2
0

extensions_clnt.c 66 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991
  1. /*
  2. * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/ocsp.h>
  10. #include "../ssl_locl.h"
  11. #include "internal/cryptlib.h"
  12. #include "statem_locl.h"
  13. EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
  14. unsigned int context, X509 *x,
  15. size_t chainidx)
  16. {
  17. /* Add RI if renegotiating */
  18. if (!s->renegotiate)
  19. return EXT_RETURN_NOT_SENT;
  20. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
  21. || !WPACKET_start_sub_packet_u16(pkt)
  22. || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
  23. s->s3->previous_client_finished_len)
  24. || !WPACKET_close(pkt)) {
  25. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE,
  26. ERR_R_INTERNAL_ERROR);
  27. return EXT_RETURN_FAIL;
  28. }
  29. return EXT_RETURN_SENT;
  30. }
  31. EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
  32. unsigned int context, X509 *x,
  33. size_t chainidx)
  34. {
  35. if (s->ext.hostname == NULL)
  36. return EXT_RETURN_NOT_SENT;
  37. /* Add TLS extension servername to the Client Hello message */
  38. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
  39. /* Sub-packet for server_name extension */
  40. || !WPACKET_start_sub_packet_u16(pkt)
  41. /* Sub-packet for servername list (always 1 hostname)*/
  42. || !WPACKET_start_sub_packet_u16(pkt)
  43. || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
  44. || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
  45. strlen(s->ext.hostname))
  46. || !WPACKET_close(pkt)
  47. || !WPACKET_close(pkt)) {
  48. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME,
  49. ERR_R_INTERNAL_ERROR);
  50. return EXT_RETURN_FAIL;
  51. }
  52. return EXT_RETURN_SENT;
  53. }
  54. /* Push a Max Fragment Len extension into ClientHello */
  55. EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt,
  56. unsigned int context, X509 *x,
  57. size_t chainidx)
  58. {
  59. if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
  60. return EXT_RETURN_NOT_SENT;
  61. /* Add Max Fragment Length extension if client enabled it. */
  62. /*-
  63. * 4 bytes for this extension type and extension length
  64. * 1 byte for the Max Fragment Length code value.
  65. */
  66. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
  67. /* Sub-packet for Max Fragment Length extension (1 byte) */
  68. || !WPACKET_start_sub_packet_u16(pkt)
  69. || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
  70. || !WPACKET_close(pkt)) {
  71. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  72. SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
  73. return EXT_RETURN_FAIL;
  74. }
  75. return EXT_RETURN_SENT;
  76. }
  77. #ifndef OPENSSL_NO_SRP
  78. EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
  79. X509 *x, size_t chainidx)
  80. {
  81. /* Add SRP username if there is one */
  82. if (s->srp_ctx.login == NULL)
  83. return EXT_RETURN_NOT_SENT;
  84. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
  85. /* Sub-packet for SRP extension */
  86. || !WPACKET_start_sub_packet_u16(pkt)
  87. || !WPACKET_start_sub_packet_u8(pkt)
  88. /* login must not be zero...internal error if so */
  89. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
  90. || !WPACKET_memcpy(pkt, s->srp_ctx.login,
  91. strlen(s->srp_ctx.login))
  92. || !WPACKET_close(pkt)
  93. || !WPACKET_close(pkt)) {
  94. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SRP,
  95. ERR_R_INTERNAL_ERROR);
  96. return EXT_RETURN_FAIL;
  97. }
  98. return EXT_RETURN_SENT;
  99. }
  100. #endif
  101. #ifndef OPENSSL_NO_EC
  102. static int use_ecc(SSL *s)
  103. {
  104. int i, end, ret = 0;
  105. unsigned long alg_k, alg_a;
  106. STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
  107. /* See if we support any ECC ciphersuites */
  108. if (s->version == SSL3_VERSION)
  109. return 0;
  110. cipher_stack = SSL_get1_supported_ciphers(s);
  111. end = sk_SSL_CIPHER_num(cipher_stack);
  112. for (i = 0; i < end; i++) {
  113. const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
  114. alg_k = c->algorithm_mkey;
  115. alg_a = c->algorithm_auth;
  116. if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
  117. || (alg_a & SSL_aECDSA)
  118. || c->min_tls >= TLS1_3_VERSION) {
  119. ret = 1;
  120. break;
  121. }
  122. }
  123. sk_SSL_CIPHER_free(cipher_stack);
  124. return ret;
  125. }
  126. EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
  127. unsigned int context, X509 *x,
  128. size_t chainidx)
  129. {
  130. const unsigned char *pformats;
  131. size_t num_formats;
  132. if (!use_ecc(s))
  133. return EXT_RETURN_NOT_SENT;
  134. /* Add TLS extension ECPointFormats to the ClientHello message */
  135. tls1_get_formatlist(s, &pformats, &num_formats);
  136. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
  137. /* Sub-packet for formats extension */
  138. || !WPACKET_start_sub_packet_u16(pkt)
  139. || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
  140. || !WPACKET_close(pkt)) {
  141. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  142. SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
  143. return EXT_RETURN_FAIL;
  144. }
  145. return EXT_RETURN_SENT;
  146. }
  147. EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
  148. unsigned int context, X509 *x,
  149. size_t chainidx)
  150. {
  151. const uint16_t *pgroups = NULL;
  152. size_t num_groups = 0, i;
  153. if (!use_ecc(s))
  154. return EXT_RETURN_NOT_SENT;
  155. /*
  156. * Add TLS extension supported_groups to the ClientHello message
  157. */
  158. /* TODO(TLS1.3): Add support for DHE groups */
  159. tls1_get_supported_groups(s, &pgroups, &num_groups);
  160. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
  161. /* Sub-packet for supported_groups extension */
  162. || !WPACKET_start_sub_packet_u16(pkt)
  163. || !WPACKET_start_sub_packet_u16(pkt)) {
  164. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  165. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
  166. ERR_R_INTERNAL_ERROR);
  167. return EXT_RETURN_FAIL;
  168. }
  169. /* Copy curve ID if supported */
  170. for (i = 0; i < num_groups; i++) {
  171. uint16_t ctmp = pgroups[i];
  172. if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
  173. if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
  174. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  175. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
  176. ERR_R_INTERNAL_ERROR);
  177. return EXT_RETURN_FAIL;
  178. }
  179. }
  180. }
  181. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  182. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  183. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
  184. ERR_R_INTERNAL_ERROR);
  185. return EXT_RETURN_FAIL;
  186. }
  187. return EXT_RETURN_SENT;
  188. }
  189. #endif
  190. EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
  191. unsigned int context, X509 *x,
  192. size_t chainidx)
  193. {
  194. size_t ticklen;
  195. if (!tls_use_ticket(s))
  196. return EXT_RETURN_NOT_SENT;
  197. if (!s->new_session && s->session != NULL
  198. && s->session->ext.tick != NULL
  199. && s->session->ssl_version != TLS1_3_VERSION) {
  200. ticklen = s->session->ext.ticklen;
  201. } else if (s->session && s->ext.session_ticket != NULL
  202. && s->ext.session_ticket->data != NULL) {
  203. ticklen = s->ext.session_ticket->length;
  204. s->session->ext.tick = OPENSSL_malloc(ticklen);
  205. if (s->session->ext.tick == NULL) {
  206. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  207. SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
  208. ERR_R_INTERNAL_ERROR);
  209. return EXT_RETURN_FAIL;
  210. }
  211. memcpy(s->session->ext.tick,
  212. s->ext.session_ticket->data, ticklen);
  213. s->session->ext.ticklen = ticklen;
  214. } else {
  215. ticklen = 0;
  216. }
  217. if (ticklen == 0 && s->ext.session_ticket != NULL &&
  218. s->ext.session_ticket->data == NULL)
  219. return EXT_RETURN_NOT_SENT;
  220. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
  221. || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
  222. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  223. SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
  224. return EXT_RETURN_FAIL;
  225. }
  226. return EXT_RETURN_SENT;
  227. }
  228. EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
  229. unsigned int context, X509 *x,
  230. size_t chainidx)
  231. {
  232. size_t salglen;
  233. const uint16_t *salg;
  234. if (!SSL_CLIENT_USE_SIGALGS(s))
  235. return EXT_RETURN_NOT_SENT;
  236. salglen = tls12_get_psigalgs(s, 1, &salg);
  237. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
  238. /* Sub-packet for sig-algs extension */
  239. || !WPACKET_start_sub_packet_u16(pkt)
  240. /* Sub-packet for the actual list */
  241. || !WPACKET_start_sub_packet_u16(pkt)
  242. || !tls12_copy_sigalgs(s, pkt, salg, salglen)
  243. || !WPACKET_close(pkt)
  244. || !WPACKET_close(pkt)) {
  245. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS,
  246. ERR_R_INTERNAL_ERROR);
  247. return EXT_RETURN_FAIL;
  248. }
  249. return EXT_RETURN_SENT;
  250. }
  251. #ifndef OPENSSL_NO_OCSP
  252. EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
  253. unsigned int context, X509 *x,
  254. size_t chainidx)
  255. {
  256. int i;
  257. /* This extension isn't defined for client Certificates */
  258. if (x != NULL)
  259. return EXT_RETURN_NOT_SENT;
  260. if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
  261. return EXT_RETURN_NOT_SENT;
  262. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
  263. /* Sub-packet for status request extension */
  264. || !WPACKET_start_sub_packet_u16(pkt)
  265. || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
  266. /* Sub-packet for the ids */
  267. || !WPACKET_start_sub_packet_u16(pkt)) {
  268. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  269. SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
  270. return EXT_RETURN_FAIL;
  271. }
  272. for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
  273. unsigned char *idbytes;
  274. OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
  275. int idlen = i2d_OCSP_RESPID(id, NULL);
  276. if (idlen <= 0
  277. /* Sub-packet for an individual id */
  278. || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
  279. || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
  280. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  281. SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
  282. ERR_R_INTERNAL_ERROR);
  283. return EXT_RETURN_FAIL;
  284. }
  285. }
  286. if (!WPACKET_close(pkt)
  287. || !WPACKET_start_sub_packet_u16(pkt)) {
  288. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  289. SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
  290. return EXT_RETURN_FAIL;
  291. }
  292. if (s->ext.ocsp.exts) {
  293. unsigned char *extbytes;
  294. int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
  295. if (extlen < 0) {
  296. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  297. SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
  298. ERR_R_INTERNAL_ERROR);
  299. return EXT_RETURN_FAIL;
  300. }
  301. if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
  302. || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
  303. != extlen) {
  304. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  305. SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
  306. ERR_R_INTERNAL_ERROR);
  307. return EXT_RETURN_FAIL;
  308. }
  309. }
  310. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  311. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  312. SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
  313. return EXT_RETURN_FAIL;
  314. }
  315. return EXT_RETURN_SENT;
  316. }
  317. #endif
  318. #ifndef OPENSSL_NO_NEXTPROTONEG
  319. EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
  320. X509 *x, size_t chainidx)
  321. {
  322. if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
  323. return EXT_RETURN_NOT_SENT;
  324. /*
  325. * The client advertises an empty extension to indicate its support
  326. * for Next Protocol Negotiation
  327. */
  328. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
  329. || !WPACKET_put_bytes_u16(pkt, 0)) {
  330. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_NPN,
  331. ERR_R_INTERNAL_ERROR);
  332. return EXT_RETURN_FAIL;
  333. }
  334. return EXT_RETURN_SENT;
  335. }
  336. #endif
  337. EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
  338. X509 *x, size_t chainidx)
  339. {
  340. s->s3->alpn_sent = 0;
  341. if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
  342. return EXT_RETURN_NOT_SENT;
  343. if (!WPACKET_put_bytes_u16(pkt,
  344. TLSEXT_TYPE_application_layer_protocol_negotiation)
  345. /* Sub-packet ALPN extension */
  346. || !WPACKET_start_sub_packet_u16(pkt)
  347. || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
  348. || !WPACKET_close(pkt)) {
  349. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ALPN,
  350. ERR_R_INTERNAL_ERROR);
  351. return EXT_RETURN_FAIL;
  352. }
  353. s->s3->alpn_sent = 1;
  354. return EXT_RETURN_SENT;
  355. }
  356. #ifndef OPENSSL_NO_SRTP
  357. EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
  358. unsigned int context, X509 *x,
  359. size_t chainidx)
  360. {
  361. STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
  362. int i, end;
  363. if (clnt == NULL)
  364. return EXT_RETURN_NOT_SENT;
  365. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
  366. /* Sub-packet for SRTP extension */
  367. || !WPACKET_start_sub_packet_u16(pkt)
  368. /* Sub-packet for the protection profile list */
  369. || !WPACKET_start_sub_packet_u16(pkt)) {
  370. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP,
  371. ERR_R_INTERNAL_ERROR);
  372. return EXT_RETURN_FAIL;
  373. }
  374. end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
  375. for (i = 0; i < end; i++) {
  376. const SRTP_PROTECTION_PROFILE *prof =
  377. sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
  378. if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
  379. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  380. SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
  381. return EXT_RETURN_FAIL;
  382. }
  383. }
  384. if (!WPACKET_close(pkt)
  385. /* Add an empty use_mki value */
  386. || !WPACKET_put_bytes_u8(pkt, 0)
  387. || !WPACKET_close(pkt)) {
  388. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP,
  389. ERR_R_INTERNAL_ERROR);
  390. return EXT_RETURN_FAIL;
  391. }
  392. return EXT_RETURN_SENT;
  393. }
  394. #endif
  395. EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
  396. X509 *x, size_t chainidx)
  397. {
  398. if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
  399. return EXT_RETURN_NOT_SENT;
  400. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
  401. || !WPACKET_put_bytes_u16(pkt, 0)) {
  402. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ETM,
  403. ERR_R_INTERNAL_ERROR);
  404. return EXT_RETURN_FAIL;
  405. }
  406. return EXT_RETURN_SENT;
  407. }
  408. #ifndef OPENSSL_NO_CT
  409. EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
  410. X509 *x, size_t chainidx)
  411. {
  412. if (s->ct_validation_callback == NULL)
  413. return EXT_RETURN_NOT_SENT;
  414. /* Not defined for client Certificates */
  415. if (x != NULL)
  416. return EXT_RETURN_NOT_SENT;
  417. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
  418. || !WPACKET_put_bytes_u16(pkt, 0)) {
  419. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SCT,
  420. ERR_R_INTERNAL_ERROR);
  421. return EXT_RETURN_FAIL;
  422. }
  423. return EXT_RETURN_SENT;
  424. }
  425. #endif
  426. EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
  427. X509 *x, size_t chainidx)
  428. {
  429. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
  430. || !WPACKET_put_bytes_u16(pkt, 0)) {
  431. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EMS,
  432. ERR_R_INTERNAL_ERROR);
  433. return EXT_RETURN_FAIL;
  434. }
  435. return EXT_RETURN_SENT;
  436. }
  437. EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
  438. unsigned int context, X509 *x,
  439. size_t chainidx)
  440. {
  441. int currv, min_version, max_version, reason;
  442. reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
  443. if (reason != 0) {
  444. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  445. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
  446. return EXT_RETURN_FAIL;
  447. }
  448. /*
  449. * Don't include this if we can't negotiate TLSv1.3. We can do a straight
  450. * comparison here because we will never be called in DTLS.
  451. */
  452. if (max_version < TLS1_3_VERSION)
  453. return EXT_RETURN_NOT_SENT;
  454. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
  455. || !WPACKET_start_sub_packet_u16(pkt)
  456. || !WPACKET_start_sub_packet_u8(pkt)) {
  457. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  458. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
  459. ERR_R_INTERNAL_ERROR);
  460. return EXT_RETURN_FAIL;
  461. }
  462. for (currv = max_version; currv >= min_version; currv--) {
  463. if (!WPACKET_put_bytes_u16(pkt, currv)) {
  464. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  465. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
  466. ERR_R_INTERNAL_ERROR);
  467. return EXT_RETURN_FAIL;
  468. }
  469. }
  470. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  471. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  472. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
  473. ERR_R_INTERNAL_ERROR);
  474. return EXT_RETURN_FAIL;
  475. }
  476. return EXT_RETURN_SENT;
  477. }
  478. /*
  479. * Construct a psk_kex_modes extension.
  480. */
  481. EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
  482. unsigned int context, X509 *x,
  483. size_t chainidx)
  484. {
  485. #ifndef OPENSSL_NO_TLS1_3
  486. int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
  487. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
  488. || !WPACKET_start_sub_packet_u16(pkt)
  489. || !WPACKET_start_sub_packet_u8(pkt)
  490. || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
  491. || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
  492. || !WPACKET_close(pkt)
  493. || !WPACKET_close(pkt)) {
  494. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  495. SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR);
  496. return EXT_RETURN_FAIL;
  497. }
  498. s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
  499. if (nodhe)
  500. s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
  501. #endif
  502. return EXT_RETURN_SENT;
  503. }
  504. #ifndef OPENSSL_NO_TLS1_3
  505. static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
  506. {
  507. unsigned char *encoded_point = NULL;
  508. EVP_PKEY *key_share_key = NULL;
  509. size_t encodedlen;
  510. if (s->s3->tmp.pkey != NULL) {
  511. if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
  512. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,
  513. ERR_R_INTERNAL_ERROR);
  514. return 0;
  515. }
  516. /*
  517. * Could happen if we got an HRR that wasn't requesting a new key_share
  518. */
  519. key_share_key = s->s3->tmp.pkey;
  520. } else {
  521. key_share_key = ssl_generate_pkey_group(s, curve_id);
  522. if (key_share_key == NULL) {
  523. /* SSLfatal() already called */
  524. return 0;
  525. }
  526. }
  527. /* Encode the public key. */
  528. encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
  529. &encoded_point);
  530. if (encodedlen == 0) {
  531. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB);
  532. goto err;
  533. }
  534. /* Create KeyShareEntry */
  535. if (!WPACKET_put_bytes_u16(pkt, curve_id)
  536. || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
  537. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,
  538. ERR_R_INTERNAL_ERROR);
  539. goto err;
  540. }
  541. /*
  542. * TODO(TLS1.3): When changing to send more than one key_share we're
  543. * going to need to be able to save more than one EVP_PKEY. For now
  544. * we reuse the existing tmp.pkey
  545. */
  546. s->s3->tmp.pkey = key_share_key;
  547. s->s3->group_id = curve_id;
  548. OPENSSL_free(encoded_point);
  549. return 1;
  550. err:
  551. if (s->s3->tmp.pkey == NULL)
  552. EVP_PKEY_free(key_share_key);
  553. OPENSSL_free(encoded_point);
  554. return 0;
  555. }
  556. #endif
  557. EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
  558. unsigned int context, X509 *x,
  559. size_t chainidx)
  560. {
  561. #ifndef OPENSSL_NO_TLS1_3
  562. size_t i, num_groups = 0;
  563. const uint16_t *pgroups = NULL;
  564. uint16_t curve_id = 0;
  565. /* key_share extension */
  566. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
  567. /* Extension data sub-packet */
  568. || !WPACKET_start_sub_packet_u16(pkt)
  569. /* KeyShare list sub-packet */
  570. || !WPACKET_start_sub_packet_u16(pkt)) {
  571. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
  572. ERR_R_INTERNAL_ERROR);
  573. return EXT_RETURN_FAIL;
  574. }
  575. tls1_get_supported_groups(s, &pgroups, &num_groups);
  576. /*
  577. * TODO(TLS1.3): Make the number of key_shares sent configurable. For
  578. * now, just send one
  579. */
  580. if (s->s3->group_id != 0) {
  581. curve_id = s->s3->group_id;
  582. } else {
  583. for (i = 0; i < num_groups; i++) {
  584. if (!tls_curve_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
  585. continue;
  586. curve_id = pgroups[i];
  587. break;
  588. }
  589. }
  590. if (curve_id == 0) {
  591. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
  592. SSL_R_NO_SUITABLE_KEY_SHARE);
  593. return EXT_RETURN_FAIL;
  594. }
  595. if (!add_key_share(s, pkt, curve_id)) {
  596. /* SSLfatal() already called */
  597. return EXT_RETURN_FAIL;
  598. }
  599. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  600. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
  601. ERR_R_INTERNAL_ERROR);
  602. return EXT_RETURN_FAIL;
  603. }
  604. return EXT_RETURN_SENT;
  605. #else
  606. return EXT_RETURN_NOT_SENT;
  607. #endif
  608. }
  609. EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
  610. X509 *x, size_t chainidx)
  611. {
  612. EXT_RETURN ret = EXT_RETURN_FAIL;
  613. /* Should only be set if we've had an HRR */
  614. if (s->ext.tls13_cookie_len == 0)
  615. return EXT_RETURN_NOT_SENT;
  616. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
  617. /* Extension data sub-packet */
  618. || !WPACKET_start_sub_packet_u16(pkt)
  619. || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
  620. s->ext.tls13_cookie_len)
  621. || !WPACKET_close(pkt)) {
  622. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_COOKIE,
  623. ERR_R_INTERNAL_ERROR);
  624. goto end;
  625. }
  626. ret = EXT_RETURN_SENT;
  627. end:
  628. OPENSSL_free(s->ext.tls13_cookie);
  629. s->ext.tls13_cookie = NULL;
  630. s->ext.tls13_cookie_len = 0;
  631. return ret;
  632. }
  633. EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
  634. unsigned int context, X509 *x,
  635. size_t chainidx)
  636. {
  637. #ifndef OPENSSL_NO_PSK
  638. char identity[PSK_MAX_IDENTITY_LEN + 1];
  639. #endif /* OPENSSL_NO_PSK */
  640. const unsigned char *id = NULL;
  641. size_t idlen = 0;
  642. SSL_SESSION *psksess = NULL;
  643. SSL_SESSION *edsess = NULL;
  644. const EVP_MD *handmd = NULL;
  645. if (s->hello_retry_request == SSL_HRR_PENDING)
  646. handmd = ssl_handshake_md(s);
  647. if (s->psk_use_session_cb != NULL
  648. && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess)
  649. || (psksess != NULL
  650. && psksess->ssl_version != TLS1_3_VERSION))) {
  651. SSL_SESSION_free(psksess);
  652. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  653. SSL_R_BAD_PSK);
  654. return EXT_RETURN_FAIL;
  655. }
  656. #ifndef OPENSSL_NO_PSK
  657. if (psksess == NULL && s->psk_client_callback != NULL) {
  658. unsigned char psk[PSK_MAX_PSK_LEN];
  659. size_t psklen = 0;
  660. memset(identity, 0, sizeof(identity));
  661. psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1,
  662. psk, sizeof(psk));
  663. if (psklen > PSK_MAX_PSK_LEN) {
  664. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  665. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
  666. return EXT_RETURN_FAIL;
  667. } else if (psklen > 0) {
  668. const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
  669. const SSL_CIPHER *cipher;
  670. idlen = strlen(identity);
  671. if (idlen > PSK_MAX_IDENTITY_LEN) {
  672. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  673. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  674. ERR_R_INTERNAL_ERROR);
  675. return EXT_RETURN_FAIL;
  676. }
  677. id = (unsigned char *)identity;
  678. /*
  679. * We found a PSK using an old style callback. We don't know
  680. * the digest so we default to SHA256 as per the TLSv1.3 spec
  681. */
  682. cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
  683. if (cipher == NULL) {
  684. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  685. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  686. ERR_R_INTERNAL_ERROR);
  687. return EXT_RETURN_FAIL;
  688. }
  689. psksess = SSL_SESSION_new();
  690. if (psksess == NULL
  691. || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
  692. || !SSL_SESSION_set_cipher(psksess, cipher)
  693. || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
  694. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  695. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  696. ERR_R_INTERNAL_ERROR);
  697. OPENSSL_cleanse(psk, psklen);
  698. return EXT_RETURN_FAIL;
  699. }
  700. OPENSSL_cleanse(psk, psklen);
  701. }
  702. }
  703. #endif /* OPENSSL_NO_PSK */
  704. SSL_SESSION_free(s->psksession);
  705. s->psksession = psksess;
  706. if (psksess != NULL) {
  707. OPENSSL_free(s->psksession_id);
  708. s->psksession_id = OPENSSL_memdup(id, idlen);
  709. if (s->psksession_id == NULL) {
  710. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  711. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
  712. return EXT_RETURN_FAIL;
  713. }
  714. s->psksession_id_len = idlen;
  715. }
  716. if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
  717. || (s->session->ext.max_early_data == 0
  718. && (psksess == NULL || psksess->ext.max_early_data == 0))) {
  719. s->max_early_data = 0;
  720. return EXT_RETURN_NOT_SENT;
  721. }
  722. edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
  723. s->max_early_data = edsess->ext.max_early_data;
  724. if (edsess->ext.hostname != NULL) {
  725. if (s->ext.hostname == NULL
  726. || (s->ext.hostname != NULL
  727. && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
  728. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  729. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  730. SSL_R_INCONSISTENT_EARLY_DATA_SNI);
  731. return EXT_RETURN_FAIL;
  732. }
  733. }
  734. if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
  735. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  736. SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
  737. return EXT_RETURN_FAIL;
  738. }
  739. /*
  740. * Verify that we are offering an ALPN protocol consistent with the early
  741. * data.
  742. */
  743. if (edsess->ext.alpn_selected != NULL) {
  744. PACKET prots, alpnpkt;
  745. int found = 0;
  746. if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
  747. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  748. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
  749. return EXT_RETURN_FAIL;
  750. }
  751. while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
  752. if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
  753. edsess->ext.alpn_selected_len)) {
  754. found = 1;
  755. break;
  756. }
  757. }
  758. if (!found) {
  759. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  760. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  761. SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
  762. return EXT_RETURN_FAIL;
  763. }
  764. }
  765. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
  766. || !WPACKET_start_sub_packet_u16(pkt)
  767. || !WPACKET_close(pkt)) {
  768. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  769. ERR_R_INTERNAL_ERROR);
  770. return EXT_RETURN_FAIL;
  771. }
  772. /*
  773. * We set this to rejected here. Later, if the server acknowledges the
  774. * extension, we set it to accepted.
  775. */
  776. s->ext.early_data = SSL_EARLY_DATA_REJECTED;
  777. s->ext.early_data_ok = 1;
  778. return EXT_RETURN_SENT;
  779. }
  780. #define F5_WORKAROUND_MIN_MSG_LEN 0xff
  781. #define F5_WORKAROUND_MAX_MSG_LEN 0x200
  782. /*
  783. * PSK pre binder overhead =
  784. * 2 bytes for TLSEXT_TYPE_psk
  785. * 2 bytes for extension length
  786. * 2 bytes for identities list length
  787. * 2 bytes for identity length
  788. * 4 bytes for obfuscated_ticket_age
  789. * 2 bytes for binder list length
  790. * 1 byte for binder length
  791. * The above excludes the number of bytes for the identity itself and the
  792. * subsequent binder bytes
  793. */
  794. #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
  795. EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
  796. unsigned int context, X509 *x,
  797. size_t chainidx)
  798. {
  799. unsigned char *padbytes;
  800. size_t hlen;
  801. if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
  802. return EXT_RETURN_NOT_SENT;
  803. /*
  804. * Add padding to workaround bugs in F5 terminators. See RFC7685.
  805. * This code calculates the length of all extensions added so far but
  806. * excludes the PSK extension (because that MUST be written last). Therefore
  807. * this extension MUST always appear second to last.
  808. */
  809. if (!WPACKET_get_total_written(pkt, &hlen)) {
  810. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING,
  811. ERR_R_INTERNAL_ERROR);
  812. return EXT_RETURN_FAIL;
  813. }
  814. /*
  815. * If we're going to send a PSK then that will be written out after this
  816. * extension, so we need to calculate how long it is going to be.
  817. */
  818. if (s->session->ssl_version == TLS1_3_VERSION
  819. && s->session->ext.ticklen != 0
  820. && s->session->cipher != NULL) {
  821. const EVP_MD *md = ssl_md(s->session->cipher->algorithm2);
  822. if (md != NULL) {
  823. /*
  824. * Add the fixed PSK overhead, the identity length and the binder
  825. * length.
  826. */
  827. hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
  828. + EVP_MD_size(md);
  829. }
  830. }
  831. if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
  832. /* Calculate the amount of padding we need to add */
  833. hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
  834. /*
  835. * Take off the size of extension header itself (2 bytes for type and
  836. * 2 bytes for length bytes), but ensure that the extension is at least
  837. * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
  838. * 8.x are intolerant of that condition)
  839. */
  840. if (hlen > 4)
  841. hlen -= 4;
  842. else
  843. hlen = 1;
  844. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
  845. || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
  846. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING,
  847. ERR_R_INTERNAL_ERROR);
  848. return EXT_RETURN_FAIL;
  849. }
  850. memset(padbytes, 0, hlen);
  851. }
  852. return EXT_RETURN_SENT;
  853. }
  854. /*
  855. * Construct the pre_shared_key extension
  856. */
  857. EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
  858. X509 *x, size_t chainidx)
  859. {
  860. #ifndef OPENSSL_NO_TLS1_3
  861. uint32_t now, agesec, agems = 0;
  862. size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
  863. unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
  864. const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
  865. int dores = 0;
  866. s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
  867. /*
  868. * Note: At this stage of the code we only support adding a single
  869. * resumption PSK. If we add support for multiple PSKs then the length
  870. * calculations in the padding extension will need to be adjusted.
  871. */
  872. /*
  873. * If this is an incompatible or new session then we have nothing to resume
  874. * so don't add this extension.
  875. */
  876. if (s->session->ssl_version != TLS1_3_VERSION
  877. || (s->session->ext.ticklen == 0 && s->psksession == NULL))
  878. return EXT_RETURN_NOT_SENT;
  879. if (s->hello_retry_request == SSL_HRR_PENDING)
  880. handmd = ssl_handshake_md(s);
  881. if (s->session->ext.ticklen != 0) {
  882. /* Get the digest associated with the ciphersuite in the session */
  883. if (s->session->cipher == NULL) {
  884. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  885. ERR_R_INTERNAL_ERROR);
  886. return EXT_RETURN_FAIL;
  887. }
  888. mdres = ssl_md(s->session->cipher->algorithm2);
  889. if (mdres == NULL) {
  890. /*
  891. * Don't recognize this cipher so we can't use the session.
  892. * Ignore it
  893. */
  894. goto dopsksess;
  895. }
  896. if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
  897. /*
  898. * Selected ciphersuite hash does not match the hash for the session
  899. * so we can't use it.
  900. */
  901. goto dopsksess;
  902. }
  903. /*
  904. * Technically the C standard just says time() returns a time_t and says
  905. * nothing about the encoding of that type. In practice most
  906. * implementations follow POSIX which holds it as an integral type in
  907. * seconds since epoch. We've already made the assumption that we can do
  908. * this in multiple places in the code, so portability shouldn't be an
  909. * issue.
  910. */
  911. now = (uint32_t)time(NULL);
  912. agesec = now - (uint32_t)s->session->time;
  913. /*
  914. * We calculate the age in seconds but the server may work in ms. Due to
  915. * rounding errors we could overestimate the age by up to 1s. It is
  916. * better to underestimate it. Otherwise, if the RTT is very short, when
  917. * the server calculates the age reported by the client it could be
  918. * bigger than the age calculated on the server - which should never
  919. * happen.
  920. */
  921. if (agesec > 0)
  922. agesec--;
  923. if (s->session->ext.tick_lifetime_hint < agesec) {
  924. /* Ticket is too old. Ignore it. */
  925. goto dopsksess;
  926. }
  927. /*
  928. * Calculate age in ms. We're just doing it to nearest second. Should be
  929. * good enough.
  930. */
  931. agems = agesec * (uint32_t)1000;
  932. if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
  933. /*
  934. * Overflow. Shouldn't happen unless this is a *really* old session.
  935. * If so we just ignore it.
  936. */
  937. goto dopsksess;
  938. }
  939. /*
  940. * Obfuscate the age. Overflow here is fine, this addition is supposed
  941. * to be mod 2^32.
  942. */
  943. agems += s->session->ext.tick_age_add;
  944. reshashsize = EVP_MD_size(mdres);
  945. dores = 1;
  946. }
  947. dopsksess:
  948. if (!dores && s->psksession == NULL)
  949. return EXT_RETURN_NOT_SENT;
  950. if (s->psksession != NULL) {
  951. mdpsk = ssl_md(s->psksession->cipher->algorithm2);
  952. if (mdpsk == NULL) {
  953. /*
  954. * Don't recognize this cipher so we can't use the session.
  955. * If this happens it's an application bug.
  956. */
  957. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  958. SSL_R_BAD_PSK);
  959. return EXT_RETURN_FAIL;
  960. }
  961. if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
  962. /*
  963. * Selected ciphersuite hash does not match the hash for the PSK
  964. * session. This is an application bug.
  965. */
  966. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  967. SSL_R_BAD_PSK);
  968. return EXT_RETURN_FAIL;
  969. }
  970. pskhashsize = EVP_MD_size(mdpsk);
  971. }
  972. /* Create the extension, but skip over the binder for now */
  973. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
  974. || !WPACKET_start_sub_packet_u16(pkt)
  975. || !WPACKET_start_sub_packet_u16(pkt)) {
  976. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  977. ERR_R_INTERNAL_ERROR);
  978. return EXT_RETURN_FAIL;
  979. }
  980. if (dores) {
  981. if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
  982. s->session->ext.ticklen)
  983. || !WPACKET_put_bytes_u32(pkt, agems)) {
  984. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  985. ERR_R_INTERNAL_ERROR);
  986. return EXT_RETURN_FAIL;
  987. }
  988. }
  989. if (s->psksession != NULL) {
  990. if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
  991. s->psksession_id_len)
  992. || !WPACKET_put_bytes_u32(pkt, 0)) {
  993. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  994. ERR_R_INTERNAL_ERROR);
  995. return EXT_RETURN_FAIL;
  996. }
  997. }
  998. if (!WPACKET_close(pkt)
  999. || !WPACKET_get_total_written(pkt, &binderoffset)
  1000. || !WPACKET_start_sub_packet_u16(pkt)
  1001. || (dores
  1002. && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
  1003. || (s->psksession != NULL
  1004. && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
  1005. || !WPACKET_close(pkt)
  1006. || !WPACKET_close(pkt)
  1007. || !WPACKET_get_total_written(pkt, &msglen)
  1008. /*
  1009. * We need to fill in all the sub-packet lengths now so we can
  1010. * calculate the HMAC of the message up to the binders
  1011. */
  1012. || !WPACKET_fill_lengths(pkt)) {
  1013. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  1014. ERR_R_INTERNAL_ERROR);
  1015. return EXT_RETURN_FAIL;
  1016. }
  1017. msgstart = WPACKET_get_curr(pkt) - msglen;
  1018. if (dores
  1019. && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
  1020. resbinder, s->session, 1, 0) != 1) {
  1021. /* SSLfatal() already called */
  1022. return EXT_RETURN_FAIL;
  1023. }
  1024. if (s->psksession != NULL
  1025. && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
  1026. pskbinder, s->psksession, 1, 1) != 1) {
  1027. /* SSLfatal() already called */
  1028. return EXT_RETURN_FAIL;
  1029. }
  1030. if (dores)
  1031. s->session->ext.tick_identity = 0;
  1032. if (s->psksession != NULL)
  1033. s->psksession->ext.tick_identity = (dores ? 1 : 0);
  1034. return EXT_RETURN_SENT;
  1035. #else
  1036. return EXT_RETURN_NOT_SENT;
  1037. #endif
  1038. }
  1039. EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt,
  1040. unsigned int context,
  1041. X509 *x, size_t chainidx)
  1042. {
  1043. #ifndef OPENSSL_NO_TLS1_3
  1044. if (!s->pha_enabled)
  1045. return EXT_RETURN_NOT_SENT;
  1046. /* construct extension - 0 length, no contents */
  1047. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
  1048. || !WPACKET_start_sub_packet_u16(pkt)
  1049. || !WPACKET_close(pkt)) {
  1050. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1051. SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH,
  1052. ERR_R_INTERNAL_ERROR);
  1053. return EXT_RETURN_FAIL;
  1054. }
  1055. s->post_handshake_auth = SSL_PHA_EXT_SENT;
  1056. return EXT_RETURN_SENT;
  1057. #else
  1058. return EXT_RETURN_NOT_SENT;
  1059. #endif
  1060. }
  1061. /*
  1062. * Parse the server's renegotiation binding and abort if it's not right
  1063. */
  1064. int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
  1065. X509 *x, size_t chainidx)
  1066. {
  1067. size_t expected_len = s->s3->previous_client_finished_len
  1068. + s->s3->previous_server_finished_len;
  1069. size_t ilen;
  1070. const unsigned char *data;
  1071. /* Check for logic errors */
  1072. if (!ossl_assert(expected_len == 0
  1073. || s->s3->previous_client_finished_len != 0)
  1074. || !ossl_assert(expected_len == 0
  1075. || s->s3->previous_server_finished_len != 0)) {
  1076. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
  1077. ERR_R_INTERNAL_ERROR);
  1078. return 0;
  1079. }
  1080. /* Parse the length byte */
  1081. if (!PACKET_get_1_len(pkt, &ilen)) {
  1082. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
  1083. SSL_R_RENEGOTIATION_ENCODING_ERR);
  1084. return 0;
  1085. }
  1086. /* Consistency check */
  1087. if (PACKET_remaining(pkt) != ilen) {
  1088. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
  1089. SSL_R_RENEGOTIATION_ENCODING_ERR);
  1090. return 0;
  1091. }
  1092. /* Check that the extension matches */
  1093. if (ilen != expected_len) {
  1094. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
  1095. SSL_R_RENEGOTIATION_MISMATCH);
  1096. return 0;
  1097. }
  1098. if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len)
  1099. || memcmp(data, s->s3->previous_client_finished,
  1100. s->s3->previous_client_finished_len) != 0) {
  1101. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
  1102. SSL_R_RENEGOTIATION_MISMATCH);
  1103. return 0;
  1104. }
  1105. if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len)
  1106. || memcmp(data, s->s3->previous_server_finished,
  1107. s->s3->previous_server_finished_len) != 0) {
  1108. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
  1109. SSL_R_RENEGOTIATION_MISMATCH);
  1110. return 0;
  1111. }
  1112. s->s3->send_connection_binding = 1;
  1113. return 1;
  1114. }
  1115. /* Parse the server's max fragment len extension packet */
  1116. int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
  1117. X509 *x, size_t chainidx)
  1118. {
  1119. unsigned int value;
  1120. if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
  1121. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
  1122. SSL_R_BAD_EXTENSION);
  1123. return 0;
  1124. }
  1125. /* |value| should contains a valid max-fragment-length code. */
  1126. if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
  1127. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1128. SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
  1129. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  1130. return 0;
  1131. }
  1132. /* Must be the same value as client-configured one who was sent to server */
  1133. /*-
  1134. * RFC 6066: if a client receives a maximum fragment length negotiation
  1135. * response that differs from the length it requested, ...
  1136. * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
  1137. */
  1138. if (value != s->ext.max_fragment_len_mode) {
  1139. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1140. SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
  1141. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  1142. return 0;
  1143. }
  1144. /*
  1145. * Maximum Fragment Length Negotiation succeeded.
  1146. * The negotiated Maximum Fragment Length is binding now.
  1147. */
  1148. s->session->ext.max_fragment_len_mode = value;
  1149. return 1;
  1150. }
  1151. int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
  1152. X509 *x, size_t chainidx)
  1153. {
  1154. if (s->ext.hostname == NULL) {
  1155. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
  1156. ERR_R_INTERNAL_ERROR);
  1157. return 0;
  1158. }
  1159. if (PACKET_remaining(pkt) > 0) {
  1160. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
  1161. SSL_R_BAD_EXTENSION);
  1162. return 0;
  1163. }
  1164. if (!s->hit) {
  1165. if (s->session->ext.hostname != NULL) {
  1166. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
  1167. ERR_R_INTERNAL_ERROR);
  1168. return 0;
  1169. }
  1170. s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
  1171. if (s->session->ext.hostname == NULL) {
  1172. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
  1173. ERR_R_INTERNAL_ERROR);
  1174. return 0;
  1175. }
  1176. }
  1177. return 1;
  1178. }
  1179. #ifndef OPENSSL_NO_EC
  1180. int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
  1181. X509 *x, size_t chainidx)
  1182. {
  1183. size_t ecpointformats_len;
  1184. PACKET ecptformatlist;
  1185. if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
  1186. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS,
  1187. SSL_R_BAD_EXTENSION);
  1188. return 0;
  1189. }
  1190. if (!s->hit) {
  1191. ecpointformats_len = PACKET_remaining(&ecptformatlist);
  1192. if (ecpointformats_len == 0) {
  1193. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1194. SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, SSL_R_BAD_LENGTH);
  1195. return 0;
  1196. }
  1197. s->session->ext.ecpointformats_len = 0;
  1198. OPENSSL_free(s->session->ext.ecpointformats);
  1199. s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
  1200. if (s->session->ext.ecpointformats == NULL) {
  1201. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1202. SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
  1203. return 0;
  1204. }
  1205. s->session->ext.ecpointformats_len = ecpointformats_len;
  1206. if (!PACKET_copy_bytes(&ecptformatlist,
  1207. s->session->ext.ecpointformats,
  1208. ecpointformats_len)) {
  1209. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1210. SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
  1211. return 0;
  1212. }
  1213. }
  1214. return 1;
  1215. }
  1216. #endif
  1217. int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
  1218. X509 *x, size_t chainidx)
  1219. {
  1220. if (s->ext.session_ticket_cb != NULL &&
  1221. !s->ext.session_ticket_cb(s, PACKET_data(pkt),
  1222. PACKET_remaining(pkt),
  1223. s->ext.session_ticket_cb_arg)) {
  1224. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1225. SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
  1226. return 0;
  1227. }
  1228. if (!tls_use_ticket(s)) {
  1229. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
  1230. SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
  1231. return 0;
  1232. }
  1233. if (PACKET_remaining(pkt) > 0) {
  1234. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1235. SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
  1236. return 0;
  1237. }
  1238. s->ext.ticket_expected = 1;
  1239. return 1;
  1240. }
  1241. #ifndef OPENSSL_NO_OCSP
  1242. int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
  1243. X509 *x, size_t chainidx)
  1244. {
  1245. if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
  1246. /* We ignore this if the server sends a CertificateRequest */
  1247. /* TODO(TLS1.3): Add support for this */
  1248. return 1;
  1249. }
  1250. /*
  1251. * MUST only be sent if we've requested a status
  1252. * request message. In TLS <= 1.2 it must also be empty.
  1253. */
  1254. if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
  1255. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
  1256. SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
  1257. return 0;
  1258. }
  1259. if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
  1260. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1261. SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
  1262. return 0;
  1263. }
  1264. if (SSL_IS_TLS13(s)) {
  1265. /* We only know how to handle this if it's for the first Certificate in
  1266. * the chain. We ignore any other responses.
  1267. */
  1268. if (chainidx != 0)
  1269. return 1;
  1270. /* SSLfatal() already called */
  1271. return tls_process_cert_status_body(s, pkt);
  1272. }
  1273. /* Set flag to expect CertificateStatus message */
  1274. s->ext.status_expected = 1;
  1275. return 1;
  1276. }
  1277. #endif
  1278. #ifndef OPENSSL_NO_CT
  1279. int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1280. size_t chainidx)
  1281. {
  1282. if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
  1283. /* We ignore this if the server sends it in a CertificateRequest */
  1284. /* TODO(TLS1.3): Add support for this */
  1285. return 1;
  1286. }
  1287. /*
  1288. * Only take it if we asked for it - i.e if there is no CT validation
  1289. * callback set, then a custom extension MAY be processing it, so we
  1290. * need to let control continue to flow to that.
  1291. */
  1292. if (s->ct_validation_callback != NULL) {
  1293. size_t size = PACKET_remaining(pkt);
  1294. /* Simply copy it off for later processing */
  1295. OPENSSL_free(s->ext.scts);
  1296. s->ext.scts = NULL;
  1297. s->ext.scts_len = (uint16_t)size;
  1298. if (size > 0) {
  1299. s->ext.scts = OPENSSL_malloc(size);
  1300. if (s->ext.scts == NULL
  1301. || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
  1302. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
  1303. ERR_R_INTERNAL_ERROR);
  1304. return 0;
  1305. }
  1306. }
  1307. } else {
  1308. ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
  1309. ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
  1310. /*
  1311. * If we didn't ask for it then there must be a custom extension,
  1312. * otherwise this is unsolicited.
  1313. */
  1314. if (custom_ext_find(&s->cert->custext, role,
  1315. TLSEXT_TYPE_signed_certificate_timestamp,
  1316. NULL) == NULL) {
  1317. SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_SCT,
  1318. SSL_R_BAD_EXTENSION);
  1319. return 0;
  1320. }
  1321. if (!custom_ext_parse(s, context,
  1322. TLSEXT_TYPE_signed_certificate_timestamp,
  1323. PACKET_data(pkt), PACKET_remaining(pkt),
  1324. x, chainidx)) {
  1325. /* SSLfatal already called */
  1326. return 0;
  1327. }
  1328. }
  1329. return 1;
  1330. }
  1331. #endif
  1332. #ifndef OPENSSL_NO_NEXTPROTONEG
  1333. /*
  1334. * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
  1335. * elements of zero length are allowed and the set of elements must exactly
  1336. * fill the length of the block. Returns 1 on success or 0 on failure.
  1337. */
  1338. static int ssl_next_proto_validate(SSL *s, PACKET *pkt)
  1339. {
  1340. PACKET tmp_protocol;
  1341. while (PACKET_remaining(pkt)) {
  1342. if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
  1343. || PACKET_remaining(&tmp_protocol) == 0) {
  1344. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_NEXT_PROTO_VALIDATE,
  1345. SSL_R_BAD_EXTENSION);
  1346. return 0;
  1347. }
  1348. }
  1349. return 1;
  1350. }
  1351. int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1352. size_t chainidx)
  1353. {
  1354. unsigned char *selected;
  1355. unsigned char selected_len;
  1356. PACKET tmppkt;
  1357. /* Check if we are in a renegotiation. If so ignore this extension */
  1358. if (!SSL_IS_FIRST_HANDSHAKE(s))
  1359. return 1;
  1360. /* We must have requested it. */
  1361. if (s->ctx->ext.npn_select_cb == NULL) {
  1362. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_NPN,
  1363. SSL_R_BAD_EXTENSION);
  1364. return 0;
  1365. }
  1366. /* The data must be valid */
  1367. tmppkt = *pkt;
  1368. if (!ssl_next_proto_validate(s, &tmppkt)) {
  1369. /* SSLfatal() already called */
  1370. return 0;
  1371. }
  1372. if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
  1373. PACKET_data(pkt),
  1374. PACKET_remaining(pkt),
  1375. s->ctx->ext.npn_select_cb_arg) !=
  1376. SSL_TLSEXT_ERR_OK) {
  1377. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN,
  1378. SSL_R_BAD_EXTENSION);
  1379. return 0;
  1380. }
  1381. /*
  1382. * Could be non-NULL if server has sent multiple NPN extensions in
  1383. * a single Serverhello
  1384. */
  1385. OPENSSL_free(s->ext.npn);
  1386. s->ext.npn = OPENSSL_malloc(selected_len);
  1387. if (s->ext.npn == NULL) {
  1388. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN,
  1389. ERR_R_INTERNAL_ERROR);
  1390. return 0;
  1391. }
  1392. memcpy(s->ext.npn, selected, selected_len);
  1393. s->ext.npn_len = selected_len;
  1394. s->s3->npn_seen = 1;
  1395. return 1;
  1396. }
  1397. #endif
  1398. int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1399. size_t chainidx)
  1400. {
  1401. size_t len;
  1402. /* We must have requested it. */
  1403. if (!s->s3->alpn_sent) {
  1404. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_ALPN,
  1405. SSL_R_BAD_EXTENSION);
  1406. return 0;
  1407. }
  1408. /*-
  1409. * The extension data consists of:
  1410. * uint16 list_length
  1411. * uint8 proto_length;
  1412. * uint8 proto[proto_length];
  1413. */
  1414. if (!PACKET_get_net_2_len(pkt, &len)
  1415. || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
  1416. || PACKET_remaining(pkt) != len) {
  1417. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
  1418. SSL_R_BAD_EXTENSION);
  1419. return 0;
  1420. }
  1421. OPENSSL_free(s->s3->alpn_selected);
  1422. s->s3->alpn_selected = OPENSSL_malloc(len);
  1423. if (s->s3->alpn_selected == NULL) {
  1424. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
  1425. ERR_R_INTERNAL_ERROR);
  1426. return 0;
  1427. }
  1428. if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) {
  1429. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
  1430. SSL_R_BAD_EXTENSION);
  1431. return 0;
  1432. }
  1433. s->s3->alpn_selected_len = len;
  1434. if (s->session->ext.alpn_selected == NULL
  1435. || s->session->ext.alpn_selected_len != len
  1436. || memcmp(s->session->ext.alpn_selected, s->s3->alpn_selected, len)
  1437. != 0) {
  1438. /* ALPN not consistent with the old session so cannot use early_data */
  1439. s->ext.early_data_ok = 0;
  1440. }
  1441. if (!s->hit) {
  1442. /*
  1443. * This is a new session and so alpn_selected should have been
  1444. * initialised to NULL. We should update it with the selected ALPN.
  1445. */
  1446. if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
  1447. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
  1448. ERR_R_INTERNAL_ERROR);
  1449. return 0;
  1450. }
  1451. s->session->ext.alpn_selected =
  1452. OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
  1453. if (s->session->ext.alpn_selected == NULL) {
  1454. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
  1455. ERR_R_INTERNAL_ERROR);
  1456. return 0;
  1457. }
  1458. s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
  1459. }
  1460. return 1;
  1461. }
  1462. #ifndef OPENSSL_NO_SRTP
  1463. int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1464. size_t chainidx)
  1465. {
  1466. unsigned int id, ct, mki;
  1467. int i;
  1468. STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
  1469. SRTP_PROTECTION_PROFILE *prof;
  1470. if (!PACKET_get_net_2(pkt, &ct) || ct != 2
  1471. || !PACKET_get_net_2(pkt, &id)
  1472. || !PACKET_get_1(pkt, &mki)
  1473. || PACKET_remaining(pkt) != 0) {
  1474. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
  1475. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  1476. return 0;
  1477. }
  1478. if (mki != 0) {
  1479. /* Must be no MKI, since we never offer one */
  1480. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_USE_SRTP,
  1481. SSL_R_BAD_SRTP_MKI_VALUE);
  1482. return 0;
  1483. }
  1484. /* Throw an error if the server gave us an unsolicited extension */
  1485. clnt = SSL_get_srtp_profiles(s);
  1486. if (clnt == NULL) {
  1487. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
  1488. SSL_R_NO_SRTP_PROFILES);
  1489. return 0;
  1490. }
  1491. /*
  1492. * Check to see if the server gave us something we support (and
  1493. * presumably offered)
  1494. */
  1495. for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
  1496. prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
  1497. if (prof->id == id) {
  1498. s->srtp_profile = prof;
  1499. return 1;
  1500. }
  1501. }
  1502. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
  1503. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  1504. return 0;
  1505. }
  1506. #endif
  1507. int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1508. size_t chainidx)
  1509. {
  1510. /* Ignore if inappropriate ciphersuite */
  1511. if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
  1512. && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
  1513. && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
  1514. s->ext.use_etm = 1;
  1515. return 1;
  1516. }
  1517. int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1518. size_t chainidx)
  1519. {
  1520. s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
  1521. if (!s->hit)
  1522. s->session->flags |= SSL_SESS_FLAG_EXTMS;
  1523. return 1;
  1524. }
  1525. int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
  1526. X509 *x, size_t chainidx)
  1527. {
  1528. unsigned int version;
  1529. if (!PACKET_get_net_2(pkt, &version)
  1530. || PACKET_remaining(pkt) != 0) {
  1531. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1532. SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,
  1533. SSL_R_LENGTH_MISMATCH);
  1534. return 0;
  1535. }
  1536. /*
  1537. * The only protocol version we support which is valid in this extension in
  1538. * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
  1539. */
  1540. if (version != TLS1_3_VERSION) {
  1541. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1542. SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,
  1543. SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
  1544. return 0;
  1545. }
  1546. /* We ignore this extension for HRRs except to sanity check it */
  1547. if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
  1548. return 1;
  1549. /* We just set it here. We validate it in ssl_choose_client_version */
  1550. s->version = version;
  1551. return 1;
  1552. }
  1553. int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1554. size_t chainidx)
  1555. {
  1556. #ifndef OPENSSL_NO_TLS1_3
  1557. unsigned int group_id;
  1558. PACKET encoded_pt;
  1559. EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;
  1560. /* Sanity check */
  1561. if (ckey == NULL || s->s3->peer_tmp != NULL) {
  1562. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1563. ERR_R_INTERNAL_ERROR);
  1564. return 0;
  1565. }
  1566. if (!PACKET_get_net_2(pkt, &group_id)) {
  1567. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1568. SSL_R_LENGTH_MISMATCH);
  1569. return 0;
  1570. }
  1571. if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
  1572. const uint16_t *pgroups = NULL;
  1573. size_t i, num_groups;
  1574. if (PACKET_remaining(pkt) != 0) {
  1575. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1576. SSL_R_LENGTH_MISMATCH);
  1577. return 0;
  1578. }
  1579. /*
  1580. * It is an error if the HelloRetryRequest wants a key_share that we
  1581. * already sent in the first ClientHello
  1582. */
  1583. if (group_id == s->s3->group_id) {
  1584. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1585. SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
  1586. return 0;
  1587. }
  1588. /* Validate the selected group is one we support */
  1589. tls1_get_supported_groups(s, &pgroups, &num_groups);
  1590. for (i = 0; i < num_groups; i++) {
  1591. if (group_id == pgroups[i])
  1592. break;
  1593. }
  1594. if (i >= num_groups
  1595. || !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) {
  1596. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1597. SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
  1598. return 0;
  1599. }
  1600. s->s3->group_id = group_id;
  1601. EVP_PKEY_free(s->s3->tmp.pkey);
  1602. s->s3->tmp.pkey = NULL;
  1603. return 1;
  1604. }
  1605. if (group_id != s->s3->group_id) {
  1606. /*
  1607. * This isn't for the group that we sent in the original
  1608. * key_share!
  1609. */
  1610. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1611. SSL_R_BAD_KEY_SHARE);
  1612. return 0;
  1613. }
  1614. if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
  1615. || PACKET_remaining(&encoded_pt) == 0) {
  1616. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1617. SSL_R_LENGTH_MISMATCH);
  1618. return 0;
  1619. }
  1620. skey = ssl_generate_pkey(ckey);
  1621. if (skey == NULL) {
  1622. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1623. ERR_R_MALLOC_FAILURE);
  1624. return 0;
  1625. }
  1626. if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
  1627. PACKET_remaining(&encoded_pt))) {
  1628. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1629. SSL_R_BAD_ECPOINT);
  1630. EVP_PKEY_free(skey);
  1631. return 0;
  1632. }
  1633. if (ssl_derive(s, ckey, skey, 1) == 0) {
  1634. /* SSLfatal() already called */
  1635. EVP_PKEY_free(skey);
  1636. return 0;
  1637. }
  1638. s->s3->peer_tmp = skey;
  1639. #endif
  1640. return 1;
  1641. }
  1642. int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1643. size_t chainidx)
  1644. {
  1645. PACKET cookie;
  1646. if (!PACKET_as_length_prefixed_2(pkt, &cookie)
  1647. || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
  1648. &s->ext.tls13_cookie_len)) {
  1649. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_COOKIE,
  1650. SSL_R_LENGTH_MISMATCH);
  1651. return 0;
  1652. }
  1653. return 1;
  1654. }
  1655. int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
  1656. X509 *x, size_t chainidx)
  1657. {
  1658. if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
  1659. unsigned long max_early_data;
  1660. if (!PACKET_get_net_4(pkt, &max_early_data)
  1661. || PACKET_remaining(pkt) != 0) {
  1662. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
  1663. SSL_R_INVALID_MAX_EARLY_DATA);
  1664. return 0;
  1665. }
  1666. s->session->ext.max_early_data = max_early_data;
  1667. return 1;
  1668. }
  1669. if (PACKET_remaining(pkt) != 0) {
  1670. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
  1671. SSL_R_BAD_EXTENSION);
  1672. return 0;
  1673. }
  1674. if (!s->ext.early_data_ok
  1675. || !s->hit
  1676. || s->session->ext.tick_identity != 0) {
  1677. /*
  1678. * If we get here then we didn't send early data, or we didn't resume
  1679. * using the first identity, or the SNI/ALPN is not consistent so the
  1680. * server should not be accepting it.
  1681. */
  1682. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
  1683. SSL_R_BAD_EXTENSION);
  1684. return 0;
  1685. }
  1686. s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
  1687. return 1;
  1688. }
  1689. int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1690. size_t chainidx)
  1691. {
  1692. #ifndef OPENSSL_NO_TLS1_3
  1693. unsigned int identity;
  1694. if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
  1695. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
  1696. SSL_R_LENGTH_MISMATCH);
  1697. return 0;
  1698. }
  1699. if (s->session->ext.tick_identity == (int)identity) {
  1700. s->hit = 1;
  1701. SSL_SESSION_free(s->psksession);
  1702. s->psksession = NULL;
  1703. return 1;
  1704. }
  1705. if (s->psksession == NULL
  1706. || s->psksession->ext.tick_identity != (int)identity) {
  1707. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
  1708. SSL_R_BAD_PSK_IDENTITY);
  1709. return 0;
  1710. }
  1711. /*
  1712. * If we used the external PSK for sending early_data then s->early_secret
  1713. * is already set up, so don't overwrite it. Otherwise we copy the
  1714. * early_secret across that we generated earlier.
  1715. */
  1716. if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
  1717. && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
  1718. || s->session->ext.max_early_data > 0
  1719. || s->psksession->ext.max_early_data == 0)
  1720. memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
  1721. SSL_SESSION_free(s->session);
  1722. s->session = s->psksession;
  1723. s->psksession = NULL;
  1724. s->hit = 1;
  1725. #endif
  1726. return 1;
  1727. }