]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix safestack issues in ocsp.h
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
1 /*
2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
14
15 #define COOKIE_STATE_FORMAT_VERSION 0
16
17 /*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
23 */
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27 /*
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
33 */
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
37
38 /*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42 X509 *x, size_t chainidx)
43 {
44 unsigned int ilen;
45 const unsigned char *data;
46
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
51 SSL_R_RENEGOTIATION_ENCODING_ERR);
52 return 0;
53 }
54
55 /* Check that the extension matches */
56 if (ilen != s->s3.previous_client_finished_len) {
57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
58 SSL_R_RENEGOTIATION_MISMATCH);
59 return 0;
60 }
61
62 if (memcmp(data, s->s3.previous_client_finished,
63 s->s3.previous_client_finished_len)) {
64 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
65 SSL_R_RENEGOTIATION_MISMATCH);
66 return 0;
67 }
68
69 s->s3.send_connection_binding = 1;
70
71 return 1;
72 }
73
74 /*-
75 * The servername extension is treated as follows:
76 *
77 * - Only the hostname type is supported with a maximum length of 255.
78 * - The servername is rejected if too long or if it contains zeros,
79 * in which case an fatal alert is generated.
80 * - The servername field is maintained together with the session cache.
81 * - When a session is resumed, the servername call back invoked in order
82 * to allow the application to position itself to the right context.
83 * - The servername is acknowledged if it is new for a session or when
84 * it is identical to a previously used for the same session.
85 * Applications can control the behaviour. They can at any time
86 * set a 'desirable' servername for a new SSL object. This can be the
87 * case for example with HTTPS when a Host: header field is received and
88 * a renegotiation is requested. In this case, a possible servername
89 * presented in the new client hello is only acknowledged if it matches
90 * the value of the Host: field.
91 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
92 * if they provide for changing an explicit servername context for the
93 * session, i.e. when the session has been established with a servername
94 * extension.
95 * - On session reconnect, the servername extension may be absent.
96 */
97 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
98 X509 *x, size_t chainidx)
99 {
100 unsigned int servname_type;
101 PACKET sni, hostname;
102
103 if (!PACKET_as_length_prefixed_2(pkt, &sni)
104 /* ServerNameList must be at least 1 byte long. */
105 || PACKET_remaining(&sni) == 0) {
106 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
107 SSL_R_BAD_EXTENSION);
108 return 0;
109 }
110
111 /*
112 * Although the intent was for server_name to be extensible, RFC 4366
113 * was not clear about it; and so OpenSSL among other implementations,
114 * always and only allows a 'host_name' name types.
115 * RFC 6066 corrected the mistake but adding new name types
116 * is nevertheless no longer feasible, so act as if no other
117 * SNI types can exist, to simplify parsing.
118 *
119 * Also note that the RFC permits only one SNI value per type,
120 * i.e., we can only have a single hostname.
121 */
122 if (!PACKET_get_1(&sni, &servname_type)
123 || servname_type != TLSEXT_NAMETYPE_host_name
124 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
125 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
126 SSL_R_BAD_EXTENSION);
127 return 0;
128 }
129
130 /*
131 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
132 * we always use the SNI value from the handshake.
133 */
134 if (!s->hit || SSL_IS_TLS13(s)) {
135 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
136 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
137 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
138 SSL_R_BAD_EXTENSION);
139 return 0;
140 }
141
142 if (PACKET_contains_zero_byte(&hostname)) {
143 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
144 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
145 SSL_R_BAD_EXTENSION);
146 return 0;
147 }
148
149 /*
150 * Store the requested SNI in the SSL as temporary storage.
151 * If we accept it, it will get stored in the SSL_SESSION as well.
152 */
153 OPENSSL_free(s->ext.hostname);
154 s->ext.hostname = NULL;
155 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
156 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
157 ERR_R_INTERNAL_ERROR);
158 return 0;
159 }
160
161 s->servername_done = 1;
162 } else {
163 /*
164 * In TLSv1.2 and below we should check if the SNI is consistent between
165 * the initial handshake and the resumption. In TLSv1.3 SNI is not
166 * associated with the session.
167 */
168 /*
169 * TODO(openssl-team): if the SNI doesn't match, we MUST
170 * fall back to a full handshake.
171 */
172 s->servername_done = (s->session->ext.hostname != NULL)
173 && PACKET_equal(&hostname, s->session->ext.hostname,
174 strlen(s->session->ext.hostname));
175 }
176
177 return 1;
178 }
179
180 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
181 X509 *x, size_t chainidx)
182 {
183 unsigned int value;
184
185 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
186 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
187 SSL_R_BAD_EXTENSION);
188 return 0;
189 }
190
191 /* Received |value| should be a valid max-fragment-length code. */
192 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
193 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
194 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
195 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
196 return 0;
197 }
198
199 /*
200 * RFC 6066: The negotiated length applies for the duration of the session
201 * including session resumptions.
202 * We should receive the same code as in resumed session !
203 */
204 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
205 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
206 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
207 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
208 return 0;
209 }
210
211 /*
212 * Store it in session, so it'll become binding for us
213 * and we'll include it in a next Server Hello.
214 */
215 s->session->ext.max_fragment_len_mode = value;
216 return 1;
217 }
218
219 #ifndef OPENSSL_NO_SRP
220 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
221 size_t chainidx)
222 {
223 PACKET srp_I;
224
225 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
226 || PACKET_contains_zero_byte(&srp_I)) {
227 SSLfatal(s, SSL_AD_DECODE_ERROR,
228 SSL_F_TLS_PARSE_CTOS_SRP,
229 SSL_R_BAD_EXTENSION);
230 return 0;
231 }
232
233 /*
234 * TODO(openssl-team): currently, we re-authenticate the user
235 * upon resumption. Instead, we MUST ignore the login.
236 */
237 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
238 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
239 ERR_R_INTERNAL_ERROR);
240 return 0;
241 }
242
243 return 1;
244 }
245 #endif
246
247 #ifndef OPENSSL_NO_EC
248 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
249 X509 *x, size_t chainidx)
250 {
251 PACKET ec_point_format_list;
252
253 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
254 || PACKET_remaining(&ec_point_format_list) == 0) {
255 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
256 SSL_R_BAD_EXTENSION);
257 return 0;
258 }
259
260 if (!s->hit) {
261 if (!PACKET_memdup(&ec_point_format_list,
262 &s->ext.peer_ecpointformats,
263 &s->ext.peer_ecpointformats_len)) {
264 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
265 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
266 return 0;
267 }
268 }
269
270 return 1;
271 }
272 #endif /* OPENSSL_NO_EC */
273
274 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
275 X509 *x, size_t chainidx)
276 {
277 if (s->ext.session_ticket_cb &&
278 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
279 PACKET_remaining(pkt),
280 s->ext.session_ticket_cb_arg)) {
281 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
282 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
283 return 0;
284 }
285
286 return 1;
287 }
288
289 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
290 X509 *x, size_t chainidx)
291 {
292 PACKET supported_sig_algs;
293
294 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
295 || PACKET_remaining(&supported_sig_algs) == 0) {
296 SSLfatal(s, SSL_AD_DECODE_ERROR,
297 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
298 return 0;
299 }
300
301 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
302 SSLfatal(s, SSL_AD_DECODE_ERROR,
303 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
304 return 0;
305 }
306
307 return 1;
308 }
309
310 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
311 size_t chainidx)
312 {
313 PACKET supported_sig_algs;
314
315 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
316 || PACKET_remaining(&supported_sig_algs) == 0) {
317 SSLfatal(s, SSL_AD_DECODE_ERROR,
318 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
319 return 0;
320 }
321
322 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
323 SSLfatal(s, SSL_AD_DECODE_ERROR,
324 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
325 return 0;
326 }
327
328 return 1;
329 }
330
331 #ifndef OPENSSL_NO_OCSP
332 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
333 X509 *x, size_t chainidx)
334 {
335 PACKET responder_id_list, exts;
336
337 /* We ignore this in a resumption handshake */
338 if (s->hit)
339 return 1;
340
341 /* Not defined if we get one of these in a client Certificate */
342 if (x != NULL)
343 return 1;
344
345 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
346 SSLfatal(s, SSL_AD_DECODE_ERROR,
347 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
348 return 0;
349 }
350
351 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
352 /*
353 * We don't know what to do with any other type so ignore it.
354 */
355 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
356 return 1;
357 }
358
359 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
360 SSLfatal(s, SSL_AD_DECODE_ERROR,
361 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
362 return 0;
363 }
364
365 /*
366 * We remove any OCSP_RESPIDs from a previous handshake
367 * to prevent unbounded memory growth - CVE-2016-6304
368 */
369 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
370 if (PACKET_remaining(&responder_id_list) > 0) {
371 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
372 if (s->ext.ocsp.ids == NULL) {
373 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
374 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
375 return 0;
376 }
377 } else {
378 s->ext.ocsp.ids = NULL;
379 }
380
381 while (PACKET_remaining(&responder_id_list) > 0) {
382 OCSP_RESPID *id;
383 PACKET responder_id;
384 const unsigned char *id_data;
385
386 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
387 || PACKET_remaining(&responder_id) == 0) {
388 SSLfatal(s, SSL_AD_DECODE_ERROR,
389 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
390 return 0;
391 }
392
393 id_data = PACKET_data(&responder_id);
394 /* TODO(size_t): Convert d2i_* to size_t */
395 id = d2i_OCSP_RESPID(NULL, &id_data,
396 (int)PACKET_remaining(&responder_id));
397 if (id == NULL) {
398 SSLfatal(s, SSL_AD_DECODE_ERROR,
399 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
400 return 0;
401 }
402
403 if (id_data != PACKET_end(&responder_id)) {
404 OCSP_RESPID_free(id);
405 SSLfatal(s, SSL_AD_DECODE_ERROR,
406 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
407
408 return 0;
409 }
410
411 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
412 OCSP_RESPID_free(id);
413 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
414 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
415
416 return 0;
417 }
418 }
419
420 /* Read in request_extensions */
421 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
422 SSLfatal(s, SSL_AD_DECODE_ERROR,
423 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
424 return 0;
425 }
426
427 if (PACKET_remaining(&exts) > 0) {
428 const unsigned char *ext_data = PACKET_data(&exts);
429
430 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
431 X509_EXTENSION_free);
432 s->ext.ocsp.exts =
433 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
434 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
435 SSLfatal(s, SSL_AD_DECODE_ERROR,
436 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
437 return 0;
438 }
439 }
440
441 return 1;
442 }
443 #endif
444
445 #ifndef OPENSSL_NO_NEXTPROTONEG
446 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
447 size_t chainidx)
448 {
449 /*
450 * We shouldn't accept this extension on a
451 * renegotiation.
452 */
453 if (SSL_IS_FIRST_HANDSHAKE(s))
454 s->s3.npn_seen = 1;
455
456 return 1;
457 }
458 #endif
459
460 /*
461 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
462 * extension, not including type and length. Returns: 1 on success, 0 on error.
463 */
464 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
465 size_t chainidx)
466 {
467 PACKET protocol_list, save_protocol_list, protocol;
468
469 if (!SSL_IS_FIRST_HANDSHAKE(s))
470 return 1;
471
472 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
473 || PACKET_remaining(&protocol_list) < 2) {
474 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
475 SSL_R_BAD_EXTENSION);
476 return 0;
477 }
478
479 save_protocol_list = protocol_list;
480 do {
481 /* Protocol names can't be empty. */
482 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
483 || PACKET_remaining(&protocol) == 0) {
484 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
485 SSL_R_BAD_EXTENSION);
486 return 0;
487 }
488 } while (PACKET_remaining(&protocol_list) != 0);
489
490 OPENSSL_free(s->s3.alpn_proposed);
491 s->s3.alpn_proposed = NULL;
492 s->s3.alpn_proposed_len = 0;
493 if (!PACKET_memdup(&save_protocol_list,
494 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
495 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
496 ERR_R_INTERNAL_ERROR);
497 return 0;
498 }
499
500 return 1;
501 }
502
503 #ifndef OPENSSL_NO_SRTP
504 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
505 size_t chainidx)
506 {
507 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
508 unsigned int ct, mki_len, id;
509 int i, srtp_pref;
510 PACKET subpkt;
511
512 /* Ignore this if we have no SRTP profiles */
513 if (SSL_get_srtp_profiles(s) == NULL)
514 return 1;
515
516 /* Pull off the length of the cipher suite list and check it is even */
517 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
518 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
519 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
520 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
521 return 0;
522 }
523
524 srvr = SSL_get_srtp_profiles(s);
525 s->srtp_profile = NULL;
526 /* Search all profiles for a match initially */
527 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
528
529 while (PACKET_remaining(&subpkt)) {
530 if (!PACKET_get_net_2(&subpkt, &id)) {
531 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
532 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
533 return 0;
534 }
535
536 /*
537 * Only look for match in profiles of higher preference than
538 * current match.
539 * If no profiles have been have been configured then this
540 * does nothing.
541 */
542 for (i = 0; i < srtp_pref; i++) {
543 SRTP_PROTECTION_PROFILE *sprof =
544 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
545
546 if (sprof->id == id) {
547 s->srtp_profile = sprof;
548 srtp_pref = i;
549 break;
550 }
551 }
552 }
553
554 /* Now extract the MKI value as a sanity check, but discard it for now */
555 if (!PACKET_get_1(pkt, &mki_len)) {
556 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
557 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
558 return 0;
559 }
560
561 if (!PACKET_forward(pkt, mki_len)
562 || PACKET_remaining(pkt)) {
563 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
564 SSL_R_BAD_SRTP_MKI_VALUE);
565 return 0;
566 }
567
568 return 1;
569 }
570 #endif
571
572 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
573 size_t chainidx)
574 {
575 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
576 s->ext.use_etm = 1;
577
578 return 1;
579 }
580
581 /*
582 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
583 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
584 */
585 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
586 X509 *x, size_t chainidx)
587 {
588 #ifndef OPENSSL_NO_TLS1_3
589 PACKET psk_kex_modes;
590 unsigned int mode;
591
592 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
593 || PACKET_remaining(&psk_kex_modes) == 0) {
594 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
595 SSL_R_BAD_EXTENSION);
596 return 0;
597 }
598
599 while (PACKET_get_1(&psk_kex_modes, &mode)) {
600 if (mode == TLSEXT_KEX_MODE_KE_DHE)
601 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
602 else if (mode == TLSEXT_KEX_MODE_KE
603 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
604 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
605 }
606 #endif
607
608 return 1;
609 }
610
611 /*
612 * Process a key_share extension received in the ClientHello. |pkt| contains
613 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
614 */
615 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
616 size_t chainidx)
617 {
618 #ifndef OPENSSL_NO_TLS1_3
619 unsigned int group_id;
620 PACKET key_share_list, encoded_pt;
621 const uint16_t *clntgroups, *srvrgroups;
622 size_t clnt_num_groups, srvr_num_groups;
623 int found = 0;
624
625 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
626 return 1;
627
628 /* Sanity check */
629 if (s->s3.peer_tmp != NULL) {
630 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
631 ERR_R_INTERNAL_ERROR);
632 return 0;
633 }
634
635 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
636 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
637 SSL_R_LENGTH_MISMATCH);
638 return 0;
639 }
640
641 /* Get our list of supported groups */
642 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
643 /* Get the clients list of supported groups. */
644 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
645 if (clnt_num_groups == 0) {
646 /*
647 * This can only happen if the supported_groups extension was not sent,
648 * because we verify that the length is non-zero when we process that
649 * extension.
650 */
651 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
652 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
653 return 0;
654 }
655
656 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
657 /*
658 * If we set a group_id already, then we must have sent an HRR
659 * requesting a new key_share. If we haven't got one then that is an
660 * error
661 */
662 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
663 SSL_R_BAD_KEY_SHARE);
664 return 0;
665 }
666
667 while (PACKET_remaining(&key_share_list) > 0) {
668 if (!PACKET_get_net_2(&key_share_list, &group_id)
669 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
670 || PACKET_remaining(&encoded_pt) == 0) {
671 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
672 SSL_R_LENGTH_MISMATCH);
673 return 0;
674 }
675
676 /*
677 * If we already found a suitable key_share we loop through the
678 * rest to verify the structure, but don't process them.
679 */
680 if (found)
681 continue;
682
683 /*
684 * If we sent an HRR then the key_share sent back MUST be for the group
685 * we requested, and must be the only key_share sent.
686 */
687 if (s->s3.group_id != 0
688 && (group_id != s->s3.group_id
689 || PACKET_remaining(&key_share_list) != 0)) {
690 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
691 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
692 return 0;
693 }
694
695 /* Check if this share is in supported_groups sent from client */
696 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
697 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
698 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
699 return 0;
700 }
701
702 /* Check if this share is for a group we can use */
703 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
704 /* Share not suitable */
705 continue;
706 }
707
708 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
709 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
710 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
711 return 0;
712 }
713
714 s->s3.group_id = group_id;
715
716 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3.peer_tmp,
717 PACKET_data(&encoded_pt),
718 PACKET_remaining(&encoded_pt))) {
719 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
720 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
721 return 0;
722 }
723
724 found = 1;
725 }
726 #endif
727
728 return 1;
729 }
730
731 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
732 size_t chainidx)
733 {
734 #ifndef OPENSSL_NO_TLS1_3
735 unsigned int format, version, key_share, group_id;
736 EVP_MD_CTX *hctx;
737 EVP_PKEY *pkey;
738 PACKET cookie, raw, chhash, appcookie;
739 WPACKET hrrpkt;
740 const unsigned char *data, *mdin, *ciphdata;
741 unsigned char hmac[SHA256_DIGEST_LENGTH];
742 unsigned char hrr[MAX_HRR_SIZE];
743 size_t rawlen, hmaclen, hrrlen, ciphlen;
744 unsigned long tm, now;
745
746 /* Ignore any cookie if we're not set up to verify it */
747 if (s->ctx->verify_stateless_cookie_cb == NULL
748 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
749 return 1;
750
751 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
752 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
753 SSL_R_LENGTH_MISMATCH);
754 return 0;
755 }
756
757 raw = cookie;
758 data = PACKET_data(&raw);
759 rawlen = PACKET_remaining(&raw);
760 if (rawlen < SHA256_DIGEST_LENGTH
761 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
762 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
763 SSL_R_LENGTH_MISMATCH);
764 return 0;
765 }
766 mdin = PACKET_data(&raw);
767
768 /* Verify the HMAC of the cookie */
769 hctx = EVP_MD_CTX_create();
770 pkey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC",
771 s->ctx->propq,
772 s->session_ctx->ext.cookie_hmac_key,
773 sizeof(s->session_ctx->ext
774 .cookie_hmac_key));
775 if (hctx == NULL || pkey == NULL) {
776 EVP_MD_CTX_free(hctx);
777 EVP_PKEY_free(pkey);
778 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
779 ERR_R_MALLOC_FAILURE);
780 return 0;
781 }
782
783 hmaclen = SHA256_DIGEST_LENGTH;
784 if (EVP_DigestSignInit_with_libctx(hctx, NULL, "SHA2-256",
785 s->ctx->libctx, s->ctx->propq, pkey) <= 0
786 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
787 rawlen - SHA256_DIGEST_LENGTH) <= 0
788 || hmaclen != SHA256_DIGEST_LENGTH) {
789 EVP_MD_CTX_free(hctx);
790 EVP_PKEY_free(pkey);
791 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
792 ERR_R_INTERNAL_ERROR);
793 return 0;
794 }
795
796 EVP_MD_CTX_free(hctx);
797 EVP_PKEY_free(pkey);
798
799 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
800 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
801 SSL_R_COOKIE_MISMATCH);
802 return 0;
803 }
804
805 if (!PACKET_get_net_2(&cookie, &format)) {
806 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
807 SSL_R_LENGTH_MISMATCH);
808 return 0;
809 }
810 /* Check the cookie format is something we recognise. Ignore it if not */
811 if (format != COOKIE_STATE_FORMAT_VERSION)
812 return 1;
813
814 /*
815 * The rest of these checks really shouldn't fail since we have verified the
816 * HMAC above.
817 */
818
819 /* Check the version number is sane */
820 if (!PACKET_get_net_2(&cookie, &version)) {
821 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
822 SSL_R_LENGTH_MISMATCH);
823 return 0;
824 }
825 if (version != TLS1_3_VERSION) {
826 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
827 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
828 return 0;
829 }
830
831 if (!PACKET_get_net_2(&cookie, &group_id)) {
832 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
833 SSL_R_LENGTH_MISMATCH);
834 return 0;
835 }
836
837 ciphdata = PACKET_data(&cookie);
838 if (!PACKET_forward(&cookie, 2)) {
839 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
840 SSL_R_LENGTH_MISMATCH);
841 return 0;
842 }
843 if (group_id != s->s3.group_id
844 || s->s3.tmp.new_cipher
845 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
846 /*
847 * We chose a different cipher or group id this time around to what is
848 * in the cookie. Something must have changed.
849 */
850 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
851 SSL_R_BAD_CIPHER);
852 return 0;
853 }
854
855 if (!PACKET_get_1(&cookie, &key_share)
856 || !PACKET_get_net_4(&cookie, &tm)
857 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
858 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
859 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
860 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
861 SSL_R_LENGTH_MISMATCH);
862 return 0;
863 }
864
865 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
866 now = (unsigned long)time(NULL);
867 if (tm > now || (now - tm) > 600) {
868 /* Cookie is stale. Ignore it */
869 return 1;
870 }
871
872 /* Verify the app cookie */
873 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
874 PACKET_remaining(&appcookie)) == 0) {
875 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
876 SSL_R_COOKIE_MISMATCH);
877 return 0;
878 }
879
880 /*
881 * Reconstruct the HRR that we would have sent in response to the original
882 * ClientHello so we can add it to the transcript hash.
883 * Note: This won't work with custom HRR extensions
884 */
885 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
886 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
887 ERR_R_INTERNAL_ERROR);
888 return 0;
889 }
890 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
891 || !WPACKET_start_sub_packet_u24(&hrrpkt)
892 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
893 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
894 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
895 s->tmp_session_id_len)
896 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
897 &ciphlen)
898 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
899 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
900 WPACKET_cleanup(&hrrpkt);
901 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
902 ERR_R_INTERNAL_ERROR);
903 return 0;
904 }
905 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
906 || !WPACKET_start_sub_packet_u16(&hrrpkt)
907 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
908 || !WPACKET_close(&hrrpkt)) {
909 WPACKET_cleanup(&hrrpkt);
910 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
911 ERR_R_INTERNAL_ERROR);
912 return 0;
913 }
914 if (key_share) {
915 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
916 || !WPACKET_start_sub_packet_u16(&hrrpkt)
917 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
918 || !WPACKET_close(&hrrpkt)) {
919 WPACKET_cleanup(&hrrpkt);
920 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
921 ERR_R_INTERNAL_ERROR);
922 return 0;
923 }
924 }
925 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
926 || !WPACKET_start_sub_packet_u16(&hrrpkt)
927 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
928 || !WPACKET_close(&hrrpkt) /* cookie extension */
929 || !WPACKET_close(&hrrpkt) /* extension block */
930 || !WPACKET_close(&hrrpkt) /* message */
931 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
932 || !WPACKET_finish(&hrrpkt)) {
933 WPACKET_cleanup(&hrrpkt);
934 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
935 ERR_R_INTERNAL_ERROR);
936 return 0;
937 }
938
939 /* Reconstruct the transcript hash */
940 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
941 PACKET_remaining(&chhash), hrr,
942 hrrlen)) {
943 /* SSLfatal() already called */
944 return 0;
945 }
946
947 /* Act as if this ClientHello came after a HelloRetryRequest */
948 s->hello_retry_request = 1;
949
950 s->ext.cookieok = 1;
951 #endif
952
953 return 1;
954 }
955
956 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
957 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
958 X509 *x, size_t chainidx)
959 {
960 PACKET supported_groups_list;
961
962 /* Each group is 2 bytes and we must have at least 1. */
963 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
964 || PACKET_remaining(&supported_groups_list) == 0
965 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
966 SSLfatal(s, SSL_AD_DECODE_ERROR,
967 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
968 return 0;
969 }
970
971 if (!s->hit || SSL_IS_TLS13(s)) {
972 OPENSSL_free(s->ext.peer_supportedgroups);
973 s->ext.peer_supportedgroups = NULL;
974 s->ext.peer_supportedgroups_len = 0;
975 if (!tls1_save_u16(&supported_groups_list,
976 &s->ext.peer_supportedgroups,
977 &s->ext.peer_supportedgroups_len)) {
978 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
979 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
980 ERR_R_INTERNAL_ERROR);
981 return 0;
982 }
983 }
984
985 return 1;
986 }
987 #endif
988
989 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
990 size_t chainidx)
991 {
992 /* The extension must always be empty */
993 if (PACKET_remaining(pkt) != 0) {
994 SSLfatal(s, SSL_AD_DECODE_ERROR,
995 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
996 return 0;
997 }
998
999 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1000 return 1;
1001
1002 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1003
1004 return 1;
1005 }
1006
1007
1008 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
1009 X509 *x, size_t chainidx)
1010 {
1011 if (PACKET_remaining(pkt) != 0) {
1012 SSLfatal(s, SSL_AD_DECODE_ERROR,
1013 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1014 return 0;
1015 }
1016
1017 if (s->hello_retry_request != SSL_HRR_NONE) {
1018 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1019 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1020 return 0;
1021 }
1022
1023 return 1;
1024 }
1025
1026 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
1027 SSL_SESSION **sess)
1028 {
1029 SSL_SESSION *tmpsess = NULL;
1030
1031 s->ext.ticket_expected = 1;
1032
1033 switch (PACKET_remaining(tick)) {
1034 case 0:
1035 return SSL_TICKET_EMPTY;
1036
1037 case SSL_MAX_SSL_SESSION_ID_LENGTH:
1038 break;
1039
1040 default:
1041 return SSL_TICKET_NO_DECRYPT;
1042 }
1043
1044 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1045 SSL_MAX_SSL_SESSION_ID_LENGTH);
1046
1047 if (tmpsess == NULL)
1048 return SSL_TICKET_NO_DECRYPT;
1049
1050 *sess = tmpsess;
1051 return SSL_TICKET_SUCCESS;
1052 }
1053
1054 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1055 size_t chainidx)
1056 {
1057 PACKET identities, binders, binder;
1058 size_t binderoffset, hashsize;
1059 SSL_SESSION *sess = NULL;
1060 unsigned int id, i, ext = 0;
1061 const EVP_MD *md = NULL;
1062
1063 /*
1064 * If we have no PSK kex mode that we recognise then we can't resume so
1065 * ignore this extension
1066 */
1067 if ((s->ext.psk_kex_mode
1068 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1069 return 1;
1070
1071 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1072 SSLfatal(s, SSL_AD_DECODE_ERROR,
1073 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1074 return 0;
1075 }
1076
1077 s->ext.ticket_expected = 0;
1078 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1079 PACKET identity;
1080 unsigned long ticket_agel;
1081 size_t idlen;
1082
1083 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1084 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1085 SSLfatal(s, SSL_AD_DECODE_ERROR,
1086 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1087 return 0;
1088 }
1089
1090 idlen = PACKET_remaining(&identity);
1091 if (s->psk_find_session_cb != NULL
1092 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1093 &sess)) {
1094 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1095 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1096 return 0;
1097 }
1098
1099 #ifndef OPENSSL_NO_PSK
1100 if(sess == NULL
1101 && s->psk_server_callback != NULL
1102 && idlen <= PSK_MAX_IDENTITY_LEN) {
1103 char *pskid = NULL;
1104 unsigned char pskdata[PSK_MAX_PSK_LEN];
1105 unsigned int pskdatalen;
1106
1107 if (!PACKET_strndup(&identity, &pskid)) {
1108 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1109 ERR_R_INTERNAL_ERROR);
1110 return 0;
1111 }
1112 pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1113 sizeof(pskdata));
1114 OPENSSL_free(pskid);
1115 if (pskdatalen > PSK_MAX_PSK_LEN) {
1116 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1117 ERR_R_INTERNAL_ERROR);
1118 return 0;
1119 } else if (pskdatalen > 0) {
1120 const SSL_CIPHER *cipher;
1121 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1122
1123 /*
1124 * We found a PSK using an old style callback. We don't know
1125 * the digest so we default to SHA256 as per the TLSv1.3 spec
1126 */
1127 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1128 if (cipher == NULL) {
1129 OPENSSL_cleanse(pskdata, pskdatalen);
1130 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1131 ERR_R_INTERNAL_ERROR);
1132 return 0;
1133 }
1134
1135 sess = SSL_SESSION_new();
1136 if (sess == NULL
1137 || !SSL_SESSION_set1_master_key(sess, pskdata,
1138 pskdatalen)
1139 || !SSL_SESSION_set_cipher(sess, cipher)
1140 || !SSL_SESSION_set_protocol_version(sess,
1141 TLS1_3_VERSION)) {
1142 OPENSSL_cleanse(pskdata, pskdatalen);
1143 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1144 ERR_R_INTERNAL_ERROR);
1145 goto err;
1146 }
1147 OPENSSL_cleanse(pskdata, pskdatalen);
1148 }
1149 }
1150 #endif /* OPENSSL_NO_PSK */
1151
1152 if (sess != NULL) {
1153 /* We found a PSK */
1154 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1155
1156 if (sesstmp == NULL) {
1157 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1158 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1159 return 0;
1160 }
1161 SSL_SESSION_free(sess);
1162 sess = sesstmp;
1163
1164 /*
1165 * We've just been told to use this session for this context so
1166 * make sure the sid_ctx matches up.
1167 */
1168 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1169 sess->sid_ctx_length = s->sid_ctx_length;
1170 ext = 1;
1171 if (id == 0)
1172 s->ext.early_data_ok = 1;
1173 s->ext.ticket_expected = 1;
1174 } else {
1175 uint32_t ticket_age = 0, now, agesec, agems;
1176 int ret;
1177
1178 /*
1179 * If we are using anti-replay protection then we behave as if
1180 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1181 * is no point in using full stateless tickets.
1182 */
1183 if ((s->options & SSL_OP_NO_TICKET) != 0
1184 || (s->max_early_data > 0
1185 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1186 ret = tls_get_stateful_ticket(s, &identity, &sess);
1187 else
1188 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1189 PACKET_remaining(&identity), NULL, 0,
1190 &sess);
1191
1192 if (ret == SSL_TICKET_EMPTY) {
1193 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1194 SSL_R_BAD_EXTENSION);
1195 return 0;
1196 }
1197
1198 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1199 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1200 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1201 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1202 return 0;
1203 }
1204 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1205 continue;
1206
1207 /* Check for replay */
1208 if (s->max_early_data > 0
1209 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1210 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1211 SSL_SESSION_free(sess);
1212 sess = NULL;
1213 continue;
1214 }
1215
1216 ticket_age = (uint32_t)ticket_agel;
1217 now = (uint32_t)time(NULL);
1218 agesec = now - (uint32_t)sess->time;
1219 agems = agesec * (uint32_t)1000;
1220 ticket_age -= sess->ext.tick_age_add;
1221
1222 /*
1223 * For simplicity we do our age calculations in seconds. If the
1224 * client does it in ms then it could appear that their ticket age
1225 * is longer than ours (our ticket age calculation should always be
1226 * slightly longer than the client's due to the network latency).
1227 * Therefore we add 1000ms to our age calculation to adjust for
1228 * rounding errors.
1229 */
1230 if (id == 0
1231 && sess->timeout >= (long)agesec
1232 && agems / (uint32_t)1000 == agesec
1233 && ticket_age <= agems + 1000
1234 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1235 /*
1236 * Ticket age is within tolerance and not expired. We allow it
1237 * for early data
1238 */
1239 s->ext.early_data_ok = 1;
1240 }
1241 }
1242
1243 md = ssl_md(s->ctx, sess->cipher->algorithm2);
1244 if (!EVP_MD_is_a(md,
1245 EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) {
1246 /* The ciphersuite is not compatible with this session. */
1247 SSL_SESSION_free(sess);
1248 sess = NULL;
1249 s->ext.early_data_ok = 0;
1250 s->ext.ticket_expected = 0;
1251 continue;
1252 }
1253 break;
1254 }
1255
1256 if (sess == NULL)
1257 return 1;
1258
1259 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1260 hashsize = EVP_MD_size(md);
1261
1262 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1263 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1264 SSL_R_BAD_EXTENSION);
1265 goto err;
1266 }
1267
1268 for (i = 0; i <= id; i++) {
1269 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1270 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1271 SSL_R_BAD_EXTENSION);
1272 goto err;
1273 }
1274 }
1275
1276 if (PACKET_remaining(&binder) != hashsize) {
1277 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1278 SSL_R_BAD_EXTENSION);
1279 goto err;
1280 }
1281 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1282 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1283 ext) != 1) {
1284 /* SSLfatal() already called */
1285 goto err;
1286 }
1287
1288 s->ext.tick_identity = id;
1289
1290 SSL_SESSION_free(s->session);
1291 s->session = sess;
1292 return 1;
1293 err:
1294 SSL_SESSION_free(sess);
1295 return 0;
1296 }
1297
1298 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
1299 X509 *x, size_t chainidx)
1300 {
1301 if (PACKET_remaining(pkt) != 0) {
1302 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
1303 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1304 return 0;
1305 }
1306
1307 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1308
1309 return 1;
1310 }
1311
1312 /*
1313 * Add the server's renegotiation binding
1314 */
1315 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1316 unsigned int context, X509 *x,
1317 size_t chainidx)
1318 {
1319 if (!s->s3.send_connection_binding)
1320 return EXT_RETURN_NOT_SENT;
1321
1322 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1323 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1324 || !WPACKET_start_sub_packet_u16(pkt)
1325 || !WPACKET_start_sub_packet_u8(pkt)
1326 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1327 s->s3.previous_client_finished_len)
1328 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1329 s->s3.previous_server_finished_len)
1330 || !WPACKET_close(pkt)
1331 || !WPACKET_close(pkt)) {
1332 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1333 ERR_R_INTERNAL_ERROR);
1334 return EXT_RETURN_FAIL;
1335 }
1336
1337 return EXT_RETURN_SENT;
1338 }
1339
1340 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1341 unsigned int context, X509 *x,
1342 size_t chainidx)
1343 {
1344 if (s->servername_done != 1)
1345 return EXT_RETURN_NOT_SENT;
1346
1347 /*
1348 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1349 * We just use the servername from the initial handshake.
1350 */
1351 if (s->hit && !SSL_IS_TLS13(s))
1352 return EXT_RETURN_NOT_SENT;
1353
1354 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1355 || !WPACKET_put_bytes_u16(pkt, 0)) {
1356 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1357 ERR_R_INTERNAL_ERROR);
1358 return EXT_RETURN_FAIL;
1359 }
1360
1361 return EXT_RETURN_SENT;
1362 }
1363
1364 /* Add/include the server's max fragment len extension into ServerHello */
1365 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1366 unsigned int context, X509 *x,
1367 size_t chainidx)
1368 {
1369 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1370 return EXT_RETURN_NOT_SENT;
1371
1372 /*-
1373 * 4 bytes for this extension type and extension length
1374 * 1 byte for the Max Fragment Length code value.
1375 */
1376 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1377 || !WPACKET_start_sub_packet_u16(pkt)
1378 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1379 || !WPACKET_close(pkt)) {
1380 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1381 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1382 return EXT_RETURN_FAIL;
1383 }
1384
1385 return EXT_RETURN_SENT;
1386 }
1387
1388 #ifndef OPENSSL_NO_EC
1389 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1390 unsigned int context, X509 *x,
1391 size_t chainidx)
1392 {
1393 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1394 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1395 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1396 && (s->ext.peer_ecpointformats != NULL);
1397 const unsigned char *plist;
1398 size_t plistlen;
1399
1400 if (!using_ecc)
1401 return EXT_RETURN_NOT_SENT;
1402
1403 tls1_get_formatlist(s, &plist, &plistlen);
1404 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1405 || !WPACKET_start_sub_packet_u16(pkt)
1406 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1407 || !WPACKET_close(pkt)) {
1408 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1409 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1410 return EXT_RETURN_FAIL;
1411 }
1412
1413 return EXT_RETURN_SENT;
1414 }
1415 #endif
1416
1417 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
1418 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1419 unsigned int context, X509 *x,
1420 size_t chainidx)
1421 {
1422 const uint16_t *groups;
1423 size_t numgroups, i, first = 1;
1424 int version;
1425
1426 /* s->s3.group_id is non zero if we accepted a key_share */
1427 if (s->s3.group_id == 0)
1428 return EXT_RETURN_NOT_SENT;
1429
1430 /* Get our list of supported groups */
1431 tls1_get_supported_groups(s, &groups, &numgroups);
1432 if (numgroups == 0) {
1433 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1434 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1435 return EXT_RETURN_FAIL;
1436 }
1437
1438 /* Copy group ID if supported */
1439 version = SSL_version(s);
1440 for (i = 0; i < numgroups; i++) {
1441 uint16_t group = groups[i];
1442
1443 if (tls_valid_group(s, group, version, version)
1444 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1445 if (first) {
1446 /*
1447 * Check if the client is already using our preferred group. If
1448 * so we don't need to add this extension
1449 */
1450 if (s->s3.group_id == group)
1451 return EXT_RETURN_NOT_SENT;
1452
1453 /* Add extension header */
1454 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1455 /* Sub-packet for supported_groups extension */
1456 || !WPACKET_start_sub_packet_u16(pkt)
1457 || !WPACKET_start_sub_packet_u16(pkt)) {
1458 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1459 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1460 ERR_R_INTERNAL_ERROR);
1461 return EXT_RETURN_FAIL;
1462 }
1463
1464 first = 0;
1465 }
1466 if (!WPACKET_put_bytes_u16(pkt, group)) {
1467 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1468 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1469 ERR_R_INTERNAL_ERROR);
1470 return EXT_RETURN_FAIL;
1471 }
1472 }
1473 }
1474
1475 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1476 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1477 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1478 ERR_R_INTERNAL_ERROR);
1479 return EXT_RETURN_FAIL;
1480 }
1481
1482 return EXT_RETURN_SENT;
1483 }
1484 #endif
1485
1486 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1487 unsigned int context, X509 *x,
1488 size_t chainidx)
1489 {
1490 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1491 s->ext.ticket_expected = 0;
1492 return EXT_RETURN_NOT_SENT;
1493 }
1494
1495 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1496 || !WPACKET_put_bytes_u16(pkt, 0)) {
1497 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1498 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1499 return EXT_RETURN_FAIL;
1500 }
1501
1502 return EXT_RETURN_SENT;
1503 }
1504
1505 #ifndef OPENSSL_NO_OCSP
1506 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1507 unsigned int context, X509 *x,
1508 size_t chainidx)
1509 {
1510 /* We don't currently support this extension inside a CertificateRequest */
1511 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1512 return EXT_RETURN_NOT_SENT;
1513
1514 if (!s->ext.status_expected)
1515 return EXT_RETURN_NOT_SENT;
1516
1517 if (SSL_IS_TLS13(s) && chainidx != 0)
1518 return EXT_RETURN_NOT_SENT;
1519
1520 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1521 || !WPACKET_start_sub_packet_u16(pkt)) {
1522 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1523 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1524 return EXT_RETURN_FAIL;
1525 }
1526
1527 /*
1528 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1529 * send back an empty extension, with the certificate status appearing as a
1530 * separate message
1531 */
1532 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1533 /* SSLfatal() already called */
1534 return EXT_RETURN_FAIL;
1535 }
1536 if (!WPACKET_close(pkt)) {
1537 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1538 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1539 return EXT_RETURN_FAIL;
1540 }
1541
1542 return EXT_RETURN_SENT;
1543 }
1544 #endif
1545
1546 #ifndef OPENSSL_NO_NEXTPROTONEG
1547 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1548 unsigned int context, X509 *x,
1549 size_t chainidx)
1550 {
1551 const unsigned char *npa;
1552 unsigned int npalen;
1553 int ret;
1554 int npn_seen = s->s3.npn_seen;
1555
1556 s->s3.npn_seen = 0;
1557 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1558 return EXT_RETURN_NOT_SENT;
1559
1560 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1561 s->ctx->ext.npn_advertised_cb_arg);
1562 if (ret == SSL_TLSEXT_ERR_OK) {
1563 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1564 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1565 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1566 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1567 ERR_R_INTERNAL_ERROR);
1568 return EXT_RETURN_FAIL;
1569 }
1570 s->s3.npn_seen = 1;
1571 }
1572
1573 return EXT_RETURN_SENT;
1574 }
1575 #endif
1576
1577 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1578 X509 *x, size_t chainidx)
1579 {
1580 if (s->s3.alpn_selected == NULL)
1581 return EXT_RETURN_NOT_SENT;
1582
1583 if (!WPACKET_put_bytes_u16(pkt,
1584 TLSEXT_TYPE_application_layer_protocol_negotiation)
1585 || !WPACKET_start_sub_packet_u16(pkt)
1586 || !WPACKET_start_sub_packet_u16(pkt)
1587 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1588 s->s3.alpn_selected_len)
1589 || !WPACKET_close(pkt)
1590 || !WPACKET_close(pkt)) {
1591 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1592 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1593 return EXT_RETURN_FAIL;
1594 }
1595
1596 return EXT_RETURN_SENT;
1597 }
1598
1599 #ifndef OPENSSL_NO_SRTP
1600 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1601 unsigned int context, X509 *x,
1602 size_t chainidx)
1603 {
1604 if (s->srtp_profile == NULL)
1605 return EXT_RETURN_NOT_SENT;
1606
1607 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1608 || !WPACKET_start_sub_packet_u16(pkt)
1609 || !WPACKET_put_bytes_u16(pkt, 2)
1610 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1611 || !WPACKET_put_bytes_u8(pkt, 0)
1612 || !WPACKET_close(pkt)) {
1613 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1614 ERR_R_INTERNAL_ERROR);
1615 return EXT_RETURN_FAIL;
1616 }
1617
1618 return EXT_RETURN_SENT;
1619 }
1620 #endif
1621
1622 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1623 X509 *x, size_t chainidx)
1624 {
1625 if (!s->ext.use_etm)
1626 return EXT_RETURN_NOT_SENT;
1627
1628 /*
1629 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1630 * for other cases too.
1631 */
1632 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1633 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1634 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1635 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1636 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1637 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1638 s->ext.use_etm = 0;
1639 return EXT_RETURN_NOT_SENT;
1640 }
1641
1642 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1643 || !WPACKET_put_bytes_u16(pkt, 0)) {
1644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1645 ERR_R_INTERNAL_ERROR);
1646 return EXT_RETURN_FAIL;
1647 }
1648
1649 return EXT_RETURN_SENT;
1650 }
1651
1652 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1653 X509 *x, size_t chainidx)
1654 {
1655 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1656 return EXT_RETURN_NOT_SENT;
1657
1658 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1659 || !WPACKET_put_bytes_u16(pkt, 0)) {
1660 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1661 ERR_R_INTERNAL_ERROR);
1662 return EXT_RETURN_FAIL;
1663 }
1664
1665 return EXT_RETURN_SENT;
1666 }
1667
1668 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1669 unsigned int context, X509 *x,
1670 size_t chainidx)
1671 {
1672 if (!ossl_assert(SSL_IS_TLS13(s))) {
1673 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1674 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1675 ERR_R_INTERNAL_ERROR);
1676 return EXT_RETURN_FAIL;
1677 }
1678
1679 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1680 || !WPACKET_start_sub_packet_u16(pkt)
1681 || !WPACKET_put_bytes_u16(pkt, s->version)
1682 || !WPACKET_close(pkt)) {
1683 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1684 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1685 ERR_R_INTERNAL_ERROR);
1686 return EXT_RETURN_FAIL;
1687 }
1688
1689 return EXT_RETURN_SENT;
1690 }
1691
1692 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1693 unsigned int context, X509 *x,
1694 size_t chainidx)
1695 {
1696 #ifndef OPENSSL_NO_TLS1_3
1697 unsigned char *encodedPoint;
1698 size_t encoded_pt_len = 0;
1699 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1700
1701 if (s->hello_retry_request == SSL_HRR_PENDING) {
1702 if (ckey != NULL) {
1703 /* Original key_share was acceptable so don't ask for another one */
1704 return EXT_RETURN_NOT_SENT;
1705 }
1706 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1707 || !WPACKET_start_sub_packet_u16(pkt)
1708 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1709 || !WPACKET_close(pkt)) {
1710 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1711 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1712 ERR_R_INTERNAL_ERROR);
1713 return EXT_RETURN_FAIL;
1714 }
1715
1716 return EXT_RETURN_SENT;
1717 }
1718
1719 if (ckey == NULL) {
1720 /* No key_share received from client - must be resuming */
1721 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1722 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1723 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1724 return EXT_RETURN_FAIL;
1725 }
1726 return EXT_RETURN_NOT_SENT;
1727 }
1728
1729 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1730 || !WPACKET_start_sub_packet_u16(pkt)
1731 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1732 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1733 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1734 return EXT_RETURN_FAIL;
1735 }
1736
1737 skey = ssl_generate_pkey(s, ckey);
1738 if (skey == NULL) {
1739 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1740 ERR_R_MALLOC_FAILURE);
1741 return EXT_RETURN_FAIL;
1742 }
1743
1744 /* Generate encoding of server key */
1745 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1746 if (encoded_pt_len == 0) {
1747 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1748 ERR_R_EC_LIB);
1749 EVP_PKEY_free(skey);
1750 return EXT_RETURN_FAIL;
1751 }
1752
1753 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1754 || !WPACKET_close(pkt)) {
1755 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1756 ERR_R_INTERNAL_ERROR);
1757 EVP_PKEY_free(skey);
1758 OPENSSL_free(encodedPoint);
1759 return EXT_RETURN_FAIL;
1760 }
1761 OPENSSL_free(encodedPoint);
1762
1763 /* This causes the crypto state to be updated based on the derived keys */
1764 s->s3.tmp.pkey = skey;
1765 if (ssl_derive(s, skey, ckey, 1) == 0) {
1766 /* SSLfatal() already called */
1767 return EXT_RETURN_FAIL;
1768 }
1769 return EXT_RETURN_SENT;
1770 #else
1771 return EXT_RETURN_FAIL;
1772 #endif
1773 }
1774
1775 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1776 X509 *x, size_t chainidx)
1777 {
1778 #ifndef OPENSSL_NO_TLS1_3
1779 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1780 unsigned char *hmac, *hmac2;
1781 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1782 EVP_MD_CTX *hctx;
1783 EVP_PKEY *pkey;
1784 int ret = EXT_RETURN_FAIL;
1785
1786 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1787 return EXT_RETURN_NOT_SENT;
1788
1789 if (s->ctx->gen_stateless_cookie_cb == NULL) {
1790 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1791 SSL_R_NO_COOKIE_CALLBACK_SET);
1792 return EXT_RETURN_FAIL;
1793 }
1794
1795 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1796 || !WPACKET_start_sub_packet_u16(pkt)
1797 || !WPACKET_start_sub_packet_u16(pkt)
1798 || !WPACKET_get_total_written(pkt, &startlen)
1799 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1800 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1801 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1802 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1803 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1804 &ciphlen)
1805 /* Is there a key_share extension present in this HRR? */
1806 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1807 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
1808 || !WPACKET_start_sub_packet_u16(pkt)
1809 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1810 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1811 ERR_R_INTERNAL_ERROR);
1812 return EXT_RETURN_FAIL;
1813 }
1814
1815 /*
1816 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1817 * on raw buffers, so we first reserve sufficient bytes (above) and then
1818 * subsequently allocate them (below)
1819 */
1820 if (!ssl3_digest_cached_records(s, 0)
1821 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1822 /* SSLfatal() already called */
1823 return EXT_RETURN_FAIL;
1824 }
1825
1826 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1827 || !ossl_assert(hashval1 == hashval2)
1828 || !WPACKET_close(pkt)
1829 || !WPACKET_start_sub_packet_u8(pkt)
1830 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1831 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1832 ERR_R_INTERNAL_ERROR);
1833 return EXT_RETURN_FAIL;
1834 }
1835
1836 /* Generate the application cookie */
1837 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1838 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1839 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1840 return EXT_RETURN_FAIL;
1841 }
1842
1843 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1844 || !ossl_assert(appcookie1 == appcookie2)
1845 || !WPACKET_close(pkt)
1846 || !WPACKET_get_total_written(pkt, &totcookielen)
1847 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1848 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1849 ERR_R_INTERNAL_ERROR);
1850 return EXT_RETURN_FAIL;
1851 }
1852 hmaclen = SHA256_DIGEST_LENGTH;
1853
1854 totcookielen -= startlen;
1855 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1857 ERR_R_INTERNAL_ERROR);
1858 return EXT_RETURN_FAIL;
1859 }
1860
1861 /* HMAC the cookie */
1862 hctx = EVP_MD_CTX_create();
1863 pkey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC",
1864 s->ctx->propq,
1865 s->session_ctx->ext.cookie_hmac_key,
1866 sizeof(s->session_ctx->ext
1867 .cookie_hmac_key));
1868 if (hctx == NULL || pkey == NULL) {
1869 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1870 ERR_R_MALLOC_FAILURE);
1871 goto err;
1872 }
1873
1874 if (EVP_DigestSignInit_with_libctx(hctx, NULL, "SHA2-256",
1875 s->ctx->libctx, s->ctx->propq,
1876 pkey) <= 0
1877 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1878 totcookielen) <= 0) {
1879 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1880 ERR_R_INTERNAL_ERROR);
1881 goto err;
1882 }
1883
1884 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1885 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1886 ERR_R_INTERNAL_ERROR);
1887 goto err;
1888 }
1889
1890 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1891 || !ossl_assert(hmac == hmac2)
1892 || !ossl_assert(cookie == hmac - totcookielen)
1893 || !WPACKET_close(pkt)
1894 || !WPACKET_close(pkt)) {
1895 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1896 ERR_R_INTERNAL_ERROR);
1897 goto err;
1898 }
1899
1900 ret = EXT_RETURN_SENT;
1901
1902 err:
1903 EVP_MD_CTX_free(hctx);
1904 EVP_PKEY_free(pkey);
1905 return ret;
1906 #else
1907 return EXT_RETURN_FAIL;
1908 #endif
1909 }
1910
1911 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1912 unsigned int context, X509 *x,
1913 size_t chainidx)
1914 {
1915 const unsigned char cryptopro_ext[36] = {
1916 0xfd, 0xe8, /* 65000 */
1917 0x00, 0x20, /* 32 bytes length */
1918 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1919 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1920 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1921 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1922 };
1923
1924 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1925 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1926 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1927 return EXT_RETURN_NOT_SENT;
1928
1929 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1930 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1931 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1932 return EXT_RETURN_FAIL;
1933 }
1934
1935 return EXT_RETURN_SENT;
1936 }
1937
1938 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1939 unsigned int context, X509 *x,
1940 size_t chainidx)
1941 {
1942 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1943 if (s->max_early_data == 0)
1944 return EXT_RETURN_NOT_SENT;
1945
1946 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1947 || !WPACKET_start_sub_packet_u16(pkt)
1948 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1949 || !WPACKET_close(pkt)) {
1950 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1951 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1952 return EXT_RETURN_FAIL;
1953 }
1954
1955 return EXT_RETURN_SENT;
1956 }
1957
1958 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1959 return EXT_RETURN_NOT_SENT;
1960
1961 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1962 || !WPACKET_start_sub_packet_u16(pkt)
1963 || !WPACKET_close(pkt)) {
1964 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1965 ERR_R_INTERNAL_ERROR);
1966 return EXT_RETURN_FAIL;
1967 }
1968
1969 return EXT_RETURN_SENT;
1970 }
1971
1972 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1973 X509 *x, size_t chainidx)
1974 {
1975 if (!s->hit)
1976 return EXT_RETURN_NOT_SENT;
1977
1978 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1979 || !WPACKET_start_sub_packet_u16(pkt)
1980 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1981 || !WPACKET_close(pkt)) {
1982 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1983 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1984 return EXT_RETURN_FAIL;
1985 }
1986
1987 return EXT_RETURN_SENT;
1988 }
A mirror of the official openssl repository