2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
15 #define COOKIE_STATE_FORMAT_VERSION 0
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
39 * Parse the client's renegotiation binding and abort if it's not right
41 int tls_parse_ctos_renegotiate(SSL
*s
, PACKET
*pkt
, unsigned int context
,
42 X509
*x
, size_t chainidx
)
45 const unsigned char *data
;
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt
, &ilen
)
49 || !PACKET_get_bytes(pkt
, &data
, ilen
)) {
50 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE
,
51 SSL_R_RENEGOTIATION_ENCODING_ERR
);
55 /* Check that the extension matches */
56 if (ilen
!= s
->s3
.previous_client_finished_len
) {
57 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE
,
58 SSL_R_RENEGOTIATION_MISMATCH
);
62 if (memcmp(data
, s
->s3
.previous_client_finished
,
63 s
->s3
.previous_client_finished_len
)) {
64 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE
,
65 SSL_R_RENEGOTIATION_MISMATCH
);
69 s
->s3
.send_connection_binding
= 1;
75 * The servername extension is treated as follows:
77 * - Only the hostname type is supported with a maximum length of 255.
78 * - The servername is rejected if too long or if it contains zeros,
79 * in which case an fatal alert is generated.
80 * - The servername field is maintained together with the session cache.
81 * - When a session is resumed, the servername call back invoked in order
82 * to allow the application to position itself to the right context.
83 * - The servername is acknowledged if it is new for a session or when
84 * it is identical to a previously used for the same session.
85 * Applications can control the behaviour. They can at any time
86 * set a 'desirable' servername for a new SSL object. This can be the
87 * case for example with HTTPS when a Host: header field is received and
88 * a renegotiation is requested. In this case, a possible servername
89 * presented in the new client hello is only acknowledged if it matches
90 * the value of the Host: field.
91 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
92 * if they provide for changing an explicit servername context for the
93 * session, i.e. when the session has been established with a servername
95 * - On session reconnect, the servername extension may be absent.
97 int tls_parse_ctos_server_name(SSL
*s
, PACKET
*pkt
, unsigned int context
,
98 X509
*x
, size_t chainidx
)
100 unsigned int servname_type
;
101 PACKET sni
, hostname
;
103 if (!PACKET_as_length_prefixed_2(pkt
, &sni
)
104 /* ServerNameList must be at least 1 byte long. */
105 || PACKET_remaining(&sni
) == 0) {
106 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_SERVER_NAME
,
107 SSL_R_BAD_EXTENSION
);
112 * Although the intent was for server_name to be extensible, RFC 4366
113 * was not clear about it; and so OpenSSL among other implementations,
114 * always and only allows a 'host_name' name types.
115 * RFC 6066 corrected the mistake but adding new name types
116 * is nevertheless no longer feasible, so act as if no other
117 * SNI types can exist, to simplify parsing.
119 * Also note that the RFC permits only one SNI value per type,
120 * i.e., we can only have a single hostname.
122 if (!PACKET_get_1(&sni
, &servname_type
)
123 || servname_type
!= TLSEXT_NAMETYPE_host_name
124 || !PACKET_as_length_prefixed_2(&sni
, &hostname
)) {
125 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_SERVER_NAME
,
126 SSL_R_BAD_EXTENSION
);
131 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
132 * we always use the SNI value from the handshake.
134 if (!s
->hit
|| SSL_IS_TLS13(s
)) {
135 if (PACKET_remaining(&hostname
) > TLSEXT_MAXLEN_host_name
) {
136 SSLfatal(s
, SSL_AD_UNRECOGNIZED_NAME
,
137 SSL_F_TLS_PARSE_CTOS_SERVER_NAME
,
138 SSL_R_BAD_EXTENSION
);
142 if (PACKET_contains_zero_byte(&hostname
)) {
143 SSLfatal(s
, SSL_AD_UNRECOGNIZED_NAME
,
144 SSL_F_TLS_PARSE_CTOS_SERVER_NAME
,
145 SSL_R_BAD_EXTENSION
);
150 * Store the requested SNI in the SSL as temporary storage.
151 * If we accept it, it will get stored in the SSL_SESSION as well.
153 OPENSSL_free(s
->ext
.hostname
);
154 s
->ext
.hostname
= NULL
;
155 if (!PACKET_strndup(&hostname
, &s
->ext
.hostname
)) {
156 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_SERVER_NAME
,
157 ERR_R_INTERNAL_ERROR
);
161 s
->servername_done
= 1;
164 * In TLSv1.2 and below we should check if the SNI is consistent between
165 * the initial handshake and the resumption. In TLSv1.3 SNI is not
166 * associated with the session.
169 * TODO(openssl-team): if the SNI doesn't match, we MUST
170 * fall back to a full handshake.
172 s
->servername_done
= (s
->session
->ext
.hostname
!= NULL
)
173 && PACKET_equal(&hostname
, s
->session
->ext
.hostname
,
174 strlen(s
->session
->ext
.hostname
));
180 int tls_parse_ctos_maxfragmentlen(SSL
*s
, PACKET
*pkt
, unsigned int context
,
181 X509
*x
, size_t chainidx
)
185 if (PACKET_remaining(pkt
) != 1 || !PACKET_get_1(pkt
, &value
)) {
186 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN
,
187 SSL_R_BAD_EXTENSION
);
191 /* Received |value| should be a valid max-fragment-length code. */
192 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value
)) {
193 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
194 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN
,
195 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH
);
200 * RFC 6066: The negotiated length applies for the duration of the session
201 * including session resumptions.
202 * We should receive the same code as in resumed session !
204 if (s
->hit
&& s
->session
->ext
.max_fragment_len_mode
!= value
) {
205 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
206 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN
,
207 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH
);
212 * Store it in session, so it'll become binding for us
213 * and we'll include it in a next Server Hello.
215 s
->session
->ext
.max_fragment_len_mode
= value
;
219 #ifndef OPENSSL_NO_SRP
220 int tls_parse_ctos_srp(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
225 if (!PACKET_as_length_prefixed_1(pkt
, &srp_I
)
226 || PACKET_contains_zero_byte(&srp_I
)) {
227 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
228 SSL_F_TLS_PARSE_CTOS_SRP
,
229 SSL_R_BAD_EXTENSION
);
234 * TODO(openssl-team): currently, we re-authenticate the user
235 * upon resumption. Instead, we MUST ignore the login.
237 if (!PACKET_strndup(&srp_I
, &s
->srp_ctx
.login
)) {
238 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_SRP
,
239 ERR_R_INTERNAL_ERROR
);
247 #ifndef OPENSSL_NO_EC
248 int tls_parse_ctos_ec_pt_formats(SSL
*s
, PACKET
*pkt
, unsigned int context
,
249 X509
*x
, size_t chainidx
)
251 PACKET ec_point_format_list
;
253 if (!PACKET_as_length_prefixed_1(pkt
, &ec_point_format_list
)
254 || PACKET_remaining(&ec_point_format_list
) == 0) {
255 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS
,
256 SSL_R_BAD_EXTENSION
);
261 if (!PACKET_memdup(&ec_point_format_list
,
262 &s
->ext
.peer_ecpointformats
,
263 &s
->ext
.peer_ecpointformats_len
)) {
264 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
265 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS
, ERR_R_INTERNAL_ERROR
);
272 #endif /* OPENSSL_NO_EC */
274 int tls_parse_ctos_session_ticket(SSL
*s
, PACKET
*pkt
, unsigned int context
,
275 X509
*x
, size_t chainidx
)
277 if (s
->ext
.session_ticket_cb
&&
278 !s
->ext
.session_ticket_cb(s
, PACKET_data(pkt
),
279 PACKET_remaining(pkt
),
280 s
->ext
.session_ticket_cb_arg
)) {
281 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
282 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET
, ERR_R_INTERNAL_ERROR
);
289 int tls_parse_ctos_sig_algs_cert(SSL
*s
, PACKET
*pkt
, unsigned int context
,
290 X509
*x
, size_t chainidx
)
292 PACKET supported_sig_algs
;
294 if (!PACKET_as_length_prefixed_2(pkt
, &supported_sig_algs
)
295 || PACKET_remaining(&supported_sig_algs
) == 0) {
296 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
297 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT
, SSL_R_BAD_EXTENSION
);
301 if (!s
->hit
&& !tls1_save_sigalgs(s
, &supported_sig_algs
, 1)) {
302 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
303 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT
, SSL_R_BAD_EXTENSION
);
310 int tls_parse_ctos_sig_algs(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
313 PACKET supported_sig_algs
;
315 if (!PACKET_as_length_prefixed_2(pkt
, &supported_sig_algs
)
316 || PACKET_remaining(&supported_sig_algs
) == 0) {
317 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
318 SSL_F_TLS_PARSE_CTOS_SIG_ALGS
, SSL_R_BAD_EXTENSION
);
322 if (!s
->hit
&& !tls1_save_sigalgs(s
, &supported_sig_algs
, 0)) {
323 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
324 SSL_F_TLS_PARSE_CTOS_SIG_ALGS
, SSL_R_BAD_EXTENSION
);
331 #ifndef OPENSSL_NO_OCSP
332 int tls_parse_ctos_status_request(SSL
*s
, PACKET
*pkt
, unsigned int context
,
333 X509
*x
, size_t chainidx
)
335 PACKET responder_id_list
, exts
;
337 /* We ignore this in a resumption handshake */
341 /* Not defined if we get one of these in a client Certificate */
345 if (!PACKET_get_1(pkt
, (unsigned int *)&s
->ext
.status_type
)) {
346 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
347 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
351 if (s
->ext
.status_type
!= TLSEXT_STATUSTYPE_ocsp
) {
353 * We don't know what to do with any other type so ignore it.
355 s
->ext
.status_type
= TLSEXT_STATUSTYPE_nothing
;
359 if (!PACKET_get_length_prefixed_2 (pkt
, &responder_id_list
)) {
360 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
361 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
366 * We remove any OCSP_RESPIDs from a previous handshake
367 * to prevent unbounded memory growth - CVE-2016-6304
369 sk_OCSP_RESPID_pop_free(s
->ext
.ocsp
.ids
, OCSP_RESPID_free
);
370 if (PACKET_remaining(&responder_id_list
) > 0) {
371 s
->ext
.ocsp
.ids
= sk_OCSP_RESPID_new_null();
372 if (s
->ext
.ocsp
.ids
== NULL
) {
373 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
374 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, ERR_R_MALLOC_FAILURE
);
378 s
->ext
.ocsp
.ids
= NULL
;
381 while (PACKET_remaining(&responder_id_list
) > 0) {
384 const unsigned char *id_data
;
386 if (!PACKET_get_length_prefixed_2(&responder_id_list
, &responder_id
)
387 || PACKET_remaining(&responder_id
) == 0) {
388 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
389 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
393 id_data
= PACKET_data(&responder_id
);
394 /* TODO(size_t): Convert d2i_* to size_t */
395 id
= d2i_OCSP_RESPID(NULL
, &id_data
,
396 (int)PACKET_remaining(&responder_id
));
398 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
399 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
403 if (id_data
!= PACKET_end(&responder_id
)) {
404 OCSP_RESPID_free(id
);
405 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
406 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
411 if (!sk_OCSP_RESPID_push(s
->ext
.ocsp
.ids
, id
)) {
412 OCSP_RESPID_free(id
);
413 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
414 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, ERR_R_INTERNAL_ERROR
);
420 /* Read in request_extensions */
421 if (!PACKET_as_length_prefixed_2(pkt
, &exts
)) {
422 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
423 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
427 if (PACKET_remaining(&exts
) > 0) {
428 const unsigned char *ext_data
= PACKET_data(&exts
);
430 sk_X509_EXTENSION_pop_free(s
->ext
.ocsp
.exts
,
431 X509_EXTENSION_free
);
433 d2i_X509_EXTENSIONS(NULL
, &ext_data
, (int)PACKET_remaining(&exts
));
434 if (s
->ext
.ocsp
.exts
== NULL
|| ext_data
!= PACKET_end(&exts
)) {
435 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
436 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST
, SSL_R_BAD_EXTENSION
);
445 #ifndef OPENSSL_NO_NEXTPROTONEG
446 int tls_parse_ctos_npn(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
450 * We shouldn't accept this extension on a
453 if (SSL_IS_FIRST_HANDSHAKE(s
))
461 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
462 * extension, not including type and length. Returns: 1 on success, 0 on error.
464 int tls_parse_ctos_alpn(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
467 PACKET protocol_list
, save_protocol_list
, protocol
;
469 if (!SSL_IS_FIRST_HANDSHAKE(s
))
472 if (!PACKET_as_length_prefixed_2(pkt
, &protocol_list
)
473 || PACKET_remaining(&protocol_list
) < 2) {
474 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_ALPN
,
475 SSL_R_BAD_EXTENSION
);
479 save_protocol_list
= protocol_list
;
481 /* Protocol names can't be empty. */
482 if (!PACKET_get_length_prefixed_1(&protocol_list
, &protocol
)
483 || PACKET_remaining(&protocol
) == 0) {
484 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_ALPN
,
485 SSL_R_BAD_EXTENSION
);
488 } while (PACKET_remaining(&protocol_list
) != 0);
490 OPENSSL_free(s
->s3
.alpn_proposed
);
491 s
->s3
.alpn_proposed
= NULL
;
492 s
->s3
.alpn_proposed_len
= 0;
493 if (!PACKET_memdup(&save_protocol_list
,
494 &s
->s3
.alpn_proposed
, &s
->s3
.alpn_proposed_len
)) {
495 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_ALPN
,
496 ERR_R_INTERNAL_ERROR
);
503 #ifndef OPENSSL_NO_SRTP
504 int tls_parse_ctos_use_srtp(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
507 STACK_OF(SRTP_PROTECTION_PROFILE
) *srvr
;
508 unsigned int ct
, mki_len
, id
;
512 /* Ignore this if we have no SRTP profiles */
513 if (SSL_get_srtp_profiles(s
) == NULL
)
516 /* Pull off the length of the cipher suite list and check it is even */
517 if (!PACKET_get_net_2(pkt
, &ct
) || (ct
& 1) != 0
518 || !PACKET_get_sub_packet(pkt
, &subpkt
, ct
)) {
519 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_USE_SRTP
,
520 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
524 srvr
= SSL_get_srtp_profiles(s
);
525 s
->srtp_profile
= NULL
;
526 /* Search all profiles for a match initially */
527 srtp_pref
= sk_SRTP_PROTECTION_PROFILE_num(srvr
);
529 while (PACKET_remaining(&subpkt
)) {
530 if (!PACKET_get_net_2(&subpkt
, &id
)) {
531 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_USE_SRTP
,
532 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
537 * Only look for match in profiles of higher preference than
539 * If no profiles have been have been configured then this
542 for (i
= 0; i
< srtp_pref
; i
++) {
543 SRTP_PROTECTION_PROFILE
*sprof
=
544 sk_SRTP_PROTECTION_PROFILE_value(srvr
, i
);
546 if (sprof
->id
== id
) {
547 s
->srtp_profile
= sprof
;
554 /* Now extract the MKI value as a sanity check, but discard it for now */
555 if (!PACKET_get_1(pkt
, &mki_len
)) {
556 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_USE_SRTP
,
557 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST
);
561 if (!PACKET_forward(pkt
, mki_len
)
562 || PACKET_remaining(pkt
)) {
563 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_USE_SRTP
,
564 SSL_R_BAD_SRTP_MKI_VALUE
);
572 int tls_parse_ctos_etm(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
575 if (!(s
->options
& SSL_OP_NO_ENCRYPT_THEN_MAC
))
582 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
583 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
585 int tls_parse_ctos_psk_kex_modes(SSL
*s
, PACKET
*pkt
, unsigned int context
,
586 X509
*x
, size_t chainidx
)
588 #ifndef OPENSSL_NO_TLS1_3
589 PACKET psk_kex_modes
;
592 if (!PACKET_as_length_prefixed_1(pkt
, &psk_kex_modes
)
593 || PACKET_remaining(&psk_kex_modes
) == 0) {
594 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES
,
595 SSL_R_BAD_EXTENSION
);
599 while (PACKET_get_1(&psk_kex_modes
, &mode
)) {
600 if (mode
== TLSEXT_KEX_MODE_KE_DHE
)
601 s
->ext
.psk_kex_mode
|= TLSEXT_KEX_MODE_FLAG_KE_DHE
;
602 else if (mode
== TLSEXT_KEX_MODE_KE
603 && (s
->options
& SSL_OP_ALLOW_NO_DHE_KEX
) != 0)
604 s
->ext
.psk_kex_mode
|= TLSEXT_KEX_MODE_FLAG_KE
;
612 * Process a key_share extension received in the ClientHello. |pkt| contains
613 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
615 int tls_parse_ctos_key_share(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
618 #ifndef OPENSSL_NO_TLS1_3
619 unsigned int group_id
;
620 PACKET key_share_list
, encoded_pt
;
621 const uint16_t *clntgroups
, *srvrgroups
;
622 size_t clnt_num_groups
, srvr_num_groups
;
625 if (s
->hit
&& (s
->ext
.psk_kex_mode
& TLSEXT_KEX_MODE_FLAG_KE_DHE
) == 0)
629 if (s
->s3
.peer_tmp
!= NULL
) {
630 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
631 ERR_R_INTERNAL_ERROR
);
635 if (!PACKET_as_length_prefixed_2(pkt
, &key_share_list
)) {
636 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
637 SSL_R_LENGTH_MISMATCH
);
641 /* Get our list of supported groups */
642 tls1_get_supported_groups(s
, &srvrgroups
, &srvr_num_groups
);
643 /* Get the clients list of supported groups. */
644 tls1_get_peer_groups(s
, &clntgroups
, &clnt_num_groups
);
645 if (clnt_num_groups
== 0) {
647 * This can only happen if the supported_groups extension was not sent,
648 * because we verify that the length is non-zero when we process that
651 SSLfatal(s
, SSL_AD_MISSING_EXTENSION
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
652 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION
);
656 if (s
->s3
.group_id
!= 0 && PACKET_remaining(&key_share_list
) == 0) {
658 * If we set a group_id already, then we must have sent an HRR
659 * requesting a new key_share. If we haven't got one then that is an
662 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
663 SSL_R_BAD_KEY_SHARE
);
667 while (PACKET_remaining(&key_share_list
) > 0) {
668 if (!PACKET_get_net_2(&key_share_list
, &group_id
)
669 || !PACKET_get_length_prefixed_2(&key_share_list
, &encoded_pt
)
670 || PACKET_remaining(&encoded_pt
) == 0) {
671 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
672 SSL_R_LENGTH_MISMATCH
);
677 * If we already found a suitable key_share we loop through the
678 * rest to verify the structure, but don't process them.
684 * If we sent an HRR then the key_share sent back MUST be for the group
685 * we requested, and must be the only key_share sent.
687 if (s
->s3
.group_id
!= 0
688 && (group_id
!= s
->s3
.group_id
689 || PACKET_remaining(&key_share_list
) != 0)) {
690 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
691 SSL_F_TLS_PARSE_CTOS_KEY_SHARE
, SSL_R_BAD_KEY_SHARE
);
695 /* Check if this share is in supported_groups sent from client */
696 if (!check_in_list(s
, group_id
, clntgroups
, clnt_num_groups
, 0)) {
697 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
698 SSL_F_TLS_PARSE_CTOS_KEY_SHARE
, SSL_R_BAD_KEY_SHARE
);
702 /* Check if this share is for a group we can use */
703 if (!check_in_list(s
, group_id
, srvrgroups
, srvr_num_groups
, 1)) {
704 /* Share not suitable */
708 if ((s
->s3
.peer_tmp
= ssl_generate_param_group(s
, group_id
)) == NULL
) {
709 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_KEY_SHARE
,
710 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS
);
714 s
->s3
.group_id
= group_id
;
716 if (!EVP_PKEY_set1_tls_encodedpoint(s
->s3
.peer_tmp
,
717 PACKET_data(&encoded_pt
),
718 PACKET_remaining(&encoded_pt
))) {
719 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
720 SSL_F_TLS_PARSE_CTOS_KEY_SHARE
, SSL_R_BAD_ECPOINT
);
731 int tls_parse_ctos_cookie(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
734 #ifndef OPENSSL_NO_TLS1_3
735 unsigned int format
, version
, key_share
, group_id
;
738 PACKET cookie
, raw
, chhash
, appcookie
;
740 const unsigned char *data
, *mdin
, *ciphdata
;
741 unsigned char hmac
[SHA256_DIGEST_LENGTH
];
742 unsigned char hrr
[MAX_HRR_SIZE
];
743 size_t rawlen
, hmaclen
, hrrlen
, ciphlen
;
744 unsigned long tm
, now
;
746 /* Ignore any cookie if we're not set up to verify it */
747 if (s
->ctx
->verify_stateless_cookie_cb
== NULL
748 || (s
->s3
.flags
& TLS1_FLAGS_STATELESS
) == 0)
751 if (!PACKET_as_length_prefixed_2(pkt
, &cookie
)) {
752 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
753 SSL_R_LENGTH_MISMATCH
);
758 data
= PACKET_data(&raw
);
759 rawlen
= PACKET_remaining(&raw
);
760 if (rawlen
< SHA256_DIGEST_LENGTH
761 || !PACKET_forward(&raw
, rawlen
- SHA256_DIGEST_LENGTH
)) {
762 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
763 SSL_R_LENGTH_MISMATCH
);
766 mdin
= PACKET_data(&raw
);
768 /* Verify the HMAC of the cookie */
769 hctx
= EVP_MD_CTX_create();
770 pkey
= EVP_PKEY_new_raw_private_key_with_libctx(s
->ctx
->libctx
, "HMAC",
772 s
->session_ctx
->ext
.cookie_hmac_key
,
773 sizeof(s
->session_ctx
->ext
775 if (hctx
== NULL
|| pkey
== NULL
) {
776 EVP_MD_CTX_free(hctx
);
778 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
779 ERR_R_MALLOC_FAILURE
);
783 hmaclen
= SHA256_DIGEST_LENGTH
;
784 if (EVP_DigestSignInit_with_libctx(hctx
, NULL
, "SHA2-256",
785 s
->ctx
->libctx
, s
->ctx
->propq
, pkey
) <= 0
786 || EVP_DigestSign(hctx
, hmac
, &hmaclen
, data
,
787 rawlen
- SHA256_DIGEST_LENGTH
) <= 0
788 || hmaclen
!= SHA256_DIGEST_LENGTH
) {
789 EVP_MD_CTX_free(hctx
);
791 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
792 ERR_R_INTERNAL_ERROR
);
796 EVP_MD_CTX_free(hctx
);
799 if (CRYPTO_memcmp(hmac
, mdin
, SHA256_DIGEST_LENGTH
) != 0) {
800 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
801 SSL_R_COOKIE_MISMATCH
);
805 if (!PACKET_get_net_2(&cookie
, &format
)) {
806 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
807 SSL_R_LENGTH_MISMATCH
);
810 /* Check the cookie format is something we recognise. Ignore it if not */
811 if (format
!= COOKIE_STATE_FORMAT_VERSION
)
815 * The rest of these checks really shouldn't fail since we have verified the
819 /* Check the version number is sane */
820 if (!PACKET_get_net_2(&cookie
, &version
)) {
821 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
822 SSL_R_LENGTH_MISMATCH
);
825 if (version
!= TLS1_3_VERSION
) {
826 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
827 SSL_R_BAD_PROTOCOL_VERSION_NUMBER
);
831 if (!PACKET_get_net_2(&cookie
, &group_id
)) {
832 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
833 SSL_R_LENGTH_MISMATCH
);
837 ciphdata
= PACKET_data(&cookie
);
838 if (!PACKET_forward(&cookie
, 2)) {
839 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
840 SSL_R_LENGTH_MISMATCH
);
843 if (group_id
!= s
->s3
.group_id
844 || s
->s3
.tmp
.new_cipher
845 != ssl_get_cipher_by_char(s
, ciphdata
, 0)) {
847 * We chose a different cipher or group id this time around to what is
848 * in the cookie. Something must have changed.
850 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
855 if (!PACKET_get_1(&cookie
, &key_share
)
856 || !PACKET_get_net_4(&cookie
, &tm
)
857 || !PACKET_get_length_prefixed_2(&cookie
, &chhash
)
858 || !PACKET_get_length_prefixed_1(&cookie
, &appcookie
)
859 || PACKET_remaining(&cookie
) != SHA256_DIGEST_LENGTH
) {
860 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
861 SSL_R_LENGTH_MISMATCH
);
865 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
866 now
= (unsigned long)time(NULL
);
867 if (tm
> now
|| (now
- tm
) > 600) {
868 /* Cookie is stale. Ignore it */
872 /* Verify the app cookie */
873 if (s
->ctx
->verify_stateless_cookie_cb(s
, PACKET_data(&appcookie
),
874 PACKET_remaining(&appcookie
)) == 0) {
875 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
876 SSL_R_COOKIE_MISMATCH
);
881 * Reconstruct the HRR that we would have sent in response to the original
882 * ClientHello so we can add it to the transcript hash.
883 * Note: This won't work with custom HRR extensions
885 if (!WPACKET_init_static_len(&hrrpkt
, hrr
, sizeof(hrr
), 0)) {
886 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
887 ERR_R_INTERNAL_ERROR
);
890 if (!WPACKET_put_bytes_u8(&hrrpkt
, SSL3_MT_SERVER_HELLO
)
891 || !WPACKET_start_sub_packet_u24(&hrrpkt
)
892 || !WPACKET_put_bytes_u16(&hrrpkt
, TLS1_2_VERSION
)
893 || !WPACKET_memcpy(&hrrpkt
, hrrrandom
, SSL3_RANDOM_SIZE
)
894 || !WPACKET_sub_memcpy_u8(&hrrpkt
, s
->tmp_session_id
,
895 s
->tmp_session_id_len
)
896 || !s
->method
->put_cipher_by_char(s
->s3
.tmp
.new_cipher
, &hrrpkt
,
898 || !WPACKET_put_bytes_u8(&hrrpkt
, 0)
899 || !WPACKET_start_sub_packet_u16(&hrrpkt
)) {
900 WPACKET_cleanup(&hrrpkt
);
901 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
902 ERR_R_INTERNAL_ERROR
);
905 if (!WPACKET_put_bytes_u16(&hrrpkt
, TLSEXT_TYPE_supported_versions
)
906 || !WPACKET_start_sub_packet_u16(&hrrpkt
)
907 || !WPACKET_put_bytes_u16(&hrrpkt
, s
->version
)
908 || !WPACKET_close(&hrrpkt
)) {
909 WPACKET_cleanup(&hrrpkt
);
910 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
911 ERR_R_INTERNAL_ERROR
);
915 if (!WPACKET_put_bytes_u16(&hrrpkt
, TLSEXT_TYPE_key_share
)
916 || !WPACKET_start_sub_packet_u16(&hrrpkt
)
917 || !WPACKET_put_bytes_u16(&hrrpkt
, s
->s3
.group_id
)
918 || !WPACKET_close(&hrrpkt
)) {
919 WPACKET_cleanup(&hrrpkt
);
920 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
921 ERR_R_INTERNAL_ERROR
);
925 if (!WPACKET_put_bytes_u16(&hrrpkt
, TLSEXT_TYPE_cookie
)
926 || !WPACKET_start_sub_packet_u16(&hrrpkt
)
927 || !WPACKET_sub_memcpy_u16(&hrrpkt
, data
, rawlen
)
928 || !WPACKET_close(&hrrpkt
) /* cookie extension */
929 || !WPACKET_close(&hrrpkt
) /* extension block */
930 || !WPACKET_close(&hrrpkt
) /* message */
931 || !WPACKET_get_total_written(&hrrpkt
, &hrrlen
)
932 || !WPACKET_finish(&hrrpkt
)) {
933 WPACKET_cleanup(&hrrpkt
);
934 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_COOKIE
,
935 ERR_R_INTERNAL_ERROR
);
939 /* Reconstruct the transcript hash */
940 if (!create_synthetic_message_hash(s
, PACKET_data(&chhash
),
941 PACKET_remaining(&chhash
), hrr
,
943 /* SSLfatal() already called */
947 /* Act as if this ClientHello came after a HelloRetryRequest */
948 s
->hello_retry_request
= 1;
956 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
957 int tls_parse_ctos_supported_groups(SSL
*s
, PACKET
*pkt
, unsigned int context
,
958 X509
*x
, size_t chainidx
)
960 PACKET supported_groups_list
;
962 /* Each group is 2 bytes and we must have at least 1. */
963 if (!PACKET_as_length_prefixed_2(pkt
, &supported_groups_list
)
964 || PACKET_remaining(&supported_groups_list
) == 0
965 || (PACKET_remaining(&supported_groups_list
) % 2) != 0) {
966 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
967 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS
, SSL_R_BAD_EXTENSION
);
971 if (!s
->hit
|| SSL_IS_TLS13(s
)) {
972 OPENSSL_free(s
->ext
.peer_supportedgroups
);
973 s
->ext
.peer_supportedgroups
= NULL
;
974 s
->ext
.peer_supportedgroups_len
= 0;
975 if (!tls1_save_u16(&supported_groups_list
,
976 &s
->ext
.peer_supportedgroups
,
977 &s
->ext
.peer_supportedgroups_len
)) {
978 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
979 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS
,
980 ERR_R_INTERNAL_ERROR
);
989 int tls_parse_ctos_ems(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
992 /* The extension must always be empty */
993 if (PACKET_remaining(pkt
) != 0) {
994 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
995 SSL_F_TLS_PARSE_CTOS_EMS
, SSL_R_BAD_EXTENSION
);
999 if (s
->options
& SSL_OP_NO_EXTENDED_MASTER_SECRET
)
1002 s
->s3
.flags
|= TLS1_FLAGS_RECEIVED_EXTMS
;
1008 int tls_parse_ctos_early_data(SSL
*s
, PACKET
*pkt
, unsigned int context
,
1009 X509
*x
, size_t chainidx
)
1011 if (PACKET_remaining(pkt
) != 0) {
1012 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
1013 SSL_F_TLS_PARSE_CTOS_EARLY_DATA
, SSL_R_BAD_EXTENSION
);
1017 if (s
->hello_retry_request
!= SSL_HRR_NONE
) {
1018 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
1019 SSL_F_TLS_PARSE_CTOS_EARLY_DATA
, SSL_R_BAD_EXTENSION
);
1026 static SSL_TICKET_STATUS
tls_get_stateful_ticket(SSL
*s
, PACKET
*tick
,
1029 SSL_SESSION
*tmpsess
= NULL
;
1031 s
->ext
.ticket_expected
= 1;
1033 switch (PACKET_remaining(tick
)) {
1035 return SSL_TICKET_EMPTY
;
1037 case SSL_MAX_SSL_SESSION_ID_LENGTH
:
1041 return SSL_TICKET_NO_DECRYPT
;
1044 tmpsess
= lookup_sess_in_cache(s
, PACKET_data(tick
),
1045 SSL_MAX_SSL_SESSION_ID_LENGTH
);
1047 if (tmpsess
== NULL
)
1048 return SSL_TICKET_NO_DECRYPT
;
1051 return SSL_TICKET_SUCCESS
;
1054 int tls_parse_ctos_psk(SSL
*s
, PACKET
*pkt
, unsigned int context
, X509
*x
,
1057 PACKET identities
, binders
, binder
;
1058 size_t binderoffset
, hashsize
;
1059 SSL_SESSION
*sess
= NULL
;
1060 unsigned int id
, i
, ext
= 0;
1061 const EVP_MD
*md
= NULL
;
1064 * If we have no PSK kex mode that we recognise then we can't resume so
1065 * ignore this extension
1067 if ((s
->ext
.psk_kex_mode
1068 & (TLSEXT_KEX_MODE_FLAG_KE
| TLSEXT_KEX_MODE_FLAG_KE_DHE
)) == 0)
1071 if (!PACKET_get_length_prefixed_2(pkt
, &identities
)) {
1072 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
1073 SSL_F_TLS_PARSE_CTOS_PSK
, SSL_R_BAD_EXTENSION
);
1077 s
->ext
.ticket_expected
= 0;
1078 for (id
= 0; PACKET_remaining(&identities
) != 0; id
++) {
1080 unsigned long ticket_agel
;
1083 if (!PACKET_get_length_prefixed_2(&identities
, &identity
)
1084 || !PACKET_get_net_4(&identities
, &ticket_agel
)) {
1085 SSLfatal(s
, SSL_AD_DECODE_ERROR
,
1086 SSL_F_TLS_PARSE_CTOS_PSK
, SSL_R_BAD_EXTENSION
);
1090 idlen
= PACKET_remaining(&identity
);
1091 if (s
->psk_find_session_cb
!= NULL
1092 && !s
->psk_find_session_cb(s
, PACKET_data(&identity
), idlen
,
1094 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1095 SSL_F_TLS_PARSE_CTOS_PSK
, SSL_R_BAD_EXTENSION
);
1099 #ifndef OPENSSL_NO_PSK
1101 && s
->psk_server_callback
!= NULL
1102 && idlen
<= PSK_MAX_IDENTITY_LEN
) {
1104 unsigned char pskdata
[PSK_MAX_PSK_LEN
];
1105 unsigned int pskdatalen
;
1107 if (!PACKET_strndup(&identity
, &pskid
)) {
1108 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1109 ERR_R_INTERNAL_ERROR
);
1112 pskdatalen
= s
->psk_server_callback(s
, pskid
, pskdata
,
1114 OPENSSL_free(pskid
);
1115 if (pskdatalen
> PSK_MAX_PSK_LEN
) {
1116 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1117 ERR_R_INTERNAL_ERROR
);
1119 } else if (pskdatalen
> 0) {
1120 const SSL_CIPHER
*cipher
;
1121 const unsigned char tls13_aes128gcmsha256_id
[] = { 0x13, 0x01 };
1124 * We found a PSK using an old style callback. We don't know
1125 * the digest so we default to SHA256 as per the TLSv1.3 spec
1127 cipher
= SSL_CIPHER_find(s
, tls13_aes128gcmsha256_id
);
1128 if (cipher
== NULL
) {
1129 OPENSSL_cleanse(pskdata
, pskdatalen
);
1130 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1131 ERR_R_INTERNAL_ERROR
);
1135 sess
= SSL_SESSION_new();
1137 || !SSL_SESSION_set1_master_key(sess
, pskdata
,
1139 || !SSL_SESSION_set_cipher(sess
, cipher
)
1140 || !SSL_SESSION_set_protocol_version(sess
,
1142 OPENSSL_cleanse(pskdata
, pskdatalen
);
1143 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1144 ERR_R_INTERNAL_ERROR
);
1147 OPENSSL_cleanse(pskdata
, pskdatalen
);
1150 #endif /* OPENSSL_NO_PSK */
1153 /* We found a PSK */
1154 SSL_SESSION
*sesstmp
= ssl_session_dup(sess
, 0);
1156 if (sesstmp
== NULL
) {
1157 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1158 SSL_F_TLS_PARSE_CTOS_PSK
, ERR_R_INTERNAL_ERROR
);
1161 SSL_SESSION_free(sess
);
1165 * We've just been told to use this session for this context so
1166 * make sure the sid_ctx matches up.
1168 memcpy(sess
->sid_ctx
, s
->sid_ctx
, s
->sid_ctx_length
);
1169 sess
->sid_ctx_length
= s
->sid_ctx_length
;
1172 s
->ext
.early_data_ok
= 1;
1173 s
->ext
.ticket_expected
= 1;
1175 uint32_t ticket_age
= 0, now
, agesec
, agems
;
1179 * If we are using anti-replay protection then we behave as if
1180 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1181 * is no point in using full stateless tickets.
1183 if ((s
->options
& SSL_OP_NO_TICKET
) != 0
1184 || (s
->max_early_data
> 0
1185 && (s
->options
& SSL_OP_NO_ANTI_REPLAY
) == 0))
1186 ret
= tls_get_stateful_ticket(s
, &identity
, &sess
);
1188 ret
= tls_decrypt_ticket(s
, PACKET_data(&identity
),
1189 PACKET_remaining(&identity
), NULL
, 0,
1192 if (ret
== SSL_TICKET_EMPTY
) {
1193 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1194 SSL_R_BAD_EXTENSION
);
1198 if (ret
== SSL_TICKET_FATAL_ERR_MALLOC
1199 || ret
== SSL_TICKET_FATAL_ERR_OTHER
) {
1200 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1201 SSL_F_TLS_PARSE_CTOS_PSK
, ERR_R_INTERNAL_ERROR
);
1204 if (ret
== SSL_TICKET_NONE
|| ret
== SSL_TICKET_NO_DECRYPT
)
1207 /* Check for replay */
1208 if (s
->max_early_data
> 0
1209 && (s
->options
& SSL_OP_NO_ANTI_REPLAY
) == 0
1210 && !SSL_CTX_remove_session(s
->session_ctx
, sess
)) {
1211 SSL_SESSION_free(sess
);
1216 ticket_age
= (uint32_t)ticket_agel
;
1217 now
= (uint32_t)time(NULL
);
1218 agesec
= now
- (uint32_t)sess
->time
;
1219 agems
= agesec
* (uint32_t)1000;
1220 ticket_age
-= sess
->ext
.tick_age_add
;
1223 * For simplicity we do our age calculations in seconds. If the
1224 * client does it in ms then it could appear that their ticket age
1225 * is longer than ours (our ticket age calculation should always be
1226 * slightly longer than the client's due to the network latency).
1227 * Therefore we add 1000ms to our age calculation to adjust for
1231 && sess
->timeout
>= (long)agesec
1232 && agems
/ (uint32_t)1000 == agesec
1233 && ticket_age
<= agems
+ 1000
1234 && ticket_age
+ TICKET_AGE_ALLOWANCE
>= agems
+ 1000) {
1236 * Ticket age is within tolerance and not expired. We allow it
1239 s
->ext
.early_data_ok
= 1;
1243 md
= ssl_md(s
->ctx
, sess
->cipher
->algorithm2
);
1244 if (!EVP_MD_is_a(md
,
1245 EVP_MD_name(ssl_md(s
->ctx
, s
->s3
.tmp
.new_cipher
->algorithm2
)))) {
1246 /* The ciphersuite is not compatible with this session. */
1247 SSL_SESSION_free(sess
);
1249 s
->ext
.early_data_ok
= 0;
1250 s
->ext
.ticket_expected
= 0;
1259 binderoffset
= PACKET_data(pkt
) - (const unsigned char *)s
->init_buf
->data
;
1260 hashsize
= EVP_MD_size(md
);
1262 if (!PACKET_get_length_prefixed_2(pkt
, &binders
)) {
1263 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1264 SSL_R_BAD_EXTENSION
);
1268 for (i
= 0; i
<= id
; i
++) {
1269 if (!PACKET_get_length_prefixed_1(&binders
, &binder
)) {
1270 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1271 SSL_R_BAD_EXTENSION
);
1276 if (PACKET_remaining(&binder
) != hashsize
) {
1277 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_PSK
,
1278 SSL_R_BAD_EXTENSION
);
1281 if (tls_psk_do_binder(s
, md
, (const unsigned char *)s
->init_buf
->data
,
1282 binderoffset
, PACKET_data(&binder
), NULL
, sess
, 0,
1284 /* SSLfatal() already called */
1288 s
->ext
.tick_identity
= id
;
1290 SSL_SESSION_free(s
->session
);
1294 SSL_SESSION_free(sess
);
1298 int tls_parse_ctos_post_handshake_auth(SSL
*s
, PACKET
*pkt
, unsigned int context
,
1299 X509
*x
, size_t chainidx
)
1301 if (PACKET_remaining(pkt
) != 0) {
1302 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH
,
1303 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR
);
1307 s
->post_handshake_auth
= SSL_PHA_EXT_RECEIVED
;
1313 * Add the server's renegotiation binding
1315 EXT_RETURN
tls_construct_stoc_renegotiate(SSL
*s
, WPACKET
*pkt
,
1316 unsigned int context
, X509
*x
,
1319 if (!s
->s3
.send_connection_binding
)
1320 return EXT_RETURN_NOT_SENT
;
1322 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1323 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_renegotiate
)
1324 || !WPACKET_start_sub_packet_u16(pkt
)
1325 || !WPACKET_start_sub_packet_u8(pkt
)
1326 || !WPACKET_memcpy(pkt
, s
->s3
.previous_client_finished
,
1327 s
->s3
.previous_client_finished_len
)
1328 || !WPACKET_memcpy(pkt
, s
->s3
.previous_server_finished
,
1329 s
->s3
.previous_server_finished_len
)
1330 || !WPACKET_close(pkt
)
1331 || !WPACKET_close(pkt
)) {
1332 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE
,
1333 ERR_R_INTERNAL_ERROR
);
1334 return EXT_RETURN_FAIL
;
1337 return EXT_RETURN_SENT
;
1340 EXT_RETURN
tls_construct_stoc_server_name(SSL
*s
, WPACKET
*pkt
,
1341 unsigned int context
, X509
*x
,
1344 if (s
->servername_done
!= 1)
1345 return EXT_RETURN_NOT_SENT
;
1348 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1349 * We just use the servername from the initial handshake.
1351 if (s
->hit
&& !SSL_IS_TLS13(s
))
1352 return EXT_RETURN_NOT_SENT
;
1354 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_server_name
)
1355 || !WPACKET_put_bytes_u16(pkt
, 0)) {
1356 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME
,
1357 ERR_R_INTERNAL_ERROR
);
1358 return EXT_RETURN_FAIL
;
1361 return EXT_RETURN_SENT
;
1364 /* Add/include the server's max fragment len extension into ServerHello */
1365 EXT_RETURN
tls_construct_stoc_maxfragmentlen(SSL
*s
, WPACKET
*pkt
,
1366 unsigned int context
, X509
*x
,
1369 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s
->session
))
1370 return EXT_RETURN_NOT_SENT
;
1373 * 4 bytes for this extension type and extension length
1374 * 1 byte for the Max Fragment Length code value.
1376 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_max_fragment_length
)
1377 || !WPACKET_start_sub_packet_u16(pkt
)
1378 || !WPACKET_put_bytes_u8(pkt
, s
->session
->ext
.max_fragment_len_mode
)
1379 || !WPACKET_close(pkt
)) {
1380 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1381 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN
, ERR_R_INTERNAL_ERROR
);
1382 return EXT_RETURN_FAIL
;
1385 return EXT_RETURN_SENT
;
1388 #ifndef OPENSSL_NO_EC
1389 EXT_RETURN
tls_construct_stoc_ec_pt_formats(SSL
*s
, WPACKET
*pkt
,
1390 unsigned int context
, X509
*x
,
1393 unsigned long alg_k
= s
->s3
.tmp
.new_cipher
->algorithm_mkey
;
1394 unsigned long alg_a
= s
->s3
.tmp
.new_cipher
->algorithm_auth
;
1395 int using_ecc
= ((alg_k
& SSL_kECDHE
) || (alg_a
& SSL_aECDSA
))
1396 && (s
->ext
.peer_ecpointformats
!= NULL
);
1397 const unsigned char *plist
;
1401 return EXT_RETURN_NOT_SENT
;
1403 tls1_get_formatlist(s
, &plist
, &plistlen
);
1404 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_ec_point_formats
)
1405 || !WPACKET_start_sub_packet_u16(pkt
)
1406 || !WPACKET_sub_memcpy_u8(pkt
, plist
, plistlen
)
1407 || !WPACKET_close(pkt
)) {
1408 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1409 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS
, ERR_R_INTERNAL_ERROR
);
1410 return EXT_RETURN_FAIL
;
1413 return EXT_RETURN_SENT
;
1417 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
1418 EXT_RETURN
tls_construct_stoc_supported_groups(SSL
*s
, WPACKET
*pkt
,
1419 unsigned int context
, X509
*x
,
1422 const uint16_t *groups
;
1423 size_t numgroups
, i
, first
= 1;
1426 /* s->s3.group_id is non zero if we accepted a key_share */
1427 if (s
->s3
.group_id
== 0)
1428 return EXT_RETURN_NOT_SENT
;
1430 /* Get our list of supported groups */
1431 tls1_get_supported_groups(s
, &groups
, &numgroups
);
1432 if (numgroups
== 0) {
1433 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1434 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS
, ERR_R_INTERNAL_ERROR
);
1435 return EXT_RETURN_FAIL
;
1438 /* Copy group ID if supported */
1439 version
= SSL_version(s
);
1440 for (i
= 0; i
< numgroups
; i
++) {
1441 uint16_t group
= groups
[i
];
1443 if (tls_valid_group(s
, group
, version
, version
)
1444 && tls_group_allowed(s
, group
, SSL_SECOP_CURVE_SUPPORTED
)) {
1447 * Check if the client is already using our preferred group. If
1448 * so we don't need to add this extension
1450 if (s
->s3
.group_id
== group
)
1451 return EXT_RETURN_NOT_SENT
;
1453 /* Add extension header */
1454 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_supported_groups
)
1455 /* Sub-packet for supported_groups extension */
1456 || !WPACKET_start_sub_packet_u16(pkt
)
1457 || !WPACKET_start_sub_packet_u16(pkt
)) {
1458 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1459 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS
,
1460 ERR_R_INTERNAL_ERROR
);
1461 return EXT_RETURN_FAIL
;
1466 if (!WPACKET_put_bytes_u16(pkt
, group
)) {
1467 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1468 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS
,
1469 ERR_R_INTERNAL_ERROR
);
1470 return EXT_RETURN_FAIL
;
1475 if (!WPACKET_close(pkt
) || !WPACKET_close(pkt
)) {
1476 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1477 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS
,
1478 ERR_R_INTERNAL_ERROR
);
1479 return EXT_RETURN_FAIL
;
1482 return EXT_RETURN_SENT
;
1486 EXT_RETURN
tls_construct_stoc_session_ticket(SSL
*s
, WPACKET
*pkt
,
1487 unsigned int context
, X509
*x
,
1490 if (!s
->ext
.ticket_expected
|| !tls_use_ticket(s
)) {
1491 s
->ext
.ticket_expected
= 0;
1492 return EXT_RETURN_NOT_SENT
;
1495 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_session_ticket
)
1496 || !WPACKET_put_bytes_u16(pkt
, 0)) {
1497 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1498 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET
, ERR_R_INTERNAL_ERROR
);
1499 return EXT_RETURN_FAIL
;
1502 return EXT_RETURN_SENT
;
1505 #ifndef OPENSSL_NO_OCSP
1506 EXT_RETURN
tls_construct_stoc_status_request(SSL
*s
, WPACKET
*pkt
,
1507 unsigned int context
, X509
*x
,
1510 /* We don't currently support this extension inside a CertificateRequest */
1511 if (context
== SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
)
1512 return EXT_RETURN_NOT_SENT
;
1514 if (!s
->ext
.status_expected
)
1515 return EXT_RETURN_NOT_SENT
;
1517 if (SSL_IS_TLS13(s
) && chainidx
!= 0)
1518 return EXT_RETURN_NOT_SENT
;
1520 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_status_request
)
1521 || !WPACKET_start_sub_packet_u16(pkt
)) {
1522 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1523 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST
, ERR_R_INTERNAL_ERROR
);
1524 return EXT_RETURN_FAIL
;
1528 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1529 * send back an empty extension, with the certificate status appearing as a
1532 if (SSL_IS_TLS13(s
) && !tls_construct_cert_status_body(s
, pkt
)) {
1533 /* SSLfatal() already called */
1534 return EXT_RETURN_FAIL
;
1536 if (!WPACKET_close(pkt
)) {
1537 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1538 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST
, ERR_R_INTERNAL_ERROR
);
1539 return EXT_RETURN_FAIL
;
1542 return EXT_RETURN_SENT
;
1546 #ifndef OPENSSL_NO_NEXTPROTONEG
1547 EXT_RETURN
tls_construct_stoc_next_proto_neg(SSL
*s
, WPACKET
*pkt
,
1548 unsigned int context
, X509
*x
,
1551 const unsigned char *npa
;
1552 unsigned int npalen
;
1554 int npn_seen
= s
->s3
.npn_seen
;
1557 if (!npn_seen
|| s
->ctx
->ext
.npn_advertised_cb
== NULL
)
1558 return EXT_RETURN_NOT_SENT
;
1560 ret
= s
->ctx
->ext
.npn_advertised_cb(s
, &npa
, &npalen
,
1561 s
->ctx
->ext
.npn_advertised_cb_arg
);
1562 if (ret
== SSL_TLSEXT_ERR_OK
) {
1563 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_next_proto_neg
)
1564 || !WPACKET_sub_memcpy_u16(pkt
, npa
, npalen
)) {
1565 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1566 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG
,
1567 ERR_R_INTERNAL_ERROR
);
1568 return EXT_RETURN_FAIL
;
1573 return EXT_RETURN_SENT
;
1577 EXT_RETURN
tls_construct_stoc_alpn(SSL
*s
, WPACKET
*pkt
, unsigned int context
,
1578 X509
*x
, size_t chainidx
)
1580 if (s
->s3
.alpn_selected
== NULL
)
1581 return EXT_RETURN_NOT_SENT
;
1583 if (!WPACKET_put_bytes_u16(pkt
,
1584 TLSEXT_TYPE_application_layer_protocol_negotiation
)
1585 || !WPACKET_start_sub_packet_u16(pkt
)
1586 || !WPACKET_start_sub_packet_u16(pkt
)
1587 || !WPACKET_sub_memcpy_u8(pkt
, s
->s3
.alpn_selected
,
1588 s
->s3
.alpn_selected_len
)
1589 || !WPACKET_close(pkt
)
1590 || !WPACKET_close(pkt
)) {
1591 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1592 SSL_F_TLS_CONSTRUCT_STOC_ALPN
, ERR_R_INTERNAL_ERROR
);
1593 return EXT_RETURN_FAIL
;
1596 return EXT_RETURN_SENT
;
1599 #ifndef OPENSSL_NO_SRTP
1600 EXT_RETURN
tls_construct_stoc_use_srtp(SSL
*s
, WPACKET
*pkt
,
1601 unsigned int context
, X509
*x
,
1604 if (s
->srtp_profile
== NULL
)
1605 return EXT_RETURN_NOT_SENT
;
1607 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_use_srtp
)
1608 || !WPACKET_start_sub_packet_u16(pkt
)
1609 || !WPACKET_put_bytes_u16(pkt
, 2)
1610 || !WPACKET_put_bytes_u16(pkt
, s
->srtp_profile
->id
)
1611 || !WPACKET_put_bytes_u8(pkt
, 0)
1612 || !WPACKET_close(pkt
)) {
1613 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP
,
1614 ERR_R_INTERNAL_ERROR
);
1615 return EXT_RETURN_FAIL
;
1618 return EXT_RETURN_SENT
;
1622 EXT_RETURN
tls_construct_stoc_etm(SSL
*s
, WPACKET
*pkt
, unsigned int context
,
1623 X509
*x
, size_t chainidx
)
1625 if (!s
->ext
.use_etm
)
1626 return EXT_RETURN_NOT_SENT
;
1629 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1630 * for other cases too.
1632 if (s
->s3
.tmp
.new_cipher
->algorithm_mac
== SSL_AEAD
1633 || s
->s3
.tmp
.new_cipher
->algorithm_enc
== SSL_RC4
1634 || s
->s3
.tmp
.new_cipher
->algorithm_enc
== SSL_eGOST2814789CNT
1635 || s
->s3
.tmp
.new_cipher
->algorithm_enc
== SSL_eGOST2814789CNT12
1636 || s
->s3
.tmp
.new_cipher
->algorithm_enc
== SSL_MAGMA
1637 || s
->s3
.tmp
.new_cipher
->algorithm_enc
== SSL_KUZNYECHIK
) {
1639 return EXT_RETURN_NOT_SENT
;
1642 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_encrypt_then_mac
)
1643 || !WPACKET_put_bytes_u16(pkt
, 0)) {
1644 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_ETM
,
1645 ERR_R_INTERNAL_ERROR
);
1646 return EXT_RETURN_FAIL
;
1649 return EXT_RETURN_SENT
;
1652 EXT_RETURN
tls_construct_stoc_ems(SSL
*s
, WPACKET
*pkt
, unsigned int context
,
1653 X509
*x
, size_t chainidx
)
1655 if ((s
->s3
.flags
& TLS1_FLAGS_RECEIVED_EXTMS
) == 0)
1656 return EXT_RETURN_NOT_SENT
;
1658 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_extended_master_secret
)
1659 || !WPACKET_put_bytes_u16(pkt
, 0)) {
1660 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_EMS
,
1661 ERR_R_INTERNAL_ERROR
);
1662 return EXT_RETURN_FAIL
;
1665 return EXT_RETURN_SENT
;
1668 EXT_RETURN
tls_construct_stoc_supported_versions(SSL
*s
, WPACKET
*pkt
,
1669 unsigned int context
, X509
*x
,
1672 if (!ossl_assert(SSL_IS_TLS13(s
))) {
1673 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1674 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS
,
1675 ERR_R_INTERNAL_ERROR
);
1676 return EXT_RETURN_FAIL
;
1679 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_supported_versions
)
1680 || !WPACKET_start_sub_packet_u16(pkt
)
1681 || !WPACKET_put_bytes_u16(pkt
, s
->version
)
1682 || !WPACKET_close(pkt
)) {
1683 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1684 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS
,
1685 ERR_R_INTERNAL_ERROR
);
1686 return EXT_RETURN_FAIL
;
1689 return EXT_RETURN_SENT
;
1692 EXT_RETURN
tls_construct_stoc_key_share(SSL
*s
, WPACKET
*pkt
,
1693 unsigned int context
, X509
*x
,
1696 #ifndef OPENSSL_NO_TLS1_3
1697 unsigned char *encodedPoint
;
1698 size_t encoded_pt_len
= 0;
1699 EVP_PKEY
*ckey
= s
->s3
.peer_tmp
, *skey
= NULL
;
1701 if (s
->hello_retry_request
== SSL_HRR_PENDING
) {
1703 /* Original key_share was acceptable so don't ask for another one */
1704 return EXT_RETURN_NOT_SENT
;
1706 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_key_share
)
1707 || !WPACKET_start_sub_packet_u16(pkt
)
1708 || !WPACKET_put_bytes_u16(pkt
, s
->s3
.group_id
)
1709 || !WPACKET_close(pkt
)) {
1710 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1711 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
,
1712 ERR_R_INTERNAL_ERROR
);
1713 return EXT_RETURN_FAIL
;
1716 return EXT_RETURN_SENT
;
1720 /* No key_share received from client - must be resuming */
1721 if (!s
->hit
|| !tls13_generate_handshake_secret(s
, NULL
, 0)) {
1722 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1723 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
, ERR_R_INTERNAL_ERROR
);
1724 return EXT_RETURN_FAIL
;
1726 return EXT_RETURN_NOT_SENT
;
1729 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_key_share
)
1730 || !WPACKET_start_sub_packet_u16(pkt
)
1731 || !WPACKET_put_bytes_u16(pkt
, s
->s3
.group_id
)) {
1732 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1733 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
, ERR_R_INTERNAL_ERROR
);
1734 return EXT_RETURN_FAIL
;
1737 skey
= ssl_generate_pkey(s
, ckey
);
1739 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
,
1740 ERR_R_MALLOC_FAILURE
);
1741 return EXT_RETURN_FAIL
;
1744 /* Generate encoding of server key */
1745 encoded_pt_len
= EVP_PKEY_get1_tls_encodedpoint(skey
, &encodedPoint
);
1746 if (encoded_pt_len
== 0) {
1747 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
,
1749 EVP_PKEY_free(skey
);
1750 return EXT_RETURN_FAIL
;
1753 if (!WPACKET_sub_memcpy_u16(pkt
, encodedPoint
, encoded_pt_len
)
1754 || !WPACKET_close(pkt
)) {
1755 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE
,
1756 ERR_R_INTERNAL_ERROR
);
1757 EVP_PKEY_free(skey
);
1758 OPENSSL_free(encodedPoint
);
1759 return EXT_RETURN_FAIL
;
1761 OPENSSL_free(encodedPoint
);
1763 /* This causes the crypto state to be updated based on the derived keys */
1764 s
->s3
.tmp
.pkey
= skey
;
1765 if (ssl_derive(s
, skey
, ckey
, 1) == 0) {
1766 /* SSLfatal() already called */
1767 return EXT_RETURN_FAIL
;
1769 return EXT_RETURN_SENT
;
1771 return EXT_RETURN_FAIL
;
1775 EXT_RETURN
tls_construct_stoc_cookie(SSL
*s
, WPACKET
*pkt
, unsigned int context
,
1776 X509
*x
, size_t chainidx
)
1778 #ifndef OPENSSL_NO_TLS1_3
1779 unsigned char *hashval1
, *hashval2
, *appcookie1
, *appcookie2
, *cookie
;
1780 unsigned char *hmac
, *hmac2
;
1781 size_t startlen
, ciphlen
, totcookielen
, hashlen
, hmaclen
, appcookielen
;
1784 int ret
= EXT_RETURN_FAIL
;
1786 if ((s
->s3
.flags
& TLS1_FLAGS_STATELESS
) == 0)
1787 return EXT_RETURN_NOT_SENT
;
1789 if (s
->ctx
->gen_stateless_cookie_cb
== NULL
) {
1790 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1791 SSL_R_NO_COOKIE_CALLBACK_SET
);
1792 return EXT_RETURN_FAIL
;
1795 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_cookie
)
1796 || !WPACKET_start_sub_packet_u16(pkt
)
1797 || !WPACKET_start_sub_packet_u16(pkt
)
1798 || !WPACKET_get_total_written(pkt
, &startlen
)
1799 || !WPACKET_reserve_bytes(pkt
, MAX_COOKIE_SIZE
, &cookie
)
1800 || !WPACKET_put_bytes_u16(pkt
, COOKIE_STATE_FORMAT_VERSION
)
1801 || !WPACKET_put_bytes_u16(pkt
, TLS1_3_VERSION
)
1802 || !WPACKET_put_bytes_u16(pkt
, s
->s3
.group_id
)
1803 || !s
->method
->put_cipher_by_char(s
->s3
.tmp
.new_cipher
, pkt
,
1805 /* Is there a key_share extension present in this HRR? */
1806 || !WPACKET_put_bytes_u8(pkt
, s
->s3
.peer_tmp
== NULL
)
1807 || !WPACKET_put_bytes_u32(pkt
, (unsigned int)time(NULL
))
1808 || !WPACKET_start_sub_packet_u16(pkt
)
1809 || !WPACKET_reserve_bytes(pkt
, EVP_MAX_MD_SIZE
, &hashval1
)) {
1810 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1811 ERR_R_INTERNAL_ERROR
);
1812 return EXT_RETURN_FAIL
;
1816 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1817 * on raw buffers, so we first reserve sufficient bytes (above) and then
1818 * subsequently allocate them (below)
1820 if (!ssl3_digest_cached_records(s
, 0)
1821 || !ssl_handshake_hash(s
, hashval1
, EVP_MAX_MD_SIZE
, &hashlen
)) {
1822 /* SSLfatal() already called */
1823 return EXT_RETURN_FAIL
;
1826 if (!WPACKET_allocate_bytes(pkt
, hashlen
, &hashval2
)
1827 || !ossl_assert(hashval1
== hashval2
)
1828 || !WPACKET_close(pkt
)
1829 || !WPACKET_start_sub_packet_u8(pkt
)
1830 || !WPACKET_reserve_bytes(pkt
, SSL_COOKIE_LENGTH
, &appcookie1
)) {
1831 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1832 ERR_R_INTERNAL_ERROR
);
1833 return EXT_RETURN_FAIL
;
1836 /* Generate the application cookie */
1837 if (s
->ctx
->gen_stateless_cookie_cb(s
, appcookie1
, &appcookielen
) == 0) {
1838 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1839 SSL_R_COOKIE_GEN_CALLBACK_FAILURE
);
1840 return EXT_RETURN_FAIL
;
1843 if (!WPACKET_allocate_bytes(pkt
, appcookielen
, &appcookie2
)
1844 || !ossl_assert(appcookie1
== appcookie2
)
1845 || !WPACKET_close(pkt
)
1846 || !WPACKET_get_total_written(pkt
, &totcookielen
)
1847 || !WPACKET_reserve_bytes(pkt
, SHA256_DIGEST_LENGTH
, &hmac
)) {
1848 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1849 ERR_R_INTERNAL_ERROR
);
1850 return EXT_RETURN_FAIL
;
1852 hmaclen
= SHA256_DIGEST_LENGTH
;
1854 totcookielen
-= startlen
;
1855 if (!ossl_assert(totcookielen
<= MAX_COOKIE_SIZE
- SHA256_DIGEST_LENGTH
)) {
1856 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1857 ERR_R_INTERNAL_ERROR
);
1858 return EXT_RETURN_FAIL
;
1861 /* HMAC the cookie */
1862 hctx
= EVP_MD_CTX_create();
1863 pkey
= EVP_PKEY_new_raw_private_key_with_libctx(s
->ctx
->libctx
, "HMAC",
1865 s
->session_ctx
->ext
.cookie_hmac_key
,
1866 sizeof(s
->session_ctx
->ext
1868 if (hctx
== NULL
|| pkey
== NULL
) {
1869 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1870 ERR_R_MALLOC_FAILURE
);
1874 if (EVP_DigestSignInit_with_libctx(hctx
, NULL
, "SHA2-256",
1875 s
->ctx
->libctx
, s
->ctx
->propq
,
1877 || EVP_DigestSign(hctx
, hmac
, &hmaclen
, cookie
,
1878 totcookielen
) <= 0) {
1879 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1880 ERR_R_INTERNAL_ERROR
);
1884 if (!ossl_assert(totcookielen
+ hmaclen
<= MAX_COOKIE_SIZE
)) {
1885 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1886 ERR_R_INTERNAL_ERROR
);
1890 if (!WPACKET_allocate_bytes(pkt
, hmaclen
, &hmac2
)
1891 || !ossl_assert(hmac
== hmac2
)
1892 || !ossl_assert(cookie
== hmac
- totcookielen
)
1893 || !WPACKET_close(pkt
)
1894 || !WPACKET_close(pkt
)) {
1895 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_COOKIE
,
1896 ERR_R_INTERNAL_ERROR
);
1900 ret
= EXT_RETURN_SENT
;
1903 EVP_MD_CTX_free(hctx
);
1904 EVP_PKEY_free(pkey
);
1907 return EXT_RETURN_FAIL
;
1911 EXT_RETURN
tls_construct_stoc_cryptopro_bug(SSL
*s
, WPACKET
*pkt
,
1912 unsigned int context
, X509
*x
,
1915 const unsigned char cryptopro_ext
[36] = {
1916 0xfd, 0xe8, /* 65000 */
1917 0x00, 0x20, /* 32 bytes length */
1918 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1919 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1920 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1921 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1924 if (((s
->s3
.tmp
.new_cipher
->id
& 0xFFFF) != 0x80
1925 && (s
->s3
.tmp
.new_cipher
->id
& 0xFFFF) != 0x81)
1926 || (SSL_get_options(s
) & SSL_OP_CRYPTOPRO_TLSEXT_BUG
) == 0)
1927 return EXT_RETURN_NOT_SENT
;
1929 if (!WPACKET_memcpy(pkt
, cryptopro_ext
, sizeof(cryptopro_ext
))) {
1930 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1931 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG
, ERR_R_INTERNAL_ERROR
);
1932 return EXT_RETURN_FAIL
;
1935 return EXT_RETURN_SENT
;
1938 EXT_RETURN
tls_construct_stoc_early_data(SSL
*s
, WPACKET
*pkt
,
1939 unsigned int context
, X509
*x
,
1942 if (context
== SSL_EXT_TLS1_3_NEW_SESSION_TICKET
) {
1943 if (s
->max_early_data
== 0)
1944 return EXT_RETURN_NOT_SENT
;
1946 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_early_data
)
1947 || !WPACKET_start_sub_packet_u16(pkt
)
1948 || !WPACKET_put_bytes_u32(pkt
, s
->max_early_data
)
1949 || !WPACKET_close(pkt
)) {
1950 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1951 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA
, ERR_R_INTERNAL_ERROR
);
1952 return EXT_RETURN_FAIL
;
1955 return EXT_RETURN_SENT
;
1958 if (s
->ext
.early_data
!= SSL_EARLY_DATA_ACCEPTED
)
1959 return EXT_RETURN_NOT_SENT
;
1961 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_early_data
)
1962 || !WPACKET_start_sub_packet_u16(pkt
)
1963 || !WPACKET_close(pkt
)) {
1964 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA
,
1965 ERR_R_INTERNAL_ERROR
);
1966 return EXT_RETURN_FAIL
;
1969 return EXT_RETURN_SENT
;
1972 EXT_RETURN
tls_construct_stoc_psk(SSL
*s
, WPACKET
*pkt
, unsigned int context
,
1973 X509
*x
, size_t chainidx
)
1976 return EXT_RETURN_NOT_SENT
;
1978 if (!WPACKET_put_bytes_u16(pkt
, TLSEXT_TYPE_psk
)
1979 || !WPACKET_start_sub_packet_u16(pkt
)
1980 || !WPACKET_put_bytes_u16(pkt
, s
->ext
.tick_identity
)
1981 || !WPACKET_close(pkt
)) {
1982 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
1983 SSL_F_TLS_CONSTRUCT_STOC_PSK
, ERR_R_INTERNAL_ERROR
);
1984 return EXT_RETURN_FAIL
;
1987 return EXT_RETURN_SENT
;