extensions_clnt.c 66 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017
  1. /*
  2. * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/ocsp.h>
  10. #include "../ssl_local.h"
  11. #include "internal/cryptlib.h"
  12. #include "statem_local.h"
  13. EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
  14. unsigned int context, X509 *x,
  15. size_t chainidx)
  16. {
  17. /* Add RI if renegotiating */
  18. if (!s->renegotiate)
  19. return EXT_RETURN_NOT_SENT;
  20. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
  21. || !WPACKET_start_sub_packet_u16(pkt)
  22. || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,
  23. s->s3.previous_client_finished_len)
  24. || !WPACKET_close(pkt)) {
  25. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  26. return EXT_RETURN_FAIL;
  27. }
  28. return EXT_RETURN_SENT;
  29. }
  30. EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt,
  31. unsigned int context, X509 *x,
  32. size_t chainidx)
  33. {
  34. if (s->ext.hostname == NULL)
  35. return EXT_RETURN_NOT_SENT;
  36. /* Add TLS extension servername to the Client Hello message */
  37. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
  38. /* Sub-packet for server_name extension */
  39. || !WPACKET_start_sub_packet_u16(pkt)
  40. /* Sub-packet for servername list (always 1 hostname)*/
  41. || !WPACKET_start_sub_packet_u16(pkt)
  42. || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
  43. || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
  44. strlen(s->ext.hostname))
  45. || !WPACKET_close(pkt)
  46. || !WPACKET_close(pkt)) {
  47. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  48. return EXT_RETURN_FAIL;
  49. }
  50. return EXT_RETURN_SENT;
  51. }
  52. /* Push a Max Fragment Len extension into ClientHello */
  53. EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
  54. unsigned int context, X509 *x,
  55. size_t chainidx)
  56. {
  57. if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
  58. return EXT_RETURN_NOT_SENT;
  59. /* Add Max Fragment Length extension if client enabled it. */
  60. /*-
  61. * 4 bytes for this extension type and extension length
  62. * 1 byte for the Max Fragment Length code value.
  63. */
  64. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
  65. /* Sub-packet for Max Fragment Length extension (1 byte) */
  66. || !WPACKET_start_sub_packet_u16(pkt)
  67. || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
  68. || !WPACKET_close(pkt)) {
  69. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  70. return EXT_RETURN_FAIL;
  71. }
  72. return EXT_RETURN_SENT;
  73. }
  74. #ifndef OPENSSL_NO_SRP
  75. EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt,
  76. unsigned int context,
  77. X509 *x, size_t chainidx)
  78. {
  79. /* Add SRP username if there is one */
  80. if (s->srp_ctx.login == NULL)
  81. return EXT_RETURN_NOT_SENT;
  82. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
  83. /* Sub-packet for SRP extension */
  84. || !WPACKET_start_sub_packet_u16(pkt)
  85. || !WPACKET_start_sub_packet_u8(pkt)
  86. /* login must not be zero...internal error if so */
  87. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
  88. || !WPACKET_memcpy(pkt, s->srp_ctx.login,
  89. strlen(s->srp_ctx.login))
  90. || !WPACKET_close(pkt)
  91. || !WPACKET_close(pkt)) {
  92. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  93. return EXT_RETURN_FAIL;
  94. }
  95. return EXT_RETURN_SENT;
  96. }
  97. #endif
  98. static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version)
  99. {
  100. int i, end, ret = 0;
  101. unsigned long alg_k, alg_a;
  102. STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
  103. const uint16_t *pgroups = NULL;
  104. size_t num_groups, j;
  105. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  106. /* See if we support any ECC ciphersuites */
  107. if (s->version == SSL3_VERSION)
  108. return 0;
  109. cipher_stack = SSL_get1_supported_ciphers(ssl);
  110. end = sk_SSL_CIPHER_num(cipher_stack);
  111. for (i = 0; i < end; i++) {
  112. const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
  113. alg_k = c->algorithm_mkey;
  114. alg_a = c->algorithm_auth;
  115. if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
  116. || (alg_a & SSL_aECDSA)
  117. || c->min_tls >= TLS1_3_VERSION) {
  118. ret = 1;
  119. break;
  120. }
  121. }
  122. sk_SSL_CIPHER_free(cipher_stack);
  123. if (!ret)
  124. return 0;
  125. /* Check we have at least one EC supported group */
  126. tls1_get_supported_groups(s, &pgroups, &num_groups);
  127. for (j = 0; j < num_groups; j++) {
  128. uint16_t ctmp = pgroups[j];
  129. if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)
  130. && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
  131. return 1;
  132. }
  133. return 0;
  134. }
  135. EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
  136. unsigned int context, X509 *x,
  137. size_t chainidx)
  138. {
  139. const unsigned char *pformats;
  140. size_t num_formats;
  141. int reason, min_version, max_version;
  142. reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
  143. if (reason != 0) {
  144. SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
  145. return EXT_RETURN_FAIL;
  146. }
  147. if (!use_ecc(s, min_version, max_version))
  148. return EXT_RETURN_NOT_SENT;
  149. /* Add TLS extension ECPointFormats to the ClientHello message */
  150. tls1_get_formatlist(s, &pformats, &num_formats);
  151. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
  152. /* Sub-packet for formats extension */
  153. || !WPACKET_start_sub_packet_u16(pkt)
  154. || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
  155. || !WPACKET_close(pkt)) {
  156. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  157. return EXT_RETURN_FAIL;
  158. }
  159. return EXT_RETURN_SENT;
  160. }
  161. EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
  162. unsigned int context, X509 *x,
  163. size_t chainidx)
  164. {
  165. const uint16_t *pgroups = NULL;
  166. size_t num_groups = 0, i, tls13added = 0, added = 0;
  167. int min_version, max_version, reason;
  168. reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
  169. if (reason != 0) {
  170. SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
  171. return EXT_RETURN_FAIL;
  172. }
  173. /*
  174. * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore
  175. * if we don't have EC support then we don't send this extension.
  176. */
  177. if (!use_ecc(s, min_version, max_version)
  178. && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))
  179. return EXT_RETURN_NOT_SENT;
  180. /*
  181. * Add TLS extension supported_groups to the ClientHello message
  182. */
  183. tls1_get_supported_groups(s, &pgroups, &num_groups);
  184. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
  185. /* Sub-packet for supported_groups extension */
  186. || !WPACKET_start_sub_packet_u16(pkt)
  187. || !WPACKET_start_sub_packet_u16(pkt)
  188. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) {
  189. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  190. return EXT_RETURN_FAIL;
  191. }
  192. /* Copy group ID if supported */
  193. for (i = 0; i < num_groups; i++) {
  194. uint16_t ctmp = pgroups[i];
  195. int okfortls13;
  196. if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
  197. && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
  198. if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
  199. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  200. return EXT_RETURN_FAIL;
  201. }
  202. if (okfortls13 && max_version == TLS1_3_VERSION)
  203. tls13added++;
  204. added++;
  205. }
  206. }
  207. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  208. if (added == 0)
  209. SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
  210. "No groups enabled for max supported SSL/TLS version");
  211. else
  212. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  213. return EXT_RETURN_FAIL;
  214. }
  215. if (tls13added == 0 && max_version == TLS1_3_VERSION) {
  216. SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
  217. "No groups enabled for max supported SSL/TLS version");
  218. return EXT_RETURN_FAIL;
  219. }
  220. return EXT_RETURN_SENT;
  221. }
  222. EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
  223. unsigned int context, X509 *x,
  224. size_t chainidx)
  225. {
  226. size_t ticklen;
  227. if (!tls_use_ticket(s))
  228. return EXT_RETURN_NOT_SENT;
  229. if (!s->new_session && s->session != NULL
  230. && s->session->ext.tick != NULL
  231. && s->session->ssl_version != TLS1_3_VERSION) {
  232. ticklen = s->session->ext.ticklen;
  233. } else if (s->session && s->ext.session_ticket != NULL
  234. && s->ext.session_ticket->data != NULL) {
  235. ticklen = s->ext.session_ticket->length;
  236. s->session->ext.tick = OPENSSL_malloc(ticklen);
  237. if (s->session->ext.tick == NULL) {
  238. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  239. return EXT_RETURN_FAIL;
  240. }
  241. memcpy(s->session->ext.tick,
  242. s->ext.session_ticket->data, ticklen);
  243. s->session->ext.ticklen = ticklen;
  244. } else {
  245. ticklen = 0;
  246. }
  247. if (ticklen == 0 && s->ext.session_ticket != NULL &&
  248. s->ext.session_ticket->data == NULL)
  249. return EXT_RETURN_NOT_SENT;
  250. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
  251. || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
  252. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  253. return EXT_RETURN_FAIL;
  254. }
  255. return EXT_RETURN_SENT;
  256. }
  257. EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt,
  258. unsigned int context, X509 *x,
  259. size_t chainidx)
  260. {
  261. size_t salglen;
  262. const uint16_t *salg;
  263. if (!SSL_CLIENT_USE_SIGALGS(s))
  264. return EXT_RETURN_NOT_SENT;
  265. salglen = tls12_get_psigalgs(s, 1, &salg);
  266. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
  267. /* Sub-packet for sig-algs extension */
  268. || !WPACKET_start_sub_packet_u16(pkt)
  269. /* Sub-packet for the actual list */
  270. || !WPACKET_start_sub_packet_u16(pkt)
  271. || !tls12_copy_sigalgs(s, pkt, salg, salglen)
  272. || !WPACKET_close(pkt)
  273. || !WPACKET_close(pkt)) {
  274. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  275. return EXT_RETURN_FAIL;
  276. }
  277. return EXT_RETURN_SENT;
  278. }
  279. #ifndef OPENSSL_NO_OCSP
  280. EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt,
  281. unsigned int context, X509 *x,
  282. size_t chainidx)
  283. {
  284. int i;
  285. /* This extension isn't defined for client Certificates */
  286. if (x != NULL)
  287. return EXT_RETURN_NOT_SENT;
  288. if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
  289. return EXT_RETURN_NOT_SENT;
  290. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
  291. /* Sub-packet for status request extension */
  292. || !WPACKET_start_sub_packet_u16(pkt)
  293. || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
  294. /* Sub-packet for the ids */
  295. || !WPACKET_start_sub_packet_u16(pkt)) {
  296. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  297. return EXT_RETURN_FAIL;
  298. }
  299. for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
  300. unsigned char *idbytes;
  301. OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
  302. int idlen = i2d_OCSP_RESPID(id, NULL);
  303. if (idlen <= 0
  304. /* Sub-packet for an individual id */
  305. || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
  306. || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
  307. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  308. return EXT_RETURN_FAIL;
  309. }
  310. }
  311. if (!WPACKET_close(pkt)
  312. || !WPACKET_start_sub_packet_u16(pkt)) {
  313. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  314. return EXT_RETURN_FAIL;
  315. }
  316. if (s->ext.ocsp.exts) {
  317. unsigned char *extbytes;
  318. int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
  319. if (extlen < 0) {
  320. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  321. return EXT_RETURN_FAIL;
  322. }
  323. if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
  324. || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
  325. != extlen) {
  326. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  327. return EXT_RETURN_FAIL;
  328. }
  329. }
  330. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  331. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  332. return EXT_RETURN_FAIL;
  333. }
  334. return EXT_RETURN_SENT;
  335. }
  336. #endif
  337. #ifndef OPENSSL_NO_NEXTPROTONEG
  338. EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt,
  339. unsigned int context,
  340. X509 *x, size_t chainidx)
  341. {
  342. if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL
  343. || !SSL_IS_FIRST_HANDSHAKE(s))
  344. return EXT_RETURN_NOT_SENT;
  345. /*
  346. * The client advertises an empty extension to indicate its support
  347. * for Next Protocol Negotiation
  348. */
  349. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
  350. || !WPACKET_put_bytes_u16(pkt, 0)) {
  351. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  352. return EXT_RETURN_FAIL;
  353. }
  354. return EXT_RETURN_SENT;
  355. }
  356. #endif
  357. EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt,
  358. unsigned int context,
  359. X509 *x, size_t chainidx)
  360. {
  361. s->s3.alpn_sent = 0;
  362. if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
  363. return EXT_RETURN_NOT_SENT;
  364. if (!WPACKET_put_bytes_u16(pkt,
  365. TLSEXT_TYPE_application_layer_protocol_negotiation)
  366. /* Sub-packet ALPN extension */
  367. || !WPACKET_start_sub_packet_u16(pkt)
  368. || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
  369. || !WPACKET_close(pkt)) {
  370. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  371. return EXT_RETURN_FAIL;
  372. }
  373. s->s3.alpn_sent = 1;
  374. return EXT_RETURN_SENT;
  375. }
  376. #ifndef OPENSSL_NO_SRTP
  377. EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
  378. unsigned int context, X509 *x,
  379. size_t chainidx)
  380. {
  381. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  382. STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl);
  383. int i, end;
  384. if (clnt == NULL)
  385. return EXT_RETURN_NOT_SENT;
  386. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
  387. /* Sub-packet for SRTP extension */
  388. || !WPACKET_start_sub_packet_u16(pkt)
  389. /* Sub-packet for the protection profile list */
  390. || !WPACKET_start_sub_packet_u16(pkt)) {
  391. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  392. return EXT_RETURN_FAIL;
  393. }
  394. end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
  395. for (i = 0; i < end; i++) {
  396. const SRTP_PROTECTION_PROFILE *prof =
  397. sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
  398. if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
  399. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  400. return EXT_RETURN_FAIL;
  401. }
  402. }
  403. if (!WPACKET_close(pkt)
  404. /* Add an empty use_mki value */
  405. || !WPACKET_put_bytes_u8(pkt, 0)
  406. || !WPACKET_close(pkt)) {
  407. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  408. return EXT_RETURN_FAIL;
  409. }
  410. return EXT_RETURN_SENT;
  411. }
  412. #endif
  413. EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt,
  414. unsigned int context,
  415. X509 *x, size_t chainidx)
  416. {
  417. if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
  418. return EXT_RETURN_NOT_SENT;
  419. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
  420. || !WPACKET_put_bytes_u16(pkt, 0)) {
  421. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  422. return EXT_RETURN_FAIL;
  423. }
  424. return EXT_RETURN_SENT;
  425. }
  426. #ifndef OPENSSL_NO_CT
  427. EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt,
  428. unsigned int context,
  429. X509 *x, size_t chainidx)
  430. {
  431. if (s->ct_validation_callback == NULL)
  432. return EXT_RETURN_NOT_SENT;
  433. /* Not defined for client Certificates */
  434. if (x != NULL)
  435. return EXT_RETURN_NOT_SENT;
  436. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
  437. || !WPACKET_put_bytes_u16(pkt, 0)) {
  438. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  439. return EXT_RETURN_FAIL;
  440. }
  441. return EXT_RETURN_SENT;
  442. }
  443. #endif
  444. EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt,
  445. unsigned int context,
  446. X509 *x, size_t chainidx)
  447. {
  448. if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
  449. return EXT_RETURN_NOT_SENT;
  450. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
  451. || !WPACKET_put_bytes_u16(pkt, 0)) {
  452. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  453. return EXT_RETURN_FAIL;
  454. }
  455. return EXT_RETURN_SENT;
  456. }
  457. EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
  458. unsigned int context, X509 *x,
  459. size_t chainidx)
  460. {
  461. int currv, min_version, max_version, reason;
  462. reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
  463. if (reason != 0) {
  464. SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
  465. return EXT_RETURN_FAIL;
  466. }
  467. /*
  468. * Don't include this if we can't negotiate TLSv1.3. We can do a straight
  469. * comparison here because we will never be called in DTLS.
  470. */
  471. if (max_version < TLS1_3_VERSION)
  472. return EXT_RETURN_NOT_SENT;
  473. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
  474. || !WPACKET_start_sub_packet_u16(pkt)
  475. || !WPACKET_start_sub_packet_u8(pkt)) {
  476. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  477. return EXT_RETURN_FAIL;
  478. }
  479. for (currv = max_version; currv >= min_version; currv--) {
  480. if (!WPACKET_put_bytes_u16(pkt, currv)) {
  481. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  482. return EXT_RETURN_FAIL;
  483. }
  484. }
  485. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  486. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  487. return EXT_RETURN_FAIL;
  488. }
  489. return EXT_RETURN_SENT;
  490. }
  491. /*
  492. * Construct a psk_kex_modes extension.
  493. */
  494. EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,
  495. unsigned int context, X509 *x,
  496. size_t chainidx)
  497. {
  498. #ifndef OPENSSL_NO_TLS1_3
  499. int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
  500. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
  501. || !WPACKET_start_sub_packet_u16(pkt)
  502. || !WPACKET_start_sub_packet_u8(pkt)
  503. || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
  504. || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
  505. || !WPACKET_close(pkt)
  506. || !WPACKET_close(pkt)) {
  507. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  508. return EXT_RETURN_FAIL;
  509. }
  510. s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
  511. if (nodhe)
  512. s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
  513. #endif
  514. return EXT_RETURN_SENT;
  515. }
  516. #ifndef OPENSSL_NO_TLS1_3
  517. static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int curve_id)
  518. {
  519. unsigned char *encoded_point = NULL;
  520. EVP_PKEY *key_share_key = NULL;
  521. size_t encodedlen;
  522. if (s->s3.tmp.pkey != NULL) {
  523. if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
  524. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  525. return 0;
  526. }
  527. /*
  528. * Could happen if we got an HRR that wasn't requesting a new key_share
  529. */
  530. key_share_key = s->s3.tmp.pkey;
  531. } else {
  532. key_share_key = ssl_generate_pkey_group(s, curve_id);
  533. if (key_share_key == NULL) {
  534. /* SSLfatal() already called */
  535. return 0;
  536. }
  537. }
  538. /* Encode the public key. */
  539. encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,
  540. &encoded_point);
  541. if (encodedlen == 0) {
  542. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
  543. goto err;
  544. }
  545. /* Create KeyShareEntry */
  546. if (!WPACKET_put_bytes_u16(pkt, curve_id)
  547. || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
  548. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  549. goto err;
  550. }
  551. /*
  552. * When changing to send more than one key_share we're
  553. * going to need to be able to save more than one EVP_PKEY. For now
  554. * we reuse the existing tmp.pkey
  555. */
  556. s->s3.tmp.pkey = key_share_key;
  557. s->s3.group_id = curve_id;
  558. OPENSSL_free(encoded_point);
  559. return 1;
  560. err:
  561. if (s->s3.tmp.pkey == NULL)
  562. EVP_PKEY_free(key_share_key);
  563. OPENSSL_free(encoded_point);
  564. return 0;
  565. }
  566. #endif
  567. EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
  568. unsigned int context, X509 *x,
  569. size_t chainidx)
  570. {
  571. #ifndef OPENSSL_NO_TLS1_3
  572. size_t i, num_groups = 0;
  573. const uint16_t *pgroups = NULL;
  574. uint16_t curve_id = 0;
  575. /* key_share extension */
  576. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
  577. /* Extension data sub-packet */
  578. || !WPACKET_start_sub_packet_u16(pkt)
  579. /* KeyShare list sub-packet */
  580. || !WPACKET_start_sub_packet_u16(pkt)) {
  581. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  582. return EXT_RETURN_FAIL;
  583. }
  584. tls1_get_supported_groups(s, &pgroups, &num_groups);
  585. /*
  586. * Make the number of key_shares sent configurable. For
  587. * now, we just send one
  588. */
  589. if (s->s3.group_id != 0) {
  590. curve_id = s->s3.group_id;
  591. } else {
  592. for (i = 0; i < num_groups; i++) {
  593. if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
  594. continue;
  595. if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,
  596. 0, NULL))
  597. continue;
  598. curve_id = pgroups[i];
  599. break;
  600. }
  601. }
  602. if (curve_id == 0) {
  603. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
  604. return EXT_RETURN_FAIL;
  605. }
  606. if (!add_key_share(s, pkt, curve_id)) {
  607. /* SSLfatal() already called */
  608. return EXT_RETURN_FAIL;
  609. }
  610. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  611. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  612. return EXT_RETURN_FAIL;
  613. }
  614. return EXT_RETURN_SENT;
  615. #else
  616. return EXT_RETURN_NOT_SENT;
  617. #endif
  618. }
  619. EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt,
  620. unsigned int context,
  621. X509 *x, size_t chainidx)
  622. {
  623. EXT_RETURN ret = EXT_RETURN_FAIL;
  624. /* Should only be set if we've had an HRR */
  625. if (s->ext.tls13_cookie_len == 0)
  626. return EXT_RETURN_NOT_SENT;
  627. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
  628. /* Extension data sub-packet */
  629. || !WPACKET_start_sub_packet_u16(pkt)
  630. || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
  631. s->ext.tls13_cookie_len)
  632. || !WPACKET_close(pkt)) {
  633. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  634. goto end;
  635. }
  636. ret = EXT_RETURN_SENT;
  637. end:
  638. OPENSSL_free(s->ext.tls13_cookie);
  639. s->ext.tls13_cookie = NULL;
  640. s->ext.tls13_cookie_len = 0;
  641. return ret;
  642. }
  643. EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt,
  644. unsigned int context, X509 *x,
  645. size_t chainidx)
  646. {
  647. #ifndef OPENSSL_NO_PSK
  648. char identity[PSK_MAX_IDENTITY_LEN + 1];
  649. #endif /* OPENSSL_NO_PSK */
  650. const unsigned char *id = NULL;
  651. size_t idlen = 0;
  652. SSL_SESSION *psksess = NULL;
  653. SSL_SESSION *edsess = NULL;
  654. const EVP_MD *handmd = NULL;
  655. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  656. if (s->hello_retry_request == SSL_HRR_PENDING)
  657. handmd = ssl_handshake_md(s);
  658. if (s->psk_use_session_cb != NULL
  659. && (!s->psk_use_session_cb(ssl, handmd, &id, &idlen, &psksess)
  660. || (psksess != NULL
  661. && psksess->ssl_version != TLS1_3_VERSION))) {
  662. SSL_SESSION_free(psksess);
  663. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
  664. return EXT_RETURN_FAIL;
  665. }
  666. #ifndef OPENSSL_NO_PSK
  667. if (psksess == NULL && s->psk_client_callback != NULL) {
  668. unsigned char psk[PSK_MAX_PSK_LEN];
  669. size_t psklen = 0;
  670. memset(identity, 0, sizeof(identity));
  671. psklen = s->psk_client_callback(ssl, NULL,
  672. identity, sizeof(identity) - 1,
  673. psk, sizeof(psk));
  674. if (psklen > PSK_MAX_PSK_LEN) {
  675. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
  676. return EXT_RETURN_FAIL;
  677. } else if (psklen > 0) {
  678. const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
  679. const SSL_CIPHER *cipher;
  680. idlen = strlen(identity);
  681. if (idlen > PSK_MAX_IDENTITY_LEN) {
  682. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  683. return EXT_RETURN_FAIL;
  684. }
  685. id = (unsigned char *)identity;
  686. /*
  687. * We found a PSK using an old style callback. We don't know
  688. * the digest so we default to SHA256 as per the TLSv1.3 spec
  689. */
  690. cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
  691. if (cipher == NULL) {
  692. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  693. return EXT_RETURN_FAIL;
  694. }
  695. psksess = SSL_SESSION_new();
  696. if (psksess == NULL
  697. || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
  698. || !SSL_SESSION_set_cipher(psksess, cipher)
  699. || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
  700. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  701. OPENSSL_cleanse(psk, psklen);
  702. return EXT_RETURN_FAIL;
  703. }
  704. OPENSSL_cleanse(psk, psklen);
  705. }
  706. }
  707. #endif /* OPENSSL_NO_PSK */
  708. SSL_SESSION_free(s->psksession);
  709. s->psksession = psksess;
  710. if (psksess != NULL) {
  711. OPENSSL_free(s->psksession_id);
  712. s->psksession_id = OPENSSL_memdup(id, idlen);
  713. if (s->psksession_id == NULL) {
  714. s->psksession_id_len = 0;
  715. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  716. return EXT_RETURN_FAIL;
  717. }
  718. s->psksession_id_len = idlen;
  719. }
  720. if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
  721. || (s->session->ext.max_early_data == 0
  722. && (psksess == NULL || psksess->ext.max_early_data == 0))) {
  723. s->max_early_data = 0;
  724. return EXT_RETURN_NOT_SENT;
  725. }
  726. edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
  727. s->max_early_data = edsess->ext.max_early_data;
  728. if (edsess->ext.hostname != NULL) {
  729. if (s->ext.hostname == NULL
  730. || (s->ext.hostname != NULL
  731. && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
  732. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  733. SSL_R_INCONSISTENT_EARLY_DATA_SNI);
  734. return EXT_RETURN_FAIL;
  735. }
  736. }
  737. if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
  738. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
  739. return EXT_RETURN_FAIL;
  740. }
  741. /*
  742. * Verify that we are offering an ALPN protocol consistent with the early
  743. * data.
  744. */
  745. if (edsess->ext.alpn_selected != NULL) {
  746. PACKET prots, alpnpkt;
  747. int found = 0;
  748. if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
  749. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  750. return EXT_RETURN_FAIL;
  751. }
  752. while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
  753. if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
  754. edsess->ext.alpn_selected_len)) {
  755. found = 1;
  756. break;
  757. }
  758. }
  759. if (!found) {
  760. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  761. SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
  762. return EXT_RETURN_FAIL;
  763. }
  764. }
  765. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
  766. || !WPACKET_start_sub_packet_u16(pkt)
  767. || !WPACKET_close(pkt)) {
  768. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  769. return EXT_RETURN_FAIL;
  770. }
  771. /*
  772. * We set this to rejected here. Later, if the server acknowledges the
  773. * extension, we set it to accepted.
  774. */
  775. s->ext.early_data = SSL_EARLY_DATA_REJECTED;
  776. s->ext.early_data_ok = 1;
  777. return EXT_RETURN_SENT;
  778. }
  779. #define F5_WORKAROUND_MIN_MSG_LEN 0xff
  780. #define F5_WORKAROUND_MAX_MSG_LEN 0x200
  781. /*
  782. * PSK pre binder overhead =
  783. * 2 bytes for TLSEXT_TYPE_psk
  784. * 2 bytes for extension length
  785. * 2 bytes for identities list length
  786. * 2 bytes for identity length
  787. * 4 bytes for obfuscated_ticket_age
  788. * 2 bytes for binder list length
  789. * 1 byte for binder length
  790. * The above excludes the number of bytes for the identity itself and the
  791. * subsequent binder bytes
  792. */
  793. #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
  794. EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt,
  795. unsigned int context, X509 *x,
  796. size_t chainidx)
  797. {
  798. unsigned char *padbytes;
  799. size_t hlen;
  800. if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
  801. return EXT_RETURN_NOT_SENT;
  802. /*
  803. * Add padding to workaround bugs in F5 terminators. See RFC7685.
  804. * This code calculates the length of all extensions added so far but
  805. * excludes the PSK extension (because that MUST be written last). Therefore
  806. * this extension MUST always appear second to last.
  807. */
  808. if (!WPACKET_get_total_written(pkt, &hlen)) {
  809. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  810. return EXT_RETURN_FAIL;
  811. }
  812. /*
  813. * If we're going to send a PSK then that will be written out after this
  814. * extension, so we need to calculate how long it is going to be.
  815. */
  816. if (s->session->ssl_version == TLS1_3_VERSION
  817. && s->session->ext.ticklen != 0
  818. && s->session->cipher != NULL) {
  819. const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s),
  820. s->session->cipher->algorithm2);
  821. if (md != NULL) {
  822. /*
  823. * Add the fixed PSK overhead, the identity length and the binder
  824. * length.
  825. */
  826. hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
  827. + EVP_MD_get_size(md);
  828. }
  829. }
  830. if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
  831. /* Calculate the amount of padding we need to add */
  832. hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
  833. /*
  834. * Take off the size of extension header itself (2 bytes for type and
  835. * 2 bytes for length bytes), but ensure that the extension is at least
  836. * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
  837. * 8.x are intolerant of that condition)
  838. */
  839. if (hlen > 4)
  840. hlen -= 4;
  841. else
  842. hlen = 1;
  843. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
  844. || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
  845. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  846. return EXT_RETURN_FAIL;
  847. }
  848. memset(padbytes, 0, hlen);
  849. }
  850. return EXT_RETURN_SENT;
  851. }
  852. /*
  853. * Construct the pre_shared_key extension
  854. */
  855. EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
  856. unsigned int context,
  857. X509 *x, size_t chainidx)
  858. {
  859. #ifndef OPENSSL_NO_TLS1_3
  860. uint32_t agesec, agems = 0;
  861. size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
  862. unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
  863. const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
  864. int dores = 0;
  865. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  866. OSSL_TIME t;
  867. s->ext.tick_identity = 0;
  868. /*
  869. * Note: At this stage of the code we only support adding a single
  870. * resumption PSK. If we add support for multiple PSKs then the length
  871. * calculations in the padding extension will need to be adjusted.
  872. */
  873. /*
  874. * If this is an incompatible or new session then we have nothing to resume
  875. * so don't add this extension.
  876. */
  877. if (s->session->ssl_version != TLS1_3_VERSION
  878. || (s->session->ext.ticklen == 0 && s->psksession == NULL))
  879. return EXT_RETURN_NOT_SENT;
  880. if (s->hello_retry_request == SSL_HRR_PENDING)
  881. handmd = ssl_handshake_md(s);
  882. if (s->session->ext.ticklen != 0) {
  883. /* Get the digest associated with the ciphersuite in the session */
  884. if (s->session->cipher == NULL) {
  885. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  886. return EXT_RETURN_FAIL;
  887. }
  888. mdres = ssl_md(sctx, s->session->cipher->algorithm2);
  889. if (mdres == NULL) {
  890. /*
  891. * Don't recognize this cipher so we can't use the session.
  892. * Ignore it
  893. */
  894. goto dopsksess;
  895. }
  896. if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
  897. /*
  898. * Selected ciphersuite hash does not match the hash for the session
  899. * so we can't use it.
  900. */
  901. goto dopsksess;
  902. }
  903. /*
  904. * Technically the C standard just says time() returns a time_t and says
  905. * nothing about the encoding of that type. In practice most
  906. * implementations follow POSIX which holds it as an integral type in
  907. * seconds since epoch. We've already made the assumption that we can do
  908. * this in multiple places in the code, so portability shouldn't be an
  909. * issue.
  910. */
  911. t = ossl_time_subtract(ossl_time_now(), s->session->time);
  912. agesec = (uint32_t)ossl_time2seconds(t);
  913. /*
  914. * We calculate the age in seconds but the server may work in ms. Due to
  915. * rounding errors we could overestimate the age by up to 1s. It is
  916. * better to underestimate it. Otherwise, if the RTT is very short, when
  917. * the server calculates the age reported by the client it could be
  918. * bigger than the age calculated on the server - which should never
  919. * happen.
  920. */
  921. if (agesec > 0)
  922. agesec--;
  923. if (s->session->ext.tick_lifetime_hint < agesec) {
  924. /* Ticket is too old. Ignore it. */
  925. goto dopsksess;
  926. }
  927. /*
  928. * Calculate age in ms. We're just doing it to nearest second. Should be
  929. * good enough.
  930. */
  931. agems = agesec * (uint32_t)1000;
  932. if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
  933. /*
  934. * Overflow. Shouldn't happen unless this is a *really* old session.
  935. * If so we just ignore it.
  936. */
  937. goto dopsksess;
  938. }
  939. /*
  940. * Obfuscate the age. Overflow here is fine, this addition is supposed
  941. * to be mod 2^32.
  942. */
  943. agems += s->session->ext.tick_age_add;
  944. reshashsize = EVP_MD_get_size(mdres);
  945. s->ext.tick_identity++;
  946. dores = 1;
  947. }
  948. dopsksess:
  949. if (!dores && s->psksession == NULL)
  950. return EXT_RETURN_NOT_SENT;
  951. if (s->psksession != NULL) {
  952. mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2);
  953. if (mdpsk == NULL) {
  954. /*
  955. * Don't recognize this cipher so we can't use the session.
  956. * If this happens it's an application bug.
  957. */
  958. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
  959. return EXT_RETURN_FAIL;
  960. }
  961. if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
  962. /*
  963. * Selected ciphersuite hash does not match the hash for the PSK
  964. * session. This is an application bug.
  965. */
  966. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
  967. return EXT_RETURN_FAIL;
  968. }
  969. pskhashsize = EVP_MD_get_size(mdpsk);
  970. }
  971. /* Create the extension, but skip over the binder for now */
  972. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
  973. || !WPACKET_start_sub_packet_u16(pkt)
  974. || !WPACKET_start_sub_packet_u16(pkt)) {
  975. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  976. return EXT_RETURN_FAIL;
  977. }
  978. if (dores) {
  979. if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
  980. s->session->ext.ticklen)
  981. || !WPACKET_put_bytes_u32(pkt, agems)) {
  982. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  983. return EXT_RETURN_FAIL;
  984. }
  985. }
  986. if (s->psksession != NULL) {
  987. if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
  988. s->psksession_id_len)
  989. || !WPACKET_put_bytes_u32(pkt, 0)) {
  990. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  991. return EXT_RETURN_FAIL;
  992. }
  993. s->ext.tick_identity++;
  994. }
  995. if (!WPACKET_close(pkt)
  996. || !WPACKET_get_total_written(pkt, &binderoffset)
  997. || !WPACKET_start_sub_packet_u16(pkt)
  998. || (dores
  999. && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
  1000. || (s->psksession != NULL
  1001. && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
  1002. || !WPACKET_close(pkt)
  1003. || !WPACKET_close(pkt)
  1004. || !WPACKET_get_total_written(pkt, &msglen)
  1005. /*
  1006. * We need to fill in all the sub-packet lengths now so we can
  1007. * calculate the HMAC of the message up to the binders
  1008. */
  1009. || !WPACKET_fill_lengths(pkt)) {
  1010. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1011. return EXT_RETURN_FAIL;
  1012. }
  1013. msgstart = WPACKET_get_curr(pkt) - msglen;
  1014. if (dores
  1015. && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
  1016. resbinder, s->session, 1, 0) != 1) {
  1017. /* SSLfatal() already called */
  1018. return EXT_RETURN_FAIL;
  1019. }
  1020. if (s->psksession != NULL
  1021. && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
  1022. pskbinder, s->psksession, 1, 1) != 1) {
  1023. /* SSLfatal() already called */
  1024. return EXT_RETURN_FAIL;
  1025. }
  1026. return EXT_RETURN_SENT;
  1027. #else
  1028. return EXT_RETURN_NOT_SENT;
  1029. #endif
  1030. }
  1031. EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt,
  1032. ossl_unused unsigned int context,
  1033. ossl_unused X509 *x,
  1034. ossl_unused size_t chainidx)
  1035. {
  1036. #ifndef OPENSSL_NO_TLS1_3
  1037. if (!s->pha_enabled)
  1038. return EXT_RETURN_NOT_SENT;
  1039. /* construct extension - 0 length, no contents */
  1040. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
  1041. || !WPACKET_start_sub_packet_u16(pkt)
  1042. || !WPACKET_close(pkt)) {
  1043. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1044. return EXT_RETURN_FAIL;
  1045. }
  1046. s->post_handshake_auth = SSL_PHA_EXT_SENT;
  1047. return EXT_RETURN_SENT;
  1048. #else
  1049. return EXT_RETURN_NOT_SENT;
  1050. #endif
  1051. }
  1052. /*
  1053. * Parse the server's renegotiation binding and abort if it's not right
  1054. */
  1055. int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
  1056. unsigned int context,
  1057. X509 *x, size_t chainidx)
  1058. {
  1059. size_t expected_len = s->s3.previous_client_finished_len
  1060. + s->s3.previous_server_finished_len;
  1061. size_t ilen;
  1062. const unsigned char *data;
  1063. /* Check for logic errors */
  1064. if (!ossl_assert(expected_len == 0
  1065. || s->s3.previous_client_finished_len != 0)
  1066. || !ossl_assert(expected_len == 0
  1067. || s->s3.previous_server_finished_len != 0)) {
  1068. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1069. return 0;
  1070. }
  1071. /* Parse the length byte */
  1072. if (!PACKET_get_1_len(pkt, &ilen)) {
  1073. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
  1074. return 0;
  1075. }
  1076. /* Consistency check */
  1077. if (PACKET_remaining(pkt) != ilen) {
  1078. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
  1079. return 0;
  1080. }
  1081. /* Check that the extension matches */
  1082. if (ilen != expected_len) {
  1083. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
  1084. return 0;
  1085. }
  1086. if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)
  1087. || memcmp(data, s->s3.previous_client_finished,
  1088. s->s3.previous_client_finished_len) != 0) {
  1089. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
  1090. return 0;
  1091. }
  1092. if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)
  1093. || memcmp(data, s->s3.previous_server_finished,
  1094. s->s3.previous_server_finished_len) != 0) {
  1095. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
  1096. return 0;
  1097. }
  1098. s->s3.send_connection_binding = 1;
  1099. return 1;
  1100. }
  1101. /* Parse the server's max fragment len extension packet */
  1102. int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
  1103. unsigned int context,
  1104. X509 *x, size_t chainidx)
  1105. {
  1106. unsigned int value;
  1107. if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
  1108. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1109. return 0;
  1110. }
  1111. /* |value| should contains a valid max-fragment-length code. */
  1112. if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
  1113. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1114. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  1115. return 0;
  1116. }
  1117. /* Must be the same value as client-configured one who was sent to server */
  1118. /*-
  1119. * RFC 6066: if a client receives a maximum fragment length negotiation
  1120. * response that differs from the length it requested, ...
  1121. * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
  1122. */
  1123. if (value != s->ext.max_fragment_len_mode) {
  1124. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1125. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  1126. return 0;
  1127. }
  1128. /*
  1129. * Maximum Fragment Length Negotiation succeeded.
  1130. * The negotiated Maximum Fragment Length is binding now.
  1131. */
  1132. s->session->ext.max_fragment_len_mode = value;
  1133. return 1;
  1134. }
  1135. int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt,
  1136. unsigned int context,
  1137. X509 *x, size_t chainidx)
  1138. {
  1139. if (s->ext.hostname == NULL) {
  1140. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1141. return 0;
  1142. }
  1143. if (PACKET_remaining(pkt) > 0) {
  1144. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1145. return 0;
  1146. }
  1147. if (!s->hit) {
  1148. if (s->session->ext.hostname != NULL) {
  1149. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1150. return 0;
  1151. }
  1152. s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
  1153. if (s->session->ext.hostname == NULL) {
  1154. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1155. return 0;
  1156. }
  1157. }
  1158. return 1;
  1159. }
  1160. int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
  1161. unsigned int context,
  1162. X509 *x, size_t chainidx)
  1163. {
  1164. size_t ecpointformats_len;
  1165. PACKET ecptformatlist;
  1166. if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
  1167. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1168. return 0;
  1169. }
  1170. if (!s->hit) {
  1171. ecpointformats_len = PACKET_remaining(&ecptformatlist);
  1172. if (ecpointformats_len == 0) {
  1173. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
  1174. return 0;
  1175. }
  1176. s->ext.peer_ecpointformats_len = 0;
  1177. OPENSSL_free(s->ext.peer_ecpointformats);
  1178. s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
  1179. if (s->ext.peer_ecpointformats == NULL) {
  1180. s->ext.peer_ecpointformats_len = 0;
  1181. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1182. return 0;
  1183. }
  1184. s->ext.peer_ecpointformats_len = ecpointformats_len;
  1185. if (!PACKET_copy_bytes(&ecptformatlist,
  1186. s->ext.peer_ecpointformats,
  1187. ecpointformats_len)) {
  1188. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1189. return 0;
  1190. }
  1191. }
  1192. return 1;
  1193. }
  1194. int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
  1195. unsigned int context,
  1196. X509 *x, size_t chainidx)
  1197. {
  1198. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1199. if (s->ext.session_ticket_cb != NULL &&
  1200. !s->ext.session_ticket_cb(ssl, PACKET_data(pkt),
  1201. PACKET_remaining(pkt),
  1202. s->ext.session_ticket_cb_arg)) {
  1203. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
  1204. return 0;
  1205. }
  1206. if (!tls_use_ticket(s)) {
  1207. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
  1208. return 0;
  1209. }
  1210. if (PACKET_remaining(pkt) > 0) {
  1211. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1212. return 0;
  1213. }
  1214. s->ext.ticket_expected = 1;
  1215. return 1;
  1216. }
  1217. #ifndef OPENSSL_NO_OCSP
  1218. int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt,
  1219. unsigned int context,
  1220. X509 *x, size_t chainidx)
  1221. {
  1222. if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
  1223. /* We ignore this if the server sends a CertificateRequest */
  1224. return 1;
  1225. }
  1226. /*
  1227. * MUST only be sent if we've requested a status
  1228. * request message. In TLS <= 1.2 it must also be empty.
  1229. */
  1230. if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
  1231. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
  1232. return 0;
  1233. }
  1234. if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
  1235. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1236. return 0;
  1237. }
  1238. if (SSL_CONNECTION_IS_TLS13(s)) {
  1239. /* We only know how to handle this if it's for the first Certificate in
  1240. * the chain. We ignore any other responses.
  1241. */
  1242. if (chainidx != 0)
  1243. return 1;
  1244. /* SSLfatal() already called */
  1245. return tls_process_cert_status_body(s, pkt);
  1246. }
  1247. /* Set flag to expect CertificateStatus message */
  1248. s->ext.status_expected = 1;
  1249. return 1;
  1250. }
  1251. #endif
  1252. #ifndef OPENSSL_NO_CT
  1253. int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  1254. X509 *x, size_t chainidx)
  1255. {
  1256. if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
  1257. /* We ignore this if the server sends it in a CertificateRequest */
  1258. return 1;
  1259. }
  1260. /*
  1261. * Only take it if we asked for it - i.e if there is no CT validation
  1262. * callback set, then a custom extension MAY be processing it, so we
  1263. * need to let control continue to flow to that.
  1264. */
  1265. if (s->ct_validation_callback != NULL) {
  1266. size_t size = PACKET_remaining(pkt);
  1267. /* Simply copy it off for later processing */
  1268. OPENSSL_free(s->ext.scts);
  1269. s->ext.scts = NULL;
  1270. s->ext.scts_len = (uint16_t)size;
  1271. if (size > 0) {
  1272. s->ext.scts = OPENSSL_malloc(size);
  1273. if (s->ext.scts == NULL) {
  1274. s->ext.scts_len = 0;
  1275. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  1276. return 0;
  1277. }
  1278. if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
  1279. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1280. return 0;
  1281. }
  1282. }
  1283. } else {
  1284. ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
  1285. ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
  1286. /*
  1287. * If we didn't ask for it then there must be a custom extension,
  1288. * otherwise this is unsolicited.
  1289. */
  1290. if (custom_ext_find(&s->cert->custext, role,
  1291. TLSEXT_TYPE_signed_certificate_timestamp,
  1292. NULL) == NULL) {
  1293. SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
  1294. return 0;
  1295. }
  1296. if (!custom_ext_parse(s, context,
  1297. TLSEXT_TYPE_signed_certificate_timestamp,
  1298. PACKET_data(pkt), PACKET_remaining(pkt),
  1299. x, chainidx)) {
  1300. /* SSLfatal already called */
  1301. return 0;
  1302. }
  1303. }
  1304. return 1;
  1305. }
  1306. #endif
  1307. #ifndef OPENSSL_NO_NEXTPROTONEG
  1308. /*
  1309. * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
  1310. * elements of zero length are allowed and the set of elements must exactly
  1311. * fill the length of the block. Returns 1 on success or 0 on failure.
  1312. */
  1313. static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt)
  1314. {
  1315. PACKET tmp_protocol;
  1316. while (PACKET_remaining(pkt)) {
  1317. if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
  1318. || PACKET_remaining(&tmp_protocol) == 0) {
  1319. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1320. return 0;
  1321. }
  1322. }
  1323. return 1;
  1324. }
  1325. int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  1326. X509 *x, size_t chainidx)
  1327. {
  1328. unsigned char *selected;
  1329. unsigned char selected_len;
  1330. PACKET tmppkt;
  1331. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1332. /* Check if we are in a renegotiation. If so ignore this extension */
  1333. if (!SSL_IS_FIRST_HANDSHAKE(s))
  1334. return 1;
  1335. /* We must have requested it. */
  1336. if (sctx->ext.npn_select_cb == NULL) {
  1337. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
  1338. return 0;
  1339. }
  1340. /* The data must be valid */
  1341. tmppkt = *pkt;
  1342. if (!ssl_next_proto_validate(s, &tmppkt)) {
  1343. /* SSLfatal() already called */
  1344. return 0;
  1345. }
  1346. if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
  1347. &selected, &selected_len,
  1348. PACKET_data(pkt), PACKET_remaining(pkt),
  1349. sctx->ext.npn_select_cb_arg) !=
  1350. SSL_TLSEXT_ERR_OK) {
  1351. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
  1352. return 0;
  1353. }
  1354. /*
  1355. * Could be non-NULL if server has sent multiple NPN extensions in
  1356. * a single Serverhello
  1357. */
  1358. OPENSSL_free(s->ext.npn);
  1359. s->ext.npn = OPENSSL_malloc(selected_len);
  1360. if (s->ext.npn == NULL) {
  1361. s->ext.npn_len = 0;
  1362. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1363. return 0;
  1364. }
  1365. memcpy(s->ext.npn, selected, selected_len);
  1366. s->ext.npn_len = selected_len;
  1367. s->s3.npn_seen = 1;
  1368. return 1;
  1369. }
  1370. #endif
  1371. int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  1372. X509 *x, size_t chainidx)
  1373. {
  1374. size_t len;
  1375. /* We must have requested it. */
  1376. if (!s->s3.alpn_sent) {
  1377. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
  1378. return 0;
  1379. }
  1380. /*-
  1381. * The extension data consists of:
  1382. * uint16 list_length
  1383. * uint8 proto_length;
  1384. * uint8 proto[proto_length];
  1385. */
  1386. if (!PACKET_get_net_2_len(pkt, &len)
  1387. || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
  1388. || PACKET_remaining(pkt) != len) {
  1389. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1390. return 0;
  1391. }
  1392. OPENSSL_free(s->s3.alpn_selected);
  1393. s->s3.alpn_selected = OPENSSL_malloc(len);
  1394. if (s->s3.alpn_selected == NULL) {
  1395. s->s3.alpn_selected_len = 0;
  1396. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1397. return 0;
  1398. }
  1399. if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {
  1400. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1401. return 0;
  1402. }
  1403. s->s3.alpn_selected_len = len;
  1404. if (s->session->ext.alpn_selected == NULL
  1405. || s->session->ext.alpn_selected_len != len
  1406. || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)
  1407. != 0) {
  1408. /* ALPN not consistent with the old session so cannot use early_data */
  1409. s->ext.early_data_ok = 0;
  1410. }
  1411. if (!s->hit) {
  1412. /*
  1413. * This is a new session and so alpn_selected should have been
  1414. * initialised to NULL. We should update it with the selected ALPN.
  1415. */
  1416. if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
  1417. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1418. return 0;
  1419. }
  1420. s->session->ext.alpn_selected =
  1421. OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
  1422. if (s->session->ext.alpn_selected == NULL) {
  1423. s->session->ext.alpn_selected_len = 0;
  1424. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1425. return 0;
  1426. }
  1427. s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
  1428. }
  1429. return 1;
  1430. }
  1431. #ifndef OPENSSL_NO_SRTP
  1432. int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
  1433. unsigned int context, X509 *x, size_t chainidx)
  1434. {
  1435. unsigned int id, ct, mki;
  1436. int i;
  1437. STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
  1438. SRTP_PROTECTION_PROFILE *prof;
  1439. if (!PACKET_get_net_2(pkt, &ct) || ct != 2
  1440. || !PACKET_get_net_2(pkt, &id)
  1441. || !PACKET_get_1(pkt, &mki)
  1442. || PACKET_remaining(pkt) != 0) {
  1443. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1444. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  1445. return 0;
  1446. }
  1447. if (mki != 0) {
  1448. /* Must be no MKI, since we never offer one */
  1449. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);
  1450. return 0;
  1451. }
  1452. /* Throw an error if the server gave us an unsolicited extension */
  1453. clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s));
  1454. if (clnt == NULL) {
  1455. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);
  1456. return 0;
  1457. }
  1458. /*
  1459. * Check to see if the server gave us something we support (and
  1460. * presumably offered)
  1461. */
  1462. for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
  1463. prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
  1464. if (prof->id == id) {
  1465. s->srtp_profile = prof;
  1466. return 1;
  1467. }
  1468. }
  1469. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1470. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  1471. return 0;
  1472. }
  1473. #endif
  1474. int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  1475. X509 *x, size_t chainidx)
  1476. {
  1477. /* Ignore if inappropriate ciphersuite */
  1478. if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
  1479. && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD
  1480. && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4
  1481. && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
  1482. && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12
  1483. && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA
  1484. && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)
  1485. s->ext.use_etm = 1;
  1486. return 1;
  1487. }
  1488. int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  1489. X509 *x, size_t chainidx)
  1490. {
  1491. if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
  1492. return 1;
  1493. s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
  1494. if (!s->hit)
  1495. s->session->flags |= SSL_SESS_FLAG_EXTMS;
  1496. return 1;
  1497. }
  1498. int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt,
  1499. unsigned int context,
  1500. X509 *x, size_t chainidx)
  1501. {
  1502. unsigned int version;
  1503. if (!PACKET_get_net_2(pkt, &version)
  1504. || PACKET_remaining(pkt) != 0) {
  1505. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1506. return 0;
  1507. }
  1508. /*
  1509. * The only protocol version we support which is valid in this extension in
  1510. * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
  1511. */
  1512. if (version != TLS1_3_VERSION) {
  1513. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1514. SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
  1515. return 0;
  1516. }
  1517. /* We ignore this extension for HRRs except to sanity check it */
  1518. if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
  1519. return 1;
  1520. /* We just set it here. We validate it in ssl_choose_client_version */
  1521. s->version = version;
  1522. if (!ssl_set_record_protocol_version(s, version)) {
  1523. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1524. return 0;
  1525. }
  1526. return 1;
  1527. }
  1528. int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,
  1529. unsigned int context, X509 *x,
  1530. size_t chainidx)
  1531. {
  1532. #ifndef OPENSSL_NO_TLS1_3
  1533. unsigned int group_id;
  1534. PACKET encoded_pt;
  1535. EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
  1536. const TLS_GROUP_INFO *ginf = NULL;
  1537. /* Sanity check */
  1538. if (ckey == NULL || s->s3.peer_tmp != NULL) {
  1539. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1540. return 0;
  1541. }
  1542. if (!PACKET_get_net_2(pkt, &group_id)) {
  1543. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1544. return 0;
  1545. }
  1546. if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
  1547. const uint16_t *pgroups = NULL;
  1548. size_t i, num_groups;
  1549. if (PACKET_remaining(pkt) != 0) {
  1550. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1551. return 0;
  1552. }
  1553. /*
  1554. * It is an error if the HelloRetryRequest wants a key_share that we
  1555. * already sent in the first ClientHello
  1556. */
  1557. if (group_id == s->s3.group_id) {
  1558. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
  1559. return 0;
  1560. }
  1561. /* Validate the selected group is one we support */
  1562. tls1_get_supported_groups(s, &pgroups, &num_groups);
  1563. for (i = 0; i < num_groups; i++) {
  1564. if (group_id == pgroups[i])
  1565. break;
  1566. }
  1567. if (i >= num_groups
  1568. || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
  1569. || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
  1570. 0, NULL)) {
  1571. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
  1572. return 0;
  1573. }
  1574. s->s3.group_id = group_id;
  1575. EVP_PKEY_free(s->s3.tmp.pkey);
  1576. s->s3.tmp.pkey = NULL;
  1577. return 1;
  1578. }
  1579. if (group_id != s->s3.group_id) {
  1580. /*
  1581. * This isn't for the group that we sent in the original
  1582. * key_share!
  1583. */
  1584. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
  1585. return 0;
  1586. }
  1587. /* Retain this group in the SSL_SESSION */
  1588. if (!s->hit) {
  1589. s->session->kex_group = group_id;
  1590. } else if (group_id != s->session->kex_group) {
  1591. /*
  1592. * If this is a resumption but changed what group was used, we need
  1593. * to record the new group in the session, but the session is not
  1594. * a new session and could be in use by other threads. So, make
  1595. * a copy of the session to record the new information so that it's
  1596. * useful for any sessions resumed from tickets issued on this
  1597. * connection.
  1598. */
  1599. SSL_SESSION *new_sess;
  1600. if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {
  1601. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
  1602. return 0;
  1603. }
  1604. SSL_SESSION_free(s->session);
  1605. s->session = new_sess;
  1606. s->session->kex_group = group_id;
  1607. }
  1608. if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
  1609. group_id)) == NULL) {
  1610. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
  1611. return 0;
  1612. }
  1613. if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
  1614. || PACKET_remaining(&encoded_pt) == 0) {
  1615. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1616. return 0;
  1617. }
  1618. if (!ginf->is_kem) {
  1619. /* Regular KEX */
  1620. skey = EVP_PKEY_new();
  1621. if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
  1622. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
  1623. EVP_PKEY_free(skey);
  1624. return 0;
  1625. }
  1626. if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),
  1627. PACKET_remaining(&encoded_pt)) <= 0) {
  1628. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
  1629. EVP_PKEY_free(skey);
  1630. return 0;
  1631. }
  1632. if (ssl_derive(s, ckey, skey, 1) == 0) {
  1633. /* SSLfatal() already called */
  1634. EVP_PKEY_free(skey);
  1635. return 0;
  1636. }
  1637. s->s3.peer_tmp = skey;
  1638. } else {
  1639. /* KEM Mode */
  1640. const unsigned char *ct = PACKET_data(&encoded_pt);
  1641. size_t ctlen = PACKET_remaining(&encoded_pt);
  1642. if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {
  1643. /* SSLfatal() already called */
  1644. return 0;
  1645. }
  1646. }
  1647. s->s3.did_kex = 1;
  1648. #endif
  1649. return 1;
  1650. }
  1651. int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  1652. X509 *x, size_t chainidx)
  1653. {
  1654. PACKET cookie;
  1655. if (!PACKET_as_length_prefixed_2(pkt, &cookie)
  1656. || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
  1657. &s->ext.tls13_cookie_len)) {
  1658. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1659. return 0;
  1660. }
  1661. return 1;
  1662. }
  1663. int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt,
  1664. unsigned int context,
  1665. X509 *x, size_t chainidx)
  1666. {
  1667. if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
  1668. unsigned long max_early_data;
  1669. if (!PACKET_get_net_4(pkt, &max_early_data)
  1670. || PACKET_remaining(pkt) != 0) {
  1671. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);
  1672. return 0;
  1673. }
  1674. s->session->ext.max_early_data = max_early_data;
  1675. return 1;
  1676. }
  1677. if (PACKET_remaining(pkt) != 0) {
  1678. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1679. return 0;
  1680. }
  1681. if (!s->ext.early_data_ok
  1682. || !s->hit) {
  1683. /*
  1684. * If we get here then we didn't send early data, or we didn't resume
  1685. * using the first identity, or the SNI/ALPN is not consistent so the
  1686. * server should not be accepting it.
  1687. */
  1688. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
  1689. return 0;
  1690. }
  1691. s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
  1692. return 1;
  1693. }
  1694. int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt,
  1695. unsigned int context, X509 *x,
  1696. size_t chainidx)
  1697. {
  1698. #ifndef OPENSSL_NO_TLS1_3
  1699. unsigned int identity;
  1700. if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
  1701. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1702. return 0;
  1703. }
  1704. if (identity >= (unsigned int)s->ext.tick_identity) {
  1705. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);
  1706. return 0;
  1707. }
  1708. /*
  1709. * Session resumption tickets are always sent before PSK tickets. If the
  1710. * ticket index is 0 then it must be for a session resumption ticket if we
  1711. * sent two tickets, or if we didn't send a PSK ticket.
  1712. */
  1713. if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
  1714. s->hit = 1;
  1715. SSL_SESSION_free(s->psksession);
  1716. s->psksession = NULL;
  1717. return 1;
  1718. }
  1719. if (s->psksession == NULL) {
  1720. /* Should never happen */
  1721. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1722. return 0;
  1723. }
  1724. /*
  1725. * If we used the external PSK for sending early_data then s->early_secret
  1726. * is already set up, so don't overwrite it. Otherwise we copy the
  1727. * early_secret across that we generated earlier.
  1728. */
  1729. if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
  1730. && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
  1731. || s->session->ext.max_early_data > 0
  1732. || s->psksession->ext.max_early_data == 0)
  1733. memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
  1734. SSL_SESSION_free(s->session);
  1735. s->session = s->psksession;
  1736. s->psksession = NULL;
  1737. s->hit = 1;
  1738. /* Early data is only allowed if we used the first ticket */
  1739. if (identity != 0)
  1740. s->ext.early_data_ok = 0;
  1741. #endif
  1742. return 1;
  1743. }