
1053a6e2
MC		 709 int ret;
710
711 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 712 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1053a6e2
MC		 713 *al = SSL_AD_DECODE_ERROR;
714 return 0;
715 }
716
2c604cb9 717 ticket_age = (uint32_t)ticket_agel;
1b8bacff 718
1053a6e2
MC		 719 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
720 PACKET_remaining(&identity), NULL, 0, &sess);
721 if (ret == TICKET_FATAL_ERR_MALLOC || ret == TICKET_FATAL_ERR_OTHER) {
722 *al = SSL_AD_INTERNAL_ERROR;
723 return 0;
724 }
725 if (ret == TICKET_NO_DECRYPT)
726 continue;
727
534a43ff 728 md = ssl_md(sess->cipher->algorithm2);
1053a6e2
MC		 729 if (md == NULL) {
730 /*
731 * Don't recognise this cipher so we can't use the session.
732 * Ignore it
733 */
734 SSL_SESSION_free(sess);
735 sess = NULL;
736 continue;
737 }
738
739 /*
740 * TODO(TLS1.3): Somehow we need to handle the case of a ticket renewal.
741 * Ignored for now
742 */
743
744 break;
745 }
746
747 if (sess == NULL)
748 return 1;
749
750 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1053a6e2
MC		 751 hashsize = EVP_MD_size(md);
752
753 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
754 *al = SSL_AD_DECODE_ERROR;
755 goto err;
756 }
757
758 for (i = 0; i <= id; i++) {
759 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
760 *al = SSL_AD_DECODE_ERROR;
761 goto err;
762 }
763 }
764
765 if (PACKET_remaining(&binder) != hashsize
766 || tls_psk_do_binder(s, md,
767 (const unsigned char *)s->init_buf->data,
768 binderoffset, PACKET_data(&binder), NULL,
769 sess, 0) != 1) {
770 *al = SSL_AD_DECODE_ERROR;
771 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
772 goto err;
773 }
774
775 sess->ext.tick_identity = id;
2c604cb9
MC		 776
777 now = (uint32_t)time(NULL);
778 agesec = now - (uint32_t)sess->time;
779 agems = agesec * (uint32_t)1000;
780 ticket_age -= sess->ext.tick_age_add;
781
782
783 /*
784 * For simplicity we do our age calculations in seconds. If the client does
785 * it in ms then it could appear that their ticket age is longer than ours
786 * (our ticket age calculation should always be slightly longer than the
787 * client's due to the network latency). Therefore we add 1000ms to our age
788 * calculation to adjust for rounding errors.
789 */
d1186c30 790 if (sess->timeout >= (long)agesec
2c604cb9
MC		 791 && agems / (uint32_t)1000 == agesec
792 && ticket_age <= agems + 1000
793 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
794 /*
795 * Ticket age is within tolerance and not expired. We allow it for early
796 * data
797 */
798 s->ext.early_data_ok = 1;
799 }
800
801
1053a6e2
MC		 802 SSL_SESSION_free(s->session);
803 s->session = sess;
1053a6e2
MC		 804 return 1;
805err:
312e9387 806 SSL_SESSION_free(sess);
1053a6e2
MC		 807 return 0;
808}
809
1266eefd
MC		 810/*
811 * Add the server's renegotiation binding
812 */
61138358
MC		 813int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
814 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 815{
816 if (!s->s3->send_connection_binding)
817 return 1;
818
819 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
820 || !WPACKET_start_sub_packet_u16(pkt)
821 || !WPACKET_start_sub_packet_u8(pkt)
822 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
823 s->s3->previous_client_finished_len)
824 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
825 s->s3->previous_server_finished_len)
826 || !WPACKET_close(pkt)
827 || !WPACKET_close(pkt)) {
7fe97c07 828 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 829 return 0;
830 }
831
832 return 1;
833}
834
61138358
MC		 835int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, unsigned int context,
836 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 837{
838 if (s->hit || s->servername_done != 1
aff8c126 839 || s->session->ext.hostname == NULL)
7da160b0
MC		 840 return 1;
841
842 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
843 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 844 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 845 return 0;
846 }
847
848 return 1;
849}
850
851#ifndef OPENSSL_NO_EC
61138358
MC		 852int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
853 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 854{
855 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
856 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
89247375 857 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
aff8c126 858 && (s->session->ext.ecpointformats != NULL);
7da160b0
MC		 859 const unsigned char *plist;
860 size_t plistlen;
861
862 if (!using_ecc)
863 return 1;
864
865 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 866 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
867 || !WPACKET_start_sub_packet_u16(pkt)
868 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
869 || !WPACKET_close(pkt)) {
7fe97c07 870 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 871 return 0;
872 }
873
874 return 1;
875}
876#endif
877
cf53cbea 878#ifndef OPENSSL_NO_EC
6af87546
MC		 879int tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
880 unsigned int context, X509 *x,
881 size_t chainidx, int *al)
882{
883 const unsigned char *groups;
884 size_t numgroups, i, first = 1;
885
886 /* s->s3->group_id is non zero if we accepted a key_share */
887 if (s->s3->group_id == 0)
888 return 1;
889
890 /* Get our list of supported groups */
891 if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
892 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
893 return 0;
894 }
895
896 /* Copy group ID if supported */
897 for (i = 0; i < numgroups; i++, groups += 2) {
898 if (tls_curve_allowed(s, groups, SSL_SECOP_CURVE_SUPPORTED)) {
899 if (first) {
900 /*
901 * Check if the client is already using our preferred group. If
902 * so we don't need to add this extension
903 */
904 if (s->s3->group_id == GET_GROUP_ID(groups, 0))
905 return 1;
906
907 /* Add extension header */
908 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
909 /* Sub-packet for supported_groups extension */
910 || !WPACKET_start_sub_packet_u16(pkt)
911 || !WPACKET_start_sub_packet_u16(pkt)) {
912 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
913 ERR_R_INTERNAL_ERROR);
914 return 0;
915 }
916
917 first = 0;
918 }
12635aa0 919 if (!WPACKET_put_bytes_u16(pkt, GET_GROUP_ID(groups, 0))) {
6af87546
MC		 920 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
921 ERR_R_INTERNAL_ERROR);
922 return 0;
923 }
924 }
925 }
926
927 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
928 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
929 return 0;
930 }
931
932 return 1;
933}
cf53cbea 934#endif
6af87546 935
61138358
MC		 936int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
937 unsigned int context, X509 *x,
8521ced6 938 size_t chainidx, int *al)
7da160b0 939{
aff8c126
RS		 940 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
941 s->ext.ticket_expected = 0;
7da160b0
MC		 942 return 1;
943 }
944
945 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
946 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 947 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 948 return 0;
949 }
950
951 return 1;
952}
953
ab83e314 954#ifndef OPENSSL_NO_OCSP
61138358
MC		 955int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
956 unsigned int context, X509 *x,
957 size_t chainidx, int *al)
7da160b0 958{
aff8c126 959 if (!s->ext.status_expected)
7da160b0
MC		 960 return 1;
961
8521ced6 962 if (SSL_IS_TLS13(s) && chainidx != 0)
e96e0f8e
MC		 963 return 1;
964
7da160b0 965 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288
MC		 966 || !WPACKET_start_sub_packet_u16(pkt)) {
967 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
968 return 0;
969 }
970
971 /*
972 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
973 * send back an empty extension, with the certificate status appearing as a
974 * separate message
975 */
976 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
977 || !WPACKET_close(pkt)) {
7fe97c07 978 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 979 return 0;
980 }
981
982 return 1;
983}
ab83e314 984#endif
7da160b0 985
7da160b0 986#ifndef OPENSSL_NO_NEXTPROTONEG
61138358
MC		 987int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
988 unsigned int context, X509 *x,
8521ced6 989 size_t chainidx, int *al)
7da160b0
MC		 990{
991 const unsigned char *npa;
992 unsigned int npalen;
993 int ret;
aff8c126 994 int npn_seen = s->s3->npn_seen;
7da160b0 995
aff8c126
RS		 996 s->s3->npn_seen = 0;
997 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
7da160b0
MC		 998 return 1;
999
aff8c126
RS		 1000 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1001 s->ctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1002 if (ret == SSL_TLSEXT_ERR_OK) {
1003 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1004 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
7fe97c07 1005 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
7da160b0
MC		 1006 ERR_R_INTERNAL_ERROR);
1007 return 0;
1008 }
aff8c126 1009 s->s3->npn_seen = 1;
7da160b0
MC		 1010 }
1011
1012 return 1;
1013}
1014#endif
1015
61138358
MC		 1016int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1017 size_t chainidx, int *al)
7da160b0
MC		 1018{
1019 if (s->s3->alpn_selected == NULL)
1020 return 1;
1021
1022 if (!WPACKET_put_bytes_u16(pkt,
1023 TLSEXT_TYPE_application_layer_protocol_negotiation)
1024 || !WPACKET_start_sub_packet_u16(pkt)
1025 || !WPACKET_start_sub_packet_u16(pkt)
1026 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1027 s->s3->alpn_selected_len)
1028 || !WPACKET_close(pkt)
1029 || !WPACKET_close(pkt)) {
7fe97c07 1030 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1031 return 0;
1032 }
1033
1034 return 1;
1035}
1036
1037#ifndef OPENSSL_NO_SRTP
61138358
MC		 1038int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
1039 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 1040{
1041 if (s->srtp_profile == NULL)
1042 return 1;
a1448c26 1043
7da160b0
MC		 1044 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1045 || !WPACKET_start_sub_packet_u16(pkt)
1046 || !WPACKET_put_bytes_u16(pkt, 2)
1047 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1048 || !WPACKET_put_bytes_u8(pkt, 0)
1049 || !WPACKET_close(pkt)) {
7fe97c07 1050 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1051 return 0;
1052 }
1053
1054 return 1;
1055}
1056#endif
1057
61138358
MC		 1058int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1059 size_t chainidx, int *al)
7da160b0 1060{
28a31a0a 1061 if (!s->ext.use_etm)
7da160b0
MC		 1062 return 1;
1063
1064 /*
1065 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1066 * for other cases too.
1067 */
1068 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1069 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1070 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1071 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
28a31a0a 1072 s->ext.use_etm = 0;
7da160b0
MC		 1073 return 1;
1074 }
1075
1076 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1077 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 1078 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1079 return 0;
1080 }
1081
1082 return 1;
1083}
1084
61138358
MC		 1085int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1086 size_t chainidx, int *al)
7da160b0
MC		 1087{
1088 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1089 return 1;
1090
1091 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1092 || !WPACKET_put_bytes_u16(pkt, 0)) {
7fe97c07 1093 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1094 return 0;
1095 }
1096
1097 return 1;
1098}
1099
61138358
MC		 1100int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
1101 X509 *x, size_t chainidx, int *al)
7da160b0 1102{
3cf96e88 1103#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1104 unsigned char *encodedPoint;
1105 size_t encoded_pt_len = 0;
1106 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1107
7da160b0 1108 if (ckey == NULL) {
7d061fce
MC		 1109 /* No key_share received from client */
1110 if (s->hello_retry_request) {
7d061fce 1111 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
aff9929b
MC		 1112 || !WPACKET_start_sub_packet_u16(pkt)
1113 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1114 || !WPACKET_close(pkt)) {
7d061fce
MC		 1115 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1116 ERR_R_INTERNAL_ERROR);
1117 return 0;
1118 }
1119
1120 return 1;
1121 }
1122
1123 /* Must be resuming. */
0247086d
MC		 1124 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1125 *al = SSL_AD_INTERNAL_ERROR;
1126 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1127 return 0;
1128 }
1129 return 1;
7da160b0
MC		 1130 }
1131
1132 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1133 || !WPACKET_start_sub_packet_u16(pkt)
1134 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
7fe97c07 1135 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1136 return 0;
1137 }
1138
1139 skey = ssl_generate_pkey(ckey);
1140 if (skey == NULL) {
7fe97c07 1141 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
7da160b0
MC		 1142 return 0;
1143 }
1144
1145 /* Generate encoding of server key */
1146 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1147 if (encoded_pt_len == 0) {
7fe97c07 1148 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
7da160b0
MC		 1149 EVP_PKEY_free(skey);
1150 return 0;
1151 }
1152
1153 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1154 || !WPACKET_close(pkt)) {
7fe97c07 1155 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1156 EVP_PKEY_free(skey);
1157 OPENSSL_free(encodedPoint);
1158 return 0;
1159 }
1160 OPENSSL_free(encodedPoint);
1161
1162 /* This causes the crypto state to be updated based on the derived keys */
1163 s->s3->tmp.pkey = skey;
1164 if (ssl_derive(s, skey, ckey, 1) == 0) {
7fe97c07 1165 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1166 return 0;
1167 }
3cf96e88 1168#endif
7da160b0
MC		 1169
1170 return 1;
1171}
1172
61138358
MC		 1173int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context,
1174 X509 *x, size_t chainidx, int *al)
7da160b0
MC		 1175{
1176 const unsigned char cryptopro_ext[36] = {
1177 0xfd, 0xe8, /* 65000 */
1178 0x00, 0x20, /* 32 bytes length */
1179 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1180 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1181 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1182 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1183 };
1184
1185 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1186 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1187 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1188 return 1;
1189
1190 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
7fe97c07 1191 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
7da160b0
MC		 1192 return 0;
1193 }
1194
1195 return 1;
1196}
0247086d 1197
38df5a45
MC		 1198int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,
1199 X509 *x, size_t chainidx, int *al)
1200{
fe874d27 1201 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f
MC		 1202 if (s->max_early_data == 0)
1203 return 1;
1204
1205 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1206 || !WPACKET_start_sub_packet_u16(pkt)
1207 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1208 || !WPACKET_close(pkt)) {
1209 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1210 return 0;
1211 }
1212
1213 return 1;
1214 }
1215
38df5a45
MC		 1216 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1217 return 1;
1218
1219 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1220 || !WPACKET_start_sub_packet_u16(pkt)
1221 || !WPACKET_close(pkt)) {
1222 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1223 return 0;
1224 }
1225
1226 return 1;
1227}
1228
61138358
MC		 1229int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1230 size_t chainidx, int *al)
0247086d
MC		 1231{
1232 if (!s->hit)
1233 return 1;
1234
1235 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1236 || !WPACKET_start_sub_packet_u16(pkt)
1237 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1238 || !WPACKET_close(pkt)) {
1239 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1240 return 0;
1241 }
1242
1243 return 1;
1244}
A mirror of the official openssl repository